0x00 Background
While playing the HDU freshman CTF hgame I ran into a challenge that inspects the user-supplied shellcode and only allows uppercase letters and digits. A senior club member pointed out that there is a dedicated tool for this kind of problem: alpha3. This post uses that challenge as an example to record how alpha3 is used.
0x01 Program analysis
Opening the binary in IDA and decompiling it gives the following pseudocode for main:
int __cdecl main()
{
  char buf; // [esp+Fh] [ebp-19h]
  int i; // [esp+10h] [ebp-18h]
  unsigned int sc; // [esp+14h] [ebp-14h]
  ssize_t v4; // [esp+18h] [ebp-10h]
  unsigned int canary; // [esp+1Ch] [ebp-Ch]

  canary = __readgsdword(0x14u);
  setvbuf(stdout, 0, 2, 0);
  sc = (unsigned int)malloc(0x1000u);          // 0x1000-byte heap buffer that receives the shellcode
  puts("========== ez shellcode ver2 ==========");
  printf("> ");
  for ( i = 0; i <= 4095; ++i )
  {
    v4 = read(0, &buf, 1u);                    // input is read and checked one byte at a time
    if ( v4 == -1 )
      exit(0);
    // stop at the first byte that is neither 'A'..'Z' (65..90) nor '0'..'9' (48..57)
    if ( (buf > 90 || buf <= 64) && (buf <= 47 || buf > 57) )
      break;
    *(_BYTE *)(sc + i) = buf;
  }
  if ( mprotect((void *)(sc & 0xFFFFF000), 0x1000u, 7) == -1 )   // make the page readable, writable and executable
  {
    puts("error ,tell admin");
  }
  else
  {
    puts("exec shellcode...");
    ((void (*)(void))sc)();                    // jump into the buffer
  }
  return 0;
}
The program is simple: as long as we find a shellcode made up only of uppercase letters and digits (so-called alphanumeric shellcode), we can pwn it. We use alpha3 to convert an ordinary shellcode into alphanumeric shellcode, but alpha3 is genuinely awkward to use and there are very few tutorials online, which is the main reason I am writing this post.
Solution walkthrough
First search GitHub for alpha3 to find the code repository, clone it and build it locally; after that it is ready to use, although the process is quite tedious...... So here I simply provide the built version for download (password: mmdj). Next, find an ordinary shellcode that spawns a shell and write its machine code to a file (for example sc.bin). Then, in cmd, cd into the alpha3 folder and run alpha3 to obtain the alphanumeric shellcode. Before that, first run python ./ALPHA3.py
and look at the help:
[Usage]
  ALPHA3.py [ encoder settings | I/O settings | flags ]
[Encoder setting]
  architecture        Which processor architecture to target (x86,
                      x64).
  character encoding  Which character encoding to use (ascii, cp437,
                      latin-1, utf-16).
  casing              Which character casing to use (uppercase,
                      mixedcase, lowercase).
  base address        How to determine the base address in the decoder
                      code (each encoder has its own set of valid
                      values).
[I/O Setting]
  --input="file"      Path to a file that contains the shellcode to be
                      encoded (Optional, default is to read input from
                      stdin).
  --output="file"     Path to a file that will receive the encoded
                      shellcode (Optional, default is to write output
                      to stdout).
[Flags]
  --verbose           Display verbose information while executing. Use
                      this flag twice to output progress during
                      encoding.
  --help              Display this message and quit.
  --test              Run all available tests for all encoders.
                      (Useful while developing/testing new encoders).
  --int3              Trigger a breakpoint before executing the result
                      of a test. (Use in combination with --test).
[Notes]
  You can provide encoder settings in combination with the --help and --test
  switches to filter which encoders you get help information for and which
  get tested, respectively.
  Valid base address examples for each encoder, ordered by encoder settings,
  are:
  [x64 ascii mixedcase]
    AscMix (r64)                 RAX RCX RDX RBX RSP RBP RSI RDI
  [x86 ascii lowercase]
    AscLow 0x30 (rm32)           ECX EDX EBX
  [x86 ascii mixedcase]
    AscMix 0x30 (rm32)           EAX ECX EDX EBX ESP EBP ESI EDI [EAX] [ECX]
                                 [EDX] [EBX] [ESP] [EBP] [ESI] [EDI] [ESP-4]
                                 ECX+2 ESI+4 ESI+8
    AscMix 0x30 (i32)            (address)
    AscMix Countslide (rm32)     countslide:EAX+offset~uncertainty
                                 countslide:EBX+offset~uncertainty
                                 countslide:ECX+offset~uncertainty
                                 countslide:EDX+offset~uncertainty
                                 countslide:ESI+offset~uncertainty
                                 countslide:EDI+offset~uncertainty
    AscMix Countslide (i32)      countslide:address~uncertainty
    AscMix SEH GetPC (XPsp3)     seh_getpc_xpsp3
  [x86 ascii uppercase]
    AscUpp 0x30 (rm32)           EAX ECX EDX EBX ESP EBP ESI EDI [EAX] [ECX]
                                 [EDX] [EBX] [ESP] [EBP] [ESI] [EDI]
  [x86 latin-1 mixedcase]
    Latin1Mix CALL GetPC         call
  [x86 utf-16 uppercase]
    UniUpper 0x10 (rm32)         EAX ECX EDX EBX ESP EBP ESI EDI [EAX] [ECX]
                                 [EDX] [EBX] [ESP] [EBP] [ESI] [EDI]
This challenge is 32-bit, so architecture is x86; because main checks the input byte by byte, character encoding is ascii; and because the challenge demands uppercase letters, casing is naturally uppercase. But what is the last setting, base address? alpha3 uses the shellcode's base address to relocate the shellcode, which amounts to the shellcode reassembling itself while it runs. Looking at the disassembly in IDA shows that the instruction that invokes the shellcode is call eax,
so the base is EAX. Combined with the ordinary shellcode obtained earlier, we can run python ./ALPHA3.py x86 ascii uppercase eax --input="sc.bin" > out.bin
and out.bin will then contain an alphanumeric shellcode; feeding it to the program with pwntools gets a shell!
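As an added example (not part of the original writeup or of alpha3), the following Python mirrors the byte filter from main above, so an ALPHA3 output file can be checked for bytes that would stop the read loop before it is sent; the helper names and the file names are my own choices.

```python
"""Replica of the challenge's input filter so an encoded shellcode file can be
verified offline before it is fed to the binary."""
import sys

MAX_SHELLCODE = 0x1000  # size of the malloc(0x1000) buffer in main


def challenge_rejects(byte):
    """True when main()'s `if (...) break;` fires for this byte.

    This is the C condition `(buf > 90 || buf <= 64) && (buf <= 47 || buf > 57)`
    evaluated on an unsigned 0..255 value: only 'A'..'Z' (65..90) and
    '0'..'9' (48..57) survive. Bytes >= 128 are negative as a C `char`, and
    are rejected there too, so the two formulations agree.
    """
    return (byte > 90 or byte <= 64) and (byte <= 47 or byte > 57)


def accepted_prefix(data):
    """Bytes the binary actually copies into its buffer.

    main() reads at most 0x1000 bytes and stops at the first rejected byte,
    so everything after that byte is silently dropped.
    """
    out = bytearray()
    for b in data[:MAX_SHELLCODE]:
        if challenge_rejects(b):
            break
        out.append(b)
    return bytes(out)


def check_encoded(data):
    """Return (ok, offset): ok is True when every byte passes the filter;
    otherwise offset is the index of the first byte main() would stop at."""
    kept = accepted_prefix(data)
    return (len(kept) == len(data), len(kept))


def alpha3_cmdline(input_path, output_path):
    """The ALPHA3.py invocation used in this writeup (x86, ascii, uppercase,
    base address in EAX), as an argv list."""
    return ["python", "ALPHA3.py", "x86", "ascii", "uppercase", "EAX",
            "--input=" + input_path, "--output=" + output_path]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "out.bin"
    with open(path, "rb") as f:
        ok, off = check_encoded(f.read())
    print("ok" if ok else "byte at offset %d would stop the read loop" % off)
```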
Summary
Only after this hgame did I realize how many clever tricks pwn has; it is really fascinating. I still have a lot more to learn.