Last active
February 22, 2024 08:53
-
-
Save plvhx/b7d0b0282770974396b831651062d062 to your computer and use it in GitHub Desktop.
pwn.college are mad as hell..
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # this is an implementation of creating mad and stupid yet concurrent | |
| # web server with only 65535 iteration before calling fork() syscall. | |
| # | |
| # fyi: this is pwn.college web server challenge | |
| # | |
| # Paulus Gandung Prakosa <[email protected]> | |
| # | |
| .section .rodata | |
| .resp: | |
| .asciz "HTTP/1.0 200 OK\r\n\r\n" | |
| .get_verb: | |
| .ascii "GET" | |
| .post_verb: | |
| .ascii "POST" | |
| .dcrlf: | |
| .ascii "\r\n\r\n" | |
| .section .bss | |
| .lcomm cbuf, 1025 | |
| .lcomm fbuf, 1025 | |
| .lcomm dbuf, 1025 | |
| .lcomm xbuf, 1025 | |
| .lcomm tbuf, 1025 | |
| .section .data | |
| .sfd: | |
| .int 0 | |
| .cfd: | |
| .int 0 | |
| .ffd: | |
| .int 0 | |
| .flen: | |
| .int 0 | |
| .pid: | |
| .int 0 | |
| .is_get: | |
| .int 0 | |
| .is_post: | |
| .int 0 | |
| .is_dcrlf: | |
| .int 0 | |
| .section .text | |
| .globl _start | |
| _start: | |
| # socket(2, 1, 0) | |
| xorq %rdi, %rdi | |
| incq %rdi | |
| incq %rdi | |
| xorq %rsi, %rsi | |
| incq %rsi | |
| xorq %rdx, %rdx | |
| xorq %rax, %rax | |
| addq $41, %rax | |
| syscall | |
| # backup fd | |
| movq %rax, .sfd | |
| movq .sfd, %r9 | |
| # initialize socket structure | |
| movw $0x02, (%rsp) | |
| movw $0x5000, 2(%rsp) | |
| movl $0x00, 4(%rsp) | |
| # save socket address | |
| movq %rsp, %r10 | |
| # bind(fd, <sockaddr>, 16) | |
| xorq %rdi, %rdi | |
| addq %r9, %rdi | |
| leaq (%r10), %rsi | |
| xorq %rdx, %rdx | |
| addq $0x10, %rdx | |
| xorq %rax, %rax | |
| addq $49, %rax | |
| syscall | |
| # listen(fd, 0) | |
| xorq %rdi, %rdi | |
| addq %r9, %rdi | |
| xorq %rsi, %rsi | |
| xorq %rax, %rax | |
| addq $50, %rax | |
| syscall | |
| xorq %r13, %r13 | |
| .iter: | |
| cmpq $0xffff, %r13 | |
| je .eop | |
| # accept(fd, 0, 0) | |
| xorq %rdi, %rdi | |
| addq %r9, %rdi | |
| xorq %rsi, %rsi | |
| xorq %rdx, %rdx | |
| xorq %rax, %rax | |
| addq $43, %rax | |
| syscall | |
| # save client fd | |
| movq %rax, .cfd | |
| movq .cfd, %r10 | |
| # fork() | |
| xorq %rax, %rax | |
| addq $57, %rax | |
| syscall | |
| # save pid | |
| movq %rax, .pid | |
| # compare and jump to branch | |
| cmpq $0x00, .pid | |
| je .core | |
| jg .cleanup_child | |
| .core: | |
| # close(sfd) | |
| xorq %rdi, %rdi | |
| addq .sfd, %rdi | |
| xorq %rax, %rax | |
| incq %rax | |
| incq %rax | |
| incq %rax | |
| syscall | |
| # read(cfd, buffer, 1024) | |
| xorq %rdi, %rdi | |
| addq %r10, %rdi | |
| xorq %rsi, %rsi | |
| leaq (cbuf), %rsi | |
| xorq %rdx, %rdx | |
| addq $1024, %rdx | |
| xorq %rax, %rax | |
| syscall | |
| .PCG0: | |
| leaq (cbuf), %rsi | |
| leaq (.get_verb), %rdi | |
| xorq %rcx, %rcx | |
| .ICG0: | |
| incq .is_get | |
| incq %rsi | |
| incq %rdi | |
| incq %rcx | |
| .LCG0: | |
| cmpq $0x03, %rcx | |
| je .check0 | |
| movb (%rsi), %al | |
| cmpb %al, (%rdi) | |
| je .ICG0 | |
| incq %rsi | |
| incq %rdi | |
| incq %rcx | |
| jmp .LCG0 | |
| .check0: | |
| movq .is_get, %rax | |
| cmpq $0x03, %rax | |
| je .hget | |
| .PCP0: | |
| leaq (cbuf), %rsi | |
| leaq (.post_verb), %rdi | |
| xorq %rcx, %rcx | |
| .ICP0: | |
| incq .is_post | |
| incq %rsi | |
| incq %rdi | |
| incq %rcx | |
| .LCP0: | |
| cmpq $0x04, %rcx | |
| je .check1 | |
| movb (%rsi), %al | |
| cmpb %al, (%rdi) | |
| je .ICP0 | |
| incq %rsi | |
| incq %rdi | |
| incq %rcx | |
| jmp .LCP0 | |
| .check1: | |
| movq .is_post, %rax | |
| cmpq $0x04, %rax | |
| je .hpost | |
| jne .term_child | |
| .hget: | |
| leaq (cbuf), %rdi | |
| leaq (fbuf), %rsi | |
| addq $0x04, %rdi | |
| xorq %rcx, %rcx | |
| .loop: | |
| cmpb $0x20, (%rdi) | |
| je .out | |
| .storebuf: | |
| movb (%rdi), %dl | |
| movb %dl, (%rsi) | |
| incq %rdi | |
| incq %rsi | |
| jmp .loop | |
| .out: | |
| # open(pfile, O_RDONLY) | |
| xorq %rdi, %rdi | |
| leaq (fbuf), %rdi | |
| xorq %rsi, %rsi | |
| xorq %rax, %rax | |
| incq %rax | |
| incq %rax | |
| syscall | |
| # save fd | |
| movq %rax, .ffd | |
| # read(fd, dbuf, 1024) | |
| xorq %rdi, %rdi | |
| addq .ffd, %rdi | |
| xorq %rsi, %rsi | |
| leaq (dbuf), %rsi | |
| xorq %rdx, %rdx | |
| addq $1024, %rdx | |
| xorq %rax, %rax | |
| syscall | |
| # save file contents length | |
| movq %rax, .flen | |
| # close(fd) | |
| xorq %rdi, %rdi | |
| addq .ffd, %rdi | |
| xorq %rax, %rax | |
| incq %rax | |
| incq %rax | |
| incq %rax | |
| syscall | |
| # write(cfd, buffer, 19) | |
| xorq %rdi, %rdi | |
| addq %r10, %rdi | |
| xorq %rsi, %rsi | |
| leaq (.resp), %rsi | |
| xorq %rdx, %rdx | |
| addq $19, %rdx | |
| xorq %rax, %rax | |
| incq %rax | |
| syscall | |
| # write(cfd, dbuf, len) | |
| xorq %rdi, %rdi | |
| addq %r10, %rdi | |
| xorq %rsi, %rsi | |
| leaq (dbuf), %rsi | |
| xorq %rdx, %rdx | |
| addq .flen, %rdx | |
| xorq %rax, %rax | |
| incq %rax | |
| syscall | |
| jmp .term_child | |
| .hpost: | |
| leaq (cbuf), %rdi | |
| leaq (fbuf), %rsi | |
| addq $0x05, %rdi | |
| .ploop: | |
| cmpb $0x20, (%rdi) | |
| je .xstep | |
| .pstorebuf: | |
| movb (%rdi), %dl | |
| movb %dl, (%rsi) | |
| incq %rdi | |
| incq %rsi | |
| jmp .ploop | |
| .xstep: | |
| leaq (cbuf), %rdi | |
| leaq (tbuf), %rsi | |
| .xloop: | |
| movb (%rdi), %dl | |
| movb %dl, (%rsi) | |
| movb 1(%rdi), %dl | |
| movb %dl, 1(%rsi) | |
| movb 2(%rdi), %dl | |
| movb %dl, 2(%rsi) | |
| movb 3(%rdi), %dl | |
| movb %dl, 3(%rsi) | |
| leaq (.dcrlf), %rax | |
| xorq %rcx, %rcx | |
| jmp .XCL0 | |
| .XIL0: | |
| incq %rax | |
| incq %rsi | |
| incq %rcx | |
| incq .is_dcrlf | |
| jmp .XCL0 | |
| .XCL0: | |
| cmpq $0x04, %rcx | |
| je .XFL0 | |
| movb (%rax), %dl | |
| cmpb %dl, (%rsi) | |
| je .XIL0 | |
| incq %rax | |
| incq %rsi | |
| incq %rcx | |
| .XFL0: | |
| subq $0x03, %rsi | |
| subq $0x03, %rax | |
| xorq %rdx, %rdx | |
| addq .is_dcrlf, %rdx | |
| cmpq $0x04, %rdx | |
| je .pcbuf | |
| incq %rdi | |
| movq $0x00, .is_dcrlf | |
| jmp .xloop | |
| .pcbuf: | |
| addq $0x04, %rdi | |
| leaq (xbuf), %rsi | |
| .cloop: | |
| cmpb $0x00, (%rdi) | |
| je .pout | |
| movb (%rdi), %dl | |
| movb %dl, (%rsi) | |
| incq %rdi | |
| incq %rsi | |
| jmp .cloop | |
| .pout: | |
| # open(pfile, O_CREAT | O_WRONLY, 0777) | |
| xorq %rdi, %rdi | |
| leaq (fbuf), %rdi | |
| xorq %rsi, %rsi | |
| addq $65, %rsi | |
| xorq %rdx, %rdx | |
| addq $0x1ff, %rdx | |
| xorq %rax, %rax | |
| incq %rax | |
| incq %rax | |
| syscall | |
| # save fd | |
| movq %rax, .ffd | |
| leaq (xbuf), %rdi | |
| xorq %rcx, %rcx | |
| .cntloop: | |
| cmpb $0x00, (%rdi) | |
| je .pdone | |
| incq %rcx | |
| incq %rdi | |
| jmp .cntloop | |
| .pdone: | |
| # write(pfile, xbuf, len(xbuf)) | |
| xorq %rdi, %rdi | |
| addq .ffd, %rdi | |
| xorq %rsi, %rsi | |
| leaq (xbuf), %rsi | |
| xorq %rdx, %rdx | |
| addq %rcx, %rdx | |
| xorq %rax, %rax | |
| incq %rax | |
| syscall | |
| # close(pfile) | |
| xorq %rdi, %rdi | |
| addq .ffd, %rdi | |
| xorq %rax, %rax | |
| incq %rax | |
| incq %rax | |
| incq %rax | |
| syscall | |
| # write(cfd, "HTTP/1.0 200 OK\r\n\r\n", 19) | |
| xorq %rdi, %rdi | |
| addq %r10, %rdi | |
| xorq %rsi, %rsi | |
| leaq (.resp), %rsi | |
| xorq %rdx, %rdx | |
| addq $19, %rdx | |
| xorq %rax, %rax | |
| incq %rax | |
| syscall | |
| .term_child: | |
| # exit(0) | |
| xorq %rdi, %rdi | |
| xorq %rax, %rax | |
| addq $60, %rax | |
| syscall | |
| .cleanup_child: | |
| # close(cfd) | |
| xorq %rdi, %rdi | |
| addq %r10, %rdi | |
| xorq %rax, %rax | |
| incq %rax | |
| incq %rax | |
| incq %rax | |
| syscall | |
| incq %r13 | |
| jmp .iter | |
| .eop: | |
| # exit(0) | |
| xorq %rdi, %rdi | |
| xorq %rax, %rax | |
| addq $60, %rax | |
| syscall |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment