DEV Community

Hyunseung Ha

[PWN.02] Open Read Write

Open Read Write

We open files, read data from files, and write data into files.

In this section, we learn ORW to exploit and get a command shell.

The following are the ORW syscalls:

[Image: the ORW syscalls]

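First, how to open a file:
The file is /tmp/file.
We have to push the file path onto the stack.
/tmp/file = 0x6c69662f706d742f65
The above hexadecimal value is written in little-endian order: 0x6c69662f706d742f is the first eight bytes, "/tmp/fil", and 0x65 is the final byte, "e".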

```asm
push 0x65                   ; 'e'; the rest of the 8-byte slot is zero, which terminates the string
mov rax, 0x6c69662f706d742f ; "/tmp/fil" in little-endian
push rax
mov rdi, rsp    ; rdi points to the file name
xor rsi, rsi    ; setting rsi to 0 means O_RDONLY
xor rdx, rdx    ; no mode is needed for this open
mov rax, 0x02   ; open is syscall 0x02
syscall         ; open("/tmp/file", O_RDONLY, NULL)
```

Second, how to read the file:
We can read the file with code similar to the above.

```asm
mov rdi, rax    ; rax holds the fd (file descriptor) returned by open
mov rsi, rsp    ; start from the stack pointer to set the buffer for read
sub rsi, 0x30   ; buf = rsp - 0x30, leaving 0x30 bytes of room
mov rdx, 0x30   ; data length is 0x30
mov rax, 0x00   ; read is syscall 0x00
syscall         ; read(fd, buf, 0x30)
```

Finally, we already know how to write a file:

```asm
mov rdi, 1      ; fd is set to STDOUT (or to a file's descriptor)
                ; rsi (buf) and rdx (0x30) are still set from the read call
mov rax, 0x01   ; write is syscall 0x01
syscall         ; write(fd, buf, 0x30)
```
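When reading a listing like the open step above, the pushed constants can be decoded back into the string they build on the stack, which confirms the little-endian layout of /tmp/file. This is an added example, not code from the original post. The name `recover_stack_string` and the regex parsing are assumptions; it resolves only `push imm`, `mov reg, imm`, `xor reg, reg` and `push reg` in the Intel syntax used here.

```python
import re

# Constructed sample input: the first three instructions of the open step above.
PAGE_LISTING = """
push 0x65
mov rax, 0x6c69662f706d742f
push rax
"""

PUSH_IMM = re.compile(r"^push\s+(0x[0-9a-f]+)$")
MOV_IMM = re.compile(r"^mov\s+(\w+)\s*,\s*(0x[0-9a-f]+)$")
XOR_SELF = re.compile(r"^xor\s+(\w+)\s*,\s*\1$")
PUSH_REG = re.compile(r"^push\s+([a-z]\w*)$")
MASK64 = (1 << 64) - 1


def recover_stack_string(asm: str) -> bytes:
    """Return the NUL-terminated bytes that the pushes leave at rsp."""
    regs = {}    # register -> constant it currently holds
    slots = []   # 8-byte values in the order they were pushed
    for raw in asm.splitlines():
        line = raw.split(";", 1)[0].strip().lower()  # drop comments
        if m := PUSH_IMM.match(line):
            value = int(m.group(1), 16)
            # push takes at most a 32-bit immediate, sign-extended to 64 bits
            if 0x80000000 <= value <= 0xFFFFFFFF:
                value |= 0xFFFFFFFF00000000
            slots.append(value & MASK64)
        elif m := MOV_IMM.match(line):
            regs[m.group(1)] = int(m.group(2), 16) & MASK64
        elif m := XOR_SELF.match(line):
            regs[m.group(1)] = 0
        elif m := PUSH_REG.match(line):
            if m.group(1) in regs:  # skip pushes of values we cannot resolve
                slots.append(regs[m.group(1)])
    # The stack grows down, so the last push sits at the lowest address (rsp).
    memory = b"".join(v.to_bytes(8, "little") for v in reversed(slots))
    return memory.split(b"\x00", 1)[0]


if __name__ == "__main__":
    print(recover_stack_string(PAGE_LISTING))
```
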

We use syscalls to call kernel functions.
In general, we can't use kernel functions in user mode, but we can call a kernel function through a system call.

There are many syscalls to use, so we can find out more!
https://faculty.nps.edu/cseagle/assembly/sys_call.html
