  • Some modifications to the exploit template generated by pwntools

    After installing pwntools, a few command-line tools become available:

    ~ pwn template -h
    usage: pwn template [-h] [--host HOST] [--port PORT] [--user USER]
                        [--pass PASSWORD] [--path PATH]
                        [exe]
    
    positional arguments:
      exe              Target binary
    
    optional arguments:
      -h, --help       show this help message and exit
      --host HOST      Remote host / SSH server
      --port PORT      Remote port / SSH port
      --user USER      SSH Username
      --pass PASSWORD  SSH Password
      --path PATH      Remote path of file on SSH server

    But the template it generates has a problem: it returns the process started by gdb.debug directly, and in some situations you get no proper response once the gdb process has exited.

    ~ pwn template
    #!/usr/bin/env python2
    # -*- coding: utf-8 -*-
    from pwn import *
    
    # Set up pwntools for the correct architecture
    context.update(arch='i386')
    exe = './path/to/binary'
    
    # Many built-in settings can be controlled on the command-line and show up
    # in "args".  For example, to dump all data sent/received, and disable ASLR
    # for all created processes...
    # ./exploit.py DEBUG NOASLR
    
    # Specify your GDB script here for debugging
    # GDB will be launched if the exploit is run via e.g.
    # ./exploit.py GDB
    gdbscript = '''
    continue
    '''.format(**locals())
    
    
    def start(argv=[], *a, **kw):
        if args.GDB:
            return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
        else:
            return process([exe] + argv, *a, **kw)
    
    #===========================================================
    #                    EXPLOIT GOES HERE
    #===========================================================
    io = start()
    
    # shellcode = asm(shellcraft.sh())
    # payload = fit({
    #     32: 0xdeadbeef,
    #     'iaaa': [1, 2, 'Hello', 3]
    # }, length=128)
    # io.send(payload)
    # flag = io.recv(...)
    # log.success(flag)
    
    io.interactive()

    So I made some modifications:

    # -*- coding: utf-8 -*-
    from pwn import *
    # context.binary also sets arch/bits/endianness from the ELF header
    exe = context.binary = ELF('./level32-2')
    host = '127.0.0.1'
    port = 10003
    gdbscript = '''
    b main
    '''
    # ./exp.py I  -> log every byte sent and received
    if args.I:
        context.log_level = 'debug'
    def local():
        return process(exe.path)
    # connect() is pwntools' alias for remote(), which this local name shadows
    def remote():
        return connect(host, port)
    # ./exp.py R  -> talk to the remote service, otherwise run the binary locally
    start = remote if args.R else local
    #===========================================================
    
    #===========================================================
    io = start()
    # ./exp.py D  -> attach gdb to the already-running local process
    if args.D:
        gdb.attach(io, gdbscript)
    io.interactive()
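    The template above relies on pwntools turning uppercase command-line tokens (R, D, I) into `args`, and it attaches gdb whatever `start` returned. The following script is an added example written for this post, not the template itself: its flag parsing and mode selection are plain Python (the parsing is an approximation of pwnlib.args, stated as an assumption), pwntools is imported only when a tube is actually created, and gdb.attach is skipped in remote mode because there is no local process to attach to. The binary path, host and port are the post's placeholders.

```python
#!/usr/bin/env python3
# Added example, not the original post's template.  Mode selection is pure
# Python so it can be exercised without pwntools; pwntools is imported lazily.
import sys

EXE = './level32-2'      # placeholder binary path, as in the post
HOST = '127.0.0.1'       # placeholder host, as in the post
PORT = 10003             # placeholder port, as in the post


def parse_flags(argv):
    """Approximate pwntools' `args` handling (assumption: close enough to
    pwnlib.args for template purposes): an all-uppercase identifier token is a
    flag, `KEY=VALUE` gives it a value, a bare `KEY` becomes 'True'.  Other
    tokens are returned untouched for the script's own use."""
    flags, rest = {}, []
    for tok in argv:
        key, sep, value = tok.partition('=')
        if key.isupper() and key.isidentifier():
            flags[key] = value if sep else 'True'
        else:
            rest.append(tok)
    return flags, rest


def plan(flags):
    """Map the template's three switches to a launch plan:
    R -> remote service, D -> attach gdb, I -> debug log level.
    gdb.attach() only makes sense for a process we started ourselves, so D is
    ignored when R is set instead of attaching to something listening locally."""
    mode = 'remote' if flags.get('R') else 'local'
    return {
        'mode': mode,
        'attach_gdb': bool(flags.get('D')) and mode == 'local',
        'log_level': 'debug' if flags.get('I') else 'info',
    }


def start(p, gdbscript='b main\n'):
    """Create the tube described by plan `p`.  pwntools is imported here so the
    helpers above stay usable (and testable) without it installed."""
    from pwn import ELF, connect, context, gdb, process  # lazy import
    context.log_level = p['log_level']
    if p['mode'] == 'remote':
        return connect(HOST, PORT)
    exe = context.binary = ELF(EXE)   # also sets arch/bits from the ELF
    io = process(exe.path)
    if p['attach_gdb']:
        gdb.attach(io, gdbscript)     # attach to the running local process
    return io


if __name__ == '__main__':
    flags, _ = parse_flags(sys.argv[1:])
    io = start(plan(flags))
    io.interactive()
```

    Usage follows the post's conventions: `./exp.py` runs the binary locally, `./exp.py D` does the same and attaches gdb with `b main`, `./exp.py R I` talks to the remote service with verbose logging. Keeping the decision in `plan()` means the local/remote/debug logic can be unit-tested without a target binary or a running service.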
  • Original article: https://www.cnblogs.com/junmoxiao/p/7545869.html