zoukankan      html  css  js  c++  java

  • pwntools使用简介3

    连接

    本地process()、远程remote()。对于remote函数可以接url并且指定端口。

    IO模块

    下面给出了PwnTools中的主要IO函数。这个比较容易跟zio搞混,记住zio是read、write,pwn是recv、send就可以了。

    复制代码
    send(data) : 发送数据
sendline(data) : 发送一行数据,相当于在末尾加


recv(numb=4096, timeout=default) : 给出接收字节数,timeout指定超时
recvuntil(delims, drop=False) : 接收到delims的pattern
(以下可以看作until的特例)
recvline(keepends=True) : 接收到
,keepends指定保留

recvall() : 接收到EOF
recvrepeat(timeout=default) : 接收到EOF或timeout

interactive() : 与shell交互
    复制代码

    ELF模块

    ELF模块用于获取ELF文件的信息,首先使用ELF()获取这个文件的句柄,然后使用这个句柄调用函数,和IO模块很相似。

    下面演示了:获取基地址、获取函数地址(基于符号)、获取函数got地址、获取函数plt地址

    复制代码
    >>> e = ELF('/bin/cat')
>>> print hex(e.address)  # 文件装载的基地址
0x400000
>>> print hex(e.symbols['write']) # 函数地址
0x401680
>>> print hex(e.got['write']) # GOT表的地址
0x60b070
>>> print hex(e.plt['write']) # PLT的地址
0x401680
    复制代码

    数据处理

    主要是对整数进行打包,就是转换成二进制的形式,比如转换成地址。p32、p64是打包,u32、u64是解包。

    DynELF

    DynELF是leak信息的神器。前提条件是要提供一个输入地址,输出此地址最少1byte数的函数。官网给出的说明是:Given a function which can leak data at an arbitrary address, any symbol in any loaded library can be resolved.

    很叼啊,有木有。以下是官方例程

    复制代码
    # Assume a process or remote connection
p = process('./pwnme')

# Declare a function that takes a single address, and
# leaks at least one byte at that address.
def leak(address):
    data = p.read(address, 4)
    log.debug("%#x => %s" % (address, (data or '').encode('hex')))
    return data

# For the sake of this example, let's say that we
# have any of these pointers.  One is a pointer into
# the target binary, the other two are pointers into libc
main   = 0xfeedf4ce
libc   = 0xdeadb000
system = 0xdeadbeef

# With our leaker, and a pointer into our target binary,
# we can resolve the address of anything.
#
# We do not actually need to have a copy of the target
# binary for this to work.
d = DynELF(leak, main)
assert d.lookup(None,     'libc') == libc
assert d.lookup('system', 'libc') == system

# However, if we *do* have a copy of the target binary,
# we can speed up some of the steps.
d = DynELF(leak, main, elf=ELF('./pwnme'))
assert d.lookup(None,     'libc') == libc
assert d.lookup('system', 'libc') == system

# Alternately, we can resolve symbols inside another library,
# given a pointer into it.
d = DynELF(leak, libc + 0x1234)
assert d.lookup('system')      == system
  • 相关阅读:
    checkbox的checked事件的javascript使用方法
    JSTL标签API(c)的使用
    radios控件的使用
    验证方法判斷input是否为空
    软件课设Day5
    软件课设Day4
    软件课设Day3
    软件课设Day2
    软件课设Day1
    2019/08/23最新进展
  • 原文地址:https://www.cnblogs.com/liuyimin/p/7389606.html
Copyright © 2011-2022 走看看