pwntools learning notes


Official documentation: http://docs.pwntools.com/en/stable/index.html

Installation

Prerequisites

Ubuntu:

For Ubuntu 12.04 through 15.10, you must first add the pwntools Personal Package Archive repository. Ubuntu Xenial (16.04) has official packages for most architectures, and does not require this step.

$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:pwntools/binutils
$ sudo apt-get update

Then, install the binutils for your architecture.

$ sudo apt-get install binutils-$ARCH-linux-gnu

MacOS:

Mac OS X is just as easy, but requires building binutils from source. However, we've made homebrew recipes to make this a single command. After installing brew, grab the appropriate recipe from our binutils repo.

$ brew install https://raw.githubusercontent.com/Gallopsled/pwntools-binutils/master/osx/binutils-$ARCH.rb

Released Version

pwntools is available as a pip package.

$ sudo apt-get install python2.7 python2.7-dev python-pip
$ sudo pip install --upgrade pwntools

Development

If you are hacking on Pwntools locally, you'll want to do something like this:

$ git clone https://github.com/Gallopsled/pwntools
$ sudo pip install --upgrade --editable ./pwntools

Getting Started

To get your feet wet with pwntools, let's first go through a few examples. When writing exploits, pwntools generally follows the “kitchen sink” approach.

>>> from pwn import *

Commonly used modules

  • asm: assembly and disassembly
  • dynelf: remote symbol resolution via leaks; you must supply a leak function
  • elf: operations on ELF files
  • gdb: debugging together with gdb
  • memleak: helpers for memory leaks
  • shellcraft: shellcode generator
  • tubes: includes tubes.sock, tubes.process, tubes.ssh and tubes.serialtube, the pipe types for different scenarios
  • utils: assorted small utilities, e.g. CRC computation and cyclic patterns

tubes read/write interface

remote

>>> conn = remote('ftp.debian.org',21)
>>> conn.recvline()
'220 ...'
>>> conn.send('USER anonymous\r\n')
>>> conn.recvuntil(' ',drop = True)
'331'
>>> conn.recvline()
'Please specify the password.\r\n'
>>> conn.close()

SSH

There’s even an SSH module for when you’ve got to SSH into a box to perform a local/setuid exploit with pwnlib.tubes.ssh. You can quickly spawn processes and grab the output, or spawn a process and interact with it like a process tube.

>>> shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0')
>>> shell['whoami']
'bandit0'
>>> shell.download_file('/etc/motd')
>>> sh = shell.run('sh')
>>> sh.sendline('sleep 3; echo hello world;') 
>>> sh.recvline(timeout=1)
''
>>> sh.recvline(timeout=5)
'hello world\n'
>>> shell.close()

process

>>> sh = process('/bin/sh')
>>> sh.sendline('sleep 3; echo hello world!;')
>>> sh.recvline(timeout=1)
''
>>> sh.recvline(timeout=5)
'hello world!\n'
>>> sh.close()

listen

>>> l = listen()
>>> r = remote('localhost', l.lport)
>>> c = l.wait_for_connection()
>>> r.send('hello')
>>> c.recv()
'hello'

Main read/write functions

  • interactive() hand the tube over for direct interaction
  • recv(numb = 4096, timeout = default) receive up to the given number of bytes
  • recvall() keep receiving until EOF
  • recvline(keepends = True) receive one line; keepends says whether the trailing '\n' is kept
  • recvuntil(delims, drop = False) read until the delims pattern appears
  • recvrepeat(timeout = default) keep receiving until EOF or timeout
  • send(data) send data
  • sendline(data) send one line of data, i.e. data with '\n' appended
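To make the buffering behaviour of these functions concrete, here is a small pure-Python tube that replays the notes' FTP exchange over a local socketpair. This is an added illustration written for these notes, not pwnlib's own tube code; MiniTube, demo and the banner text are constructed here.

```python
import socket

class MiniTube:
    """Buffered reader with pwntools-style recv helpers (an illustration, not pwnlib's tube)."""

    def __init__(self, sock, timeout=1.0):
        self.sock, self.buf = sock, b""
        self.sock.settimeout(timeout)

    def _fill(self):
        """Pull more bytes into the shared buffer; False on EOF or timeout."""
        try:
            chunk = self.sock.recv(4096)
        except socket.timeout:
            chunk = b""
        self.buf += chunk
        return bool(chunk)

    def recvuntil(self, delims, drop=False):
        """Consume through the first delimiter found; drop=True returns the data without it."""
        if isinstance(delims, bytes):
            delims = [delims]
        while True:
            for d in delims:
                idx = self.buf.find(d)
                if idx != -1:
                    end = idx + len(d)
                    data, self.buf = self.buf[:end], self.buf[end:]
                    return data[:idx] if drop else data
            if not self._fill():          # nothing more will arrive; unread bytes stay buffered
                return b""

    def recvline(self, keepends=True):
        """One line; keepends=False strips only the trailing '\\n'."""
        return self.recvuntil(b"\n", drop=not keepends)

def demo():
    """Replay the notes' FTP exchange over a socketpair with a constructed banner."""
    client, server = socket.socketpair()
    server.sendall(b"220 ftp ready\r\n331 Please specify the password.\r\n")   # constructed
    t = MiniTube(client)
    banner = t.recvline(keepends=False)     # b"220 ftp ready\r"
    code = t.recvuntil(b" ", drop=True)     # b"331"
    msg = t.recvline()                      # b"Please specify the password.\r\n"
    leftover = t.buf                        # nothing is lost between calls: b""
    client.close(); server.close()
    return banner, code, msg, leftover
```

The point to take away is that every recv helper draws from one shared buffer, so whatever recvuntil does not consume is still there for the next recvline.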

Packing Integers

A common task for exploit-writing is converting between integers as Python sees them, and their representation as a sequence of bytes. Usually folks resort to the built-in struct module. pwntools makes this easier with pwnlib.util.packing. No more remembering unpacking codes, and littering your code with helper routines.

>>> import struct
>>> p32(0xdeadbeef) == struct.pack('I', 0xdeadbeef)
True
>>> leet = '37130000'.decode('hex')
>>> u32('abcd') == struct.unpack('I', 'abcd')[0]
True

The packing/unpacking operations are defined for many common bit-widths.

>>> u8('A') == 0x41
True

Assembler functions

Use context to select the CPU type and operating system. The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from:

>>> context.os = 'android', 'cgc', 'freebsd', 'linux', 'windows'
>>> context.arch = 'powerpc64', 'aarch64', 'sparc64', 'powerpc', 'mips64', 'msp430', 'thumb', 'amd64', 'sparc', 'alpha', 's390', 'i386', 'm68k', 'mips', 'ia64', 'cris', 'vax', 'avr', 'arm'
>>> context.endian = 'little', 'big', 'el', 'le', 'be', 'eb'
>>> context.word_size = 16, 32, 64

Assembling with asm

>>> asm("mov eax, SYS_select", arch = 'i386', os = 'freebsd')
'\xb8]\x00\x00\x00'
>>> asm("mov eax, SYS_select", arch = 'amd64', os = 'linux')
'\xb8\x17\x00\x00\x00'
>>> asm("mov rax, SYS_select", arch = 'amd64', os = 'linux')
'H\xc7\xc0\x17\x00\x00\x00'
>>> asm("mov r0, #SYS_select", arch = 'arm', os = 'linux', bits=32)
'R\x00\xa0\xe3'

Disassembling with disasm

>>> print disasm('6a0258cd80ebf9'.decode('hex'))
   0:   6a 02                   push   0x2
   2:   58                      pop    eax
   3:   cd 80                   int    0x80
   5:   eb f9                   jmp    0x0
>>> print disasm('b85d000000'.decode('hex'), arch = 'i386')
   0:   b8 5d 00 00 00          mov    eax,0x5d
>>> print disasm('b85d000000'.decode('hex'), arch = 'i386', byte = 0)
   0:   mov    eax,0x5d
>>> print disasm('b85d000000'.decode('hex'), arch = 'i386', byte = 0, offset = 0)
mov    eax,0x5d
>>> print disasm('b817000000'.decode('hex'), arch = 'amd64')
   0:   b8 17 00 00 00          mov    eax,0x17
>>> print disasm('48c7c017000000'.decode('hex'), arch = 'amd64')
   0:   48 c7 c0 17 00 00 00    mov    rax,0x17
>>> print disasm('04001fe552009000'.decode('hex'), arch = 'arm')
   0:   e51f0004        ldr     r0, [pc, #-4]   ; 0x4
   4:   00900052        addseq  r0, r0, r2, asr r0
>>> print disasm('4ff00500'.decode('hex'), arch = 'thumb', bits=32)
   0:   f04f 0005       mov.w   r0, #5

Shellcode generator

List all supported shellcodes; there are many, so they are not reproduced here.

$ shellcraft --list

Simple example:

>>> print shellcraft.i386.nop().strip('\n')
    nop
>>> print shellcraft.i386.linux.sh()
    /* push argument array ['sh\x00'] */
    /* push 'sh\x00\x00' */
    push 0x1010101
    xor dword ptr [esp], 0x1016972
    xor ecx, ecx
    push ecx /* null terminate */
    push 4
    pop ecx
    add ecx, esp
    push ecx /* 'sh\x00' */
    mov ecx, esp
 
    /* push '/bin///sh\x00' */
    push 0x68
    push 0x732f2f2f
    push 0x6e69622f
 
    /* call execve('esp', 'ecx', 0) */
    push (SYS_execve) /* 0xb */
    pop eax
    mov ebx, esp
    cdq /* edx=0 */
    int 0x80
