pwntools is a CTF framework written in Python and designed for rapid exploit development; its goal is to let users write exploits simply and quickly.
Installation:
pwntools is best supported on Ubuntu 12.04 and 14.04, but most of its features also work on Debian, Arch,
FreeBSD, OSX and so on. Make sure the following system libraries are installed:
Binutils
  Ubuntu
  Mac OS X
  Alternate OSes
Capstone
  Ubuntu
  Mac OS X
Python Development Headers
  Ubuntu
  Mac OS X
Getting the release version
$ apt-get install python2.7 python2.7-dev python-pip
$ pip install pwntools
Getting the latest version
$ git clone https://github.com/Gallopsled/pwntools
$ cd pwntools
$ pip install -e .
Module index
pwnlib.asm — Assembler functions
pwnlib.atexception — Callbacks on unhandled exception
pwnlib.atexit — Replacement for atexit
pwnlib.constants — Easy access to header file constants
pwnlib.context — Setting runtime variables
pwnlib.dynelf — Resolving remote functions using leaks
pwnlib.elf — Working with ELF binaries
pwnlib.exception — Pwnlib exceptions
pwnlib.gdb — Working with GDB
pwnlib.log — Logging stuff
pwnlib.memleak — Helper class for leaking memory
pwnlib.replacements — Replacements for various functions
pwnlib.rop — Return Oriented Programming
pwnlib.shellcraft — Shellcode generation
pwnlib.term — Terminal handling
pwnlib.timeout — Timeout handling
pwnlib.tubes — Talking to the World!
pwnlib.ui — Functions for user interaction
pwnlib.useragents — A database of useragent strings
pwnlib.util.crc — Calculating CRC-sums
pwnlib.util.cyclic — Generation of unique sequences
pwnlib.util.fiddling — Utilities bit fiddling
pwnlib.util.hashes — Hashing functions
pwnlib.util.iters — Extension of standard module itertools
pwnlib.util.lists — Operations on lists
pwnlib.util.misc — We could not fit it any other place
pwnlib.util.net — Networking interfaces
pwnlib.util.packing — Packing and unpacking of strings
pwnlib.util.proc — Working with /proc/
pwnlib.util.safeeval — Safe evaluation of python code
pwnlib.util.web — Utilities for working with the WWW
1 context: setting runtime variables
context.log_level = 'debug'
2 remote, listen, ssh, process
These support the common operations recvline, recvuntil and clean, and you can interact with the program directly through .interactive()
3 p32 and u32
The former converts a number into a (4-byte) string, the latter does the reverse
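As an added illustration of what p32/u32 (and their 64-bit siblings) do, here is a stand-alone version built on the standard library's struct module. This is not pwntools' own code: pwntools also honours context.endian and context.sign, whereas this version handles unsigned values only and takes the endianness as an explicit parameter. The leaked_pointer helper and the 6-byte sample it is fed are constructed for the example.

```python
import struct

# Added example, not pwntools code: p32/u32/p64/u64 via struct.
_FMT = {32: 'I', 64: 'Q'}
_ENDIAN = {'little': '<', 'big': '>'}


def pack(n, bits=32, endian='little'):
    """Number -> fixed-width byte string (what p32/p64 do).
    Values outside the unsigned range raise instead of silently wrapping."""
    if not 0 <= n < (1 << bits):
        raise ValueError("%#x does not fit in %d unsigned bits" % (n, bits))
    return struct.pack(_ENDIAN[endian] + _FMT[bits], n)


def unpack(data, bits=32, endian='little'):
    """Fixed-width byte string -> number (what u32/u64 do).
    The input must be exactly bits // 8 bytes long."""
    if len(data) != bits // 8:
        raise ValueError("expected %d bytes, got %d" % (bits // 8, len(data)))
    return struct.unpack(_ENDIAN[endian] + _FMT[bits], data)[0]


def p32(n, endian='little'):
    return pack(n, 32, endian)


def u32(data, endian='little'):
    return unpack(data, 32, endian)


def p64(n, endian='little'):
    return pack(n, 64, endian)


def u64(data, endian='little'):
    return unpack(data, 64, endian)


def leaked_pointer(raw):
    """Turn a short leaked chunk (e.g. what recv() returned) into an address.
    x86-64 user-space pointers are 6 significant bytes, so a leak that stops
    early is right-padded with NUL bytes before unpacking (hypothetical helper)."""
    return u64(raw.ljust(8, b'\x00'))


if __name__ == '__main__':
    print(p32(0xdeadbeef))                                   # b'\xef\xbe\xad\xde'
    print(hex(u32(b'\xef\xbe\xad\xde')))                     # 0xdeadbeef
    print(hex(leaked_pointer(b'\x10\x20\x30\x40\x50\x60')))  # constructed 6-byte leak
```

The range check in pack is the part worth copying: a value that does not fit the width is a bug in the script, and failing loudly is better than sending four truncated bytes.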
4 log
Print messages
from pwn import *
import time
log.info('Hello, world!')
p = log.progress('Working')
p.status('Reticulating splines')
time.sleep(1)
p.success('Got a shell!')
5 cyclic and cyclic_find
For a straightforward buffer overflow, these make it easy to determine at which offset eip is controlled
cyclic(20)
cyclic_find('aafb')
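To show why a cyclic pattern pins down an overflow length when triaging a crash, here is an added, stand-alone re-implementation of cyclic() and cyclic_find(); it is not pwntools' own code. It uses the same de Bruijn construction and the same defaults (alphabet a..z, n = 4) as pwntools, so its outputs match the calls above: every 4-character window of the pattern occurs exactly once, so the window that lands in a register maps back to exactly one offset. Accepting an integer (interpreted as n little-endian bytes) is a convenience added here.

```python
# Added example, not pwntools code: de Bruijn based cyclic()/cyclic_find().
ALPHABET = 'abcdefghijklmnopqrstuvwxyz'


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the de Bruijn sequence B(k, n) character by character: every
    string of length n over the alphabet appears exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def gen(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from gen(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from gen(t + 1, t)

    yield from gen(1, 1)


def cyclic(length, alphabet=ALPHABET, n=4):
    """First `length` characters of the pattern (what pwntools' cyclic returns)."""
    out = []
    for c in de_bruijn(alphabet, n):
        if len(out) == length:
            break
        out.append(c)
    return ''.join(out)


def cyclic_find(subseq, alphabet=ALPHABET, n=4):
    """Offset of a length-n window inside the pattern, or -1 if absent.
    `subseq` may be a str, bytes, or an int (the value observed in a register),
    which is interpreted as n little-endian bytes."""
    if isinstance(subseq, int):
        subseq = subseq.to_bytes(n, 'little')
    if isinstance(subseq, bytes):
        subseq = subseq.decode('latin-1')
    if len(subseq) != n:
        raise ValueError("need exactly %d characters, got %d" % (n, len(subseq)))
    # Materialise the full sequence (len(alphabet) ** n characters); a window
    # is unique, so the first match is the only match.
    full = ''.join(de_bruijn(alphabet, n))
    return full.find(subseq)


if __name__ == '__main__':
    print(cyclic(20))            # aaaabaaacaaadaaaeaaa
    print(cyclic_find('aafb'))   # 501
```

The uniqueness property is what makes the trick reliable: with a pattern of repeated 'A's, a crash tells you that the buffer was overrun but not by how much, whereas with the de Bruijn pattern the four bytes that ended up in the register identify the exact offset.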
6 asm and disasm
Quickly assemble and disassemble code
asm('mov eax, 0')
asm(shellcraft.sh())
disasm('\xb8\x0b\x00\x00\x00')
7 shellcraft
Provides many ready-made shellcodes
8 ELF: tools for working with ELF files
elf = ELF('pwn')
hex(elf.address)
hex(elf.symbols['write'])
hex(elf.got['write'])
hex(elf.plt['write'])
9 DynELF
Resolve remote function addresses through an information leak
1 It works even without a copy of the binary
p = process('./pwnme')
# leak(address) must return at least one byte read from that address;
# p.read here stands for whatever primitive leaks memory from the target
def leak(address):
    data = p.read(address, 4)
    return data
main = 0xfeedf4ce   # any pointer into the target binary
d = DynELF(leak, main)
d.lookup('system', 'libc')
2 If you do have the binary, it is faster
d = DynELF(leak, main, elf=ELF('./pwnme'))
10 ROP: simplifies building ROP chains
11 gdb.debug and gdb.attach
1 start the program under gdb and pop up a new window to interact with it
2 attach to a running program; a pid, a pwnlib.tubes object or a socket all work
12 args: quick access to all command-line arguments
python foo.py REMOTE=1
args['REMOTE'] == '1'
13 Some handy utilities
b64d('dGVzdA==')
b64e("test")
bits(511, zero = "+", one = "-") converts the argument to a list of bits
bits_str(511) gives '0000000111111111'
enhex("test") gives '74657374'
isprint(c) checks whether a character is printable
randoms(10) returns a random string such as 'evafjilupm'
rol('abcdefg', 2) gives 'cdefgab'
unhex("74657374") gives 'test'
urldecode("test A")
urlencode
14 net: query network interfaces
15 proc: query processes
16 pause
17 safeeval: evaluate Python code without side effects
18 Others
hexdump
read and write
enhex and unhex
more
group
align and align_down
urlencode and urldecode
which
wget
————————————–
Common ways of interacting with pwnlib.tubes
recv()
recvuntil()
recvline() reads up to and including '\n'
recvlines(n)
recvall() reads until EOF
send()
sendline() appends a newline automatically
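The receive and send semantics listed above are easy to get wrong when writing a script (which calls keep the delimiter, which block until EOF), so here is an added example, not pwntools code, of a minimal tube-like wrapper with exactly those semantics. It is driven over a local socketpair, with the other end playing the "remote" service, so it runs offline; the banner and prompt it sends are constructed for the example.

```python
import socket

# Added example, not pwntools code: a minimal tube with recv/recvuntil/
# recvline/recvlines/recvall/send/sendline over a socket.


class MiniTube:
    def __init__(self, sock):
        self.sock = sock
        self.buf = b''          # received but not yet consumed

    def _fill(self):
        """Read one chunk into the buffer; return False at EOF."""
        chunk = self.sock.recv(4096)
        if not chunk:
            return False
        self.buf += chunk
        return True

    def recv(self, n=4096):
        """Up to n bytes, whatever is available (like tube.recv)."""
        if not self.buf and not self._fill():
            return b''
        data, self.buf = self.buf[:n], self.buf[n:]
        return data

    def recvuntil(self, delim):
        """Everything up to and including delim; b'' if EOF comes first."""
        while delim not in self.buf:
            if not self._fill():
                return b''
        idx = self.buf.index(delim) + len(delim)
        data, self.buf = self.buf[:idx], self.buf[idx:]
        return data

    def recvline(self):
        return self.recvuntil(b'\n')     # the newline is kept, as in pwntools

    def recvlines(self, n):
        return [self.recvline() for _ in range(n)]

    def recvall(self):
        """Drain the connection until EOF."""
        while self._fill():
            pass
        data, self.buf = self.buf, b''
        return data

    def send(self, data):
        self.sock.sendall(data)

    def sendline(self, data):
        self.send(data + b'\n')


def demo():
    """Drive MiniTube against a scripted peer; return what each call saw."""
    ours, peer = socket.socketpair()
    t = MiniTube(ours)
    # Constructed banner standing in for what a real service would print.
    peer.sendall(b'== demo service ==\nwelcome\nname: ')
    banner = t.recvlines(2)          # [b'== demo service ==\n', b'welcome\n']
    prompt = t.recvuntil(b': ')      # b'name: '
    t.sendline(b'alice')
    echoed = peer.recv(64)           # b'alice\n': sendline added the newline
    peer.sendall(b'bye\n')
    peer.shutdown(socket.SHUT_WR)    # EOF for our side
    rest = t.recvall()               # b'bye\n'
    ours.close()
    peer.close()
    return banner, prompt, echoed, rest


if __name__ == '__main__':
    print(demo())
```

Two details matter in practice: recvuntil only returns once the whole delimiter has arrived, so a prompt that is sent in several TCP segments is still matched correctly, and recvall blocks until the peer closes its side, which is why scripts that call it against a service that never closes appear to hang.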
——————————-
>>> 'b800000000'.decode('hex')
'\xb8\x00\x00\x00\x00'
>>> '\xb8\x00\x00\x00\x00'.encode('hex')
'b800000000'
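The helpers in section 13 and the hex round trip in the Python 2 session above are small enough to reimplement in plain Python, which also shows their Python 3 equivalents: str.encode('hex') and str.decode('hex') no longer exist there, and bytes.hex() / bytes.fromhex() (wrapped here as enhex/unhex) take their place. This is an added example and not pwntools' own code; ror and the odd-length handling in unhex are additions, and isprint is defined here as letters, digits, punctuation and space.

```python
import base64
import string

# Added example, not pwntools code: plain-Python versions of the section 13
# helpers, checked against the outputs the page lists.


def _as_bytes(x):
    return x.encode() if isinstance(x, str) else bytes(x)


def enhex(x):
    """'test' -> '74657374' (pwntools enhex / Python 2 .encode('hex'))."""
    return _as_bytes(x).hex()


def unhex(s):
    """'74657374' -> b'test' (pwntools unhex / Python 2 .decode('hex')).
    Odd-length input is left-padded with a 0, so '5' means 0x05."""
    s = s.strip()
    if len(s) % 2:
        s = '0' + s
    return bytes.fromhex(s)


def bits(n, zero='0', one='1'):
    """Bit list, most significant bit first, padded to whole bytes."""
    if n < 0:
        raise ValueError("negative numbers are not supported")
    width = max(8, (n.bit_length() + 7) // 8 * 8)
    return [one if c == '1' else zero for c in format(n, '0%db' % width)]


def bits_str(n, zero='0', one='1'):
    return ''.join(bits(n, zero, one))


def rol(s, k):
    """Rotate a string or list left by k positions (k may exceed len(s))."""
    k %= len(s)
    return s[k:] + s[:k]


def ror(s, k):
    return rol(s, -k)


def isprint(c):
    return c in string.ascii_letters + string.digits + string.punctuation + ' '


def b64e(x):
    return base64.b64encode(_as_bytes(x)).decode()


def b64d(s):
    return base64.b64decode(s)


if __name__ == '__main__':
    print(enhex('test'), unhex('74657374'))                   # 74657374 b'test'
    print(bits_str(511), bits(511, zero='+', one='-'))
    print(rol('abcdefg', 2), ror('abcdefg', 2))               # cdefgab fgabcde
    print(enhex(b'\xb8\x00\x00\x00\x00'), unhex('b800000000'))  # b800000000 b'\xb8\x00\x00\x00\x00'
```

Note that unhex returns bytes, not str: the page's 'test' is Python 2 output, and in Python 3 the decoded machine code from the session above is b'\xb8\x00\x00\x00\x00', which is what asm() and disasm() exchange.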