Some modifications to the exploit template generated by pwntools

After installing pwntools, a few command-line tools become available:

~ pwn template -h
usage: pwn template [-h] [--host HOST] [--port PORT] [--user USER]
                    [--pass PASSWORD] [--path PATH]
                    [exe]

positional arguments:
  exe              Target binary

optional arguments:
  -h, --help       show this help message and exit
  --host HOST      Remote host / SSH server
  --port PORT      Remote port / SSH port
  --user USER      SSH Username
  --pass PASSWORD  SSH Password
  --path PATH      Remote path of file on SSH server

But the template it generates has a problem: it directly returns the process launched by gdb.debug, so in some situations, once the gdb process has exited, you no longer get a normal response from the target.

~ pwn template
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from pwn import *

# Set up pwntools for the correct architecture
context.update(arch='i386')
exe = './path/to/binary'

# Many built-in settings can be controlled on the command-line and show up
# in "args".  For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
continue
'''.format(**locals())


def start(argv=[], *a, **kw):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe] + argv, *a, **kw)

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
io = start()

# shellcode = asm(shellcraft.sh())
# payload = fit({
#     32: 0xdeadbeef,
#     'iaaa': [1, 2, 'Hello', 3]
# }, length=128)
# io.send(payload)
# flag = io.recv(...)
# log.success(flag)

io.interactive()

So I made some modifications:

# -*- coding: utf-8 -*-
from pwn import *

# Load the target; context.binary also sets arch/os/bits from the ELF header
exe = context.binary = ELF('./level32-2')
host = '127.0.0.1'
port = 10003

# gdb commands executed right after attaching
gdbscript = '''
b main
'''

# ./exploit.py I   -> dump all data sent and received
if args.I:
    context.log_level = 'debug'

def local():
    return process(exe.path)

def remote():            # shadows pwntools' remote(); connect() is its alias
    return connect(host, port)

# ./exploit.py R   -> remote target, otherwise a local process
start = remote if args.R else local
#===========================================================

#===========================================================
io = start()

# ./exploit.py D   -> attach gdb to the already running tube instead of
# letting gdb.debug own the process
if args.D:
    gdb.attach(io, gdbscript)
io.interactive()
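A fuller version of the same local/remote/attach switch, added here as an example (it is neither the post's nor pwntools' own code). It keeps the post's binary path, host and port, lets HOST= and PORT= override them on the command line, and attaches gdb to a tube that was opened first, as the modified template does. The flag parsing is a simplified re-implementation of the convention pwntools' args follows, so the selection logic can be checked without launching anything; the tmux split assigned to context.terminal is an assumption about the reader's terminal.

```python
import re, sys

BINARY = './level32-2'                      # binary path used in the post
DEFAULT_HOST, DEFAULT_PORT = '127.0.0.1', 10003
GDBSCRIPT = 'b main\ncontinue\n'

# Same convention as pwntools' `args`: an all-caps word on the command line is
# a flag, an all-caps NAME=value word is a setting.  Re-implemented here in a
# simplified form so the selection logic can be checked without pwntools.
_FLAG = re.compile(r'^([A-Z][A-Z0-9_]*)(?:=(.*))?$')

def parse_flags(argv):
    """Return e.g. {'R': True, 'HOST': '10.0.0.5'} from the argv words."""
    found = {}
    for word in argv:
        m = _FLAG.match(word)
        if m:
            found[m.group(1)] = True if m.group(2) is None else m.group(2)
    return found

def plan(flags):
    """Turn flags into a start plan: local vs remote, target, gdb, logging."""
    return {
        'mode': 'remote' if flags.get('R') else 'local',
        'host': flags.get('HOST', DEFAULT_HOST),
        'port': int(flags.get('PORT', DEFAULT_PORT)),
        'gdb': bool(flags.get('D')),
        'log_level': 'debug' if flags.get('I') else 'info',
    }

def start(argv):
    """Open the tube first, then attach gdb to it, so the tube stays ours."""
    from pwn import context, ELF, process, remote, gdb   # only needed to run
    p = plan(parse_flags(argv))
    context.log_level = p['log_level']
    if p['mode'] == 'remote':
        io = remote(p['host'], p['port'])
    else:
        exe = context.binary = ELF(BINARY)
        io = process(exe.path)
    if p['gdb']:
        # gdb.attach opens gdb in a new terminal window; this split is for
        # tmux, set context.terminal to match your own terminal emulator.
        context.terminal = ['tmux', 'splitw', '-h']
        gdb.attach(io, gdbscript=GDBSCRIPT)
    return io

if __name__ == '__main__':
    start(sys.argv[1:]).interactive()
```

Run it as `python exploit.py D` for a local process with gdb attached, or `python exploit.py R HOST=10.0.0.5 PORT=4000` against a remote target.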

 

Reposted from: https://www.cnblogs.com/junmoxiao/p/7545869.html
