pwntools脚本模板

每次研究 pwn 的时候,如果没有一个初始脚本,要写一个完整的 pwntools 脚本还是比较花时间的,下面是通用脚本。

pwntools模板

#!/usr/bin/python2
# -*- coding:utf-8 -*-

from pwn import *
import os
import struct
import random
import time
import sys
import signal

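def clear(signum=None, stack=None):
    """Remove the GDB helper files under /tmp and terminate the script.

    Registered below as the handler for SIGINT/SIGHUP/SIGTERM (hence the
    unused ``signum`` and ``stack`` parameters) and also called explicitly
    once the interactive session ends, so it must tolerate files that do
    not exist.
    """
    print('Strip  all debugging information')
    tmp_dir = '/tmp'
    try:
        entries = os.listdir(tmp_dir)
    except OSError:
        entries = []
    # Same file set as the former `rm -f /tmp/gdb_symbols* /tmp/gdb_pid
    # /tmp/gdb_script`, removed directly instead of through a shell.
    targets = [os.path.join(tmp_dir, name) for name in entries
               if name.startswith('gdb_symbols')]
    targets.extend([os.path.join(tmp_dir, 'gdb_pid'),
                    os.path.join(tmp_dir, 'gdb_script')])
    for path in targets:
        try:
            os.remove(path)
        except OSError:
            pass  # mirrors `rm -f`: a missing file is not an error
    # sys.exit rather than the site-provided exit() builtin, which is
    # absent when Python runs with -S.
    sys.exit(0)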

# Ctrl-C, hangup and termination all run clear() so the /tmp helper
# files do not outlive the session.
for sig in (signal.SIGINT, signal.SIGHUP, signal.SIGTERM):
    signal.signal(sig, clear)

# # Create a symbol file for GDB debugging
# try:
#     gdb_symbols = '''

#     '''

#     f = open('/tmp/gdb_symbols.c', 'w')
#     f.write(gdb_symbols)
#     f.close()
#     os.system('gcc -g -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so')
#     # os.system('gcc -g -m32 -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so')
# except Exception as e:
#     pass

# Target layout: 64-bit by default; switch to the i386 line for a 32-bit binary.
context.update(arch='amd64', log_level='debug')
# context.update(arch='i386', log_level='debug')
execve_file = './a.out'
# Local process by default; the remote() line is for the live target.
# sh = process(execve_file, env={'LD_PRELOAD': '/tmp/gdb_symbols.so'})
sh = process(execve_file)
# sh = remote('', 0)
elf = ELF(execve_file)
# libc = ELF('./libc-2.27.so')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

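# Create temporary files for GDB debugging: the target's PID and a GDB
# start-up script, consumed by
#     gdb -q -p $(cat /tmp/gdb_pid) -x /tmp/gdb_script
# This is best effort -- a failure must not abort the session -- but it is
# reported on stderr rather than swallowed, so a missing /tmp/gdb_pid is
# explained. Note the names are fixed and /tmp is shared with other local
# users; fine on a single-user research machine.
try:
    gdbscript = '''

    '''

    with open('/tmp/gdb_pid', 'w') as f:
        f.write(str(proc.pidof(sh)[0]))

    with open('/tmp/gdb_script', 'w') as f:
        f.write(gdbscript)
except Exception as e:
    sys.stderr.write('gdb helper files not written: %r\n' % (e,))

sh.interactive()
clear()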

配合下面这条命令使用,支持本地,同样支持远程。

gdb -q -p $(cat /tmp/gdb_pid) -x /tmp/gdb_script

gdb_script 是 gdb 的自启动脚本,可以声明或者定义自己的变量,或者下断点。

gdb_symbols可以在二进制程序中加入结构体,或者全局变量,也可以写动态库劫持函数进行程序的一些初始化操作。

注意加入 gdb_symbols.so 可能会导致程序内的变量产生偏移,所以调试完成之后,建议去掉 gdb_symbols.so 再进行测试。

循环爆破脚本

#!/usr/bin/python2
# -*- coding:utf-8 -*-

from pwn import *
import time, signal, os, struct, random, sys

execve_file = './a.out'                        # binary under test
libc_file = '/lib/x86_64-linux-gnu/libc.so.6'  # system libc; point at the target's copy if different
# libc_file = './libc-2.27.so'
interval = 60                                  # not referenced by this script

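def end_handle(signum=None, stack=None):
    """Signal handler: stop the brute-force loop with exit status 0.

    ``signum`` and ``stack`` are the handler arguments and are unused.
    Uses sys.exit rather than the site-provided exit() builtin, which is
    absent when Python runs with -S.
    """
    sys.exit(0)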

# Ctrl-C, hangup or termination ends the retry loop through end_handle.
for sig in (signal.SIGINT, signal.SIGHUP, signal.SIGTERM):
    signal.signal(sig, end_handle)

# 64-bit target by default; only pwntools errors are printed while looping.
context.update(arch='amd64', log_level='error')
# context.update(arch='i386', log_level='error')
elf = ELF(execve_file)
libc = ELF(libc_file)

# Restart the target until one attempt gets through sh.interactive();
# any exception raised during the session closes that process and retries.
while True:
    sh = process(execve_file)
    # sh = remote('', 0)
    try:
        sh.interactive()
    except Exception:
        sh.close()
        continue
    break

exp.sh

专门用于爆破部分覆盖,其原理就是监控脚本的标准错误输出(stderr)。

#!/bin/sh

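# Re-run an exploit script until one run writes nothing to stderr.
# Usage: ./exp.sh ./your_file.py
EXP_FILE=$1
INTERPRETER="python2"

if [ -z "$EXP_FILE" ]
then
    echo "Usage: ./exp.sh ./your_file.py" >&2
    exit 1
fi

# Per-run stderr capture. mktemp gives an unpredictable name, so another
# local user cannot pre-create the file under the shared /tmp.
STDERR_FILE=$(mktemp /tmp/exp.sh.err.XXXXXX) || exit 1

times=0
# Remove the capture file on Ctrl-C or termination; quoted so the
# expansion happens when the trap fires.
trap 'rm -f "$STDERR_FILE"; exit' INT TERM

# Disable core dumps so repeated crashes of the target do not leave core files.
ulimit -c 0

# -s is "exists and is non-empty": keep going while the last run produced
# stderr output, stop on the first silent run.
while :
do
    times=$((times+1))
    printf "times %d\n\n" "$times"
    "$INTERPRETER" "$EXP_FILE" 2>"$STDERR_FILE"
    [ -s "$STDERR_FILE" ] || break
done

rm -f "$STDERR_FILE"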

当爆破成功概率很小时,这种方法会显得过于臃肿,不建议使用;推荐直接用 while 循环,速度会更快一点。
