pwntools脚本模板

对于每次研究pwn的时候，如果没有一个初始脚本的话，要写一个完整的pwntools脚本还是比较花费时间的，下面是通用脚本。

pwntools模板

#!/usr/bin/python3
# -*- coding:utf-8 -*-

from pwn import *
import os, struct, random, time, sys, signal

context.arch = 'amd64'
# context.arch = 'i386'
context.log_level = 'debug'
execve_file = './a.out'
sh = process(execve_file)
# sh = remote('', 0)
elf = ELF(execve_file)
# libc = ELF('./libc-2.31.so')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# Create temporary files for GDB debugging
try:
    gdbscript = '''
    define pr
        x/16gx $rebase(0x0)
        end

    b *$rebase(0x0)
    '''

    f = open('/tmp/gdb_pid', 'w')
    f.write(str(proc.pidof(sh)[0]))
    f.close()

    f = open('/tmp/gdb_script', 'w')
    f.write(gdbscript)
    f.close()
except Exception as e:
    pass

sh.interactive()

os.remove('/tmp/gdb_pid')
os.remove('/tmp/gdb_script')

配合下面这条命令使用，支持本地，同样支持远程。

gdb -q -p $(cat /tmp/gdb_pid) -x /tmp/gdb_script

gdbs_cript是gdb自启动脚本，可以声明或者定义自己的变量，或者下断点。

gdb_symbols可以在二进制程序中加入结构体，或者全局变量，也可以写动态库劫持函数进行程序的一些初始化操作。

注意加入gdb_symbols.so可能会导致程序一遍变量产生偏移，所以调试完成之后，建议去掉gdb_symbols.so再进行测试。

循环爆破脚本

#!/usr/bin/python2
# -*- coding:utf-8 -*-

from pwn import *
import time, signal, os, struct, random, sys

interval = 60
execve_file = './a.out'
libc_file = '/lib/x86_64-linux-gnu/libc.so.6'
# libc_file = './libc-2.27.so'

def end_handle(signum=None, stack=None): exit(0)

for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]: signal.signal(sig, end_handle)

context.arch = 'amd64'
# context.arch = 'i386'
context.log_level = 'error'
elf = ELF(execve_file)
libc = ELF(libc_file)



while(True):
    sh = process(execve_file)
    # sh = remote('', 0)
    try:


        sh.interactive()
        break
    except Exception as e: 
        sh.close()

exp.sh

专门用于爆破部分覆盖，其原理就是监控错误流。

#!/bin/sh

EXP_FILE=$1
INTERPRETER="python3"
STDERR_FILE="/tmp/exp.sh.err"

times=0
trap   " rm -f $STDERR_FILE ; exit "  INT

if [ ! $1 ]
then
    echo "Usage: ./exp.sh ./your_file.py"
    exit
fi

ulimit -c 0

while ((!(test -e $STDERR_FILE) || (test -s $STDERR_FILE)))
do
    times=$((times+1))
    printf "times %d\n\n" $times
    $INTERPRETER $EXP_FILE 2>$STDERR_FILE
done

rm -f $STDERR_FILE

当爆破概率很小时，这种方法会显得过于臃肿，不建议用这种方法，推荐直接用while循环，速度会更块一点。

针对其他机器类型 gdb.sh

#!/bin/sh
FILE_PATH=`cat /tmp/gdb_name`
gdb-multiarch -q \
    -ex "file $FILE_PATH" \
    -ex "set architecture auto" \
    -ex "target remote localhost:1234" \
    -x /tmp/gdb_script

对应exp.py

#!/usr/bin/python3
# -*- coding:utf-8 -*-

from pwn import *
import os, struct, random, time, sys, signal

# context.arch = 'arm'
context.log_level = 'debug'
execve_file = './a.out'
sh = process(execve_file)
# sh = process(["qemu-arm", "-g", "1234", execve_file])
# sh = remote('', 0)
elf = ELF(execve_file)

# Create temporary files for GDB debugging
try:
    gdbscript = '''

    '''

    f = open('/tmp/gdb_name', 'w')
    f.write(execve_file)
    f.close()

    f = open('/tmp/gdb_script', 'w')
    f.write(gdbscript)
    f.close()
except Exception as e:
    pass


sh.interactive()

os.remove('/tmp/gdb_name')
os.remove('/tmp/gdb_script')