之前主要是使用zio庫,對pwntools的瞭解僅限於DynELF,以為zio就可以取代pwntools。後來發現pwntools有很多的高階用法都不曾聽說過,這次學習一下用法,希望可以在以後的exp編寫中能提供效率。
send(data) : 傳送資料
sendline(data) : 傳送一行資料,相當於在末尾加\n
recv(numb=4096, timeout=default) : 給出接收位元組數,timeout指定超時
recvuntil(delims, drop=False) : 接收到delims的pattern
(以下可以看作until的特例)
recvline(keepends=True) : 接收到\n,keepends指定保留\n
recvall() : 接收到EOF
recvrepeat(timeout=default) : 接收到EOF或timeout
interactive() : 與shell互動
>>> e = ELF('/bin/cat')
>>> print hex(e.address) # 檔案裝載的基地址
0x400000
>>> print hex(e.symbols['write']) # 函式地址
0x401680
>>> print hex(e.got['write']) # GOT表的地址
0x60b070
>>> print hex(e.plt['write']) # PLT的地址
0x401680
DynELF是leak資訊的神器。前提條件是要提供一個輸入地址,輸出此地址最少1byte數的函式。官網給出的說明是:Given a function which can leak data at an arbitrary address, any symbol in any loaded library can be resolved.
# Assume a process or remote connection
p = process('./pwnme')
# Declare a function that takes a single address, and
# leaks at least one byte at that address.
def leak(address):
data = p.read(address, 4)
log.debug("%#x => %s" % (address, (data or '').encode('hex')))
return data
# For the sake of this example, let's say that we
# have any of these pointers. One is a pointer into
# the target binary, the other two are pointers into libc
main = 0xfeedf4ce
libc = 0xdeadb000
system = 0xdeadbeef
# With our leaker, and a pointer into our target binary,
# we can resolve the address of anything.
#
# We do not actually need to have a copy of the target
# binary for this to work.
d = DynELF(leak, main)
assert d.lookup(None, 'libc') == libc
assert d.lookup('system', 'libc') == system
# However, if we *do* have a copy of the target binary,
# we can speed up some of the steps.
d = DynELF(leak, main, elf=ELF('./pwnme'))
assert d.lookup(None, 'libc') == libc
assert d.lookup('system', 'libc') == system
# Alternately, we can resolve symbols inside another library,
# given a pointer into it.
d = DynELF(leak, libc + 0x1234)
assert d.lookup('system') == system