CTF常用python库PwnTools的使用学习
之前主要是使用zio库,对pwntools的了解仅限于DynELF,以为zio就可以取代pwntools。后来发现pwntools有很多的高级用法都不曾听说过,这次学习一下用法,希望可以在以后的exp编写中能提供效率。
PwnTools的官网如下:http://pwntools.com/
安装方法是使用pip命令,pip install pwn。这样就可以安装上pwn库了。使用时用from pwn import *来进行调用。
连接
本地process()、远程remote()。对于remote函数可以接url并且指定端口。
IO模块
下面给出了PwnTools中的主要IO函数。这个比较容易跟zio搞混,记住zio是read、write,pwn是recv、send就可以了。
send(data) : 发送数据 sendline(data) : 发送一行数据,相当于在末尾加\n recv(numb=4096, timeout=default) : 给出接收字节数,timeout指定超时 recvuntil(delims, drop=False) : 接收到delims的pattern (以下可以看作until的特例) recvline(keepends=True) : 接收到\n,keepends指定保留\n recvall() : 接收到EOF recvrepeat(timeout=default) : 接收到EOF或timeout interactive() : 与shell交互
ELF模块
ELF模块用于获取ELF文件的信息,首先使用ELF()获取这个文件的句柄,然后使用这个句柄调用函数,和IO模块很相似。
下面演示了:获取基地址、获取函数地址(基于符号)、获取函数got地址、获取函数plt地址
>>> e = ELF('/bin/cat') >>> print hex(e.address) # 文件装载的基地址 0x400000 >>> print hex(e.symbols['write']) # 函数地址 0x401680 >>> print hex(e.got['write']) # GOT表的地址 0x60b070 >>> print hex(e.plt['write']) # PLT的地址 0x401680
数据处理
主要是对整数进行打包,就是转换成二进制的形式,比如转换成地址。p32、p64是打包,u32、u64是解包。
DynELF
DynELF是leak信息的神器。前提条件是要提供一个输入地址,输出此地址最少1byte数的函数。官网给出的说明是:Given a function which can leak data at an arbitrary address, any symbol in any loaded library can be resolved.
很叼啊,有木有。以下是官方例程
# Assume a process or remote connection p = process('./pwnme') # Declare a function that takes a single address, and # leaks at least one byte at that address. def leak(address): data = p.read(address, 4) log.debug("%#x => %s" % (address, (data or '').encode('hex'))) return data # For the sake of this example, let's say that we # have any of these pointers. One is a pointer into # the target binary, the other two are pointers into libc main = 0xfeedf4ce libc = 0xdeadb000 system = 0xdeadbeef # With our leaker, and a pointer into our target binary, # we can resolve the address of anything. # # We do not actually need to have a copy of the target # binary for this to work. d = DynELF(leak, main) assert d.lookup(None, 'libc') == libc assert d.lookup('system', 'libc') == system # However, if we *do* have a copy of the target binary, # we can speed up some of the steps. d = DynELF(leak, main, elf=ELF('./pwnme')) assert d.lookup(None, 'libc') == libc assert d.lookup('system', 'libc') == system # Alternately, we can resolve symbols inside another library, # given a pointer into it. d = DynELF(leak, libc + 0x1234) assert d.lookup('system') == system