PWN入门到入狱

配置调试环境

pwntools 模板

# -*- coding: utf-8 -*-

from pwn import *
import sys
from one_gadget import generate_one_gadget

# gdb is opened in a horizontal tmux split; the alternative below opens a
# new tmux window instead.
context.terminal = ["tmux", "splitw", "-h"]
# context.terminal = ["tmux","new-window"]
# Trace every send/recv on the tube.
context.log_level = "debug"
# context.arch=''

# Non-zero: attach gdb to the local process before exp() runs (see __main__).
DEBUG = 1

# Target selection. LOCAL is re-assigned in __main__ depending on sys.argv;
# BIN is the path of the binary under test and must be filled in.
LOCAL = True
BIN = ''
HOST = '127.0.0.1'
PORT = 1234

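def get_base_address(proc):
    """Return the start address of the first mapping of ``proc``.

    Args:
        proc: any object with a ``pid`` attribute (e.g. a pwntools ``process``).

    Returns:
        int: start address of the first line of ``/proc/<pid>/maps``. For a
        PIE binary this is normally the executable's load base — this assumes
        the binary is the lowest mapping, which is the usual Linux layout but
        should be confirmed for the target.

    Raises:
        OSError: the maps file cannot be opened (no /proc, or no permission).
        ValueError: the first line is empty or not a hex range.
    """
    # Text mode: the original opened the file in binary mode and then split on
    # the str '-', which raises TypeError on Python 3. `with` closes the
    # handle instead of leaking it.
    with open("/proc/{}/maps".format(proc.pid), "r") as maps:
        first_line = maps.readline()
    start, _, _ = first_line.partition("-")
    return int(start, 16)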

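def get_PIE(proc):
    """Return the start address of the first mapping of ``proc``.

    Same contract as ``get_base_address``: reads ``/proc/<pid>/maps`` and
    parses the lower bound of the first range.

    Args:
        proc: any object with a ``pid`` attribute.

    Returns:
        int: start address of the first mapping (the load base for a PIE
        binary when the binary is the lowest mapping — confirm for the target).

    Raises:
        OSError: the maps file cannot be opened.
        IndexError: the maps file is empty.
        ValueError: the first line is not a hex range.
    """
    path = "/proc/{}/maps".format(proc.pid)
    # Text mode so split("-") works on Python 3 too; the handle is closed on exit.
    with open(path, "r") as maps:
        memory_map = maps.readlines()
    return int(memory_map[0].split("-")[0], 16)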

### GDB调试
def debug(bps, _s):
    """Attach gdb to the module-level tube ``p`` with rebased breakpoints.

    Args:
        bps: iterable of offsets relative to the binary's load base; each one
            becomes a ``b *<base+offset>`` command.
        _s: extra gdb commands appended verbatim after the breakpoints.

    Side effects: reads ``/proc/<pid>/maps`` via ``get_base_address`` and
    calls ``gdb.attach`` on ``p``. SIGALRM is ignored so an alarm() in the
    target does not interrupt the session.
    """
    base = get_base_address(p)
    # base = get_PIE(p)   # equivalent helper kept in the template
    commands = ["handle SIGALRM ignore", "set $_base = 0x{:x}".format(base)]
    commands.extend("b *0x%x" % (base + off) for off in bps)
    script = "\n".join(commands) + "\n" + _s
    gdb.attach(p, gdbscript=script)

### 远程本地连接
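def ProLoc(elf_addr, libc_addr, pro_libc):
    """Open the target tube and set the module-level handles.

    Sets the globals ``sh`` (tube), ``elf`` (always ``ELF(elf_addr)``),
    ``libc`` and, in local mode, ``one_ggs``.

    With ``ip port`` on the command line a remote tube is opened and ``libc``
    is ``pro_libc`` — presumably the remote libc as prepared by the caller;
    its type is whatever the caller passes in. Without arguments the binary
    is started locally and ``libc`` is ``ELF(libc_addr)``.

    Args:
        elf_addr: path of the target binary.
        libc_addr: path of the local libc.
        pro_libc: libc object/path to use in remote mode.

    Raises:
        SystemExit: a host was given without a port.
    """
    global sh, elf, libc, one_ggs
    # The original only set `elf` in the local branch, so any use of `elf`
    # after a remote ProLoc() raised NameError.
    elf = ELF(elf_addr)
    if len(sys.argv) > 1:
        if len(sys.argv) < 3:
            sys.exit("usage: {} [ip port]".format(sys.argv[0]))
        ip, port = sys.argv[1], sys.argv[2]
        sh = remote(ip, port)
        libc = pro_libc
    else:
        sh = process(elf_addr)
        libc = ELF(libc_addr)
        # Offsets are derived from the local libc path, so they are only
        # computed in local mode (as in the original).
        one_ggs = one_gadget(libc_addr)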

### Shell_code
def shell_code(fw):
    """Return pwntools' assembled shellcraft ``sh`` payload for a word size.

    Args:
        fw: 32 or 64 (bit width of the target).

    Returns:
        The ``asm`` result for 32/64; ``None`` for any other value — the
        original has no explicit error path, so that is preserved.
    """
    if fw == 32:
        return asm(shellcraft.sh())
    if fw == 64:
        return asm(shellcraft.amd64.linux.sh())
    return None

### One_Gadget
def one_gadget(libc_addr):
    """Collect the offsets reported by ``generate_one_gadget`` for a libc.

    Args:
        libc_addr: filesystem path of the libc to scan.

    Returns:
        list[int]: the offsets, converted to int, in the order produced.
    """
    log.progress("Leak One_Gadgets...")
    return [int(offset) for offset in generate_one_gadget(libc_addr)]
#one_gg = one_gadget("/lib/x86_64-linux-gnu/libc.so.6")

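def exp(p):
    """Exploit body placeholder: hands the tube ``p`` to the user interactively.

    Args:
        p: the pwntools tube opened in ``__main__``.

    The original called ``sh.interactive()``; ``sh`` is only assigned by
    ``ProLoc`` and ``__main__`` never calls it, so the template failed with
    NameError. The tube is now taken from the argument.
    """
    p.interactive()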

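if __name__ == "__main__":
    elf = ELF(BIN)
    if len(sys.argv) > 1:
        # Any argument selects remote mode; HOST/PORT come from the constants
        # above, the argument values themselves are not used here (cf. ProLoc).
        LOCAL = False
        p = remote(HOST, PORT)
        exp(p)
    else:
        LOCAL = True
        p = process(BIN)
        log.info('PID: ' + str(proc.pidof(p)[0]))
        if DEBUG:
            # debug() reads the module-level p assigned just above.
            debug([], "")
        # The original called exp() without the tube; exp takes it as argument.
        exp(p)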

# ➜ DA1SY python exp.py <= 本地
# ➜ DA1SY python exp.py 192.168.10.10 22520 <= 远程 [Ip+Port]
# _*_ coding:utf-8 _*_
from pwn import *


# Trace every send/recv; gdb opens in a horizontal tmux split.
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
# Path of the target binary — fill in before running.
prog = './'
#elf = ELF(prog)#nc 121.36.194.21 49155
# Started at import time; every helper below talks to this module-level tube.
p = process(prog)#,env={"LD_PRELOAD":"./libc-2.27.so"})
libc = ELF("/lib/x86_64-linux-gnu/libc-2.27.so")
# p = remote("124.71.130.185", 49155)#nc 124.71.130.185 49155


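def debug(addr, PIE=True):
    """Attach gdb to the module-level tube ``p`` with one breakpoint per address.

    Args:
        addr: iterable of addresses — offsets from the load base when ``PIE``
            is true, absolute addresses otherwise.
        PIE: whether to rebase ``addr`` on the process's first mapping.

    Side effects: reads ``/proc/<pid>/maps`` (PIE mode) and calls ``gdb.attach``.

    Raises:
        OSError: the maps file cannot be opened.
        ValueError: its first line is not a hex range.
    """
    base = 0
    if PIE:
        # The original shelled out to `pmap <pid> | awk` and never closed the
        # pipe; the first mapping of /proc/<pid>/maps is the same value pmap
        # prints in its first data row, read here without spawning a shell.
        with open("/proc/{}/maps".format(p.pid), "r") as maps:
            base = int(maps.readline().split("-")[0], 16)
    # Single attach for both modes; the original duplicated the loop per branch.
    debug_str = "".join("b *{}\n".format(hex(base + i)) for i in addr)
    gdb.attach(p, debug_str)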

def dbg():
    """Attach gdb to the module-level tube ``p`` with no gdb script."""
    gdb.attach(p)
#-----------------------------------------------------------------------------------------
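# Short aliases around the module-level tube ``p``. Each looks ``p`` up at
# call time, so they are only usable after ``p`` has been assigned above.
def s(data):
    """Send ``data`` as-is (no newline); in case that data is an int."""
    return p.send((data))


def sa(delim, data):
    """Send ``data`` once ``delim`` has been received."""
    return p.sendafter(str(delim), (data))


def sl(data):
    """Send ``data`` followed by a newline."""
    return p.sendline((data))


def sla(delim, data):
    """Send ``data`` plus newline once ``delim`` has been received."""
    return p.sendlineafter(str(delim), (data))


def r(numb=4096):
    """Receive up to ``numb`` bytes."""
    return p.recv(numb)


def ru(delims, drop=True):
    """Receive until ``delims``; ``drop`` controls whether the delimiter is kept."""
    return p.recvuntil(delims, drop)


def it():
    """Hand the tube over to the user."""
    return p.interactive()


def uu32(data):
    """Unpack a little-endian u32 from up to 4 bytes, NUL-padded on the right.

    Pads with the bytes literal ``b'\\0'``: the original used the str ``'\\0'``,
    which raises TypeError on Python 3 where ``recv`` returns bytes.
    """
    return u32(data.ljust(4, b'\0'))


def uu64(data):
    """Unpack a little-endian u64 from up to 8 bytes, NUL-padded on the right."""
    return u64(data.ljust(8, b'\0'))


def bp(bkp):
    """Forward a breakpoint to ``pdbg``.

    NOTE(review): ``pdbg`` is not defined anywhere in this script — presumably
    an external debugger helper; as written this raises NameError when called.
    """
    return pdbg.bp(bkp)


def li(str1, data1):
    """Log ``str1 ========> 0x<data1>`` at success level."""
    return log.success(str1 + '========>' + hex(data1))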


def dbgc(addr):
    """Attach gdb to ``p``, break at the absolute address ``addr`` and continue."""
    script = "b*{}\n c".format(hex(addr))
    gdb.attach(p, script)

def lg(s, addr):
    """Print ``s`` right-aligned to 20 columns and ``addr`` in hex, bold red on black.

    Args:
        s: label (converted with ``str``); note it shadows the module-level
            alias ``s`` inside this function only.
        addr: integer value printed as ``0x<hex>``.
    """
    label = '%20s' % (s,)
    print('\033[1;31;40m%s-->0x%x\033[0m' % (label, addr))

# Prebuilt shellcode string constants taken from the reference linked below.
# They are not referenced anywhere else in this script.
sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------

def choice(idx):
    """Answer the menu prompt with option ``idx`` (sent as its str form)."""
    p.sendlineafter("Your choice: ", str(idx))

def add(idx, sz):
    """Menu option 1: create entry ``idx`` with size ``sz``.

    ``idx`` and ``sz`` are passed to ``sendlineafter`` unchanged, so callers
    hand in values the tube accepts. The content prompt is left commented
    out as a template placeholder.
    """
    choice(1)
    p.sendlineafter("Index: ", idx)
    p.sendlineafter("Size: ", sz)
    # sa("content?",cno)

def delete(idx):
    """Menu option 4: remove entry ``idx`` (passed to the tube unchanged)."""
    choice(4)
    p.sendlineafter("Index: ", idx)

def show(idx):
    """Menu option 3: display entry ``idx`` (passed to the tube unchanged)."""
    choice(3)
    p.sendlineafter("Index: ", idx)

def edit(idx, con):
    """Menu option 2: overwrite entry ``idx`` with ``con``.

    The size prompt is left commented out as a template placeholder; ``con``
    is sent raw (no newline) after the content prompt.
    """
    choice(2)
    p.sendlineafter("Index: ", idx)
    # sla("size?",sz)
    p.sendafter("Content: ", con)





def exp():
    """Exploit body placeholder.

    The interaction steps go here; the template ends by handing the tube to
    the user. The commented calls mark where to hook gdb (``debug``/``dbg``).
    """
    # debug([0x7B9])
    # dbg()
    p.interactive()
if __name__ == '__main__':
    # Entry point; the tube ``p`` was already opened at import time above.
    exp()

寻址

查找函数地址:

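# Look up a symbol's address: dump the symbol table and filter by name.
# Replace `filename` with the binary and `function_name` with the symbol
# (the original placeholder was misspelled "functioname").
readelf -s filename | grep function_name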

查找字符串地址:

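# Look up a string's file offset: scan the whole file (-a) and print offsets
# in hex (-t x). Replace `filename` and `字符串` (the literal to search for,
# unquoted); the original carried that hint inline, where the bare "(" would
# be a shell syntax error if pasted.
strings -a -t x filename | grep 字符串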