pwntools 模板

Install

pip install pwntools

Usage

python3 ./exploit.py GDB # REMOTE

可以善用 pwntools 內建的工具來寫 exploit 會事半功倍：

利用 ELF.symbols["main"] 來取得函式 address
利用 ROP.find_gadget(['pop eax', 'ret']).address 來取得 gadget
`fmt

Script

1
#!/usr/bin/env python3
2
# -*- coding: utf-8 -*-
3
import re
4
from pwn import *
5

6
BINARY = "./vuln"
7
REMOTE = "chall.yuto0226.dev:1337`"
8

9
# Set up pwntools for the correct architecture
10
elf = context.binary = ELF(BINARY, False)
11

12
context.clear(arch='i386')
13
# ['CRITICAL', 'DEBUG', 'ERROR', 'INFO', 'NOTSET', 'WARN', 'WARNING']
14
context.log_level = "info"
15
context.terminal = ["tmux", "splitw", "-h"]  # -v, -h
16
# context.terminal = ["tmux", "neww"] # open new window
17
context.delete_corefiles = True
18

19

20
def start(argv=[], *a, **kw):
21
    """Start the exploit against the target."""
22
    if args.GDB:
23
        return gdb.debug([BINARY] + argv, gdbscript=gdbscript, *a, **kw)
24
    elif args.REMOTE:
25
        host, port = REMOTE.split(":")
26
        return remote(host, int(port))
27
    else:
28
        return process([BINARY] + argv, *a, **kw)
29

30

31
def flag(output, pattern):
32
    match = re.search(pattern, output)
33
    if match:
34
        flag = match.group(1).decode()
35
        success(f"flag: {flag}")
36
    else:
37
        warn("flag not found in output")
38
        info(f"raw output: {output}")
39

40

41
gdbscript = """
42
init-pwndbg
43
b main
44
c
45
""".format(**locals())
46

47
rop = ROP(elf)
48
sym = elf.symbols # e.g. sym["main"]
49

50
# ===========================================================
51
#                    EXPLOIT GOES HERE
52
# ===========================================================
53

54
io = start()
55

56
io.interactive()
57
data = io.recvall()
58
flag(data, rb"(FLAG\{.*?\})")
59
io.close()