pwntools
http://docs.pwntools.com/en/stable/index.html
Tubes
- recv(numb=4096, timeout=default)
- recvline(keepends=True) : keepends为是否保留行尾的\n
- recvuntil(delims, drop=False) : 一直读到delims的pattern出现为止
- recvrepeat(timeout=default) : 持续接受直到EOF或timeout
- recvline_contains(items, keepends=False, timeout=pwnlib.timeout.Timeout.default)
- recvline_pred(pred, keepends = False)
- sendlineafter(delim, data, timeout = default)
asm
1 | asm('nop') |
ROP
http://docs.pwntools.com/en/stable/rop.html
gdb
1 | s = process('./pwnme') |
DynELF
http://docs.pwntools.com/en/stable/dynelf.html
format
http://docs.pwntools.com/en/stable/fmtstr.html#
构造格式化字符串
fmtstr_payload(offset, writes, numbwritten=0, write_size=’byte’) → str
自动构造格式化的函数
FmtStr(execute_fmt, offset=None, padlen=0, numbwritten=0)
other
log等级
context.log_level = 'debug'
加载指定libc
p = process('./pwn',env= {"LD_PRELOAD":"./libc.so"})
多个:
p = process('./glibc_2.26/tcache_dup',env= {"LD_PRELOAD":'./glibc_versions/ld-2.26.so ./glibc_versions/libc-2.26.so'})
kali - libc
libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
heap
doc
ctf-wiki
https://ctf-wiki.github.io/ctf-wiki/pwn/heap/heap_structure/
Heap Exploitation
https://heap-exploitation.dhavalkapil.com
Glibc Heap简介
http://brieflyx.me/2016/heap/glibc-heap/
how2heap
https://github.com/shellphish/how2heap
bins
Ptmalloc 一共 维护了 128 个 bin,并使用一个数组来存储这些 bin。数组中的第一个为 unsorted bin,数组中从 2 开始编号的前 64 个 bin 称为 small bins,同 一个small bin中的chunk具有相同的大小。两个相邻的small bin中的chunk大小相差8bytes。Small bins后面的bin被称作large bins。large bins中的每一个bin分别包含了一个给定范围 内的 chunk,其中的 chunk 按大小序排列。ptmalloc 使用“smallest-first,best-fit”原则在空闲 large bins 中查找合适的 chunk。除了fast bin是单向链表LIFO外,其余都是双向循环链表且为FIFO。
gcc
-m32, 编译成32位-s, 删除符号表-g, 加入调试信息-no-pie-fno-stack-protector-Wno-format-security
gdb
tips
指定libcLD_PRELOAD=glibc_versions/libc-2.26.so glibc_versions/ld-2.26.so ./glibc_2.26/tcache_dup
gdb预加载libcgdb -iex 'set exec-wrapper env LD_PRELOAD="./glibc_versions/libc-2.26.so" "./glibc_versions/ld-2.26.so"' ./glibc_2.26/tcache_dup
pwndbg
https://github.com/pwndbg/pwndbg
usage:
https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md
Docker
查看所有容器docker ps -a
查看所有容器IDdocker ps -a -q
stop停止所有容器docker stop $(docker ps -a -q)
remove删除所有容器docker rm $(docker ps -a -q)
删除所有镜像docker rmi $(docker images -q)
启动容器docker run --name="pwn" --privileged -v ~/Downloads/:/home/dir -it d001um3/pwn /bin/zsh
启动shelldocker exec -it pwn /bin/zsh
设置代理,走宿主机ss的http代理export http_proxy=http://192.1.1.141:1087
更新镜像docker commit -a 'd001um3' -m 'messages' container_id d001um3/pwn
Dockerfile
1 | FROM ubuntu:16.04 |
解决中文乱码
1 | apt-get install locales |
tools
LibcSearcher
https://github.com/lieanu/LibcSearcher
1 | from LibcSearcher import * |
ROPgadget
https://github.com/JonathanSalwan/ROPgadget
ROPgadget --binary rop --only 'pop|ret' | grep 'eax'
socat
新建一个 run.sh
socat tcp-l:5002,reuseaddr,fork exec:"python server.py"
后台启动
nohup ./run.sh &
tmux
https://www.cnblogs.com/kevingrace/p/6496899.html
ctrl+b "模向分隔窗口ctrl+b %纵向分隔窗口ctrl+b 方向键移动光标以选择面板ctrl+b o在当前窗口中选择下一面板ctrl+b d脱离当前会话tmux attach能够重新进入之前的会话ctrl+b fn+↑向上翻页