Some changes to the exploit template generated by pwntools

After installing pwntools, a few command-line tools become available:

~ pwn template -h
usage: pwn template [-h] [--host HOST] [--port PORT] [--user USER]
                    [--pass PASSWORD] [--path PATH]
                    [exe]

positional arguments:
  exe              Target binary

optional arguments:
  -h, --help       show this help message and exit
  --host HOST      Remote host / SSH server
  --port PORT      Remote port / SSH port
  --user USER      SSH Username
  --pass PASSWORD  SSH Password
  --path PATH      Remote path of file on SSH server

But the template it generates has a problem: it returns the process launched by gdb.debug directly, and in some cases, once the gdb process has exited, you no longer get a normal response from the target.

~ pwn template
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from pwn import *

# Set up pwntools for the correct architecture
context.update(arch='i386')
exe = './path/to/binary'

# Many built-in settings can be controlled on the command-line and show up
# in "args".  For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
continue
'''.format(**locals())


def start(argv=[], *a, **kw):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe] + argv, *a, **kw)

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
io = start()

# shellcode = asm(shellcraft.sh())
# payload = fit({
#     32: 0xdeadbeef,
#     'iaaa': [1, 2, 'Hello', 3]
# }, length=128)
# io.send(payload)
# flag = io.recv(...)
# log.success(flag)

io.interactive()

So I made some changes:

# -*- coding: utf-8 -*-
from pwn import *

# Load the target as an ELF and make it the default binary for context
# (arch, bits and endianness are picked up from the file).
exe = context.binary = ELF('./level32-2')
host = '127.0.0.1'
port = 10003

# GDB commands to run right after attaching (./exp.py D)
gdbscript = '''
b main
'''

# ./exp.py I -> verbose logging of everything sent/received
if args.I:
    context.log_level = 'debug'

# Local launch: plain process() instead of gdb.debug(), so gdb can be
# attached afterwards and the tube stays usable even if gdb exits.
def local():
    return process(exe.path)

# Remote launch: connect() is pwntools' alias for remote(); the helper is
# named remote_start so it does not shadow pwntools' own remote().
def remote_start():
    return connect(host, port)

# ./exp.py R -> remote target, otherwise local
start = remote_start if args.R else local
#===========================================================

#===========================================================
io = start()
# ./exp.py D -> attach gdb to the already-running local process
if args.D:
    gdb.attach(io, gdbscript)
io.interactive()
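To make clear what the I / R / D switches in the template above actually do, here is an added example (not from the post, and not pwntools' own code) that mimics how pwnlib.args turns all-caps argv tokens such as `R`, `D` or `HOST=1.2.3.4` into `args` and how the template then picks its start mode; the function names, the regex and the HOST/PORT overrides are assumptions, and the matching is an approximation of pwntools' `str.isupper()` check.

```python
import re

# Approximation of pwnlib.args: an all-caps word, optionally KEY=VALUE.
# (pwntools itself uses str.isupper(); the regex is an assumption.)
_ARG_RE = re.compile(r'^([A-Z][A-Z0-9_]*)(?:=(.*))?$')


class Args(dict):
    """Attribute access returns '' (falsy) for unset flags, like pwnlib.args."""

    def __getattr__(self, name):
        return self.get(name, '')


def parse_args(argv):
    """Split argv into (pwntools-style flags, remaining argv).

    'R'            -> flags['R'] == 'True'
    'HOST=1.2.3.4' -> flags['HOST'] == '1.2.3.4'
    Lower-case tokens and paths are left for the script itself.
    """
    flags, rest = Args(), []
    for tok in argv:
        m = _ARG_RE.match(tok)
        if m:
            flags[m.group(1)] = m.group(2) if m.group(2) is not None else 'True'
        else:
            rest.append(tok)
    return flags, rest


def choose_start(flags, default_host='127.0.0.1', default_port=10003):
    """Decide how the template's start() would launch the target.

    The blog template attaches gdb whenever D is set; it is only meaningful
    for a local process, so it is gated on the mode here (assumption).
    """
    mode = 'remote' if flags.R else 'local'
    host = flags.HOST or default_host          # HOST=... override (assumption)
    port = int(flags.PORT or default_port)     # PORT=... override (assumption)
    return {
        'mode': mode,
        'host': host,
        'port': port,
        'attach_gdb': bool(flags.D) and mode == 'local',
        'log_level': 'debug' if flags.I else 'info',
    }
```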

posted @ 2017-09-18 23:10 君莫笑hhhhhh