I used the zio library before, but later found that pwntools has many advanced features zio lacks, so I decided to learn how to use it so I can put it to work later. = =
Installation:
[mw_shl_code=shell,true]pip install pwn[/mw_shl_code] 
 
When using it, you can import everything with
[mw_shl_code=python,true]from pwn import *[/mw_shl_code]
Connections: process() for a local binary, remote() for a remote service. remote() takes a host (or URL) and a port. IO module: this is where it is easy to get mixed up with zio. zio uses read/write; pwntools uses recv/send.
[mw_shl_code=applescript,true]send(data) : send data
sendline(data) : send one line of data, i.e. send with \n appended

recv(numb=4096, timeout=default) : receive up to numb bytes; timeout sets the timeout
recvuntil(delims, drop=False) : receive until the delims pattern is seen (drop=True strips it from the result)
(the following can be seen as special cases of recvuntil)
recvline(keepends=True) : receive up to \n; keepends keeps the trailing \n
recvall() : receive until EOF
recvrepeat(timeout=default) : receive until EOF or timeout

interactive() : interact with the shell[/mw_shl_code]
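To make the recv/send semantics concrete, here is a small added example (constructed for this post, not pwntools' own code) that reimplements the buffering behind recvuntil/recvline/recvall over a socketpair standing in for process()/remote(). The point it shows is the one zio users trip over: every receive call consumes from one internal buffer, so bytes that arrive after a delimiter are kept for the next call rather than lost. It is Python 3 (bytes, not str); the MiniTube class and the demo() function are assumptions of this example.

```python
import socket


class MiniTube:
    """Constructed stand-in for a pwntools tube: wraps a connected socket and
    keeps an internal buffer so that recvuntil/recvline leave unread bytes
    for the next call. Not pwntools' implementation, only its semantics."""

    def __init__(self, sock, timeout=1.0):
        self.sock = sock
        self.sock.settimeout(timeout)
        self.buffer = b''

    def send(self, data):
        self.sock.sendall(data)

    def sendline(self, data):
        # sendline is just send with a newline appended
        self.send(data + b'\n')

    def _fill(self):
        # Pull one chunk from the socket into the buffer; False on EOF or timeout
        try:
            chunk = self.sock.recv(4096)
        except socket.timeout:
            return False
        if not chunk:
            return False
        self.buffer += chunk
        return True

    def recv(self, numb=4096):
        # Return up to numb bytes, reading from the socket only if the buffer is empty
        if not self.buffer:
            self._fill()
        data, self.buffer = self.buffer[:numb], self.buffer[numb:]
        return data

    def recvuntil(self, delim, drop=False):
        # Read until delim appears; drop=True strips the delimiter from the result.
        # Anything after the delimiter stays in self.buffer for later calls.
        while delim not in self.buffer:
            if not self._fill():
                raise EOFError('delimiter %r not received' % delim)
        idx = self.buffer.index(delim) + len(delim)
        data, self.buffer = self.buffer[:idx], self.buffer[idx:]
        return data[:-len(delim)] if drop else data

    def recvline(self, keepends=True):
        # Special case of recvuntil with a newline delimiter
        return self.recvuntil(b'\n', drop=not keepends)

    def recvall(self):
        # Read until the peer closes the connection
        while self._fill():
            pass
        data, self.buffer = self.buffer, b''
        return data


def demo():
    # A socketpair plays the role of process()/remote(); 'peer' is the fake target.
    peer, local = socket.socketpair()
    tube = MiniTube(local)
    # Constructed banner from the fake target; note the prompt has no trailing newline.
    peer.sendall(b'Welcome\nname> ')
    banner = tube.recvline()          # b'Welcome\n'
    prompt = tube.recvuntil(b'> ')    # b'name> ' (left over from the same chunk)
    tube.sendline(b'alice')
    seen_by_target = peer.recv(64)    # b'alice\n'
    peer.sendall(b'hello alice\nbye\n')
    peer.close()
    rest = tube.recvall()             # b'hello alice\nbye\n'
    local.close()
    return banner, prompt, seen_by_target, rest


if __name__ == '__main__':
    print(demo())
```

In real pwntools the same calls work on whatever `process('./binary')` or `remote(host, port)` returns; the buffer logic is what makes `recvuntil(b'> ')` after `recvline()` return the prompt instead of blocking for new data.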
ELF module
First get a handle with ELF(), then call functions on that handle, much like the IO tubes.
 
[mw_shl_code=applescript,true]>>> e = ELF('/bin/cat')
>>> print hex(e.address)  # base address the file is loaded at
0x400000
>>> print hex(e.symbols['write']) # address of the function symbol
0x401680
>>> print hex(e.got['write']) # address of the GOT entry
0x60b070
>>> print hex(e.plt['write']) # address of the PLT entry
0x401680[/mw_shl_code]
 
 
Data handling
Mainly packing integers into their binary representation. p32/p64 pack; u32/u64 unpack (short for pack/unpack).
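An added example (written for this post, not pwntools' own code) that reimplements p32/p64/u32/u64 on top of the standard struct module to show exactly what they do: a 32- or 64-bit integer becomes its little-endian byte string and back, with the same endian and sign keyword arguments the pwntools versions accept. It also includes an assumed parse_header() helper that uses u32/u64 on a constructed length-prefixed record and checks the unpacked length before trusting it, since an unpacked integer from untrusted bytes is just a number and must be bounds-checked.

```python
import struct

# struct format codes for the two widths; lowercase means signed
_CODES = {32: 'I', 64: 'Q'}


def _fmt(bits, endian, sign):
    code = _CODES[bits].lower() if sign else _CODES[bits]
    return ('<' if endian == 'little' else '>') + code


def _pack(bits, number, endian='little', sign=False):
    # struct.error is raised if number does not fit the width, as pwntools also refuses
    return struct.pack(_fmt(bits, endian, sign), number)


def _unpack(bits, data, endian='little', sign=False):
    if len(data) != bits // 8:
        raise ValueError('expected %d bytes, got %d' % (bits // 8, len(data)))
    return struct.unpack(_fmt(bits, endian, sign), data)[0]


# Same names and defaults as the pwntools helpers (little-endian, unsigned)
def p32(number, **kw):
    return _pack(32, number, **kw)


def p64(number, **kw):
    return _pack(64, number, **kw)


def u32(data, **kw):
    return _unpack(32, data, **kw)


def u64(data, **kw):
    return _unpack(64, data, **kw)


def parse_header(blob):
    """Parse a constructed record: u32 magic, u32 version, u64 payload length, payload.
    The length field is validated against the real buffer before slicing."""
    if len(blob) < 16:
        raise ValueError('record too short for header')
    magic = u32(blob[0:4])
    version = u32(blob[4:8])
    length = u64(blob[8:16])
    if length > len(blob) - 16:
        raise ValueError('declared length %d exceeds available %d bytes' % (length, len(blob) - 16))
    return {'magic': magic, 'version': version, 'payload': blob[16:16 + length]}


def build_record(magic, version, payload):
    # Pack fields in the same layout parse_header expects
    return p32(magic) + p32(version) + p64(len(payload)) + payload


if __name__ == '__main__':
    print(p32(0xdeadbeef))                 # b'\xef\xbe\xad\xde'
    print(hex(u32(b'\xef\xbe\xad\xde')))   # 0xdeadbeef
    print(parse_header(build_record(0x4347414d, 2, b'abc')))
```

The little-endian default is why `p32(0xdeadbeef)` comes out as `ef be ad de`; pass `endian='big'` for network byte order and `sign=True` when the value is meant to be interpreted as signed.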
DynELF
DynELF is a powerful tool for leaking information. The prerequisite is that you supply a function which takes an address and leaks at least 1 byte at that address. The official docs describe it as: Given a function which can leak data at an arbitrary address, any symbol in any loaded library can be resolved. Pretty awesome, isn't it? Below is the official example.

[mw_shl_code=python,true]# Assume a process or remote connection
p = process('./pwnme') 
 
# Declare a function that takes a single address, and 
# leaks at least one byte at that address. 
def leak(address): 
    data = p.read(address, 4) 
    log.debug("%#x => %s" % (address, (data or '').encode('hex'))) 
    return data 
 
# For the sake of this example, let's say that we 
# have any of these pointers.  One is a pointer into 
# the target binary, the other two are pointers into libc 
main   = 0xfeedf4ce 
libc   = 0xdeadb000 
system = 0xdeadbeef 
 
# With our leaker, and a pointer into our target binary, 
# we can resolve the address of anything. 
# 
# We do not actually need to have a copy of the target 
# binary for this to work. 
d = DynELF(leak, main) 
assert d.lookup(None,     'libc') == libc 
assert d.lookup('system', 'libc') == system 
 
# However, if we *do* have a copy of the target binary, 
# we can speed up some of the steps. 
d = DynELF(leak, main, elf=ELF('./pwnme')) 
assert d.lookup(None,     'libc') == libc 
assert d.lookup('system', 'libc') == system 
 
# Alternately, we can resolve symbols inside another library, 
# given a pointer into it. 
d = DynELF(leak, libc + 0x1234) 
assert d.lookup('system')      == system[/mw_shl_code]  