Skip to content

Instantly share code, notes, and snippets.

@hzshang

hzshang/example.py

Last active February 28, 2019 03:18
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 2 You must be signed in to fork a gist
  • Save hzshang/d7bd0fd2569513cc814f2272a036c574 to your computer and use it in GitHub Desktop.
Save hzshang/d7bd0fd2569513cc814f2272a036c574 to your computer and use it in GitHub Desktop.
Download ZIP
how to use pwntools
Raw
example.py
from pwn import *
#启用调试模式,会将以后的交互信息打印出来
context.log_level="debug"
# 连接
# 和127.0.0.1的9999端口建立tcp连接
r=remote("127.0.0.1",9999)
# 运行一个可执行程序,方便本地调试
r=process("./binary")
# 发送 aaaa
r.send("aaaa")
# 发送 aaaa加一个回车符
r.sendline("aaaa")
# 接收0x100长度的输出
data=r.recv(0x100)
# 接收一行输出
data=r.recvline()
# 接收输出直到遇到 aaa停止
data=r.recvuntil("aaa")
# 收到aaa后发送bbb
r.sendafter("aaa","bbb")
# 收到aaa后发送bbb加回车符
r.sendlineafter("aaa","bbb")
#打开交互模式
r.interactive()
# 调试
# 让脚本在这暂停,并打印进程的pid
print r.pid# 注意这里只有r是使用process开启时才有效
pause()
# 打开gdb 并输入一下命令可以附加到进程上进行调试
# attach 1234 # 1234是上面r.pid返回的进程号
# 静态分析
# 读取一个elf文件
elf=ELF("./binary")
# 获取elf的read got表地址
print hex(elf.got["read"])
# 读取一个libc文件
libc=ELF("./libc.so.6")
# 设置libc的基地址
libc.address=0x7fff00000000
# 获取libc里的system地址
print hex(libc.sym["system"])
# 方便输入不可显示的字符
# 32位模式
p32(0x12345678) == "\x78\x56\x34\x12"
# 64位模式
p64(0x12345678) == "\x00\x00\x00\x00\x78\x56\x34\x12"
# 编译
code="""
push eax
pop ebx
int 0x80
"""
shellcode=asm(code,arch="x86")# 将32位的汇编代码转为机器码
code="""
push rax
pop rbx
syscall
"""
shellcode=asm(code,arch="amd64")# 将64位的汇编代码转为机器码
print disasm(shellcode,arch="amd64")# 将机器码反汇编成64位汇编代码
# pwntool的其他使用方法还有很多,具体可以参考
# http://docs.pwntools.com/en/stable/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment