http://p4.qhimg.com/t01616d84e50b029337.png

pwntools是一个ctf框架，用Python开发，由rapid设计，旨在让使用者简单快速的编写exploit。

安装：

pwntools对Ubuntu 12.04和14.04的支持最好，但是绝大多数的功能也支持Debian, Arch, FreeBSD, OSX, 等等，徐州软件开发公司徐州徐软信息科技有限公司建议您确保安装以下系统库。

Binutils

Ubuntu

Mac OS X

Alternate OSes

Capstone

Ubuntu

Mac OS X

Python Development Headers

Ubuntu

Mac OS X

获得发行版本

$   apt-get install python2.7 python2.7-dev python-pip
$   pip install pwntools

获得最新版本

$   git clone https://github.com/Gallopsled/pwntools
$   cd pwntools
$   pip install -e .

模块索引

pwnlib.asm — Assembler functions

pwnlib.atexception — Callbacks on unhandled exception

pwnlib.atexit — Replacement for atexit

pwnlib.constants — Easy access to header file constants

pwnlib.context — Setting runtime variables

pwnlib.dynelf — Resolving remote functions using leaks

pwnlib.elf — Working with ELF binaries

pwnlib.exception — Pwnlib exceptions

pwnlib.gdb — Working with GDB

pwnlib.log and — Logging stuff

pwnlib.memleak — Helper class for leaking memory

pwnlib.replacements — Replacements for various functions

pwnlib.rop — Return Oriented Programming

pwnlib.shellcraft — Shellcode generation

pwnlib.term — Terminal handling

pwnlib.timeout — Timeout handling

pwnlib.tubes — Talking to the World!

pwnlib.ui — Functions for user interaction

pwnlib.useragents — A database of useragent strings

pwnlib.util.crc — Calculating CRC-sums

pwnlib.util.cyclic — Generation of unique sequences

pwnlib.util.fiddling — Utilities bit fiddling

pwnlib.util.hashes — Hashing functions

pwnlib.util.iters — Extension of standard module itertools

pwnlib.util.lists — Operations on lists

pwnlib.util.misc — We could not fit it any other place

pwnlib.util.net — Networking interfaces

pwnlib.util.packing — Packing and unpacking of strings

pwnlib.util.proc — Working with /proc/

pwnlib.util.safeeval — Safe evaluation of python code

pwnlib.util.web — Utilities for working with the WWW

1 context 设置运行时变量

context.log_level = 'debug'

2 remote,listen,ssh,process

支持常见操作recvline, recvuntil, clean 可以通过.interactive()直接与程序交互

3 p32 and u32

前者将数字转化为字符串,后者反之

4 log

输出消息

log.info('Hello, world!')

p = log.progress('Working')
p.status('Reticulating splines')
time.sleep(1)
p.success('Got a shell!')

5 cyclic and cyclic_find 对于直接的缓冲区溢出,可以很方便的确认再偏移多少可以控制eip

cyclic(20)
cyclic_find('aafb')

6 asm and disasm 快速的汇编和反汇编代码

asm('mov eax, 0')
asm(shellcraft.sh())
disasm('\xb8\x0b\x00\x00\x00')

7 shellcraft 提供了很多现成shellcode

8 ELF 用来操作ELF文件的工具

elf = ELF('pwn')
hex(elf.address)
hex(elf.symbols['write'])
hex(elf.got['write'])
hex(elf.plt['write'])

9 DynELF 通过信息泄露获得远程函数地址

1 可以没有程序

p = process('./pwnme')
def leak(address):
data = p.read(address, 4)
return data
main   = 0xfeedf4ce
d = DynELF(leak, main)
d.lookup('system', 'libc')
2 如果有程序,速度会更快
d = DynELF(leak, main, elf=ELF('./pwnme'))

10 ROP 简化产生ROP链的操作

11 gdb.debug 和 gdb.attach

1 用gdb启动程序,并弹出新窗口与其交互
2 附加到一个程序上,pid/pwnlibs.tubes/socket都可以

12 args 快速访问所有的命令行参数

python foo.py REMOTE=1
args['REMOTE'] == '1'

13 一些实用工具

b64d('dGVzdA==')
b64e("test")
bits(511, zero = "+", one = "-") 把参数转换为位
bits_str(511) 得到'0000000111111111'
enhex("test") 得到'74657374'
isprint(c) 判断一个字符是否可打印
randoms(10) 返回'evafjilupm'
rol('abcdefg', 2) 得到'cdefgab'
unhex("74657374") 得到'test'
urldecode("test A")
urlencode

14 net 查询网络借口
15 proc 查询进程
16 pause
17 safeeval 执行python代码,但不会产生副作用
18 其他

hexdump
read and write
enhex and unhex
more
group
align and align_down
urlencode and urldecode
which
wget

————————————–
与pwnlib.tubes的常见交互方式

recv()
recvuntil()
recvline()读取到'\n'
recvlines(n)
recvall() 读取到EOF

send()
sendline()会自动加换行符

——————————-

>>> 'b800000000'.decode('hex')
'\xb8\x00\x00\x00\x00'
>>> '\xb8\x00\x00\x00\x00'.encode('hex')
'b800000000'

查看原文：http://www.xuzhousoft.com/?p=6355