0x00 写在前面
由于如今各种ELF文件libc版本跨度比较大,采用虚拟机模式显得过于冗余,于是准备将做题环境都放到docker中。原本打算是每个版本的libc找个docker,但很幸运地发现了一个名为skysider/pwndocker的docker,该docker为libc-2.27版本,其上除了正常的做题环境外还集成了多个libc的版本,可以用LD_PRELOAD来选择不同的libc版本,用习惯了之后还是挺方便的。就是每次要加载不同的libc时,process函数写的太长了,比较麻烦,然后以及原来写exp时pwntools的各种函数都时敲全名,借此机会封装了个傻逼库,以后更新博客也就都用这个库了。目前是函数的形式进行封装,等以后的功能多了可以考虑改成对象的形式进行封装。
0x01 Fish.py
from pwn import *
def get_shell(binary_name , libc_version , OSbit):
global p , version , OS , libc , elf
version = libc_version
OS = OSbit
libc_path = '/glibc/' + str(version) + '/' + str(OS) + '/lib/libc-' + str(version) + '.so'
ld_path = '/glibc/' + str(version) + '/' + str(OS) + '/lib/ld-' + str(version) + '.so'
if(binary_name.find(':') != -1):
p = remote(binary_name.split(':')[1] , int(binary_name.split(':')[2]))
binary_name = binary_name.split(':')[0]
elif(version == 2.27):
p = process('./' + binary_name)
else:
p = process([ld_path,"./"+binary_name],env={"LD_PRELOAD":libc_path})
elf = ELF(binary_name)
libc = ELF(libc_path)
def get_gadget():
if(OS == 64):
if(version == 2.19):
gadget = [0x403ff , 0x40453 , 0xd806f]
if(version == 2.23):
gadget = [0x3f3d6 , 0x3f42a , 0xd5bf7]
if(version == 2.24):
gadget = [0x3f4b6 , 0x3f50a , 0xd6635]
if (version == 2.27):
gadget = [0x4f2c5 , 0x4f322 , 0x10a38c]
if (version == 2.28):
gadget = [0x41982 , 0x419d6 , 0xdf882]
if (version == 2.29):
gadget = [0xc1710 , 0xdf202 , 0xdf20e]
else:
if(version == 2.19):
gadget = [0x3b056 , 0x3b058 , 0x3b05c , 0x3b063 , 0x64729 , 0x6472a , 0x123e6c , 0x123e6d]
if(version == 2.23):
gadget = [0x3a61c , 0x3a61e , 0x3a622 , 0x3a629 , 0x5ee65 , 0x5ee66]
if(version == 2.24):
gadget = [0x3a32c , 0x3a32e , 0x3a332 , 0x3a339 , 0x5f6b5 , 0x5f6b6]
if (version == 2.27):
gadget = [0x3d0d3 , 0x3d0d5 , 0x3d0d9 , 0x3d0e0 , 0x67a7f , 0x67a80 , 0x137e5e , 0x137e5f]
if (version == 2.28):
gadget = [0x3c43b , 0x3c43d , 0x3c441 , 0x3c448 , 0x65a04 , 0x65a05 , 0x12e82c , 0x12e82d]
if (version == 2.29):
gadget = [0x12de0c , 0x12de0d]
for i in range(len(gadget)):
gadget[i] += libc.address
success('Gadget[' + str(i) + '] => ' + hex(gadget[i]))
return gadget
def ru(text):
return p.recvuntil(text)
def rcv(count):
return p.recv(count)
def sl(text):
return p.sendline(str(text))
def sd(text):
return p.send(str(text))
def Esym(func):
success('{0}_addr => {1}'.format(func.lstrip('_') , hex(elf.symbols[func])))
return elf.symbols[func]
def got(func):
success('{0}_got => {1}'.format(func , hex(elf.got[func])))
return elf.got[func]
def plt(func):
success('{0}_plt => {1}'.format(func , hex(elf.plt[func])))
return elf.plt[func]
def LeakStrFormat(text):
return u64(text.rjust(8 , '\x00'))
def LeakCharFormat(text):
return u64(text.ljust(8 , '\x00'))
def SetELFBase(ELFBase):
elf.address = ELFBase
success('ELF_base => {0}'.format(hex(ELFBase)))
return elf.address
def SetLibcBase(LibcBase):
libc.address = LibcBase
success('Libc_base => {0}'.format(hex(LibcBase)))
return libc.address
def SetHeapBase(HeapBase):
success('Heap_base => {0}'.format(hex(HeapBase)))
return HeapBase
def sym(func):
success('{0}_addr => {1}'.format(func.lstrip('_') , hex(libc.symbols[func])))
return libc.symbols[func]
def binsh():
binsh_addr = libc.search('/bin/sh\x00').next()
success('binsh_addr => {0}'.format(hex(binsh_addr)))
return binsh_addr
def debug():
print pidof(p)
raw_input()
def active():
return p.interactive()
def close():
return p.close()
def dbglog():
context.log_level = 'debug'
网友评论