首页 发现 帮助
登录
decadanse
/
reverse_writeups
关注 1
点赞 0
派生 0
文件 工单管理 0 合并请求 0 Wiki
分支: master
分支列表 标签列表
reverse_writ...
/
spbctf
/
splo.py

splo.py 2.0 KB
永久链接 文件历史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182 
  1. #!/usr/bin/env python3
    2. 

  2. # -*- coding: utf-8 -*-
    3. 

  3. # This exploit template was generated via:
    4. 

  4. # $ pwn template ./demo2 --host 127.0.0.1 --port 1234
    5. 

  5. from pwn import *
    6. 

  6. 

  7. # Set up pwntools for the correct architecture
    8. 

  8. exe = context.binary = ELF('./task_name')
    9. 

  9. 

  10. if exe.bits == 32:
    11. 

  11.     lindbg = "/root/linux_server"
    12. 

  12. else:
    13. 

  13.     lindbg = "/root/linux_server64"
    14. 

  14. 

  15. 

  16. # Many built-in settings can be controlled on the command-line and show up
    17. 

  17. # in "args".  For example, to dump all data sent/received, and disable ASLR
    18. 

  18. # for all created processes...
    19. 

  19. # ./exploit.py DEBUG NOASLR
    20. 

  20. # ./exploit.py GDB HOST=example.com PORT=4141
    21. 

  21. host = args.HOST or '10.0.2.15'
    22. 

  22. port = int(args.PORT or 1234)
    23. 

  23. 

  24. def local(argv=[], *a, **kw):
    25. 

  25.     '''Execute the target binary locally'''
    26. 

  26.     if args.GDB:
    27. 

  27.         return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    28. 

  28.     elif args.EDB:
    29. 

  29.         return process(['edb', '--run', exe.path] + argv, *a, **kw)
    30. 

  30.     elif args.QIRA:
    31. 

  31.         return process(['qira', exe.path] + argv, *a, **kw)
    32. 

  32.     elif args.IDA:
    33. 

  33.         return process([lindbg], *a, **kw)
    34. 

  34.     else:
    35. 

  35.         return process([exe.path] + argv, *a, **kw)
    36. 

  36. 

  37. def remote(argv=[], *a, **kw):
    38. 

  38.     '''Connect to the process on the remote host'''
    39. 

  39.     io = connect(host, port)
    40. 

  40.     if args.GDB:
    41. 

  41.         gdb.attach(io, gdbscript=gdbscript)
    42. 

  42.     return io
    43. 

  43. 

  44. def start(argv=[], *a, **kw):
    45. 

  45.     '''Start the exploit against the target.'''
    46. 

  46.     if args.LOCAL:
    47. 

  47.         return local(argv, *a, **kw)
    48. 

  48.     else:
    49. 

  49.         return remote(argv, *a, **kw)
    50. 

  50. 

  51. # Specify your GDB script here for debugging
    52. 

  52. # GDB will be launched if the exploit is run via e.g.
    53. 

  53. # ./exploit.py GDB
    54. 

  54. gdbscript = '''
    55. 

  55. tbreak main
    56. 

  56. continue
    57. 

  57. '''.format(**locals())
    58. 

  58. 

  59. #===========================================================
    60. 

  60. #                    EXPLOIT GOES HERE
    61. 

  61. #===========================================================
    62. 

  62. # Arch:     amd64-64-little
    63. 

  63. # RELRO:    Partial RELRO
    64. 

  64. # Stack:    No canary found
    65. 

  65. # NX:       NX disabled
    66. 

  66. # PIE:      No PIE (0x400000)
    67. 

  67. # RWX:      Has RWX segments
    68. 

  68. 

  69. 

  70. io = start()
    71. 

  71. 

  72. 

  73. io.interactive()
    74. 

  74. 

  75. 

  76. 

  77. 

  78. 

  79. 

  80. 

  81. 

  82.