
pwntools - the ROP class

Posted by Sagiring on 2023-11-08


To build ROP payloads better and faster, let's look at how the class is used.

Common usage

  • Create a ROP instance

Notes on the ROP class constructor:

Simple creation

rop = ROP([elf1, elf2, ...])  # one or more ELF objects whose gadgets are searched
# base: rop.base, the address the chain will be placed at (also accepted as ROP(..., base=addr))
# badchars: bytes the chain must not contain (ROP(..., badchars=b'...'))
  • Call functions directly
rop = ROP(libc)  # the ELF object's base address is used automatically
rop.base = orw_addr + 0x8  # address the chain will live at, so string arguments can be passed by pointer
rop.open(b'flag', 0, 0)  # add a function call directly to the chain
rop.read(3, heap_base + 0x200, 0x20)
rop.write(1, heap_base + 0x200, 0x20)
  • rop.dump()

    Prints the constructed chain as a readable string

info(rop.dump())
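How the ROP class turns rop.open(b'flag', 0, 0) into stack words, and why rop.base has to be set before string arguments can be used, is easiest to see in a small model. The following is an added example written for this post, not pwntools' own implementation: only the 0x2858f address of pop rdi; ret is taken from the post, every other gadget and symbol address is constructed, and MiniROP, orw_chain and the scratch buffer address are hypothetical names.

```python
import struct
from collections import namedtuple

# Minimal model of what the ROP class does for rop.open(b'flag', 0, 0): pick a pop
# gadget per argument register, stash string arguments after the chain, and turn
# them into pointers once rop.base is known. Written for this post; this is not
# pwntools' own implementation.
Gadget = namedtuple("Gadget", "address insns regs move")

# Constructed sample data for a hypothetical amd64 libc. 0x2858f for
# 'pop rdi; ret' is the address shown in the post; every other value is made up.
GADGETS = {
    "rdi": Gadget(0x2858f, ["pop rdi", "ret"], ["rdi"], 16),
    "rsi": Gadget(0x2f8a1, ["pop rsi", "ret"], ["rsi"], 16),
    "rdx": Gadget(0x0904a9, ["pop rdx", "ret"], ["rdx"], 16),
}
SYMBOLS = {"open": 0x10e5b0, "read": 0x10dfc0, "write": 0x10e060}
ARG_REGS = ["rdi", "rsi", "rdx"]  # first three SysV amd64 integer argument registers
WORD = 8


def p64(value):
    return struct.pack("<Q", value)


class MiniROP:
    """Stand-in for pwntools' ROP with call(), raw(), build(), chain() and dump()."""

    def __init__(self, symbols, gadgets, base=None):
        self.symbols = symbols
        self.gadgets = gadgets
        self.base = base      # address the chain will be written to; needed for string args
        self.elems = []       # one (description, value) per stack slot; value may be ("str", i)
        self.strings = []     # byte strings appended after the last slot

    def __getattr__(self, name):
        # rop.open(...) style: an unknown attribute that names a symbol becomes a call().
        if name in self.__dict__.get("symbols", {}):
            return lambda *args: self.call(name, *args)
        raise AttributeError(name)

    def call(self, name, *args):
        """Load each argument into its register with a pop gadget, then return into name."""
        if len(args) > len(ARG_REGS):
            raise ValueError("this model only handles register arguments")
        for reg, arg in zip(ARG_REGS, args):
            g = self.gadgets[reg]
            self.elems.append(("; ".join(g.insns), g.address))
            if isinstance(arg, bytes):
                # A string cannot live in a register: store it after the chain and
                # emit a pointer that can only be resolved once base is known.
                self.strings.append(arg)
                self.elems.append((repr(arg), ("str", len(self.strings) - 1)))
            else:
                self.elems.append(("", arg))
        self.elems.append((f"{name}()", self.symbols[name]))

    def raw(self, data):
        """Append opaque data like rop.raw(): an int is one slot, bytes are split into slots."""
        if isinstance(data, int):
            self.elems.append(("raw", data))
            return
        data += b"\x00" * (-len(data) % WORD)
        for i in range(0, len(data), WORD):
            word = data[i:i + WORD]
            self.elems.append((repr(word), struct.unpack("<Q", word)[0]))

    def _string_offsets(self):
        # Strings follow the last slot, each NUL-padded up to the next 8-byte boundary.
        offset, offsets = len(self.elems) * WORD, []
        for s in self.strings:
            offsets.append(offset)
            offset += len(s) + (WORD - len(s) % WORD)
        return offsets

    def build(self):
        """Resolve string pointers against base; returns a list of (description, int)."""
        if self.strings and self.base is None:
            raise ValueError("set rop.base before building a chain that carries strings")
        offsets = self._string_offsets()
        return [(d, self.base + offsets[v[1]] if isinstance(v, tuple) else v)
                for d, v in self.elems]

    def chain(self):
        """The bytes you would send: the slots followed by the padded strings."""
        words = b"".join(p64(v) for _, v in self.build())
        strings = b"".join(s + b"\x00" * (WORD - len(s) % WORD) for s in self.strings)
        return words + strings

    def dump(self):
        return "\n".join(f"0x{i * WORD:04x}: 0x{v:x} {d}".rstrip()
                         for i, (d, v) in enumerate(self.build()))


def orw_chain(base, buf=0x404800):
    """open/read/write chain like the post's, placed at base (buf is a made-up scratch address)."""
    rop = MiniROP(SYMBOLS, GADGETS, base=base)
    rop.open(b"flag", 0, 0)
    rop.read(3, buf, 0x20)
    rop.write(1, buf, 0x20)
    return rop


if __name__ == "__main__":
    print(orw_chain(0x7ffe00000000).dump())
```

The second slot of the dump is the pointer to b'flag': base + 0xa8, because the string is placed right after the 21 chain words. That is why the post sets rop.base before adding calls that take strings; in this model, building such a chain without a base raises instead of silently emitting a wrong pointer.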

Interaction

  • rop.chain()

    Returns the chain as bytes

r.send(rop.chain())
# send the chain to the target process
  • rop.build()

    def build(self, base=None, description=None):
        # Construct the ROP chain into a list of elements which can be passed to :func:`.flat`.
    rop.build()

    Returns a list meant to be passed to flat()

  • rop.raw()

    Manually append data to the rop chain

    rop.raw(b'A'*0x8 + p64(0x2333333)) 
    #[*] 0x0000:          b'AAAA' b'AAAAAAAA333\x02\x00\x00\x00\x00'
    #    0x0004:          b'AAAA'
    #    0x0008:       b'333\x02'
    #    0x000c: b'\x00\x00\x00\x00'
    rop.raw(b'A'*0x8)
    rop.call(0x2333333)
    #[*] 0x0000:          b'AAAA' b'AAAAAAAA'
    #    0x0004:          b'AAAA'
    #    0x0008:        0x2333333 0x2333333()

    The comments above show the resulting dump for each variant.

Miscellaneous

  • About registers

    info(rop.rdi)
    #[*] Gadget(0x2858f, ['pop rdi', 'ret'], ['rdi'], 0x8)
    info(rop.rdi[0])
    #[*] 165263
    #>>> r = ROP(e)
    #>>> r({'rax': 0xdead, 'rdi': 0xbeef, 'rsi': 0xcafe})
    #>>> print(r.dump())
  • About functions

    rop.resolve('read') 
    #[*] 4436
    info(rop.unresolve(4436))
    #[*] read
    • Misc
    rop.migrate(0x233)
    #[*] 0x0000:          0x3418a pop rsp; ret
    #    0x0004:            0x233
    #[*] 0x0000:           0x1273 pop rbp; ret
    #    0x0004:            0x22f
    #    0x0008:           0x13c0 leave; ret

    If you want to use the rbp + leave approach, I personally don't find it very convenient.

    rop.call(0x233)
    #[*] 0x0000:            0x233 0x233()

    Adds an address (a call with no arguments) to the rop chain

    rop.find_gadget(['leave','ret'])
    #[*] Gadget(0x13c0, ['leave', 'ret'], ['ebp', 'esp'], 0x2540be403)

    Works like a ROPgadget query

    rop.setRegisters(regs)  # regs: a dict of {register name: value}

    Sets register values

    rop.search()

    def search(self, move=0, regs=None, order='size'):
        """Search for a gadget which matches the specified criteria.

        Arguments:
            move(int): Minimum number of bytes by which the stack
                pointer is adjusted.
            regs(list): Minimum list of registers which are popped off the
                stack.
            order(str): Either the string 'size' or 'regs'. Decides how to
                order multiple gadgets that fulfill the requirements.

        The search will try to minimize the number of bytes popped more than
        requested, the number of registers touched besides the requested and
        the address.

        If ``order == 'size'``, then gadgets are compared lexicographically
        by ``(total_moves, total_regs, addr)``, otherwise by ``(total_regs, total_moves, addr)``.

        Returns:
            A :class:`.Gadget` object
        """

That's about as far as I've gotten so far; corrections and additions are welcome.