[Share] welpwn, an exploit helper

2020-5-1 21:48


Preface

welpwn is a project from the National University of Defense Technology that wraps pwntools and saves a lot of time. It can load a specified version of libc, fetch magic numbers automatically, and extends debugging, among other things. I'm briefly noting the usage here to help other beginners like me; see the project page for the details.


Project: https://github.com/matrix1001/welpwn

Installation

git clone https://github.com/matrix1001/welpwn
cd welpwn
sudo python setup.py install

Usage

welpwn uses ctx to manage the binary, the libc file, gdb and so on.

  • ctx.start()

The precondition for any attack is interacting with the target server or program; ctx.start() opens a remote socket that you can then read from and write to.

In [1]: from PwnContext import *

In [2]: ctx.remote = ('chall.pwnable.tw', 10205)

In [3]: ctx.start('remote')
[x] Opening connection to chall.pwnable.tw on port 10205
[x] Opening connection to chall.pwnable.tw on port 10205: Trying 139.162.123.119
[+] Opening connection to chall.pwnable.tw on port 10205: Done
Out[3]: <pwnlib.tubes.remote.remote at 0x7f97b158da10>

In [4]: print (ctx.recv())
>>

In [5]: ctx.sendline('test')

In [6]: print (ctx.recv())
Invalid choice
>>

In the same way, we can also start a local program and interact with it.

In [1]: from PwnContext import *

In [2]: ctx.binary = './test'
[*] '/home/0x2l/test'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

In [3]: ctx.start()
[x] Starting local process '/home/0x2l/test'
[+] Starting local process '/home/0x2l/test': pid 5234
Out[3]: <pwnlib.tubes.process.process at 0x7fa9edb001d0>

In [4]: print(ctx.recv())
Input your name:
$

In [5]: ctx.sendline('0x2l')

In [6]: print(ctx.recv())
Hello 0x2l

******************************
Welcome to my black weapon storage!
Now you can use it to do some evil things
1. create exploit
2. delete exploit
3. edit exploit
4. show exploit
5. exit
******************************
$

In [7]: ctx.sendline('5')

In [8]: print(ctx.recv())
[*] Process '/home/0x2l/test' stopped with exit code 0 (pid 5234)
bye~bye~ young hacker

ctx can also be used with gdb, similar to pwntools' gdb.debug, which makes it easy to break at the program entry point.

In [1]: ctx.start('gdb', gdbscript='b *0x602010\nc')

  • ctx.remote_libc

ctx.remote_libc specifies the libc file the challenge should load, so that a different version of libc.so can be used locally. After specifying the libc file you also need to set ctx.debug_remote_libc to True:

In [1]: from PwnContext.core import *

In [2]: ctx.binary = '/home/0x2l/desktop/the_world/Noleak/timu'
[*] '/home/0x2l/desktop/the_world/Noleak/timu'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments

In [3]: ctx.remote_libc = '/home/0x2l/desktop/the_world/Noleak/libc.so'
[*] '/home/0x2l/desktop/the_world/Noleak/libc.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

In [4]: ctx.debug_remote_libc = True

In [5]: ctx.start()
[*] Removing exist file /tmp/pwn/timu_debug
[+] PT_INTERP has changed from /lib64/ld-linux-x86-64.so.2 to /tmp/ld.so.2. Using temp file /tmp/pwn/timu_debug
[*] '/tmp/pwn/timu_debug'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments
[*] set env={'LD_PRELOAD': '/home/0x2l/desktop/the_world/Noleak/libc.so'} for debugging remote libc
[x] Starting local process '/tmp/pwn/timu_debug'
[+] Starting local process '/tmp/pwn/timu_debug': pid 7300
Out[5]: <pwnlib.tubes.process.process at 0x7fd156729b50>

In [6]: print ctx.libc.path
[*] loading libc with start address: 0x0
/home/0x2l/desktop/the_world/Noleak/libc.so

Oh, one very important point: the paths of the challenge binary and of the libc.so file must not contain Chinese characters, otherwise it errors out with a message saying the ld.so version is wrong.

  • ctx.custom_lib_dir

ctx.custom_lib_dir also specifies library files, but it is usually used to load the other libraries as well; you only need to give the directory path.

In [1]: from PwnContext.core import *

In [2]: ctx.binary = '/home/0x2l/desktop/the_world/Noleak/timu'
[*] '/home/0x2l/desktop/the_world/Noleak/timu'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments

In [3]: ctx.custom_lib_dir = '/lib/x86_64-linux-gnu'
[*] libc.so.6 found in custom_lib_dir, loading now
[*] '/lib/x86_64-linux-gnu/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

In [4]: ctx.debug_remote_libc = True

In [5]: ctx.start()
[*] Removing exist file /tmp/pwn/timu_debug
[+] PT_INTERP has changed from /lib64/ld-linux-x86-64.so.2 to /tmp/ld.so.2. Using temp file /tmp/pwn/timu_debug
[*] '/tmp/pwn/timu_debug'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments
[*] set env={'LD_PRELOAD': '/lib/x86_64-linux-gnu/libc.so.6', 'LD_LIBRARY_PATH': '/lib/x86_64-linux-gnu'} for debugging remote libc
[x] Starting local process '/tmp/pwn/timu_debug'
[+] Starting local process '/tmp/pwn/timu_debug': pid 7444
Out[5]: <pwnlib.tubes.process.process at 0x7f2573fca6d0>

In [6]: print ctx.libc.path
[*] '/lib/x86_64-linux-gnu/libc-2.23.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] loading libc with start address: 0x0
/lib/x86_64-linux-gnu/libc-2.23.so

  • one_gadget

one_gadget is wrapped too.

In [1]: from PwnContext.core import *

In [2]: print one_gadgets('/lib/x86_64-linux-gnu/libc.so.6')
[+] dump one_gadgets from /lib/x86_64-linux-gnu/libc.so.6 : [283158, 283242, 983716, 987463]
[283158, 283242, 983716, 987463]

In [3]: print 'now we run it again.it will use cache to speed up'
now we run it again.it will use cache to speed up

In [4]: print one_gadgets('/lib/x86_64-linux-gnu/libc.so.6')
[+] using cached gadgets /home/dylan/.one_gadgets/238e834fc5baa8094f5db0cde465385917be4c6a
[283158, 283242, 983716, 987463]
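
To make concrete two things the sessions above show, namely what welpwn touches when it loads a remote libc (the PT_INTERP segment it rewrites to /tmp/ld.so.2, and the NX/PIE/RWX lines it prints from the ELF type and program-header flags) and how its one_gadget cache avoids repeating work on the second run, here is an added example. It is not code from welpwn or from the original post. It parses a constructed, non-loadable ELF64 image for the interpreter path, NX (PT_GNU_STACK flags), PIE (ET_DYN) and RWX PT_LOAD segments, then caches the result in a file named by the SHA-1 of the contents, in the spirit of the ~/.one_gadgets/<sha1> path seen above. The cache layout, the NX rule (no PT_GNU_STACK means an executable stack), and the helper names build_sample_elf, inspect_elf, cached_inspect and demo are assumptions of this example.

```python
import hashlib
import json
import os
import struct
import tempfile

# ELF constants (values from the ELF64 specification)
ET_EXEC, ET_DYN = 2, 3
EM_X86_64 = 62
PT_LOAD, PT_INTERP, PT_GNU_STACK = 1, 3, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr


def build_sample_elf(e_type=ET_EXEC, stack_flags=PF_R | PF_W,
                     load_flags=PF_R | PF_X,
                     interp=b"/lib64/ld-linux-x86-64.so.2"):
    """Constructed sample input: a minimal ELF64 image with three program headers.
    It is not loadable; it only exercises the parser below."""
    interp_bytes = interp + b"\0"
    interp_off = EHDR.size + 3 * PHDR.size          # string sits right after the headers
    phdrs = [
        PHDR.pack(PT_INTERP, PF_R, interp_off, 0, 0, len(interp_bytes), len(interp_bytes), 1),
        PHDR.pack(PT_LOAD, load_flags, 0, 0x400000 if e_type == ET_EXEC else 0, 0,
                  0x1000, 0x1000, 0x1000),
        PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian, v1
    ehdr = EHDR.pack(ident, e_type, EM_X86_64, 1, 0x400000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs) + interp_bytes


def inspect_elf(data):
    """Read the fields welpwn/pwntools report: interpreter path, NX, PIE, RWX segments."""
    (ident, e_type, e_machine, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    # Simplification: with no PT_GNU_STACK at all, report the stack as executable.
    interp, nx, rwx = None, False, False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            # This is the segment welpwn rewrites so the binary starts under /tmp/ld.so.2
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            rwx = True
    return {"x86_64": e_machine == EM_X86_64, "interp": interp,
            "nx": nx, "pie": e_type == ET_DYN, "rwx": rwx}


def cached_inspect(path, cache_dir):
    """Digest-keyed cache modelled on welpwn's ~/.one_gadgets/<sha1> files (layout assumed).
    Returns (result, cache_hit). Keying on the content hash rather than the path means the
    same libc copied elsewhere still hits, while a different build with the same name does not."""
    with open(path, "rb") as f:
        data = f.read()
    cache_file = os.path.join(cache_dir, hashlib.sha1(data).hexdigest())
    if os.path.exists(cache_file):
        with open(cache_file) as f:
            return json.load(f), True
    result = inspect_elf(data)
    os.makedirs(cache_dir, exist_ok=True)
    with open(cache_file, "w") as f:
        json.dump(result, f)
    return result, False


def demo():
    """Write the sample image twice under different names; only the first call does real work."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = os.path.join(tmp, "cache")
        first = os.path.join(tmp, "libc.so")
        second = os.path.join(tmp, "copy", "libc.so.6")
        os.makedirs(os.path.dirname(second))
        for p in (first, second):
            with open(p, "wb") as f:
                f.write(build_sample_elf())
        r1, hit1 = cached_inspect(first, cache)
        r2, hit2 = cached_inspect(second, cache)
        return hit1, hit2, r1 == r2


if __name__ == "__main__":
    print(inspect_elf(build_sample_elf()))
    print(inspect_elf(build_sample_elf(e_type=ET_DYN, stack_flags=PF_R | PF_W | PF_X,
                                       load_flags=PF_R | PF_W | PF_X)))
    print(demo())
```

The second call in demo() hits the cache even though the file lives at a different path, which is exactly the "using cached gadgets" behaviour of the one_gadgets run above; the second inspect_elf call in main reproduces the "NX disabled / Has RWX segments" combination the timu binary shows.
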

  • libc-database

It also supports lookups against libc-database, but I find it less convenient than LibcSearcher, so I recommend LibcSearcher instead.


Project: https://github.com/lieanu/LibcSearcher

  • Template

The following command generates an exploit template:

python start.py --template

The template looks like this:

#https://github.com/matrix1001/welpwn
from PwnContext import *

try:
    from IPython import embed as ipy
except ImportError:
    print ('IPython not installed.')

if __name__ == '__main__':        
    # context.terminal = ['tmux', 'splitw', '-h'] # uncomment this if you use tmux
    context.log_level = 'debug'
    # functions for quick script
    s       = lambda data               :ctx.send(str(data))        #in case that data is an int
    sa      = lambda delim,data         :ctx.sendafter(str(delim), str(data)) 
    st      = lambda delim,data         :ctx.sendthen(str(delim), str(data)) 
    sl      = lambda data               :ctx.sendline(str(data)) 
    sla     = lambda delim,data         :ctx.sendlineafter(str(delim), str(data)) 
    slt     = lambda delim,data         :ctx.sendlinethen(str(delim), str(data)) 
    r       = lambda numb=4096          :ctx.recv(numb)
    ru      = lambda delims, drop=True  :ctx.recvuntil(delims, drop)
    irt     = lambda                    :ctx.interactive()
    rs      = lambda *args, **kwargs    :ctx.start(*args, **kwargs)
    leak    = lambda address, count=0   :ctx.leak(address, count)
    dbg     = lambda *args, **kwargs    :ctx.debug(*args, **kwargs)
    # misc functions
    uu32    = lambda data   :u32(data.ljust(4, '\0'))
    uu64    = lambda data   :u64(data.ljust(8, '\0'))

    ctx.binary = './pwn'
    ctx.remote_libc = './libc.so'
    ctx.remote = ('1.1.1.1', 1111)
    ctx.debug_remote_libc = False # True for debugging remote libc, false for local.

    rs()
    # rs('remote') # uncomment this for exploiting remote target

    libc = ctx.libc # ELF object of the corresponding libc.

    # ipy() # if you have ipython, you can use this to check variables.

This one is a matter of taste, since everyone's coding habits differ. I've always used the template that ships with pwntools, so I'm not used to this one either 233

About me

blog: https://0x2l.github.io/


Last edited on 2020-5-1 21:49 by 0x2l, reason: edit