Etc/Pwntools reference

1. from pwn import *


Translation in progress.


The most common way to use pwntools is:


>>> from pwn import *


Below is a rough list of the objects and routines that this import brings in, ordered roughly by how often they are used.



  • context
    • pwnlib.context.context
    • Responsible for almost every setting that makes pwntools convenient to use.
    • When an exploit is not behaving, set context.log_level = 'debug'.
    • Scope-aware, so you can disable logging for a subsection of code via pwnlib.context.ContextType.local
  • remote, listen, ssh, process
    • pwnlib.tubes
    • A wrapper that makes almost every feature you need in a CTF really easy to use.
    • Connect to anything anywhere and do what you need to.
    • Use commands such as recvline, recvuntil, clean, etc.
    • Call .interactive() whenever you want to talk to the other end directly.
  • p32 and u32
    • pwnlib.util.packing
    • Useful functions to make sure you never have to remember if '>' means signed or unsigned for struct.pack, and no more ugly [0] index at the end.
    • Set signed and endian in sane manners (also these can be set once on context and not bothered with again)
    • Most common sizes are pre-defined (u8, u64, etc), and pwnlib.util.packing.pack() lets you define your own.
  • log
  • cyclic and cyclic_func
    • pwnlib.util.cyclic
    • Utilities for generating strings such that you can find the offset of any given substring given only N (usually 4) bytes. This is super useful for straight buffer overflows. Instead of looking at 0x41414141, you could know that 0x61616171 means you control EIP at offset 64 in your buffer.
  • asm and disasm
    • pwnlib.asm
    • Quickly turn assembly into some bytes, or vice-versa, without mucking about
    • Supports any architecture for which you have a binutils installed
    • Over 20 different architectures have pre-built binaries at ppa:pwntools/binutils.
  • shellcraft
    • pwnlib.shellcraft
    • Library of shellcode ready to go
    • asm(shellcraft.sh()) gives you a shell
    • Templating library for reusability of shellcode fragments
  • ELF
    • pwnlib.elf
    • ELF binary manipulation tools, including symbol lookup, virtual memory to file offset helpers, and the ability to modify and save binaries back to disk
  • DynELF
    • pwnlib.dynelf
    • Dynamically resolve functions given only a pointer to any loaded module, and a function which can leak data at any address
  • ROP
    • pwnlib.rop
    • Automatically generate ROP chains using a DSL to describe what you want to do, rather than raw addresses
  • gdb.debug and gdb.attach
    • pwnlib.gdb
    • Launch a binary under GDB and pop up a new terminal to interact with it. Automates setting breakpoints and makes iteration on exploits MUCH faster.
    • Alternately, attach to a running process given a PID, pwnlib.tubes object, or even just a socket that’s connected to it
  • args
    • Dictionary containing all-caps command-line arguments for quick access
    • Run via python foo.py REMOTE=1 and args['REMOTE'] == '1'.
    • Can also control logging verbosity and terminal fanciness
      • NOTERM
      • SILENT
      • DEBUG
  • randoms, rol, ror, xor, bits
    • pwnlib.util.fiddling
    • Useful utilities for generating random data from a given alphabet, or simplifying math operations that usually require masking off with 0xffffffff or calling ord and chr an ugly number of times
  • net
  • proc
  • pause
    • It’s the new getch
  • safeeval

These are all pretty self explanatory, but are useful to have in the global namespace.

  • hexdump
  • read and write
  • enhex and unhex
  • more
  • group
  • align and align_down
  • urlencode and urldecode
  • which
  • wget

Additionally, all of the following modules are auto-imported for you. You were going to do it anyway.

  • os
  • sys
  • time
  • requests
  • re
  • random

