pwntools install and Getting Started (ftp connection)
ref : https://media.readthedocs.org/pdf/pwntools/2.2/pwntools.pdf
1. Installation
apt-get install python2.7 python2.7-dev python-pip
pip install --upgrade pwntools
1.1 If binutils conflicts or fails to install because of the NDK
$ sudo apt-get remove binutils
$ sudo apt-get install libssl-dev
$ sudo apt-get install git
$ sudo apt-get install libc6-armel-cross libc6-dev-armel-cross
$ sudo apt-get install binutils-arm-linux-gnueabi
$ sudo apt-get install libncurses5-dev
$ sudo apt-get install gcc-arm-linux-gnueabi
$ sudo apt-get install g++-arm-linux-gnueabi
$ sudo apt-get install u-boot-tools
$ sudo apt-get install emdebian-archive-keyring
$ git clone https://github.com/Gallopsled/pwntools.git
2. Getting Started (ftp connection)
hacker@ubuntu:~/pwntools/test$ python
Python 2.7.12+ (default, Sep  1 2016, 20:27:38)
[GCC 6.2.0 20160927] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> conn = remote('ftp.debian.org',21)
[x] Opening connection to ftp.debian.org on port 21
[x] Opening connection to ftp.debian.org on port 21: Trying 130.89.148.12
[+] Opening connection to ftp.debian.org on port 21: Done
>>> conn.recvline()
'220 ftp.debian.org FTP server\r\n'
>>> conn.send('USER anonymous\r\n')
>>> conn.recvuntil(' ', drop=True)
'331'
>>> conn.recvline()
'Please specify the password.\r\n'
>>> conn.close()
[*] Closed connection to ftp.debian.org port 21
>>>
3. Getting Started (ssh connection)
hacker@ubuntu:~/pwntools/test$ python
Python 2.7.12+ (default, Sep  1 2016, 20:27:38)
[GCC 6.2.0 20160927] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> shell = ssh('hacker', '127.0.0.1', password='hacker')
[x] Connecting to 127.0.0.1 on port 22
[+] Connecting to 127.0.0.1 on port 22: Done
>>> shell.download_file('/etc/passwd')
[x] Downloading '/etc/passwd' to 'passwd'
[x] Downloading '/etc/passwd' to 'passwd': 2.29KB/2.29KB
[+] Downloading '/etc/passwd' to 'passwd': Done
>>> sh = shell.run('sh')
[x] Opening new channel: 'sh'
[+] Opening new channel: 'sh': Done
>>> sh.sendline('sleep 3; echo hello world;')
>>> sh.recvline(timeout=1)
'$ hello world\n'
>>> sh.recvline(timeout=5)
''
>>> shell.close()
[*] Closed connection to '127.0.0.1'
>>>
3. Getting Started (listener)
>>> l = listen()
[x] Trying to bind to 0.0.0.0 on port 0
[x] Trying to bind to 0.0.0.0 on port 0: Trying 0.0.0.0
[+] Trying to bind to 0.0.0.0 on port 0: Done
[x] Waiting for connections on 0.0.0.0:46449
>>> r = remote('localhost', l.lport)
[x] Opening connection to localhost on port 46449
[x] Opening connection to localhost on port 46449: Trying 127.0.0.1
[+] Waiting for connections on 0.0.0.0:46449: Got connection from 127.0.0.1 on port 39064
[+] Opening connection to localhost on port 46449: Done
>>> c = l.wait_for_connection()
>>> r.send('hello')
>>> c.recv()
'hello'
>>>
3. Getting Started (misc)
>>> sh = process('/bin/sh')
[x] Starting local process '/bin/sh'
[+] Starting local process '/bin/sh': Done
>>> sh.sendline('sleep 3; echo hello world;')
>>> sh.recvline(timeout=1)
'hello world\n'
>>> sh.recvline(timeout=5)
''
>>> sh.close()
[*] Stopped program '/bin/sh'
>>>

>>> asm('nop')
'\x90'
>>> enhex(asm('mov eax, 0'))
'b800000000'
>>> print(disasm(unhex('6a0258cd80ebf9')))
   0:   6a 02                   push   0x2
   2:   58                      pop    eax
   3:   cd 80                   int    0x80
   5:   eb f9                   jmp    0x0
>>> enhex(asm(shellcraft.setreuid() + shellcraft.dupsh(4)))
'6a3158cd8089c36a465889d9cd806a045b6a0359496a3f58cd8075f868010101018134247269010131d2526a045a01e25289e26a68682f2f2f73682f62696e6a0b5889e389d199cd80'
>>> print(cyclic(20))
aaaabaaacaaadaaaeaaa
>>> print(cyclic_find('faab'))
120
>>> e = ELF('/bin/cat')
[*] '/bin/cat'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE
    FORTIFY:  Enabled
>>> print(hex(e.symbols['write']))
0x401620
>>> print(hex(e.got['write']))
0x60c068
>>> print(hex(e.plt['write']))
0x401620
>>> e = ELF('/bin/cat')
>>> e.read(e.address+1, 3)
'ELF'
>>> e.asm(e.address, 'ret')
>>> e.save('/tmp/quiet-cat')
>>> disasm(open('/tmp/quiet-cat', 'rb').read(1))
'   0:   c3                      ret'
>>>
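The session above calls cyclic(20) and cyclic_find('faab') without saying how the pattern is built. The following is an added example, not code from the post or from pwntools: a plain Python 3 reimplementation of the same De Bruijn construction (alphabet a-z, every 4-byte window unique), so that it reproduces exactly the two values shown ('aaaabaaacaaadaaaeaaa' and 120) and shows why a 4-byte slice of a crash register maps back to one offset in the input. It goes one step beyond the session by also accepting the register value as a little-endian integer, which pwntools' cyclic_find does as well.

```python
import struct
from functools import lru_cache
from string import ascii_lowercase

ALPHABET = ascii_lowercase
N = 4  # window size: every 4 consecutive chars occur exactly once


@lru_cache(maxsize=None)
def de_bruijn(alphabet=ALPHABET, n=N):
    """Lexicographically smallest De Bruijn sequence B(k, n) as a str.

    Same recursive construction pwntools uses, so the prefix matches the
    cyclic() output in the session. Length is k**n (456976 for a-z, n=4).
    """
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(alphabet[a[j]] for j in range(1, p + 1))
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(out)


def cyclic(length):
    """First `length` chars of the pattern, like pwntools cyclic(length)."""
    seq = de_bruijn()
    if length > len(seq):
        raise ValueError("pattern of %d bytes needs a larger n" % length)
    return seq[:length]


def cyclic_find(subseq):
    """Offset of a 4-char window in the pattern, like pwntools cyclic_find().

    An int is taken as the 32-bit little-endian value read from a crashed
    register (0x62616166 is b'faab'), which is how the value usually arrives
    when triaging a crash produced by feeding cyclic() data to a program.
    Returns -1 if the window is not part of the pattern.
    """
    if isinstance(subseq, int):
        subseq = struct.pack("<I", subseq).decode("ascii")
    if len(subseq) != N:
        raise ValueError("window must be exactly %d chars" % N)
    return de_bruijn().find(subseq)
```

Because every 4-char window is unique, the offset returned is unambiguous for any input shorter than 26**4 bytes; longer inputs need a larger n.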
** For details on installing pip, see the link below