
pwntools install and Getting Started (ftp connection)

by SpeeDr00t 2016. 11. 2.



ref : https://media.readthedocs.org/pdf/pwntools/2.2/pwntools.pdf


1. Installation

  apt-get install python2.7 python2.7-dev python
  pip install --upgrade pwntools

 

1.1 When binutils conflicts or fails to install because of the NDK

  
  $ sudo apt-get remove binutils
  $ sudo apt-get install libssl-dev 
  $ sudo apt-get install git
  $ sudo apt-get install libc6-armel-cross libc6-dev-armel-cross
  $ sudo apt-get install binutils-arm-linux-gnueabi
  $ sudo apt-get install libncurses5-dev
  $ sudo apt-get install gcc-arm-linux-gnueabi
  $ sudo apt-get install g++-arm-linux-gnueabi
  $ sudo apt-get install u-boot-tools
  $ sudo apt-get install emdebian-archive-keyring

  git clone https://github.com/Gallopsled/pwntools.git

 

2. Getting Started (ftp connection)

  
hacker@ubuntu:~/pwntools/test$ python
Python 2.7.12+ (default, Sep  1 2016, 20:27:38) 
[GCC 6.2.0 20160927] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> conn = remote('ftp.debian.org',21)
[x] Opening connection to ftp.debian.org on port 21
[x] Opening connection to ftp.debian.org on port 21: Trying 130.89.148.12
[+] Opening connection to ftp.debian.org on port 21: Done
>>> conn.recvline()
'220 ftp.debian.org FTP server\r\n'
>>> conn.send('USER anonymous\r\n')
>>> conn.recvuntil(' ', drop=True)
'331'
>>> conn.recvline()
'Please specify the password.\r\n'
>>> conn.close()
[*] Closed connection to ftp.debian.org port 21
>>> 
>>> 


3. Getting Started (ssh connection)


  
hacker@ubuntu:~/pwntools/test$ python
Python 2.7.12+ (default, Sep  1 2016, 20:27:38) 
[GCC 6.2.0 20160927] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> shell = ssh('hacker', '127.0.0.1', password='hacker')
[x] Connecting to 127.0.0.1 on port 22
[+] Connecting to 127.0.0.1 on port 22: Done
>>> shell.download_file('/etc/passwd')
[x] Downloading '/etc/passwd' to 'passwd'
[x] Downloading '/etc/passwd' to 'passwd': 2.29KB/2.29KB
[+] Downloading '/etc/passwd' to 'passwd': Done
>>> sh = shell.run('sh')
[x] Opening new channel: 'sh'
[+] Opening new channel: 'sh': Done
>>> sh.sendline('sleep 3; echo hello world;') 
>>> sh.recvline(timeout=1)
'$ hello world\n'
>>> sh.recvline(timeout=5)
''
>>> shell.close()
[*] Closed connection to '127.0.0.1'
>>> 
>>> 


4. Getting Started (listener)

  
>>> l = listen()
[x] Trying to bind to 0.0.0.0 on port 0
[x] Trying to bind to 0.0.0.0 on port 0: Trying 0.0.0.0
[+] Trying to bind to 0.0.0.0 on port 0: Done
[x] Waiting for connections on 0.0.0.0:46449
>>> r =remote('localhost', l.lport)
[x] Opening connection to localhost on port 46449
[x] Opening connection to localhost on port 46449: Trying 127.0.0.1
[+] Waiting for connections on 0.0.0.0:46449: Got connection from 127.0.0.1 on port 39064
[+] Opening connection to localhost on port 46449: Done
>>> c = l.wait_for_connection()
>>> r.send('hello')
>>> c.recv()
'hello'
>>> 
>>> 



5. Getting Started (misc)

  
>>> sh = process('/bin/sh')
[x] Starting local process '/bin/sh'
[+] Starting local process '/bin/sh': Done
>>> sh.sendline('sleep 3; echo hello world;')
>>> sh.recvline(timeout=1)
'hello world\n'
>>> sh.recvline(timeout=5)
''
>>> sh.close()
[*] Stopped program '/bin/sh'
>>> 

  
>>> asm('nop')
'\x90'
>>> enhex(asm('mov eax, 0'))
'b800000000'
>>> print(disasm(unhex('6a0258cd80ebf9')))
   0:   6a 02                   push   0x2
   2:   58                      pop    eax
   3:   cd 80                   int    0x80
   5:   eb f9                   jmp    0x0
>>> enhex(asm(shellcraft.setreuid() + shellcraft.dupsh(4)))
'6a3158cd8089c36a465889d9cd806a045b6a0359496a3f58cd8075f868010101018134247269010131d2526a045a01e25289e26a68682f2f2f73682f62696e6a0b5889e389d199cd80'
>>> print(cyclic(20))
aaaabaaacaaadaaaeaaa
>>> print(cyclic_find('faab'))
120
>>> e = ELF('/bin/cat')
[*] '/bin/cat'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE
    FORTIFY:  Enabled
>>> print(hex(e.symbols['write'])) 
0x401620
>>> print(hex(e.got['write']))
0x60c068
>>> print(hex(e.plt['write'])) 
0x401620
>>> e = ELF('/bin/cat')
>>> e.read(e.address+1, 3)
'ELF'
>>> e.asm(e.address, 'ret')
>>> e.save('/tmp/quiet-cat')
>>> disasm(open('/tmp/quiet-cat', 'rb').read(1))
'   0:   c3                      ret'
>>> 
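The cyclic(20) and cyclic_find('faab') calls in the session above are pwntools helpers for measuring how far into a buffer a crashing input reached: the pattern is a de Bruijn sequence, so every 4-byte window appears exactly once and its position identifies the offset. The block below is an added example, not pwntools' own code; it reimplements both helpers in plain Python (no pwntools needed) using the standard FKM Lyndon-word construction, and also accepts an integer read from a register (little-endian), which pwntools' cyclic_find supports too.

```python
# Pure-Python reimplementation of pwntools' cyclic() / cyclic_find().
# Added example (not pwntools' own source); alphabet and n=4 match the defaults
# that produced 'aaaabaaacaaadaaaeaaa' and cyclic_find('faab') == 120 above.

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the lexicographically smallest de Bruijn sequence B(k, n)
    character by character (FKM algorithm: concatenation of Lyndon words
    whose length divides n, in lexicographic order)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for c in a[1:p + 1]:
                    yield alphabet[c]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4):
    """First `length` characters of the pattern (pwntools: cyclic(length))."""
    out = []
    for ch in de_bruijn(n=n):
        if len(out) == length:
            break
        out.append(ch)
    return "".join(out)


def cyclic_find(subseq, n=4):
    """Offset of an n-character window in the pattern, or -1 if absent.
    An int (e.g. a register value from a crash) is unpacked little-endian."""
    if isinstance(subseq, int):
        subseq = subseq.to_bytes(n, "little").decode("ascii")
    if len(subseq) != n:
        raise ValueError("subsequence must be exactly %d characters" % n)
    window = ""
    for i, ch in enumerate(de_bruijn(n=n)):
        window = (window + ch)[-n:]
        if window == subseq:
            return i - n + 1  # i is the index of the window's last character
    return -1
```

Usage: cyclic_find(0x62616166) is the same lookup as cyclic_find('faab'), since 0x62616166 is 'faab' read as a little-endian 32-bit value.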


** For details on installing pip, see the link below

http://speedr00t.tistory.com/entry/windows10-%EC%97%90%EC%84%9C-setuptools-%EB%B0%8F-pip-%EC%84%A4%EC%B9%98
