Study link: http://docs.pwntools.com/en/stable/intro.html
This imports a lot of functionality into the global namespace. You can now assemble, disassemble, pack, unpack, and many other things with a single function.
A full list of everything that is imported is available in the documentation under from pwn import *.
Making Connections
Pwntools talks to the challenge binary through its pwnlib.tubes module.
Remote connect (pwnlib.tubes.remote):
>>> from pwn import *
>>> conn = remote("ftp.ubuntu.com",21)
>>> conn.recvline()
'220 ...'
>>> conn.send('USER anonymous\r\n')
>>> conn.recvuntil(' ', drop=True)
'331'
>>> conn.recvline()
'Please specify the password.\r\n'
>>> conn.close()
NOTICE: The \n at the end of the input is important, because most C-like programs treat \n as the signal to flush the input buffer.
It’s also easy to spin up a listener:
>>> from pwn import *
>>> l = listen(8080)
>>> r = remote('localhost', l.lport)
>>> c = l.wait_for_connection()
>>> r.send('hello')
>>> c.recv()
Process connect (pwnlib.tubes.process):
>>> sh = process('/bin/sh')
>>> sh.sendline('sleep 3; echo hello world;')
>>> sh.recvline(timeout=1)
''
>>> sh.recvline(timeout=5)
'hello world\n'
>>> sh.close()
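The remote FTP exchange above and the timeout behaviour of the process example both rely on how a tube buffers data: recvline and recvuntil consume only up to the delimiter, and a timed-out read returns an empty string without losing what has already arrived. The following is an added example, not pwntools code: a small standard-library stand-in for a tube (the Tube class, start_server and demo are assumed names) that replays the USER/331 exchange against a constructed local peer, so it runs offline.

```python
import socket
import threading
import time

class Tube:  # stdlib stand-in for a pwntools tube (assumption: not pwntools code)
    def __init__(self, sock):
        self.sock, self.buf = sock, b""
    def send(self, data):
        self.sock.sendall(data)
    def recvline(self, timeout=None):
        return self.recvuntil(b"\n", timeout=timeout)
    def recvuntil(self, delim, drop=False, timeout=None):
        # On timeout return b"" but keep what was buffered, as pwntools does.
        deadline = None if timeout is None else time.monotonic() + timeout
        while delim not in self.buf:
            self.sock.settimeout(None if deadline is None else max(1e-3, deadline - time.monotonic()))
            try:
                chunk = self.sock.recv(4096)
            except socket.timeout:
                return b""
            if not chunk:  # peer closed before the delimiter arrived
                return b""
            self.buf += chunk
        before, _, self.buf = self.buf.partition(delim)
        return before if drop else before + delim

def start_server(delay):  # constructed FTP-like peer: greet, read the USER line, answer after `delay`
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        c, _ = srv.accept()
        c.sendall(b"220 constructed test server\r\n")
        c.recv(1024)  # the USER line; its trailing newline is what a line-oriented reader waits for
        time.sleep(delay)
        c.sendall(b"331 Please specify the password.\r\n")
        c.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo(delay=1.0):  # replay the page's FTP exchange against the local peer
    port = start_server(delay)
    conn = Tube(socket.create_connection(("127.0.0.1", port)))
    banner = conn.recvline()                           # b"220 ...\r\n"
    conn.send(b"USER anonymous\r\n")
    early = conn.recvline(timeout=0.2)                 # b"": reply not in yet, nothing is lost
    code = conn.recvuntil(b" ", drop=True, timeout=5)  # b"331"
    rest = conn.recvline(timeout=5)                    # b"Please specify the password.\r\n"
    conn.sock.close()
    return banner, early, code, rest
```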
Not only can you interact with processes programmatically, but you can also hand the process over to your terminal and interact with it directly:
>>> sh.interactive()
$ whoami
user
SSH connect (pwnlib.tubes.ssh):
>>> shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
>>> shell['whoami']
'bandit0'
>>> shell.download_file('/etc/motd')
>>> sh = shell.run('sh')
>>> sh.sendline('sleep 3; echo hello world;')
>>> sh.recvline(timeout=1)
''
>>> sh.recvline(timeout=5)
'hello world\n'
>>> shell.close()