0x00 寫在前面

由于如今各種ELF文件libc版本跨度比較大，采用虛擬機(jī)模式顯得過于冗余，于是準(zhǔn)備將做題環(huán)境都放到docker中。原本打算是每個版本的libc找個docker，但很幸運(yùn)地發(fā)現(xiàn)了一個名為skysider/pwndocker的docker，該docker為libc-2.27版本，其上除了正常的做題環(huán)境外還集成了多個libc的版本，可以用LD_PRELOAD來選擇不同的libc版本，用習(xí)慣了之后還是挺方便的。就是每次要加載不同的libc時，process函數(shù)寫的太長了，比較麻煩，然后以及原來寫exp時pwntools的各種函數(shù)都時敲全名，借此機(jī)會封裝了個傻逼庫，以后更新博客也就都用這個庫了。目前是函數(shù)的形式進(jìn)行封裝，等以后的功能多了可以考慮改成對象的形式進(jìn)行封裝。

0x01 Fish.py

from pwn import *

def get_shell(binary_name , libc_version , OSbit):
    global p , version , OS , libc , elf
    version = libc_version
    OS = OSbit

    libc_path = '/glibc/' + str(version) + '/' + str(OS) + '/lib/libc-' + str(version) + '.so'
    ld_path = '/glibc/' + str(version) + '/' + str(OS) + '/lib/ld-' + str(version) + '.so'

    if(binary_name.find(':') != -1):
        p = remote(binary_name.split(':')[1] , int(binary_name.split(':')[2]))
        binary_name = binary_name.split(':')[0]
    elif(version == 2.27):
        p = process('./' + binary_name)
    else:
        p = process([ld_path,"./"+binary_name],env={"LD_PRELOAD":libc_path})

    elf = ELF(binary_name)
    libc = ELF(libc_path)


def get_gadget():
    if(OS == 64):
        if(version == 2.19):
            gadget = [0x403ff , 0x40453 , 0xd806f]
        if(version == 2.23):
            gadget = [0x3f3d6 , 0x3f42a , 0xd5bf7]
        if(version == 2.24):
            gadget = [0x3f4b6 , 0x3f50a , 0xd6635]
        if (version == 2.27):
            gadget = [0x4f2c5 , 0x4f322 , 0x10a38c]
        if (version == 2.28):
            gadget = [0x41982 , 0x419d6 , 0xdf882]
        if (version == 2.29):
            gadget = [0xc1710 , 0xdf202 , 0xdf20e]
    else:
        if(version == 2.19):
            gadget = [0x3b056 , 0x3b058 , 0x3b05c , 0x3b063 , 0x64729 , 0x6472a , 0x123e6c , 0x123e6d]
        if(version == 2.23):
            gadget = [0x3a61c , 0x3a61e , 0x3a622 , 0x3a629 , 0x5ee65 , 0x5ee66]
        if(version == 2.24):
            gadget = [0x3a32c , 0x3a32e , 0x3a332 , 0x3a339 , 0x5f6b5 , 0x5f6b6]
        if (version == 2.27):
            gadget = [0x3d0d3 , 0x3d0d5 , 0x3d0d9 , 0x3d0e0 , 0x67a7f , 0x67a80 , 0x137e5e , 0x137e5f]
        if (version == 2.28):
            gadget = [0x3c43b , 0x3c43d , 0x3c441 , 0x3c448 , 0x65a04 , 0x65a05 , 0x12e82c , 0x12e82d]
        if (version == 2.29):
            gadget = [0x12de0c , 0x12de0d]
    for i in range(len(gadget)):
        gadget[i] += libc.address
        success('Gadget[' + str(i) + '] => ' + hex(gadget[i]))
    return gadget

def ru(text):
    return p.recvuntil(text)

def rcv(count):
    return p.recv(count)

def sl(text):
    return p.sendline(str(text))

def sd(text):
    return p.send(str(text))

def Esym(func):
    success('{0}_addr => {1}'.format(func.lstrip('_') , hex(elf.symbols[func])))
    return elf.symbols[func]

def got(func):
    success('{0}_got => {1}'.format(func , hex(elf.got[func])))
    return elf.got[func]

def plt(func):
    success('{0}_plt => {1}'.format(func , hex(elf.plt[func])))
    return elf.plt[func]

def LeakStrFormat(text):
    return u64(text.rjust(8 , '\x00'))

def LeakCharFormat(text):
    return u64(text.ljust(8 , '\x00'))

def SetELFBase(ELFBase):
    elf.address = ELFBase
    success('ELF_base => {0}'.format(hex(ELFBase)))
    return elf.address

def SetLibcBase(LibcBase):
    libc.address = LibcBase
    success('Libc_base => {0}'.format(hex(LibcBase)))
    return libc.address

def SetHeapBase(HeapBase):
    success('Heap_base => {0}'.format(hex(HeapBase)))
    return HeapBase

def sym(func):
    success('{0}_addr => {1}'.format(func.lstrip('_') , hex(libc.symbols[func])))
    return libc.symbols[func]

def binsh():
    binsh_addr = libc.search('/bin/sh\x00').next()
    success('binsh_addr => {0}'.format(hex(binsh_addr)))
    return binsh_addr

def debug():
    print pidof(p)
    raw_input()

def active():
    return p.interactive()

def close():
    return p.close()

def dbglog():
    context.log_level = 'debug'