pwnlib.tubes.ssh — SSH
class pwnlib.tubes.ssh.ssh(user, host, port=22, password=None, key=None, keyfile=None, proxy_command=None, proxy_sock=None, level=None, cache=True, ssh_agent=False, *a, **kw) [source]

Creates a new ssh connection.

Parameters:
- user (str) – The username to log in with
- host (str) – The hostname to connect to
- port (int) – The port to connect to
- password (str) – Try to authenticate using this password
- key (str) – Try to authenticate using this private key. The string should be the actual private key.
- keyfile (str) – Try to authenticate using this private key. The string should be a filename.
- proxy_command (str) – Use this as a proxy command. It has approximately the same semantics as ProxyCommand from ssh(1).
- proxy_sock (str) – Use this socket instead of connecting to the host.
- timeout – Timeout, in seconds
- level – Log level
- cache – Cache downloaded files (by hash/size/timestamp)
- ssh_agent – If True, enable usage of keys via ssh-agent

NOTE: The proxy_command and proxy_sock arguments are only available if a fairly new version of paramiko is used.
checksec() [source]

Prints a helpful message about the remote system.

Parameters:
- banner (bool) – Whether to print the path to the ELF binary.
connect_remote(host, port, timeout = Timeout.default) → ssh_connecter [source]

Connects to a host through an SSH connection. This is equivalent to using the -L flag on ssh: the TCP connection is opened from the SSH server, so host and port are resolved from the server's point of view and may name services that are only reachable from there. Returns a pwnlib.tubes.ssh.ssh_connecter object.

Examples

>>> from pwn import *
>>> l = listen()
>>> s = ssh(host='example.pwnme',
...         user='travis',
...         password='demopass')
>>> a = s.connect_remote(s.host, l.lport)
>>> b = l.wait_for_connection()
>>> a.sendline('Hello')
>>> print repr(b.recvline())
'Hello\n'
connected() [source]

Returns True if we are connected.

Example

>>> s = ssh(host='example.pwnme',
...         user='travis',
...         password='demopass')
>>> s.connected()
True
>>> s.close()
>>> s.connected()
False
download(file_or_directory, local=None) [source]

Download a file or directory from the remote host.
download_data(remote) [source]

Downloads a file from the remote server and returns it as a string.

Parameters:
- remote (str) – The remote filename to download.

Examples

>>> with file('/tmp/bar','w+') as f:
...     f.write('Hello, world')
>>> s = ssh(host='example.pwnme',
...         user='travis',
...         password='demopass',
...         cache=False)
>>> s.download_data('/tmp/bar')
'Hello, world'
>>> # Pretend SFTP is unavailable so the non-SFTP fallback path is exercised
>>> s._sftp = None
>>> s._tried_sftp = True
>>> s.download_data('/tmp/bar')
'Hello, world'
download_dir(remote=None, local=None) [source]

Recursively downloads a directory from the remote server.

Parameters:
- local – Local directory
- remote – Remote directory
download_file(remote, local=None) [source]

Downloads a file from the remote server.

The file is cached in /tmp/pwntools-ssh-cache using a hash of the file, so calling the function twice has little overhead. Pass cache=False to the ssh() constructor when the current remote contents are needed rather than a cached copy.
get(file_or_directory, local=None) [source]

Alias for download(file_or_directory, local=None): download a file or directory from the remote host.
getenv(variable, **kwargs) [source]

Retrieve the address of an environment variable on the remote system.

Note

The exact address will differ based on what other environment variables are set, as well as argv[0], since both are copied onto the process's initial stack. In order to ensure that the path is exactly the same, it is recommended to invoke the process with argv=[].
interactive(shell=None) [source]

Create an interactive session.

This is a simple wrapper for creating a new pwnlib.tubes.ssh.ssh_channel object and calling pwnlib.tubes.ssh.ssh_channel.interactive() on it.
libs(remote, directory=None) [source]

Downloads the libraries referred to by a file.

This is done by running ldd on the remote server, parsing the output and downloading the relevant files.

The directory argument specifies where to download the files. This defaults to './$HOSTNAME' where $HOSTNAME is the hostname of the remote server.
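The parsing step described above, as an added illustration that is not pwntools' own code: a parser for ldd output that handles the line shapes libs() has to deal with (resolved libraries, the vDSO with or without an "=>", the dynamic loader listed by bare absolute path, a library that is not found, and a statically linked binary), plus a helper that decides where each fetched file lands under the download directory. The sample ldd output is constructed. local_destination() assumes the remote path is mirrored unchanged below the directory; that layout is an assumption made here, not something the page states.

```python
import os
import re

# Constructed sample of ldd output covering the line shapes the parser
# has to handle: the vDSO (no file on disk, printed with or without "=>"),
# resolved libraries, the dynamic loader (absolute path, no "=>") and a
# library the remote loader could not find.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd5a9f3000)
\tlinux-gate.so.1 =>  (0x00007ffd5a9f3000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2e3a0000)
\tlibpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f1c2e380000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c2e5b6000)
\tlibmissing.so.1 => not found
"""

_ADDR = r'\(0x[0-9a-fA-F]+\)'
_RESOLVED = re.compile(r'^\s*(?P<name>\S+)\s*=>\s*(?P<path>\S*)\s*' + _ADDR + r'\s*$')
_NOTFOUND = re.compile(r'^\s*(?P<name>\S+)\s*=>\s*not found\s*$')
_BARE = re.compile(r'^\s*(?P<path>\S+)\s*' + _ADDR + r'\s*$')


def parse_ldd(output):
    """Split ldd output into (to_download, missing).

    to_download maps a library's soname (the loader's basename for the
    bare-path line) to its absolute path on the remote host; these are the
    files worth fetching. missing lists names the remote loader could not
    resolve. Lines with no backing file (the vDSO, an empty "=>" target,
    'statically linked') are skipped.
    """
    to_download = {}
    missing = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line == 'statically linked':
            continue
        m = _NOTFOUND.match(line)
        if m:
            missing.append(m.group('name'))
            continue
        m = _RESOLVED.match(line)
        if m:
            if m.group('path').startswith('/'):
                to_download[m.group('name')] = m.group('path')
            continue
        m = _BARE.match(line)
        if m and m.group('path').startswith('/'):
            path = m.group('path')
            to_download[os.path.basename(path)] = path
        # anything else (vDSO without a path, 'not a dynamic executable')
        # has nothing to fetch
    return to_download, missing


def local_destination(directory, remote_path):
    """Where a remote library lands below the download directory.

    Assumption of this example: the remote path is mirrored unchanged below
    directory, so /lib64/ld-linux-x86-64.so.2 becomes
    <directory>/lib64/ld-linux-x86-64.so.2 and two libraries that share a
    basename cannot overwrite each other.
    """
    return os.path.join(directory, remote_path.lstrip('/'))


def download_plan(ldd_output, directory):
    """Pair each fetchable remote path with its local destination."""
    to_download, missing = parse_ldd(ldd_output)
    plan = {remote: local_destination(directory, remote) for remote in to_download.values()}
    return plan, missing
```

The missing list is worth acting on before an exploit run: a library ldd reports as "not found" on the remote will also be absent from the local copy, and whatever the binary does at load time will differ from what is reproduced locally.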
listen(port=0, bind_address='', timeout=pwnlib.timeout.Timeout.default) [source]

Alias for listen_remote(port = 0, bind_address = '', timeout = Timeout.default) -> ssh_listener: listens remotely through an SSH connection, the equivalent of the -R flag on ssh, and returns a pwnlib.tubes.ssh.ssh_listener object. See listen_remote() for an example.
listen_remote(port = 0, bind_address = '', timeout = Timeout.default) → ssh_listener [source]

Listens remotely through an SSH connection. This is equivalent to using the -R flag on ssh: the listening socket is bound on the SSH server (port=0 lets the server choose a free port, available afterwards as the listener's port attribute) and each accepted connection is handed back to you as a tube. Returns a pwnlib.tubes.ssh.ssh_listener object.

Examples

>>> from pwn import *
>>> s = ssh(host='example.pwnme',
...         user='travis',
...         password='demopass')
>>> l = s.listen_remote()
>>> a = remote(s.host, l.port)
>>> b = l.wait_for_connection()
>>> a.sendline('Hello')
>>> print repr(b.recvline())
'Hello\n'
process(argv=None, executable=None, tty=True, cwd=None, env=None, timeout=pwnlib.timeout.Timeout.default, run=True, stdin=0, stdout=1, stderr=2, preexec_fn=None, preexec_args=[], raw=True, aslr=None, setuid=None, shell=False) [source]

Executes a process on the remote server, in the same fashion as pwnlib.tubes.process.process.

To achieve this, a Python script is created to call os.execve with the appropriate arguments. As an added bonus, the ssh_channel object returned has a pid property for the process pid.

Parameters:
- argv (list) – List of arguments to pass into the process
- executable (str) – Path to the executable to run. If None, argv[0] is used.
- tty (bool) – Request a tty from the server. This usually fixes buffering problems by causing libc to write data immediately rather than buffering it. However, this disables interpretation of control codes (e.g. Ctrl+C) and breaks .shutdown().
- cwd (str) – Working directory. If None, uses the working directory stored on the ssh object (its cwd attribute), which set_working_directory() sets.
- env (dict) – Environment variables to set in the child. If None, inherits the default environment.
- timeout (int) – Timeout to set on the tube created to interact with the process.
- run (bool) – Set to True to run the program (default). If False, returns the path to an executable Python script on the remote server which, when executed, will do it.
- stdin (int, str) – If an integer, replace stdin with the numbered file descriptor. If a string, open a file with the specified path and replace stdin with its file descriptor. May also be one of sys.stdin, sys.stdout, sys.stderr. If None, the file descriptor is closed.
- stdout (int, str) – See stdin.
- stderr (int, str) – See stdin.
- preexec_fn (callable) – Function which is executed on the remote side before execve(). This MUST be a self-contained function – it must perform all of its own imports, and cannot refer to variables outside its scope.
- preexec_args (object) – Argument passed to preexec_fn. This MUST only consist of native Python objects.
- raw (bool) – If True, disable TTY control code interpretation.
- aslr (bool) – See pwnlib.tubes.process.process for more information.
- setuid (bool) – See pwnlib.tubes.process.process for more information.
- shell (bool) – Pass the command-line arguments to the shell.

Returns: A new SSH channel, or a path to a script if run=False.

Notes

Requires Python on the remote server.

Examples

>>> s = ssh(host='example.pwnme',
...         user='travis',
...         password='demopass')
>>> sh = s.process('/bin/sh', env={'PS1':''})
>>> sh.sendline('echo Hello; exit')
>>> sh.recvall()
'Hello\n'
>>> s.process(['/bin/echo', '\xff']).recvall()
'\xff\n'
>>> s.process(['readlink', '/proc/self/exe']).recvall()
'/bin/readlink\n'
>>> s.process(['LOLOLOL', '/proc/self/exe'], executable='readlink').recvall()
'/bin/readlink\n'
>>> s.process(['LOLOLOL\x00', '/proc/self/cmdline'], executable='cat').recvall()
'LOLOLOL\x00/proc/self/cmdline\x00'
>>> sh = s.process(executable='/bin/sh')
>>> sh.pid in pidof('sh')
True
>>> s.process(['pwd'], cwd='/tmp').recvall()
'/tmp\n'
>>> # stderr=0 makes fd 2 a copy of stdin, so reading fd 2 sees what we send
>>> p = s.process(['python','-c','import os; print os.read(2, 1024)'], stderr=0)
>>> p.send('hello')
>>> p.recv()
'hello\n'
>>> s.process(['/bin/echo', 'hello']).recvall()
'hello\n'
>>> s.process(['/bin/echo', 'hello'], stdout='/dev/null').recvall()
''
>>> s.process(['/usr/bin/env'], env={}).recvall()
''
>>> s.process('/usr/bin/env', env={'A':'B'}).recvall()
'A=B\n'

>>> s.process('false', preexec_fn=1234)
Traceback (most recent call last):
...
PwnlibException: preexec_fn must be a function

>>> s.process('false', preexec_fn=lambda: 1234)
Traceback (most recent call last):
...
PwnlibException: preexec_fn cannot be a lambda

>>> def uses_globals():
...     foo = bar
>>> print s.process('false', preexec_fn=uses_globals).recvall().strip()
Traceback (most recent call last):
...
NameError: global name 'bar' is not defined

>>> s.process('echo hello', shell=True).recvall()
'hello\n'
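The preexec_fn and preexec_args constraints above can be checked locally before anything is shipped to the remote host. The following is an added example and not pwntools' own implementation: check_preexec_fn() reproduces the two errors the doctests show (not a function, lambda) and adds a static check for names the function would resolve outside its own body, which the NameError doctest above only catches once the generated script runs remotely; is_plain_python() applies the "native Python objects only" rule to preexec_args. The function names are chosen here, and the sample preexec functions are constructed.

```python
import builtins
import dis
import types

SAFE_NAMES = frozenset(vars(builtins))


def external_names(fn):
    """Names fn resolves outside its own body: module globals and closure
    variables. Builtins are excluded, since every Python process has them.
    Code objects nested inside fn (inner functions, comprehensions) are
    walked as well.
    """
    found = set(fn.__code__.co_freevars)

    def walk(code):
        for ins in dis.get_instructions(code):
            if ins.opname in ('LOAD_GLOBAL', 'LOAD_NAME') and ins.argval not in SAFE_NAMES:
                found.add(ins.argval)
        for const in code.co_consts:
            if isinstance(const, types.CodeType):
                walk(const)

    walk(fn.__code__)
    return sorted(found)


def check_preexec_fn(fn):
    """Return None if fn is usable as preexec_fn, else a message saying why.
    The first two checks reproduce the errors in the doctests above; the third
    is the self-containment rule, caught here instead of as a NameError in
    the remote process.
    """
    if not isinstance(fn, types.FunctionType):
        return 'preexec_fn must be a function'
    if fn.__name__ == '<lambda>':
        return 'preexec_fn cannot be a lambda'
    names = external_names(fn)
    if names:
        return 'preexec_fn refers to names outside its scope: ' + ', '.join(names)
    return None


_PLAIN = (type(None), bool, int, float, str, bytes)


def is_plain_python(obj):
    """True if obj is built only from native Python objects, the constraint
    placed on preexec_args: containers are checked recursively, anything
    else (a function, a socket, a pwntools tube) is rejected."""
    if isinstance(obj, _PLAIN):
        return True
    if isinstance(obj, (list, tuple, set, frozenset)):
        return all(is_plain_python(x) for x in obj)
    if isinstance(obj, dict):
        return all(is_plain_python(k) and is_plain_python(v) for k, v in obj.items())
    return False


# Sample preexec functions, constructed for this example.

def good_preexec(limits):
    # Self-contained: does its own imports and touches only its argument.
    import resource
    for name, value in limits.items():
        resource.setrlimit(getattr(resource, name), value)


def uses_globals(limits):
    foo = bar        # 'bar' is a module global; it does not exist remotely
    return foo


import os as _local_os      # a module-level import the function leans on

def uses_module_import(limits):
    return _local_os.getpid()
```

Running check_preexec_fn() on uses_module_import reports _local_os: the import happened at module level, so the function body only carries a global reference that the remote script cannot satisfy. Moving the import inside the function, as good_preexec does, is the fix.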
put(file_or_directory, remote=None) [source]

Alias for upload(file_or_directory, remote=None): upload a file or directory to the remote host.
read(path) [source]

Wrapper around download_data to match pwnlib.util.misc.read().
remote(host, port, timeout=pwnlib.timeout.Timeout.default) [source]

Alias for connect_remote(host, port, timeout = Timeout.default) -> ssh_connecter: connects to a host through the SSH connection, the equivalent of the -L flag on ssh, and returns a pwnlib.tubes.ssh.ssh_connecter object. See connect_remote() for an example.
run(process, tty=True, wd=None, env=None, timeout=None, raw=True) [source]

Backward compatibility. Use system().
run_to_end(process, tty = False, timeout = Timeout.default, env = None) → (str, int) [source]

Run a command on the remote server and return a tuple with (data, exit_status). If tty is True, then the command is run inside a TTY on the remote server.

Examples

>>> s = ssh(host='example.pwnme',
...         user='travis',
...         password='demopass')
>>> print s.run_to_end('echo Hello; exit 17')
('Hello\n', 17)
set_working_directory(wd=None, symlink=False) [source]

Sets the working directory in which future commands will be run (via ssh.run) and to which files will be uploaded/downloaded from if no path is provided.

Note

This uses mktemp -d under the covers, which creates the directory with permissions 0700. Only the owning user can enter such a directory, so a setuid binary whose effective user is a different, non-root user will not be able to access files created in it. In order to work around this, we also chmod +x the directory, which (subject to the remote umask) adds the search bit for group and others: files inside can then be opened by path, although the directory still cannot be listed by other users.

Parameters:
- wd (string) – Working directory. Default is to auto-generate a directory based on the result of running 'mktemp -d' on the remote machine.
- symlink (bool, str) – Create symlinks in the new directory. The default value, False, implies that no symlinks should be created. A string value is treated as a path that should be symlinked. It is passed directly to the shell on the remote end for expansion, so wildcards work. Any other value is treated as a boolean, where True indicates that all files in the "old" working directory should be symlinked.

Examples

>>> s = ssh(host='example.pwnme',
...         user='travis',
...         password='demopass')
>>> cwd = s.set_working_directory()
>>> s.ls()
''
>>> s.pwd() == cwd
True

>>> s = ssh(host='example.pwnme',
...         user='travis',
...         password='demopass')
>>> homedir = s.pwd()
>>> _=s.touch('foo')

>>> _=s.set_working_directory()
>>> assert s.ls() == ''

>>> _=s.set_working_directory(homedir)
>>> assert 'foo' in s.ls().split()

>>> _=s.set_working_directory(symlink=True)
>>> assert 'foo' in s.ls().split()
>>> assert homedir != s.pwd()

>>> symlink=os.path.join(homedir,'*')
>>> _=s.set_working_directory(symlink=symlink)
>>> assert 'foo' in s.ls().split()
>>> assert homedir != s.pwd()
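The permission detail in the note above, as an added example that is not pwntools' own code: workdir_demo() reproduces the mktemp -d / chmod +x sequence on the local machine, and can_traverse()/can_list() answer whether a process running as some other uid (a setuid challenge binary, say) could open files inside the directory by path or enumerate them. The uid 65534 is only a stand-in for "not the owner". Because os.chmod() sets the bits outright, the result is 0711 regardless of umask; the shell's unqualified chmod +x is subject to umask, though the common 022 does not mask execute bits.

```python
import os
import stat
import tempfile

OTHER_UID = 65534   # nobody: stands in for the user a setuid challenge binary runs as


def dir_mode(path):
    """Permission bits of path as an int, e.g. 0o700."""
    return stat.S_IMODE(os.stat(path).st_mode)


def add_search_bit(path):
    """The `chmod +x` step: add the execute/search bit for group and others.
    os.chmod() sets the bits outright, so unlike the shell command the result
    does not depend on the umask."""
    os.chmod(path, dir_mode(path) | stat.S_IXGRP | stat.S_IXOTH)


def _bits_for(path, uid, gids):
    """Pick the owner, group or other permission triple that applies to uid,
    the way the kernel's discretionary access check does."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 0o7
    if st.st_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def can_traverse(path, uid, gids=()):
    """Could a process with this uid open a file inside path by name?
    root bypasses the check, as in the kernel."""
    return uid == 0 or bool(_bits_for(path, uid, gids) & 0o1)


def can_list(path, uid, gids=()):
    """Could it enumerate the directory's contents (readdir)?"""
    return uid == 0 or bool(_bits_for(path, uid, gids) & 0o4)


def workdir_demo():
    """Create a directory the way set_working_directory() does and report
    (mode after mkdtemp, mode after chmod +x, other user can traverse before,
    can traverse after, can list after). The directory is removed afterwards."""
    path = tempfile.mkdtemp(prefix='pwntools-ssh-')   # created 0700, like mktemp -d
    try:
        before = dir_mode(path)
        traverse_before = can_traverse(path, OTHER_UID)
        add_search_bit(path)
        return (before, dir_mode(path), traverse_before,
                can_traverse(path, OTHER_UID), can_list(path, OTHER_UID))
    finally:
        os.rmdir(path)


if __name__ == '__main__':
    print(workdir_demo())
```

The sequence returned is (0o700, 0o711, False, True, False): before the chmod a non-owner cannot reach anything inside, afterwards it can open files whose names it knows but still cannot list the directory, which is exactly the property a challenge binary needs and nothing more.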
shell(shell = None, tty = True, timeout = Timeout.default) → ssh_channel [source]

Open a new channel with a shell inside.

Returns: a pwnlib.tubes.ssh.ssh_channel object.

Examples

>>> s = ssh(host='example.pwnme',
...         user='travis',
...         password='demopass')
>>> sh = s.shell('/bin/sh')
>>> sh.sendline('echo Hello; exit')
>>> print 'Hello' in sh.recvall()
True
system(process, tty = True, wd = None, env = None, timeout = Timeout.default, raw = True) → ssh_channel [source]

Open a new channel with a specific process inside. If tty is True, then a TTY is requested on the remote server.

If raw is True, terminal control codes are ignored and input is not echoed back.

Returns a pwnlib.tubes.ssh.ssh_channel object.

Examples

>>> s = ssh(host='example.pwnme',
...         user='travis',
...         password='demopass')
>>> py = s.system('python -i')
>>> _ = py.recvuntil('>>> ')
>>> py.sendline('print 2+2')
>>> py.sendline('exit')
>>> print repr(py.recvline())
'4\n'
upload_data(data, remote) [source]

Uploads some data into a file on the remote server.

Example

>>> s = ssh(host='example.pwnme',
...         user='travis',
...         password='demopass')
>>> s.upload_data('Hello, world', '/tmp/upload_foo')
>>> print file('/tmp/upload_foo').read()
Hello, world
>>> # Pretend SFTP is unavailable so the non-SFTP fallback path is exercised
>>> s._sftp = False
>>> s._tried_sftp = True
>>> s.upload_data('Hello, world', '/tmp/upload_bar')
>>> print file('/tmp/upload_bar').read()
Hello, world
upload_dir(local, remote=None) [source]

Recursively uploads a directory onto the remote server.

Parameters:
- local – Local directory
- remote – Remote directory
upload_file(filename, remote=None) [source]

Uploads a file to the remote server. Returns the remote filename.

Parameters:
- filename (str) – The local filename to upload
- remote (str) – The remote filename to save it to. Default is to infer it from the local filename.
which(program) → str [source]

Minor modification to just directly invoking which on the remote system, which adds the current working directory to the end of $PATH.
write(path, data) [source]

Wrapper around upload_data to match pwnlib.util.misc.write().
aslr [source]

bool – Whether ASLR is enabled on the system.

Example

>>> s = ssh("travis", "example.pwnme")
>>> s.aslr
True
class pwnlib.tubes.ssh.ssh_channel [source]

Bases: pwnlib.tubes.sock.sock

interactive(prompt = pwnlib.term.text.bold_red('$') + ' ') [source]

If not in TTY-mode, this does exactly the same as pwnlib.tubes.tube.tube.interactive(); otherwise it does mostly the same.

An SSH connection in TTY-mode will typically supply its own prompt, thus the prompt argument is ignored in this case. We also have a few SSH-specific hacks that will ideally be removed once pwnlib.term is more mature.

class pwnlib.tubes.ssh.ssh_connecter [source]

Bases: pwnlib.tubes.sock.sock

class pwnlib.tubes.ssh.ssh_listener [source]

Bases: pwnlib.tubes.sock.sock