【Pwn 工具】Zeratool

这两天碰巧看到这个工具，于是就记录一下它的安装流程了

项目源码：https://github.com/ChrisTheCoolHut/Zeratool

运行环境：

Python 2

工具介绍：

This tool uses angr to concolically analyze binaries by hooking printf and looking for unconstrained paths. These program states are then weaponized for remote code execution through pwntools and a series of script tricks. Finally the payload is tested locally then submitted to a remote CTF server to recover the flag.

说白了就是 auto pwn，不过能打的只有那种很简单的漏洞，算是垃圾 pwn 题检测器了

安装方法：

根据 github 上面的提示是直接运行 install.sh 就行了，但是的确有很多需要修改的地方

测了一晚，我补充了一下，这里可以适用于 Ubuntu 16.04 和 Ubuntu 18.04

用以下内容替换 install.sh 的内容即可

#!/bin/bash
sudo apt-get install python-pip python-dev build-essential rubygems-integration ruby-dev rubygems python-dev libffi-dev -y
#Ubuntu 12 -> rubygems
#Ubuntu 14 -> rubygems-integration
#Ubuntu 16,18 -> ruby-dev

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386 libstdc++6:i386 -y

git clone https://github.com/radare/radare2.git
sudo chmod -R +x *

sudo ./radare2/sys/install.sh
sudo pip install importlib-metadata==0.23
sudo pip install virtualenv virtualenvwrapper
 
sudo pip install --upgrade pip
sudo pip install --upgrade setuptools
  
printf '\n%s\n%s\n%s' '# virtualenv' 'export WORKON_HOME=~/virtualenvs' 'source /usr/local/bin/virtualenvwrapper.sh' >> ~/.bashrc

export WORKON_HOME=~/virtualenvs
source /usr/local/bin/virtualenvwrapper.sh
 
mkvirtualenv zeratool

workon zeratool

sudo gem install one_gadget

# Ubuntu 16.04
sudo pip install aim 

# Ubuntu 18.04
# sudo pip install aim --ignore-installed PyYAML

sudo pip install paramiko==2.4.2 future==0.16.0 ana==0.05 pycparser==2.18 angr==7.8.2.21 arp pycparser==2.18
sudo pip install IPython==5.0 psutil r2pipe psutil timeout_decorator pwn ropper

echo "####################"
echo "run: . ~/.bashrc"
echo "run: workon zeratool"

使用方法：

usage: zeratool.py [-h] [-l LIBC] [-u URL] [-p PORT] [-v] file

positional arguments:
  file                  File to analyze

optional arguments:
  -h, --help            show this help message and exit
  -l LIBC, --libc LIBC  libc to use
  -u URL, --url URL     Remote URL to pwn
  -p PORT, --port PORT  Remote port to pwn
  -v, --verbose         Verbose mode

挺清晰的，不多做描述了