say2

from subprocess import check_output

>>> int(check_output(["pidof","-s","movie_talk"]))

from pwn import *

elf = ELF('./a.out')
#rop = ROP(elf)
libc = ELF("/lib/i386-linux-gnu/libc.so.6")

printf_system_offset = libc.symbols['printf'] - libc.symbols['system']

printf_plt = elf.plt['printf']
printf_got = elf.got['printf']

write_plt = elf.plt['write']
write_got = elf.got['write']

libc_start_main = elf.plt['__libc_start_main']

진짜 강력한 것 같다.

import subprocess

subprocess.popen(args, bufsize=0, executable=None, stdin=None, stdout=None, stderr=None, preexec_fn=None, close_fds=False, shell=False, cwd=None,env=None, universal_newlines=False, startupinfo=None, creationflags=0)

개사기 args에 command가 들어갈 수 있는데 shell=True로 하면 문자열로 전달도 된다고 한다

args는 [argc,argv[0],,,,]이렇게 전달

args ['/bin/sh','-c',args[0],args[1]...] 일케도 가능

나머지 옵션들에 관한 reference

출처는 docs.python.org 이다

bufsize, if given, has the same meaning as the corresponding argument to the built-in open() function: 0 means unbuffered, 1 means line buffered, any other positive value means use a buffer of (approximately) that size. A negative bufsize means to use the system default, which usually means fully buffered. The default value for bufsize is 0 (unbuffered).

The executable argument specifies a replacement program to execute. It is very seldom needed. When shell=False, executable replaces the program to execute specified by args. However, the original args is still passed to the program. Most programs treat the program specified by args as the command name, which can then be different from the program actually executed. On Unix, the args name becomes the display name for the executable in utilities such as ps. If shell=True, on Unix the executable argument specifies a replacement shell for the default /bin/sh.

stdin, stdout and stderr specify the executed program’s standard input, standard output and standard error file handles, respectively. Valid values are PIPE, an existing file descriptor (a positive integer), an existing file object, and None. PIPE indicates that a new pipe to the child should be created. With the default settings of None, no redirection will occur; the child’s file handles will be inherited from the parent. Additionally, stderr can be STDOUT, which indicates that the stderr data from the child process should be captured into the same file handle as for stdout.

If preexec_fn is set to a callable object, this object will be called in the child process just before the child is executed. (Unix only)

If close_fds is true, all file descriptors except 0, 1 and 2 will be closed before the child process is executed. (Unix only). Or, on Windows, if close_fds is true then no handles will be inherited by the child process. Note that on Windows, you cannot set close_fds to true and also redirect the standard handles by setting stdin,stdout or stderr.

If cwd is not None, the child’s current directory will be changed to cwd before it is executed. Note that this directory is not considered when searching the executable, so you can’t specify the program’s path relative to cwd.

If env is not None, it must be a mapping that defines the environment variables for the new process; these are used instead of inheriting the current process’ environment, which is the default behavior.

If universal_newlines is True, the file objects stdout and stderr are opened as text files in universal newlines mode. Lines may be terminated by any of '\n', the Unix end-of-line convention, '\r', the old Macintosh convention or '\r\n', the Windows convention. All of these external representations are seen as '\n' by the Python program.

If given, startupinfo will be a STARTUPINFO object, which is passed to the underlying CreateProcess function. creationflags, if given, can be CREATE_NEW_CONSOLE orCREATE_NEW_PROCESS_GROUP. (Windows only)