#!/usr/bin/python
from pwn import *
# Connection target in ``nc <host> <port>`` form; HOST and PORT are parsed out
# of it for the REMOTE mode of ``start()``.  PORT stays a string here because
# pwntools' ``remote()`` converts it to an int itself.
CONN = "nc localhost 1337".split(" ")
HOST, PORT = CONN[1:3]
# ===========================================================
# WRAPPER FUNCTION
# ===========================================================
def sl(x):
    """Send *x* followed by a newline on the module-global tube ``io``."""
    io.sendline(x)
def sla(x, y):
    """Wait until ``io`` has received *x*, then send *y* followed by a newline."""
    io.sendlineafter(x, y)
def se(x):
    """Send the raw bytes *x* on ``io`` (no trailing newline)."""
    io.send(x)
def sa(x, y):
    """Wait until ``io`` has received *x*, then send the raw bytes *y*."""
    io.sendafter(x, y)
def ru(x, drop=False):
    """Read from ``io`` up to and including *x*.

    With ``drop=True`` the delimiter *x* is removed from the returned data.
    """
    data = io.recvuntil(x, drop=drop)
    return data
def rl():
    """Return the next line received on ``io``."""
    line = io.recvline()
    return line
def cl():
    """Discard whatever is currently buffered on ``io``."""
    io.clean()
def un64(x):
    """Unpack a leaked value of up to 8 bytes as a 64-bit integer.

    *x* is right-padded with NUL bytes to 8 bytes and handed to pwntools'
    ``u64``, which unpacks in the endianness of the current ``context``.
    """
    padded = x.ljust(8, b'\x00')
    return u64(padded)
def leak(name, addr):
    """Log *addr* under the label *name* as ``name @ 0x...`` at INFO level."""
    message = f"{name} @ {hex(addr)}"
    info(message)
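def start(argv=None, *a, **kw):
    """Open a tube to the target, picking the mode from pwntools ``args`` flags.

    ``GDB`` on the command line runs ``exe`` under gdb with ``gdbscript``,
    ``REMOTE`` connects to ``HOST``:``PORT``, and with neither flag ``exe`` is
    run as a plain local process.  ``exe`` and ``gdbscript`` are module
    globals that the ``__main__`` section assigns before calling this.

    Args:
        argv: extra command-line arguments appended after ``exe`` in the two
            local modes (ignored for REMOTE).  Defaults to no arguments.
        *a, **kw: forwarded unchanged to ``gdb.debug``/``remote``/``process``.

    Returns:
        The pwntools tube for the chosen mode.
    """
    # ``None`` stands in for the empty list so no mutable default object is
    # shared between calls; callers may still pass a list explicitly.
    if argv is None:
        argv = []
    if args.GDB:
        # NOTE(review): positional extras in ``*a`` would land on gdb.debug's
        # second parameter, which is already supplied as ``gdbscript=`` — pass
        # extras as keywords in this mode.
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    if args.REMOTE:
        return remote(HOST, PORT, *a, **kw)
    return process([exe] + argv, *a, **kw)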
# ===========================================================
# EXPLOIT GOES HERE
# ===========================================================
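def exploit(io):
    """Drive the target over *io*; the payload below is a placeholder to fill in.

    All I/O goes through the tube passed in rather than through the
    ``sl``/``sla``/``ru`` wrappers, which talk to the module-global ``io``:
    that way the function still addresses the right tube if it is ever
    called with something other than the one ``start()`` stored globally.

    Args:
        io: the pwntools tube returned by ``start()``.
    """
    offset = 64
    # Dict form of ``flat``: everything before ``offset`` is filler bytes and
    # nothing is placed at ``offset`` yet — fill in the real content here.
    payload = flat({offset: []})
    io.sendlineafter(b"> ", payload)
    io.recvuntil(b"Thank you!")
    # Hand the tube over to the user.
    io.interactive()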
# ===========================================================
# SETUP
# ===========================================================
if __name__ == "__main__":
    # Specify GDB script here (breakpoints etc).  ``locals()`` is expanded at
    # this point, so only names assigned above this line can be used as
    # ``{placeholders}``; ``exe``/``elf`` below are not yet defined here.
    gdbscript = """
c
""".format(
        **locals()
    )
    # Binary filename; read by ``start()`` as a module global.
    exe = "./vuln"
    # Loading the binary into ``context.binary`` sets arch, bits, os, etc.
    # ``checksec=False`` skips pwntools' printout of the binary's
    # protections on load.
    elf = context.binary = ELF(exe, checksec=False)
    rop = ROP(elf)
    # Terminal command pwntools uses to open a split pane (GDB mode).
    context.terminal = "tmux splitw -h".split(" ")
    # Logging level to help with debugging (error/warning/info/debug);
    # "debug" echoes every byte sent and received.
    context.log_level = "debug"
    # libc resolved from this host's loader for the binary; use
    # pwninit/patchelf to patch the binary against a challenge-provided libc.
    libc = elf.libc
    # NOTE(review): hard-coded to this host's loader path — the remote
    # target's ld/libc may differ; see the commented overrides below.
    ld = ELF("/lib64/ld-linux-x86-64.so.2", checksec=False)
    if args.REMOTE:
        pass
        # libc = ELF("libc.so.6", checksec=False)
        # ld = ELF("ld-linux-x86-64.so.2", checksec=False)
    # ``io`` is the module global the wrapper functions above send to.
    io = start()
    exploit(io)