#!/usr/bin/python3
from pwn import *
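context.terminal = ['tmux', 'splitw', '-v']
binary = './rop'
elf = ELF(binary)
# True: reach the challenge through the shell server over SSH and spawn the
# binary there; False: plain TCP connection to host:port.
ssh_en = False
if args.R:
    host = '2019shell1.picoctf.com'
    port = 22
    # The SSH session needs host/port, so it is opened only on the remote
    # path; previously `if ssh_en:` sat at top level and raised NameError
    # whenever ssh_en was True without args.R.
    if ssh_en:
        # Credentials come from the environment (variable names chosen here)
        # instead of being typed into a file that gets committed; the empty
        # defaults match the old placeholders. `os` is re-exported by
        # `from pwn import *`.
        user = os.environ.get('PICO_SSH_USER', '')
        password = os.environ.get('PICO_SSH_PASSWORD', '')
        # `r` exists only on this path; start() reads it only when
        # args.R and ssh_en are both set.
        r = ssh(user=user, host=host, port=port, password=password)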
def start():
    """Return a pwntools tube for the target selected by the command-line flags.

    With R set: a process spawned over the SSH session when ssh_en is True,
    otherwise a plain remote socket. Without R: a local process, wrapped in
    gdb when GDB is set.
    """
    if args.R:
        if ssh_en:
            return r.process(binary, cwd='/problems/leap-frog_1_2944cde4843abb6dfd6afa31b00c703c')
        return remote(host, port)
    gdb_script = '''
init-gef
c
'''
    if args.GDB:
        return gdb.debug(elf.path, gdb_script)
    return process(elf.path)
# Bring up the tube chosen by the flags and hand the session to the user.
io = start()
io.interactive()
Up-to-date version: https://gist.github.com/Evangelospro/2179002d1bd3a8934cb3e68c1908086e
#!/usr/bin/python3
import argparse
import os
import subprocess
import sys

NAME = "YOURNAME"
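all_args = argparse.ArgumentParser(
    description="Generate a pwntools solve-script skeleton for a challenge binary.",
)
all_args.add_argument("-ip", "--ip-address", required=True,
                      help="IP Address (remote)")
all_args.add_argument("-p", "--port", required=True,
                      help="Port (remote)")
all_args.add_argument("-b", "--binary", required=True,
                      help="Binary file (Local)")
all_args.add_argument("--patch", required=False,
                      help="Patch with patchelf")
args = vars(all_args.parse_args())
host = args['ip_address']
port = args['port']
binary = args['binary']
patch = args['patch']
print(args)
# Only the basename goes into the default file name, so "-b ./bin/rop" yields
# "autopwn_rop.py" rather than a name with a directory component in it.
default_path = f"autopwn_{os.path.basename(binary)}.py"
path = input(f"PWN solution filename (default is '{default_path}'): ")
# Any blank or whitespace-only answer selects the default, not just "" / " ".
if not path.strip():
    path = default_path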
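# Emit the solve-script skeleton. Command-line values are baked in at
# generation time; `!r` renders them as Python literals (None stays None,
# strings come out quoted), so the generated file parses whatever was passed
# (the old `patch = {patch}` produced `patch = libc.so.6`, a syntax error).
# The shebang must be the first byte of the file, hence no leading newline.
with open(path, 'w', encoding='utf-8') as f:
    f.write(f"""#!/usr/bin/python3
# Writeup by {NAME}
import getpass
import os
import subprocess
from pwn import *

# Resolve everything against this script's own directory rather than the
# caller's cwd; os.path.dirname(__file__) alone is "" for `python autopwn.py`.
dir_path = os.path.dirname(os.path.abspath(__file__))
binary_name = {binary!r}
patch = {patch!r}
if patch is not None:
    # PLACEHOLDER: replace the first argv entry with the path to your pwninit
    # binary (https://github.com/io12/pwninit). argv is passed as a list so
    # the binary name is never parsed by a shell.
    subprocess.run(
        ["PATH_TO_THE_PWNINIT_BINARY", "--no-template", "--bin", binary_name],
        cwd=dir_path,
        check=True,
    )
    binary_path = os.path.join(dir_path, binary_name + "_patched")
else:
    binary_path = os.path.join(dir_path, binary_name)
elf = context.binary = ELF(binary_path, checksec=True)


def pwn_ssh():
    # Credentials are asked for at run time so they never live in this file;
    # getpass keeps the password off the terminal echo.
    host = {host!r}
    port = {port!r}
    user = input("ssh user:")
    password = getpass.getpass("ssh password: ")
    return ssh(user=user, host=host, port=port, password=password)


def pwn_remote():
    host = {host!r}
    port = {port!r}
    return remote(host, port)


def pwn_gdb():
    gdbscript = '''
init-pwndbg
continue
'''
    return gdb.debug(elf.path, gdbscript)


def pwn_local():
    return process(elf.path, cwd=dir_path)


# Find offset to EIP/RIP for buffer overflows: crash a throw-away process with
# a cyclic pattern and read the overwritten return address back from the core.
def find_xip(payload, arch):
    info("architecture: " + arch)
    io = process(elf.path)
    # Assumes the target prints a '>' prompt before reading input; adjust per challenge.
    io.sendlineafter(b'>', payload)
    # Wait for the process to crash so the core file exists.
    io.wait()
    core = io.corefile
    if "i386" in arch:
        xip_offset = cyclic_find(core.pc)  # x86: pattern read from pc
    elif "64" in arch:
        xip_offset = cyclic_find(core.read(core.sp, 4))  # x64: pattern read from the stack at sp
    else:
        # Previously fell through with xip_offset unset (UnboundLocalError).
        raise ValueError("unsupported architecture: " + arch)
    info('The EIP/RIP offset is ')
    success(str(xip_offset))
    return int(xip_offset)


def start():
    # Tube selection comes from pwntools' command-line flags (R / S / L / GDB).
    if args.R:
        return pwn_remote()
    if args.S:
        return pwn_ssh()
    if args.L:
        return pwn_local()
    if args.GDB:
        return pwn_gdb()
    print("Please select an argument from [remote(R), local(L), ssh(S), GDB(GDB)]")
    quit()


padding = find_xip(cyclic(250), elf.get_machine_arch())
io = start()
# ===============================================================================================
# !!!EXPLOIT GOES HERE!!!
# ===============================================================================================
io.interactive()
""")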