Pwn utils
This commit is contained in:
parent
0b1c78ab56
commit
ca2da8bbd4
3
__init__.py
Normal file
3
__init__.py
Normal file
@ -0,0 +1,3 @@
|
||||
__doc__ = __doc__ or ""
|
||||
|
||||
__all__ = ["util"]
|
72
util.py
72
util.py
@ -2,6 +2,7 @@ import random
|
||||
import socket
|
||||
import netifaces as ni
|
||||
import sys
|
||||
from pwn import *
|
||||
|
||||
def getAddress(interface="tun0"):
|
||||
if not interface in ni.interfaces():
|
||||
@ -37,13 +38,78 @@ def openServer(address, ports=None):
|
||||
print("Unable to listen on port %d: %s" % (listenPort, str(e)))
|
||||
raise e
|
||||
|
||||
class Stack:
|
||||
def __init__(self, startAddress):
|
||||
self.buffer = b""
|
||||
self.address = startAddress
|
||||
|
||||
def pushString(self, data):
|
||||
addr = self.address
|
||||
data = pad(data.encode() + b"\x00", 8)
|
||||
self.buffer += data
|
||||
self.address += len(data)
|
||||
return addr
|
||||
|
||||
def pushAddr(self, addr):
|
||||
ptr = self.address
|
||||
data = p64(addr)
|
||||
self.buffer += data
|
||||
self.address += len(data)
|
||||
return ptr
|
||||
|
||||
def pushArray(self, arr):
|
||||
addresses = []
|
||||
for arg in arr:
|
||||
arg_addr = self.pushString(arg)
|
||||
addresses.append(arg_addr)
|
||||
addresses.append(0x0)
|
||||
|
||||
addr = self.address
|
||||
for arg_addr in addresses:
|
||||
self.pushAddr(arg_addr)
|
||||
|
||||
return addr
|
||||
|
||||
def genSyscall(elf, syscall, registers):
|
||||
rop = ROP(elf)
|
||||
registers["rax"] = syscall
|
||||
for t in rop.setRegisters(registers):
|
||||
value = t[0]
|
||||
gadget = t[1]
|
||||
if type(gadget) == pwnlib.rop.gadgets.Gadget:
|
||||
rop.raw(gadget.address)
|
||||
for reg in gadget.regs:
|
||||
if reg in registers:
|
||||
rop.raw(registers[reg])
|
||||
else:
|
||||
rop.raw(0)
|
||||
|
||||
syscall_gadget = "syscall" if elf.arch == "amd64" else "int 0x80"
|
||||
rop.raw(rop.find_gadget([syscall_gadget]).address)
|
||||
return rop
|
||||
|
||||
def pad(x, n):
|
||||
if len(x) % n != 0:
|
||||
x += (n-(len(x)%n))*b"\x00"
|
||||
return x
|
||||
|
||||
if __name__ == "__main__":
|
||||
bin = sys.argv[0]
|
||||
if len(sys.argv) < 2:
|
||||
print("Usage: %s [command]" % sys.argv[0])
|
||||
print("Usage: %s [command]" % bin)
|
||||
exit(1)
|
||||
|
||||
if sys.argv[1] == "getAddress":
|
||||
if len(sys.argv) > 2:
|
||||
command = sys.argv[1]
|
||||
if command == "getAddress":
|
||||
if len(sys.argv) >= 2:
|
||||
print(getAddress(sys.argv[2]))
|
||||
else:
|
||||
print(getAddress())
|
||||
elif command == "pad":
|
||||
if len(sys.argv) >= 3:
|
||||
n = 8
|
||||
if len(sys.argv) >= 4:
|
||||
n = int(sys.argv[3])
|
||||
print(pad(sys.argv[2].encode(), n))
|
||||
else:
|
||||
print("Usage: %s pad <str> [n=8]" % bin)
|
||||
|
Loading…
Reference in New Issue
Block a user