From ca2da8bbd46b81e26d0b3f2bb2912344879a124c Mon Sep 17 00:00:00 2001
From: Roman Hergenreder
Date: Sun, 12 Jul 2020 20:36:14 +0200
Subject: [PATCH] Pwn utils

---
 __init__.py | 3 +++
 util.py | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 72 insertions(+), 3 deletions(-)
 create mode 100644 __init__.py

diff --git a/__init__.py b/__init__.py
new file mode 100644
index 0000000..c8033ea
--- /dev/null
+++ b/__init__.py
@@ -0,0 +1,3 @@
+__doc__ = __doc__ or ""
+
+__all__ = ["util"]
diff --git a/util.py b/util.py
index 4b72381..585353f 100644
--- a/util.py
+++ b/util.py
@@ -2,6 +2,7 @@ import random
 import socket
 import netifaces as ni
 import sys
+from pwn import *
 
 def getAddress(interface="tun0"):
     if not interface in ni.interfaces():
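Review bot: The added `from pwn import *` is a wildcard import that drops pwntools' whole public namespace (hundreds of names) into `util`, so the reader can no longer see which names the module actually depends on, and anything doing `from util import *` now re-exports all of pwntools as well. Importing only what the file uses keeps the dependency explicit, e.g. `from pwn import p64, ROP` plus `import pwnlib.rop.gadgets` if `pwnlib` is not otherwise bound. `getAddress` starts on the last context lines of this hunk and its body continues outside it.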
@@ -37,13 +38,78 @@ def openServer(address, ports=None):
             print("Unable to listen on port %d: %s" % (listenPort, str(e)))
             raise e
 
+class Stack:
+    def __init__(self, startAddress):
+        self.buffer = b""
+        self.address = startAddress
+
+    def pushString(self, data):
+        addr = self.address
+        data = pad(data.encode() + b"\x00", 8)
+        self.buffer += data
+        self.address += len(data)
+        return addr
+
+    def pushAddr(self, addr):
+        ptr = self.address
+        data = p64(addr)
+        self.buffer += data
+        self.address += len(data)
+        return ptr
+
+    def pushArray(self, arr):
+        addresses = []
+        for arg in arr:
+            arg_addr = self.pushString(arg)
+            addresses.append(arg_addr)
+        addresses.append(0x0)
+
+        addr = self.address
+        for arg_addr in addresses:
+            self.pushAddr(arg_addr)
+
+        return addr
+
+def genSyscall(elf, syscall, registers):
+    rop = ROP(elf)
+    registers["rax"] = syscall
+    for t in rop.setRegisters(registers):
+        value = t[0]
+        gadget = t[1]
+        if type(gadget) == pwnlib.rop.gadgets.Gadget:
+            rop.raw(gadget.address)
+            for reg in gadget.regs:
+                if reg in registers:
+                    rop.raw(registers[reg])
+                else:
+                    rop.raw(0)
+
+    syscall_gadget = "syscall" if elf.arch == "amd64" else "int 0x80"
+    rop.raw(rop.find_gadget([syscall_gadget]).address)
+    return rop
+
+def pad(x, n):
+    if len(x) % n != 0:
+        x += (n-(len(x)%n))*b"\x00"
+    return x
+
 if __name__ == "__main__":
+    bin = sys.argv[0]
     if len(sys.argv) < 2:
-        print("Usage: %s [command]" % sys.argv[0])
+        print("Usage: %s [command]" % bin)
         exit(1)
-    if sys.argv[1] == "getAddress":
-        if len(sys.argv) > 2:
+    command = sys.argv[1]
+    if command == "getAddress":
+        if len(sys.argv) >= 2:
             print(getAddress(sys.argv[2]))
         else:
             print(getAddress())
+    elif command == "pad":
+        if len(sys.argv) >= 3:
+            n = 8
+            if len(sys.argv) >= 4:
+                n = int(sys.argv[3])
+            print(pad(sys.argv[2].encode(), n))
+        else:
+            print("Usage: %s pad [n=8]" % bin)
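Review bot: The new `if len(sys.argv) >= 2:` in the `getAddress` branch is a regression from the old `> 2`: with exactly two arguments (`util.py getAddress`) the condition holds and `sys.argv[2]` raises IndexError instead of falling through to `getAddress()`, so it should read `if len(sys.argv) >= 3:`. In `genSyscall` the syscall number is always stored under `registers["rax"]` while the non-amd64 branch emits `int 0x80`, an i386 convention where the number lives in `eax`, so the two halves only agree on amd64; `rop.find_gadget(...)` also returns `None` when no such gadget exists, so the `.address` access would fail with an AttributeError rather than a clear message, and the function mutates the caller's `registers` dict in place. `Stack` hard-codes `p64` and 8-byte padding, which makes it amd64-only and deserves a class docstring saying so, e.g. `"""Lay out a fake stack for a 64-bit target; offsets assume 8-byte words."""`. The `openServer` body that the hunk's leading context belongs to starts outside the hunk.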