Pwn utils
This commit is contained in:
parent
0b1c78ab56
commit
ca2da8bbd4
3
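--- a/__init__.py
+++ b/__init__.py
@@ -0,0 +1,3 @@
+__doc__ = __doc__ or ""
+
+__all__ = ["util"]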
72
util.py
72
util.py
@ -2,6 +2,7 @@ import random
|
|||||||
import socket
|
import socket
|
||||||
import netifaces as ni
|
import netifaces as ni
|
||||||
import sys
|
import sys
|
||||||
|
from pwn import *
|
||||||
|
|
||||||
def getAddress(interface="tun0"):
|
def getAddress(interface="tun0"):
|
||||||
if not interface in ni.interfaces():
|
if not interface in ni.interfaces():
|
||||||
@ -37,13 +38,78 @@ def openServer(address, ports=None):
|
|||||||
print("Unable to listen on port %d: %s" % (listenPort, str(e)))
|
print("Unable to listen on port %d: %s" % (listenPort, str(e)))
|
||||||
raise e
|
raise e
|
||||||
|
|
||||||
|
class Stack:
|
||||||
|
def __init__(self, startAddress):
|
||||||
|
self.buffer = b""
|
||||||
|
self.address = startAddress
|
||||||
|
|
||||||
|
def pushString(self, data):
|
||||||
|
addr = self.address
|
||||||
|
data = pad(data.encode() + b"\x00", 8)
|
||||||
|
self.buffer += data
|
||||||
|
self.address += len(data)
|
||||||
|
return addr
|
||||||
|
|
||||||
|
def pushAddr(self, addr):
|
||||||
|
ptr = self.address
|
||||||
|
data = p64(addr)
|
||||||
|
self.buffer += data
|
||||||
|
self.address += len(data)
|
||||||
|
return ptr
|
||||||
|
|
||||||
|
def pushArray(self, arr):
|
||||||
|
addresses = []
|
||||||
|
for arg in arr:
|
||||||
|
arg_addr = self.pushString(arg)
|
||||||
|
addresses.append(arg_addr)
|
||||||
|
addresses.append(0x0)
|
||||||
|
|
||||||
|
addr = self.address
|
||||||
|
for arg_addr in addresses:
|
||||||
|
self.pushAddr(arg_addr)
|
||||||
|
|
||||||
|
return addr
|
||||||
|
|
||||||
|
def genSyscall(elf, syscall, registers):
|
||||||
|
rop = ROP(elf)
|
||||||
|
registers["rax"] = syscall
|
||||||
|
for t in rop.setRegisters(registers):
|
||||||
|
value = t[0]
|
||||||
|
gadget = t[1]
|
||||||
|
if type(gadget) == pwnlib.rop.gadgets.Gadget:
|
||||||
|
rop.raw(gadget.address)
|
||||||
|
for reg in gadget.regs:
|
||||||
|
if reg in registers:
|
||||||
|
rop.raw(registers[reg])
|
||||||
|
else:
|
||||||
|
rop.raw(0)
|
||||||
|
|
||||||
|
syscall_gadget = "syscall" if elf.arch == "amd64" else "int 0x80"
|
||||||
|
rop.raw(rop.find_gadget([syscall_gadget]).address)
|
||||||
|
return rop
|
||||||
|
|
||||||
|
def pad(x, n):
|
||||||
|
if len(x) % n != 0:
|
||||||
|
x += (n-(len(x)%n))*b"\x00"
|
||||||
|
return x
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
|
bin = sys.argv[0]
|
||||||
if len(sys.argv) < 2:
|
if len(sys.argv) < 2:
|
||||||
print("Usage: %s [command]" % sys.argv[0])
|
print("Usage: %s [command]" % bin)
|
||||||
exit(1)
|
exit(1)
|
||||||
|
|
||||||
if sys.argv[1] == "getAddress":
|
command = sys.argv[1]
|
||||||
if len(sys.argv) > 2:
|
if command == "getAddress":
|
||||||
|
if len(sys.argv) >= 2:
|
||||||
print(getAddress(sys.argv[2]))
|
print(getAddress(sys.argv[2]))
|
||||||
else:
|
else:
|
||||||
print(getAddress())
|
print(getAddress())
|
||||||
|
elif command == "pad":
|
||||||
|
if len(sys.argv) >= 3:
|
||||||
|
n = 8
|
||||||
|
if len(sys.argv) >= 4:
|
||||||
|
n = int(sys.argv[3])
|
||||||
|
print(pad(sys.argv[2].encode(), n))
|
||||||
|
else:
|
||||||
|
print("Usage: %s pad <str> [n=8]" % bin)
|
||||||
|
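Review bot: The new guard `if len(sys.argv) >= 2:` under `if command == "getAddress":` is always true at that point (sys.argv[1] was already read into `command`), so `util.py getAddress` with no interface argument now raises IndexError on `print(getAddress(sys.argv[2]))` instead of reaching `print(getAddress())`; the old test `> 2` was the right one, i.e. `if len(sys.argv) >= 3:`. In `genSyscall`, `registers["rax"] = syscall` writes into the caller's dict, which deserves either a copy first (`registers = dict(registers, rax=syscall)`) or a docstring line such as `"""Build a ROP chain that loads *registers* and issues the syscall; mutates *registers* in place (sets "rax")."""`. The check `type(gadget) == pwnlib.rop.gadgets.Gadget` should be `isinstance(gadget, pwnlib.rop.gadgets.Gadget)`, and `pwnlib` is only reachable through `from pwn import *`, which is worth confirming rather than relying on. `bin = sys.argv[0]` shadows the builtin `bin`; `prog` is the conventional name. The `__main__` block runs to the end of the hunk, so its final branches may continue past what the section shows.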