Pwn utils

Roman Hergenreder 2020-07-12 20:36:14 +02:00
parent 0b1c78ab56
commit ca2da8bbd4
2 changed files with 72 additions and 3 deletions

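--- a/__init__.py
+++ b/__init__.py
@@ -0,0 +1,3 @@
+__doc__ = __doc__ or ""
+__all__ = ["util"]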
util.py

@ -2,6 +2,7 @@ import random
import socket import socket
import netifaces as ni import netifaces as ni
import sys import sys
from pwn import *
def getAddress(interface="tun0"): def getAddress(interface="tun0"):
if not interface in ni.interfaces(): if not interface in ni.interfaces():
@ -37,13 +38,78 @@ def openServer(address, ports=None):
print("Unable to listen on port %d: %s" % (listenPort, str(e))) print("Unable to listen on port %d: %s" % (listenPort, str(e)))
raise e raise e
class Stack:
def __init__(self, startAddress):
self.buffer = b""
self.address = startAddress
def pushString(self, data):
addr = self.address
data = pad(data.encode() + b"\x00", 8)
self.buffer += data
self.address += len(data)
return addr
def pushAddr(self, addr):
ptr = self.address
data = p64(addr)
self.buffer += data
self.address += len(data)
return ptr
def pushArray(self, arr):
addresses = []
for arg in arr:
arg_addr = self.pushString(arg)
addresses.append(arg_addr)
addresses.append(0x0)
addr = self.address
for arg_addr in addresses:
self.pushAddr(arg_addr)
return addr
def genSyscall(elf, syscall, registers):
rop = ROP(elf)
registers["rax"] = syscall
for t in rop.setRegisters(registers):
value = t[0]
gadget = t[1]
if type(gadget) == pwnlib.rop.gadgets.Gadget:
rop.raw(gadget.address)
for reg in gadget.regs:
if reg in registers:
rop.raw(registers[reg])
else:
rop.raw(0)
syscall_gadget = "syscall" if elf.arch == "amd64" else "int 0x80"
rop.raw(rop.find_gadget([syscall_gadget]).address)
return rop
def pad(x, n):
if len(x) % n != 0:
x += (n-(len(x)%n))*b"\x00"
return x
if __name__ == "__main__": if __name__ == "__main__":
bin = sys.argv[0]
if len(sys.argv) < 2: if len(sys.argv) < 2:
print("Usage: %s [command]" % sys.argv[0]) print("Usage: %s [command]" % bin)
exit(1) exit(1)
if sys.argv[1] == "getAddress": command = sys.argv[1]
if len(sys.argv) > 2: if command == "getAddress":
if len(sys.argv) >= 2:
print(getAddress(sys.argv[2])) print(getAddress(sys.argv[2]))
else: else:
print(getAddress()) print(getAddress())
elif command == "pad":
if len(sys.argv) >= 3:
n = 8
if len(sys.argv) >= 4:
n = int(sys.argv[3])
print(pad(sys.argv[2].encode(), n))
else:
print("Usage: %s pad <str> [n=8]" % bin)
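Review bot: The `getAddress` branch in the `__main__` block now reads `sys.argv[2]` behind `if len(sys.argv) >= 2:`, but with exactly two arguments (`util.py getAddress`) that index does not exist and the interpreter raises IndexError instead of falling through to `getAddress()` with the default interface; the replaced guard `> 2` was correct, and the sibling `pad` branch already uses the equivalent `>= 3`, so change it to `if len(sys.argv) >= 3:`. In `genSyscall`, `registers["rax"] = syscall` writes into the caller's dict as a side effect; copying first (`registers = dict(registers, rax=syscall)`) keeps the function free of surprises for a caller that reuses the mapping and documents that rax is forced to the syscall number. The `type(gadget) == pwnlib.rop.gadgets.Gadget` test should be `isinstance(gadget, pwnlib.rop.gadgets.Gadget)`, and it relies on `pwnlib` being brought into scope by `from pwn import *`, which I cannot confirm from this hunk. The `__main__` block may continue past the end of the hunk.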