# A custom template for binary exploitation that uses pwntools.
# Examples:
# python exploit.py DEBUG NOASLR GDB
# python exploit.py DEBUG REMOTE
from pwn import *
# Set up pwntools for the correct architecture. See `context.binary/arch/bits/endianness` for more
elfexe = ELF('./path/to/binary')  # FIXME
context.binary = elfexe
# Use the libc the binary will actually run against: the target's copy when
# REMOTE is given, otherwise the local machine's (locate it with `$ ldd exe`).
libc_path = '<libc-used-by-target>' if args['REMOTE'] else '<local-machine-libc>'  # FIXME
libc = ELF(libc_path)
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, disable ASLR and run through GDB
# for all created processes:
# $ ./exploit.py DEBUG NOASLR GDB
# You can also run the remote or local target with the option REMOTE
# Remote debugging is only feasible over ssh (not netcat) and depends on the remote system
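def start(argv=None, *a, **kw):
    '''Start the exploit against the target.

    argv: extra command-line arguments appended after the binary path
        (defaults to none).
    *a, **kw: forwarded unchanged to gdb.debug() or process().
    Returns the pwntools tube: a gdb-attached process when the GDB
    command-line flag is given, a plain local process otherwise.
    '''
    # Build a fresh list per call rather than sharing a mutable default.
    argv = [] if argv is None else list(argv)
    if args.GDB:
        # gdbscript is a module-level name assigned after this definition;
        # it is only looked up when start() actually runs.
        # kw must be splatted as keywords (**kw); *kw would pass its keys
        # positionally.
        return gdb.debug([elfexe.path] + argv, gdbscript, elfexe.path, *a, **kw)
    return process([elfexe.path] + argv, *a, **kw)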
# Specify your gdb script here for debugging. gdb is launched only when the
# GDB command-line argument is given. The text is passed through str.format()
# with the module-level names, so `{elfexe}`-style placeholders are expanded
# and any literal brace intended for gdb itself must be doubled (`{{`, `}}`).
_GDB_SCRIPT_TEMPLATE = '''
# init-gef
# target record-full # Not supported with AVX instructions yet
# b *main
# command
# printf "argv ptr: %p\\n",$rsi
# end
# continue
'''
gdbscript = _GDB_SCRIPT_TEMPLATE.format(**locals())
if args.GDB:
    log.info('Using gdb script:\n' + gdbscript)
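#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Command-line arguments handed to the target binary (appended after its path).
arguments = []
if args['REMOTE']:
    remote_server = '<remote-server>'  # FIXME
    # FIXME: replace the placeholder with the target port. Wrapped in int()
    # so the file stays syntactically valid (the bare `<remote-port>` token
    # prevented even the local path from running); until it is filled in this
    # fails with a clear ValueError at runtime.
    remote_port = int('<remote-port>')
    if args['SSH']:
        # s = ssh('<username>', remote_server, remote_port, '<password>')
        # io = s.process([elfexe.path] + arguments)
        raise NotImplementedError
    else:  # e.g. netcat
        io = remote(remote_server, remote_port)
else:
    io = start(arguments)
# Always release the tube (and the local process / gdb session behind it),
# even when the interactive session ends with an EOFError or KeyboardInterrupt.
try:
    io.interactive()
finally:
    io.close()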