def test_win_64():
import logging
logging.basicConfig()
logging.root.setLevel(logging.INFO)
test_file = "tests/bin/format_pc_write_64"
properties = {"pwn_type": {}, "pwn": {}, "input_type": "STDIN"}
with suppress():
properties["pwn_type"] = formatDetector.checkFormat(
test_file, inputType=properties["input_type"])
assert properties["pwn_type"]["type"] == "Format"
with suppress():
properties["protections"] = protectionDetector.getProperties(test_file)
assert properties["protections"]["arch"]
with suppress():
properties["win_functions"] = winFunctionDetector.getWinFunctions(
test_file)
assert "sym.secret_function" in properties["win_functions"]
with suppress():
properties["pwn_type"]["results"] = formatExploiter.exploitFormat(
test_file, properties)
assert "flag_found" in properties["pwn_type"]["results"].keys()
def test_leak_64():
test_file = "tests/bin/read_stack_64"
properties = {"pwn_type": {}, "pwn": {}, "input_type": "STDIN"}
with suppress():
properties["protections"] = protectionDetector.getProperties(test_file)
assert properties["protections"]["arch"]
with suppress():
properties["pwn_type"] = formatDetector.checkFormat(
test_file, inputType=properties["input_type"])
assert properties["pwn_type"]["type"] == "Format"
with suppress():
properties["pwn"] = formatLeak.checkLeak(test_file, properties)
assert properties["pwn"]["flag_found"] == True
def test_win_32():
test_file = "tests/bin/format_pc_write_32"
properties = {"pwn_type": {}, "pwn": {}, "input_type": "STDIN"}
with suppress():
properties["protections"] = protectionDetector.getProperties(test_file)
assert properties["protections"]["arch"]
with suppress():
properties["win_functions"] = winFunctionDetector.getWinFunctions(
test_file)
print(properties["win_functions"])
assert "sym.secret_function" in properties["win_functions"]
with suppress():
properties["pwn_type"] = formatDetector.checkFormat(
test_file, inputType=properties["input_type"])
assert properties["pwn_type"]["type"] == "Format"
with suppress():
properties["pwn_type"]["results"] = formatExploiter.exploitFormat(
test_file, properties)
assert "flag_found" in properties["pwn_type"]["results"].keys()
def main():
if not is_radare_installed():
log.info("[-] Error radare2 is not installed.")
exit(1)
parser = argparse.ArgumentParser()
parser.add_argument("file", help="File to analyze")
parser.add_argument("-l", "--libc", help="libc to use")
parser.add_argument("-u", "--url", help="Remote URL to pwn", default="")
parser.add_argument("-p", "--port", help="Remote port to pwn", default="0")
parser.add_argument(
"-v", "--verbose", help="Verbose mode", action="store_true", default=False
)
parser.add_argument(
"--force_shellcode",
default=False,
action="store_true",
help="Set overflow pwn mode to point to shellcode",
)
parser.add_argument(
"--format_only",
default=False,
action="store_true",
help="Only run format strings check",
)
parser.add_argument(
"--overflow_only",
default=False,
action="store_true",
help="Only run overflow check",
)
args = parser.parse_args()
if args.file is None:
log.info("[-] Exitting no file specified")
exit(1)
if args.verbose:
logging.basicConfig(level=logging.DEBUG)
if not args.verbose:
for loud_logger in loud_loggers:
logging.getLogger(loud_logger).setLevel(logging.ERROR)
logging.getLogger("angr.project").disabled = True
# For stack problems where env gets shifted
# based on path, using the abs path everywhere
# makes it consistent
args.file = os.path.abspath(args.file)
# Detect problem type
properties = {}
properties["input_type"] = inputDetector.checkInputType(args.file)
properties["libc"] = args.libc
properties["file"] = args.file
properties["force_shellcode"] = args.force_shellcode
properties["pwn_type"] = {}
properties["pwn_type"]["type"] = None
log.info("[+] Checking pwn type...")
if not args.format_only:
log.info("[+] Checking for overflow pwn type...")
properties["pwn_type"] = overflowDetector.checkOverflow(
args.file, inputType=properties["input_type"]
)
if not args.overflow_only:
if properties["pwn_type"]["type"] is None:
log.info("[+] Checking for format string pwn type...")
properties["pwn_type"] = formatDetector.checkFormat(
args.file, inputType=properties["input_type"]
)
# Get problem mitigations
log.info("[+] Getting binary protections")
properties["protections"] = protectionDetector.getProperties(args.file)
# Is it a leak based one?
if properties["pwn_type"]["type"] == "Format":
log.info("[+] Checking for flag leak")
properties["pwn"] = formatLeak.checkLeak(args.file, properties)
# Launch leak remotely
if properties["pwn"]["flag_found"] and args.url != "":
log.info("[+] Found flag through leaks locally. Launching remote exploit")
log.info("[+] Connecting to {}:{}".format(args.url, args.port))
properties["pwn"]["exploit"] = formatLeak.checkLeak(
args.file,
properties,
remote_server=True,
remote_url=args.url,
port_num=int(args.port),
)
if properties["pwn"]["flag_found"]:
exit(0)
# Is there an easy win function
properties["win_functions"] = winFunctionDetector.getWinFunctions(args.file)
# Exploit overflows
if properties["pwn_type"]["type"] == "Overflow":
log.info("[+] Exploiting overflow")
properties["pwn_type"]["results"] = {}
properties["pwn_type"]["results"] = overflowExploiter.exploitOverflow(
args.file, properties, inputType=properties["input_type"]
)
if properties["pwn_type"]["results"]["type"]:
properties["send_results"] = overflowExploitSender.sendExploit(
args.file, properties
)
if properties["send_results"]["flag_found"] and args.url != "":
properties["remote_results"] = overflowExploitSender.sendExploit(
args.file,
properties,
remote_server=True,
remote_url=args.url,
port_num=int(args.port),
)
elif properties["pwn_type"]["type"] == "Format":
properties["pwn_type"]["results"] = formatExploiter.exploitFormat(
args.file, properties
)
if (
properties["pwn_type"] is not None
and "flag_found" in properties["pwn_type"].keys()
and properties["pwn_type"]["results"]["flag_found"]
and args.url != ""
):
properties["pwn_type"]["send_results"] = formatExploiter.getRemoteFormat(
properties, remote_url=args.url, remote_port=int(args.port)
)
else:
log.info("[-] Can not determine vulnerable type")
def test_detect_64():
with suppress():
test_file = "tests/bin/read_stack_64"
input_type = "STDIN"
pwn_type = formatDetector.checkFormat(test_file, inputType=input_type)
assert pwn_type["type"] == "Format"