This is a starter script for binary-exploitation exercises.
from pwn import * | |
from ctypes import * | |
import time | |
import sys | |
def generate_random_number():
    """Return a 64-bit value assembled from two consecutive libc ``rand()`` calls.

    ``srand`` is first seeded with the current Unix time (whole seconds), so two
    calls within the same second yield the same value.  The first ``rand()``
    result becomes the low 32 bits and the second the high 32 bits.

    Uses the module-level ``LIBC_CODE`` ctypes handle, which must be loaded
    before this function is called.
    """
    LIBC_CODE.srand(int(time.time()))
    low_half = LIBC_CODE.rand()
    high_half = LIBC_CODE.rand()
    # ctypes returns these as C ints; assumes a glibc-like rand() that never
    # returns a negative value, so the shift does not carry a sign bit.
    return low_half | (high_half << 32)
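# ---- Target configuration (fill in before running) ----
IP = ''        # TODO: remote host
PORT = ''      # TODO: remote port; remote() converts it with int(), so '' fails
BIN = ''       # TODO: path to the target binary
local = False  # True: spawn BIN locally, False: connect to IP:PORT

context.binary = BIN
# 'debug' logs every byte sent and received; lower it once the protocol is
# understood or the output becomes unreadable.
context.log_level = 'debug'

# ---- libc: symbol offsets used later ----
LIBC = ELF('')        # TODO: path to the libc matching the target (ELF('') fails at load time)
LIBC_CODE = CDLL("")  # TODO: ctypes handle used by generate_random_number(); presumably the same library
# LD_PRELOAD needs a filesystem path, not the ELF object, so use the path the
# ELF was loaded from.  The dict is passed to process() below.
ENV = {"LD_PRELOAD": LIBC.path} if LIBC else {}

system_libc_offset = LIBC.symbols['system']
log.info("system function at offset {:#x} in libc".format(system_libc_offset))
puts_libc_offset = LIBC.symbols['puts']
log.info("puts function at offset {:#x} in libc".format(puts_libc_offset))
# next() raises StopIteration if this libc build does not contain the string.
bin_sh_offset = next(LIBC.search(b'/bin/sh'))
log.info("bin_sh at offset {:#x} in libc".format(bin_sh_offset))

# ---- Addresses taken from the binary itself ----
ELF_LOADED = ELF(BIN)
ROP_LOADED = ROP(ELF_LOADED)
# find_gadget() returns None when no such gadget exists; indexing it then
# raises TypeError rather than a clear message.
pop_rdi_ret = (ROP_LOADED.find_gadget(['pop rdi', 'ret']))[0]
main_address = None  # TODO: fill in (the original template left this assignment empty, a SyntaxError)
puts_plt = ELF_LOADED.plt['puts']
puts_got = ELF_LOADED.got['puts']

# ---- Connection ----
if local:
    # env=ENV is what makes the LD_PRELOAD above take effect for the local run.
    io = process(BIN, env=ENV)
    # io = gdb.debug(BIN, 'b main')
else:
    io = remote(IP, PORT)

# Stage 1
# Stage 2
# Stage 3
io.interactive()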