Binary Exploit Initscript

Binary exploit problems generally involve sending data to a binary and interpreting the output. This script uses the pwntools framework to automate much of the setup.

  1. Fill in the binary name, libc name, and whatever variables are needed for the remote binary.
  2. Start a tmux window. The tmux window will split into two after the script runs - the left will have your binary’s output, and the right will have GDB.
  3. Run python run.py --<mode> where mode indicates how you want to run the binary. Not putting a mode automatically runs the binary in GDB.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
import argparse
from pwn import *
context.terminal = ['tmux', 'splitw', '-h']

# cmdline argument - how to connect to binary
parser = argparse.ArgumentParser()
parser.add_argument("--local", help="Run exploit locally", action="store_true")
parser.add_argument("--attach", help="Run exploit locally and attach debugger", action="store_true")
parser.add_argument("--remote", help="Run exploit on remote service", action="store_true")
parser.add_argument("--ssh", help="Run exploit on SSH server", action="store_true")
args = parser.parse_args()

# GDB commands
debugging = False
gdb_cmd = [
"c"
]

# Binary names
bin_fname = ''
libc_fname = ''

# Remote
IP = ''
PORT = 0

# SSH
URL = ''
username = ''
password = ''
bin_abs_path = ''

# Create ELF objects
e = ELF(bin_fname)
libc = ELF(libc_fname) if libc_fname else None
x64 = e.bits != 32

# Command line args
# e.g. arg1 = cyclic_find('ahaa') * 'a' + '\xbd\x86\x04\x08' + 'a' * 4 + p32(next(e.search('/bin/sh')))
arg1 = ''
proc_args = [bin_fname, arg1]

if args.remote:
p = remote(IP, PORT)
elif args.local or args.attach:
p = process(proc_args)
if args.attach:
gdb.attach(p, gdbscript="\n".join(gdb_cmd))
elif args.ssh:
s = ssh(host=URL, user=username, password=password)
s.set_working_directory(bin_abs_path)
p = s.process(proc_args)
else:
p = gdb.debug(proc_args, gdbscript="\n".join(gdb_cmd))
debugging = True

"""
Exploit

Examples:
func_offset = libc.symbols['puts'] # Offset in libc
puts_addr = p32(e.got['puts'])
main = e.symbols['main']
addr_string = next(e.search('/bin/cat flag.txt'))
"""

p.sendline(cyclic(100, n=8 if x64 else 4))
# buf = cyclic_find('', n=8 if x64 else 4) * 'a'
p.interactive()