xct's notes
Search…
Red Team
Blue Team
Templates
Find Basic Block with Angr
1
import angr
2
import sys
3
​
4
def main(argv):
5
path_to_binary = "<binary>"
6
project = angr.Project(path_to_binary)
7
initial_state = project.factory.entry_state()
8
sm = project.factory.simgr(initial_state)
9
# list of basic blocks to find or to avoid
10
sm.explore(find=[], avoid=[])
11
for state in sm.deadended:
12
print(state.posix.dumps(sys.stdin.fileno()))
13
else:
14
raise Exception('Could not find the solution')
15
​
16
if __name__ == '__main__':
17
main(sys.argv)
Copied!
Pwntools Template
1
from pwn import *
2
import struct
3
​
4
context.terminal = ['alacritty', '-e', 'zsh', '-c']
5
target = '<target>'
6
context.binary = target
7
binary = ELF(target)
8
libc = ELF("./libc.so.6")
9
​
10
ssh_host = '<ip>'
11
ssh_user = '<user>'
12
ssh_pass = '<pass>'
13
ssh_port = 22
14
​
15
if args['SSH']:
16
sh = ssh(host=ssh_host, user=ssh_user, password=ssh_pass, port=ssh_port)
17
p = sh.run('/bin/bash')
18
junk = p.recv(4096,timeout=2)
19
p.sendline(target)
20
else:
21
p = process(target,setuid=True)
22
​
23
#gdb.attach(p, gdbscript='continue')
24
p.interactive()
Copied!
Extract value after string
1
get = lambda x: [sh.recvuntil('{} : '.format(x)), int(sh.recvline())][1]
2
p = get('p')
Copied!
LD_Preload in pwntools
1
libc = ELF(<name>)
2
main = ELF(<name>)
3
r = main.process(env={'LD_PRELOAD' : libc.path})
Copied!
Generate shellcode on commandline
1
pwn shellcraft -f d amd64.linux.setreuid 1002
Copied!
Last modified 1yr ago