
@tin-z
Last active July 10, 2021 21:44
#!/usr/bin/env python3
from pwn import *
import signal
import sys
import subprocess
# requirements:
# $ python3 -m pip install pwntools --user
# UTILS
# Addresses carried over in the template.  They belong to some specific binary
# (not the /bin/bash placeholder used as context.binary below) and nothing
# visible in this file reads them; treat them as stale until re-checked.
pop_rdi=0x0000000000400783 # pop rdi; ret;
pop_rbp=0x0000000000400608 # pop rbp; ret;
puts_plt=0x400550  # presumably puts@plt of the same binary -- not used here
# Init config
def signal_handler(sig, frame):
    """SIGINT handler: announce the interrupt and exit with status 0.

    Installed only if the commented-out ``signal.signal`` line below is
    re-enabled.

    Args:
        sig: delivered signal number (unused).
        frame: interrupted stack frame (unused).
    """
    print('You pressed Ctrl+C!')
    raise SystemExit(0)
#signal.signal(signal.SIGINT, signal_handler)
#print('Press Ctrl+C')
# context.log_level = logging.DEBUG #with debug output
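prog_name = '/bin/bash'  # placeholder target; replace with the actual binary
context.binary = prog_name
elfaz = context.binary
context.terminal = ["tmux", "splitw", "-v"]

# Mode switch taken from argv[1]: 0 -> talk to the remote service,
# 1 -> spawn the binary locally.  Previously a missing / non-numeric argument
# raised IndexError/ValueError here, and any other value left `r` and `libcz`
# undefined so the script only failed later with a NameError; fail early with
# a usage message instead.
try:
    debug = int(sys.argv[1])
except (IndexError, ValueError):
    sys.exit("usage: {} <0=remote | 1=local>".format(sys.argv[0]))
online = False  # True when `r` is the remote connection (checked by interactive())
if debug == 0:
    r = remote("127.0.0.1", 9000)
    libcz = ELF("./libc.so.6")
    online = True
elif debug == 1:
    # libcz = ELF("libc-2.28.so")
    # ldz = ELF("ld-2.28.so")
    # r = process([ldz.path, elfaz.path], env={"LD_PRELOAD":libcz.path})
    libcz = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    r = process(prog_name)  # ,aslr=False, env={'LD_PRELOAD':'./libc.so.6'})
else:
    sys.exit("unknown mode {!r}: expected 0 (remote) or 1 (local)".format(debug))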
# Runtime config
def halt():
    """Block forever, logging each line received from the global tube ``r``.

    Never returns; it ends only when ``recvline`` raises (EOF/timeout).
    """
    while True:
        received = r.recvline()
        log.info(received)
def interactive():
    """Hand the global tube ``r`` over to pwntools' interactive mode.

    For a local process (``online`` is False) the gdb command line needed to
    attach to it by pid is printed first, so a debugger can be started by hand.
    """
    if not online:
        attach_cmd = """/usr/bin/gdb -q {0} {1}""".format(r.argv[0], r.pid)
        print(attach_cmd)
    r.interactive()
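def one_gadget(libc_path=libcz.path):
    """Run the external ``one_gadget`` tool on *libc_path* and return its values as ints.

    ``check_output`` is called with an argument list (no shell), so
    *libc_path* is passed as a single argv entry; the tool's ``--raw`` output
    is treated as whitespace-separated integers.

    Args:
        libc_path: libc to analyse. The default is ``libcz.path`` as it was
            when this function was defined (evaluated once, at import).

    Returns:
        list[int]: the parsed values, ``[]`` when the tool prints nothing.

    Raises:
        FileNotFoundError: ``one_gadget`` is not on PATH.
        subprocess.CalledProcessError: the tool exited non-zero.
    """
    raw = subprocess.check_output(['one_gadget', '--raw', libc_path])
    # split() instead of split(" "): an empty or whitespace-only result gives
    # [] rather than [''] (which int() would reject with ValueError).
    return [int(token) for token in raw.decode('cp437').split()]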
def fmt():
    """Stub kept for a future helper; does nothing and returns None."""
# r.sendline("%4198486u%10$n \x58\x40\x40\x00\x00\x00\x00\x00")
def init_shortcuts():
    """Install the short pwntools aliases (ru, rc, se, sl, sla) as module globals.

    Every alias looks up the global tube ``r`` when it is called, not when it
    is created, so this may run before ``r`` exists as long as no alias is
    invoked until it does.
    """
    aliases = {
        'ru': lambda x: r.recvuntil(x),
        'rc': lambda: r.recv(),
        'se': lambda x: r.send(x),
        'sl': lambda x: r.sendline(x),
        'sla': lambda x, y: r.sendlineafter(x, y),
    }
    globals().update(aliases)
def init_breaks():
    """Attach gdb to the local process ``r`` with the breakpoints listed below.

    Skipped entirely when ``online`` is True (remote target, nothing to attach
    to). ``breaks`` is empty in the template; every entry is turned into a
    ``b *(addr)`` line and spliced into the gdb script.
    """
    global r, online
    ## Breakpoints list
    breaks = []  # e.g. [0x400715]
    bp_lines = "\n".join("b *({})".format(addr) for addr in breaks)
    ##
    if online:
        return
    gdb.attach(r, '''
set follow-fork-mode parent
{}
catch syscall exit_group
b system
c
'''.format(bp_lines))
def skel(index, data=None, newline=True, timeout=False):
    """Stub for a per-action send helper; does nothing and returns None.

    All parameters are currently unused; their intended meaning (an option
    index, an optional payload, newline termination, a timeout) is only
    suggested by their names.
    """
# Pwn
def pwn():
    """Smoke-test the I/O path, then drop into interactive mode.

    Installs the aliases, attaches gdb when running locally, echoes a
    non-ASCII marker through the target and logs the reply decoded as UTF-8
    and as cp437 (to show whether the transport altered the bytes).
    """
    init_shortcuts()
    init_breaks()
    sl("echo '你好'")
    reply = ru('你好'.encode('utf-8'))
    for codec in ('utf-8', 'cp437'):
        log.info(reply.decode(codec))
    r.interactive()
# example of leak use case
# leak_printf = int(leak,16)
# libc_base = leak_printf - libcz.symbols['printf']
# system = libc_base + libcz.symbols['system']
# bin_sh_string = libc_base + list(libcz.search(b"sh\0"))[0]
# log.info("Leak printf@got: 0x{:x}".format(leak_printf))
# log.info("Libc base: 0x{:x}".format(libc_base))
# log.info("System: 0x{:x}".format(system))
# log.info("Sh string: 0x{:x}".format(bin_sh_string))
pwn()  # script entry point; runs at import time, after the mode/tube setup above