From a6ddd79aeebf55255c860ed260f499032e985d3d Mon Sep 17 00:00:00 2001 From: eioake01 Date: Sun, 25 Dec 2022 23:16:22 +0200 Subject: [PATCH] remove unnecessary brackets in pwn arm template --- files/templates/pwn_template.py | 62 ++++++++++++------- files/templates/pwn_template32.py | 62 ++++++++++++------- files/templates/pwn_templateARM.py | 62 ++++++++++++------- .../templates/pwn_templateKernel/transfer.py | 14 +++-- 4 files changed, 125 insertions(+), 75 deletions(-) diff --git a/files/templates/pwn_template.py b/files/templates/pwn_template.py index 9bc34c9..c01d37f 100644 --- a/files/templates/pwn_template.py +++ b/files/templates/pwn_template.py 
@@ -2,52 +2,68 @@ from pwn import * -context.terminal = ['tmux', 'splitw', '-v'] +context.terminal = ["tmux", "splitw", "-v"] context.arch = "amd64" -binary = '[binary]' +binary = "[binary]" elf = context.binary = ELF(binary) ssh_en = False if args.R: - host = args.HOST or '' + host = args.HOST or "" port = args.PORT or 0 - + if ssh_en: - user = '' - password = '' + user = "" + password = "" r = ssh(user=user, host=host, port=port, password=password) def start(): if args.R: - if not ssh_en: return remote(host, port) - else: return r.process(binary, cwd='') + if not ssh_en: + return remote(host, port) + else: + return r.process(binary, cwd="") else: - gs = ''' + gs = """ init-pwndbg c - ''' - if args.GDB: return gdb.debug(elf.path, gs) - else: return process(elf.path) + """ + if args.GDB: + return gdb.debug(elf.path, gs) + else: + return process(elf.path) + def one_gadget(filename, base_addr=0): - return [(int(i)+base_addr) for i in subprocess.check_output(['one_gadget', '--raw', filename]).decode().split(' ')] + return [ + (int(i) + base_addr) + for i in subprocess.check_output(["one_gadget", "--raw", filename]) + .decode() + .split(" ") + ] + def log_addr(name, addr): - log.info('{}: 0x{:x}'.format(name, addr)) + log.info("{}: 0x{:x}".format(name, addr)) + io = start() -sl = lambda x : io.sendline(x.encode() if type(x) == str else x) -sla = lambda x, y : io.sendlineafter(x.encode() if type(x) == str else x, y.encode() if type(y) == str else y) -se = lambda x : io.send(x.encode() if type(x) == str else x) -sa = lambda x, y : io.sendafter(x.encode() if type(x) == str else x, y.encode() if type(y) == str else y) -ru = lambda x : io.recvuntil(x.encode() if type(x) == str else x) -rl = lambda : io.recvline() -cl = lambda : io.clean() -uu32 = lambda x : u32(x.ljust(4, b'\x00')) -uu64 = lambda x : u64(x.ljust(8, b'\x00')) +sl = lambda x: io.sendline(x.encode() if type(x) == str else x) +sla = lambda x, y: io.sendlineafter( + x.encode() if type(x) == str else x, 
y.encode() if type(y) == str else y +) +se = lambda x: io.send(x.encode() if type(x) == str else x) +sa = lambda x, y: io.sendafter( + x.encode() if type(x) == str else x, y.encode() if type(y) == str else y +) +ru = lambda x: io.recvuntil(x.encode() if type(x) == str else x) +rl = lambda: io.recvline() +cl = lambda: io.clean() +uu32 = lambda x: u32(x.ljust(4, b"\x00")) +uu64 = lambda x: u64(x.ljust(8, b"\x00")) io.interactive() diff --git a/files/templates/pwn_template32.py b/files/templates/pwn_template32.py index 1efa527..5705122 100644 --- a/files/templates/pwn_template32.py +++ b/files/templates/pwn_template32.py 
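Review bot: The ssh branch in the new code still takes `user = ""` and `password = ""` as literals to be filled in by hand, while `host` and `port` two lines above come from `args.HOST`/`args.PORT`; a template copied and edited per target ends up with a plaintext password committed alongside the exploit. Read them the same way as the host, `user = args.USER or ""` and `password = args.PASSWORD or os.environ.get("PWN_SSH_PASSWORD", "")` (the ARM template's `os.environ` use right after the same `from pwn import *` shows `os` is in scope). Separately, `one_gadget` splits the `--raw` output on a single space, so an empty result yields `[""]` and `int("")` raises ValueError; `.split()` with no argument returns `[]` in that case and also tolerates a trailing newline. The `type(x) == str` checks in the send/recv lambdas would read better as `isinstance(x, str)`.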
@@ -2,53 +2,69 @@ from pwn import * -context.terminal = ['tmux', 'splitw', '-v'] +context.terminal = ["tmux", "splitw", "-v"] context.arch = "i386" -binary = '[binary]' +binary = "[binary]" elf = context.binary = ELF(binary) ssh_en = False if args.R: - host = args.HOST or '' + host = args.HOST or "" port = args.PORT or 0 if ssh_en: - user = '' - password = '' + user = "" + password = "" r = ssh(user=user, host=host, port=port, password=password) def start(): if args.R: - if not ssh_en: return remote(host, port) - else: return r.process(binary, cwd='') + if not ssh_en: + return remote(host, port) + else: + return r.process(binary, cwd="") else: - gs = ''' + gs = """ init-pwndbg c - ''' - if args.GDB: return gdb.debug(elf.path, gs) - else: return process(elf.path) + """ + if args.GDB: + return gdb.debug(elf.path, gs) + else: + return process(elf.path) + def one_gadget(filename, base_addr=0): - return [(int(i)+base_addr) for i in subprocess.check_output(['one_gadget', '--raw', filename]).decode().split(' ')] + return [ + (int(i) + base_addr) + for i in subprocess.check_output(["one_gadget", "--raw", filename]) + .decode() + .split(" ") + ] + def log_addr(name, addr): - log.info('{}: 0x{:x}'.format(name, addr)) + log.info("{}: 0x{:x}".format(name, addr)) + io = start() -sl = lambda x : io.sendline(x.encode() if type(x) == str else x) -sla = lambda x, y : io.sendlineafter(x.encode() if type(x) == str else x, y.encode() if type(y) == str else y) -se = lambda x : io.send(x.encode() if type(x) == str else x) -sa = lambda x, y : io.sendafter(x.encode() if type(x) == str else x, y.encode() if type(y) == str else y) -ru = lambda x : io.recvuntil(x.encode() if type(x) == str else x) -rl = lambda : io.recvline() -cl = lambda : io.clean() -i = lambda : io.interactive() -uu32 = lambda x : u32(x.ljust(4, b'\x00')) -uu64 = lambda x : u64(x.ljust(8, b'\x00')) +sl = lambda x: io.sendline(x.encode() if type(x) == str else x) +sla = lambda x, y: io.sendlineafter( + x.encode() if 
type(x) == str else x, y.encode() if type(y) == str else y +) +se = lambda x: io.send(x.encode() if type(x) == str else x) +sa = lambda x, y: io.sendafter( + x.encode() if type(x) == str else x, y.encode() if type(y) == str else y +) +ru = lambda x: io.recvuntil(x.encode() if type(x) == str else x) +rl = lambda: io.recvline() +cl = lambda: io.clean() +i = lambda: io.interactive() +uu32 = lambda x: u32(x.ljust(4, b"\x00")) +uu64 = lambda x: u64(x.ljust(8, b"\x00")) io.interactive() diff --git a/files/templates/pwn_templateARM.py b/files/templates/pwn_templateARM.py index 96a4d7d..666d118 100644 --- a/files/templates/pwn_templateARM.py +++ b/files/templates/pwn_templateARM.py 
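Review bot: `one_gadget` in this hunk parses the `--raw` output with `.split(" ")`, so when one_gadget prints nothing the comprehension calls `int("")` and raises ValueError instead of returning an empty list; change the last line of the comprehension to `.split()`, which also tolerates double spaces and a trailing newline. The reformatted `i = lambda: io.interactive()` is defined but the script still ends with a direct `io.interactive()` call, so the alias is dead code and is absent from the amd64 and ARM templates; either drop it or use it for the final call. The `user = ""` / `password = ""` literals in the ssh branch invite a plaintext password to be committed with the exploit, whereas reading them from `args.USER`/`args.PASSWORD` like `host`/`port` keeps credentials out of the file.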
@@ -2,57 +2,73 @@ from pwn import * -os.environ['QEMU_LD_PREFIX'] = '/usr/arm-linux-gnueabi' +os.environ["QEMU_LD_PREFIX"] = "/usr/arm-linux-gnueabi" -context.terminal = ['tmux', 'splitw', '-v'] +context.terminal = ["tmux", "splitw", "-v"] context.arch = "arm" -binary = '[binary]' +binary = "[binary]" elf = context.binary = ELF(binary) rop = ROP(elf) ssh_en = False if args.R: - host = args.HOST or '' + host = args.HOST or "" port = args.PORT or 0 if ssh_en: - user = '' - password = '' + user = "" + password = "" r = ssh(user=user, host=host, port=port, password=password) def start(): if args.R: - if not ssh_en: return remote(host, port) - else: return r.process(binary, cwd='') + if not ssh_en: + return remote(host, port) + else: + return r.process(binary, cwd="") else: - gs = ''' + gs = """ br _start c init-pwndbg c - ''' - if args.GDB: return gdb.debug(elf.path, gs) - else: return process([f'qemu-arm {elf.path}'.split()]) + """ + if args.GDB: + return gdb.debug(elf.path, gs) + else: + return process(f"qemu-arm {elf.path}".split()) + def one_gadget(filename, base_addr=0): - return [(int(i)+base_addr) for i in subprocess.check_output(['one_gadget', '--raw', filename]).decode().split(' ')] + return [ + (int(i) + base_addr) + for i in subprocess.check_output(["one_gadget", "--raw", filename]) + .decode() + .split(" ") + ] + def log_addr(name, addr): - log.info('{}: 0x{:x}'.format(name, addr)) + log.info("{}: 0x{:x}".format(name, addr)) + io = start() -sl = lambda x : io.sendline(x.encode() if type(x) == str else x) -sla = lambda x, y : io.sendlineafter(x.encode() if type(x) == str else x, y.encode() if type(y) == str else y) -se = lambda x : io.send(x.encode() if type(x) == str else x) -sa = lambda x, y : io.sendafter(x.encode() if type(x) == str else x, y.encode() if type(y) == str else y) -ru = lambda x : io.recvuntil(x.encode() if type(x) == str else x) -rl = lambda : io.recvline() -cl = lambda : io.clean() -uu32 = lambda x : u32(x.ljust(4, b'\x00')) -uu64 = lambda 
x : u64(x.ljust(8, b'\x00')) +sl = lambda x: io.sendline(x.encode() if type(x) == str else x) +sla = lambda x, y: io.sendlineafter( + x.encode() if type(x) == str else x, y.encode() if type(y) == str else y +) +se = lambda x: io.send(x.encode() if type(x) == str else x) +sa = lambda x, y: io.sendafter( + x.encode() if type(x) == str else x, y.encode() if type(y) == str else y +) +ru = lambda x: io.recvuntil(x.encode() if type(x) == str else x) +rl = lambda: io.recvline() +cl = lambda: io.clean() +uu32 = lambda x: u32(x.ljust(4, b"\x00")) +uu64 = lambda x: u64(x.ljust(8, b"\x00")) io.interactive() diff --git a/files/templates/pwn_templateKernel/transfer.py b/files/templates/pwn_templateKernel/transfer.py index 8d2bcb1..2643045 100644 --- a/files/templates/pwn_templateKernel/transfer.py +++ b/files/templates/pwn_templateKernel/transfer.py @@ -7,25 +7,27 @@ import base64 import os + def run(cmd): sock.sendlineafter("$ ", cmd) sock.recvline() + with open("./initramfs/xpl", "rb") as f: payload = bytes2str(base64.b64encode(f.read())) -host = '' +host = "" port = 0 sock = Socket(host, port) -run('cd /tmp') +run("cd /tmp") logger.info("Uploading...") for i in range(0, len(payload), 512): print(f"Uploading... {i:x} / {len(payload):x}") - run('echo "{}" >> b64exp'.format(payload[i:i+512])) -run('base64 -d b64exp > xpl') -run('rm b64exp') -run('chmod +x xpl') + run('echo "{}" >> b64exp'.format(payload[i : i + 512])) +run("base64 -d b64exp > xpl") +run("rm b64exp") +run("chmod +x xpl") sock.interactive()
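Review bot: The corrected launch line `process(f"qemu-arm {elf.path}".split())` is right to drop the nested list the old code passed, but splitting the formatted string breaks again as soon as `elf.path` contains a space, because the unquoted path is cut into several argv entries; `process(["qemu-arm", elf.path])` avoids building a string only to split it. Both the `process` and the `gdb.debug` path rely on `QEMU_LD_PREFIX` being set before `start()` runs, which the assignment at the top of the hunk does, but the value is hard-coded to `/usr/arm-linux-gnueabi`; a comment such as `# must be set before start(); adjust for a hard-float (gnueabihf) sysroot` above that line would keep the next user from debugging a silent loader failure. The `type(x) == str` checks in the helper lambdas would read better as `isinstance(x, str)`.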
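Review bot: The upload in this hunk never checks that `xpl` arrived intact: each 512-character chunk goes through `echo ... >> b64exp` on an interactive shell, and a dropped or duplicated line corrupts the binary silently, so `chmod +x xpl` still succeeds and the exploit then fails in ways that look like a kernel bug. Compare a digest before dropping into the shell: hash the file when it is read, then after the `base64 -d` step send `md5sum xpl` and compare the first field of the reply (the `run` helper already consumes the echoed command line, so the digest is the next `recvline()`); this needs `hashlib` imported next to `base64`. `run` also hard-codes the `$ ` prompt, so a root shell with a `# ` prompt hangs on the first `sendlineafter`; a comment above `run` such as `# expects an unprivileged busybox prompt ("$ "); change for "# "` would save a confused wait.
```python
with open("./initramfs/xpl", "rb") as f:
    raw = f.read()
local_md5 = hashlib.md5(raw).hexdigest()
payload = bytes2str(base64.b64encode(raw))
# … unchanged: host/port, Socket(), cd /tmp, chunked echo upload …
run("base64 -d b64exp > xpl")
run("md5sum xpl")
remote_md5 = bytes2str(sock.recvline()).split()[0]
if remote_md5 != local_md5:
    logger.error(f"upload corrupted: remote {remote_md5} != local {local_md5}")
    raise SystemExit(1)
run("rm b64exp")
run("chmod +x xpl")
```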