Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/io12/pwninit
pwninit - automate starting binary exploit challenges
https://github.com/io12/pwninit
binary elf exploit init pwn
Last synced: 3 months ago
JSON representation
pwninit - automate starting binary exploit challenges
- Host: GitHub
- URL: https://github.com/io12/pwninit
- Owner: io12
- License: mit
- Created: 2019-11-03T04:24:09.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2024-06-24T08:03:08.000Z (7 months ago)
- Last Synced: 2024-07-08T16:39:08.206Z (7 months ago)
- Topics: binary, elf, exploit, init, pwn
- Language: Rust
- Homepage:
- Size: 466 KB
- Stars: 824
- Watchers: 7
- Forks: 57
- Open Issues: 19
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-rust-security - pwninit - automate starting binary exploit challenges (Vulnerability Assessment / Binary Analysis & Reversing)
README
[](https://github.com/io12/pwninit/actions)
[](https://github.com/io12/pwninit/actions)
[](https://crates.io/crates/pwninit)
[](https://docs.rs/pwninit)
# `pwninit`
A tool for automating starting binary exploit challenges
## Features
- Set challenge binary to be executable
- Download a linker (`ld-linux.so.*`) that can segfaultlessly load the provided libc
- Download debug symbols and unstrip the libc
- Patch the binary with [`patchelf`](https://github.com/NixOS/patchelf) to use
the correct RPATH and interpreter for the provided libc
- Fill in a template pwntools solve script
## Usage
### Short version
Run `pwninit`
### Long version
Run `pwninit` in a directory with the relevant files and it will detect which ones are the binary, libc, and linker. If the detection is wrong, you can specify the locations with `--bin`, `--libc`, and `--ld`.
#### Custom `solve.py` template
If you don't like the default template, you can use your own. Just specify `--template-path `. Check [template.py](src/template.py) for the template format. The names of the `exe`, `libc`, and `ld` bindings can be customized with `--template-bin-name`, `--template-libc-name`, and `--template-ld-name`.
##### Persisting custom `solve.py`
You can make `pwninit` load your custom template automatically by adding an alias to your `~/.bashrc`.
###### Example
```bash
alias pwninit='pwninit --template-path ~/.config/pwninit-template.py --template-bin-name e'
```
## Install
### Arch Linux
Install [`pwninit`](https://aur.archlinux.org/packages/pwninit/) or
[`pwninit-bin`](https://aur.archlinux.org/packages/pwninit-bin/) from the AUR.
### Download
You can download statically-linked [musl](https://www.musl-libc.org/)
binaries from the [releases page](https://github.com/io12/pwninit/releases).
### Using cargo
Run
```sh
cargo install pwninit
```
This places the binary in `~/.cargo/bin`.
Note that `openssl`, `liblzma`, and `pkg-config` are required for the build.
## Example
```sh
$ ls
hunter libc.so.6 readme
$ pwninit
bin: ./hunter
libc: ./libc.so.6
setting ./hunter executable
fetching linker
https://launchpad.net/ubuntu/+archive/primary/+files//libc6_2.23-0ubuntu10_i386.deb
unstripping libc
https://launchpad.net/ubuntu/+archive/primary/+files//libc6-dbg_2.23-0ubuntu10_i386.deb
setting ./ld-2.23.so executable
copying ./hunter to ./hunter_patched
running patchelf on ./hunter_patched
writing solve.py stub
$ ls
hunter hunter_patched ld-2.23.so libc.so.6 readme solve.py
```
`solve.py`:
```python
#!/usr/bin/env python3
from pwn import *
exe = ELF("./hunter_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-2.23.so")
context.binary = exe
def conn():
if args.LOCAL:
r = process([exe.path])
if args.GDB:
gdb.attach(r)
else:
r = remote("addr", 1337)
return r
def main():
r = conn()
# good luck pwning :)
r.interactive()
if __name__ == "__main__":
main()
```