autorop.arutil package
Submodules
autorop.arutil.OpenTarget module
- class autorop.arutil.OpenTarget.OpenTarget
Bases: autorop.toplevel.Pipe.Pipe
autorop.arutil.addressify module
autorop.arutil.align_call module
- autorop.arutil.align_call.align_call(rop, func, args)
Align the stack before making a rop call to func, so that the callee is entered with the stack alignment the ABI expects (on amd64 this is 16-byte alignment; libc functions that use SSE instructions such as movaps fault otherwise).
- Parameters
rop (ROP) – Current rop chain, just before the call to the function is made.
func (str) – Symbol name of the function to call.
args (List[int]) – Arguments to pass to the function.
- Return type
ROP
- Returns
Reference to the mutated rop, which performs the function call with the stack aligned.
autorop.arutil.align_rop module
- autorop.arutil.align_rop.align_rop(rop, n)
Pad rop to at least n words using ret instructions.
- Parameters
rop (ROP) – The rop chain to pad.
n (int) – The minimum size of the rop chain after padding, in words.
- Return type
ROP
- Returns
Reference to the mutated rop chain rop, which is padded to be at least n words long.
autorop.arutil.debug_requests module
autorop.arutil.leak_helper module
- autorop.arutil.leak_helper.leak_helper(state, leaker, symbols, offset=0)
Leak libc addresses using a leaking function.
This function leaks the libc addresses of symbols using a rop chain built by leaker, placing them in state.leaks. leaker must separate leaks using newlines.
- Parameters
state (PwnState) – The current PwnState with the following set:
  target_factory: Producer of the target to exploit.
  _elf: pwntools ELF of state.binary_name.
  overwriter: Function which writes the rop chain to the "right place".
  vuln_function: Name of the vulnerable function in the binary, which we can return to repeatedly.
leaker (Callable[[ROP, int], ROP]) – Function which reads arbitrary memory, newline terminated.
symbols (Iterable[str]) – Which libc symbols we need to leak.
offset (int) – Offset, in bytes, from the start of the GOT address of each symbol at which to begin the leak, treating the skipped bytes as zeroes. This is helpful if the leaker function terminates on a zero byte: a GOT entry whose low byte is 0x00 would otherwise leak as an empty line.
- Return type
PwnState
- Returns
Mutated PwnState, with the following updated:
  target: The instance of the target from which we got a successful leak. Hopefully it can still be interacted with.
  leaks: Updated with "symbol": address pairs for each libc function address that was leaked.
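The offset trick above is easiest to see on a leak that terminates at a NUL byte, as puts() does. The following is an added example, not autorop's code: it stands in a constructed dictionary for process memory, a puts-style leaker for the real leaker, and shows how a newline-terminated leak taken at GOT+offset is turned back into a 64-bit address, where the trick succeeds, and where it silently produces a wrong address. All addresses and GOT contents are made up.

```python
"""
Added example (not autorop's code): parsing NUL-terminated leaks of GOT
entries, including the `offset` trick described for leak_helper.
The "target" is a constructed dictionary standing in for process memory;
every address and value below is made up.
"""
import struct

WORD = 8

# Constructed GOT of a hypothetical amd64 binary: symbol -> (GOT slot, resolved libc address).
FAKE_GOT = {
    "puts": (0x404018, 0x7FFFF7E5A420),  # low byte 0x20: leaks normally
    "read": (0x404020, 0x7FFFF7EF5100),  # low byte 0x00: a puts-style leak returns "" at offset 0
}

# Lay the little-endian pointers out byte by byte, as they would sit in memory.
MEMORY = {}
for _slot, _value in FAKE_GOT.values():
    for _k, _byte in enumerate(struct.pack("<Q", _value)):
        MEMORY[_slot + _k] = _byte


def puts_like_leaker(addr):
    """Read from addr up to (not including) the first NUL, as puts()/printf("%s") would."""
    out = bytearray()
    while MEMORY.get(addr, 0) != 0:
        out.append(MEMORY[addr])
        addr += 1
    return bytes(out)


def parse_leak(raw, offset=0):
    """Turn a NUL-terminated leak taken from (GOT slot + offset) back into a 64-bit address.

    Bytes below `offset` are assumed to be zero (that is the whole premise of choosing an
    offset), and the leak is right-padded with zeros because the top bytes of an amd64
    userland pointer are zero and stop the leaker.
    """
    if len(raw) + offset > WORD:
        raise ValueError("leak longer than a pointer: the leaker did not stop where expected")
    if not raw:
        return None  # the first byte at the chosen offset was already zero: nothing leaked
    padded = (b"\x00" * offset + raw).ljust(WORD, b"\x00")
    return struct.unpack("<Q", padded)[0]


def leak_symbols(symbols, offset=0):
    """Model of leak_helper's result: {symbol: address}, with None where the leak came back empty."""
    leaks = {}
    for sym in symbols:
        slot, _ = FAKE_GOT[sym]
        leaks[sym] = parse_leak(puts_like_leaker(slot + offset), offset)
    return leaks


if __name__ == "__main__":
    print(leak_symbols(["puts", "read"]))      # read leaks as None at offset 0
    print(leak_symbols(["read"], offset=1))    # offset=1 recovers read, whose low byte really is 0x00
    print(leak_symbols(["puts"], offset=1))    # offset=1 on puts zeroes a byte that was 0x20: wrong address
```

The last line of the usage shows the caveat: the offset only gives a correct address for symbols whose low bytes are genuinely zero (which holds for functions aligned at a page or 256-byte boundary in libc), so it should be applied to the symbols that leak empty, not blindly to all of them. A leaked byte equal to 0x0a would likewise cut the line short, since leaks are newline-separated.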
autorop.arutil.load_libc module
- autorop.arutil.load_libc.load_libc(state)
Load the libc specified in the given state into a pwntools ELF.
- Parameters
state (PwnState) – The state, with the following set:
  libc: Path to the target's libc.
  libc_base: Base address of libc, or None if unknown.
- Return type
ELF
- Returns
Loaded ELF of the libc, with its attributes set as expected (its base address taken from libc_base when that is known).
autorop.arutil.pad_rop module
- autorop.arutil.pad_rop.pad_rop(rop, n)
Append n ret instructions to rop.
- Parameters
rop (ROP) – The rop chain to pad.
n (int) – The number of ret instructions to pad rop with.
- Return type
ROP
- Returns
Reference to the mutated rop chain rop, which has had exactly n ret instructions appended to it.
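align_call, align_rop and pad_rop all come down to inserting ret gadgets to move the stack pointer by one word at a time. The block below is an added example, not autorop's or pwntools' code: it models a rop chain as a list of 8-byte words, implements the three helpers over that model, and walks the chain the way the CPU would to check the alignment the callee sees. It assumes amd64 conventions (the chain begins at the overwritten return address, which sits at an address congruent to 8 mod 16, and a function entered through ret must see rsp % 16 == 8, exactly as after a real call). Gadget and libc addresses are made-up constants; only pop-register arguments are modelled.

```python
"""
Added example (not autorop's code): a pure-Python model of ret padding and
stack alignment for amd64 rop calls. Gadget and libc addresses are invented.
"""
WORD = 8
RET = 0x401016             # hypothetical `ret` gadget
POP_RDI = 0x40123A         # hypothetical `pop rdi; ret`
POP_RSI = 0x40123C         # hypothetical `pop rsi; ret`
POP_RDX = 0x40123E         # hypothetical `pop rdx; ret`
ARG_GADGETS = [POP_RDI, POP_RSI, POP_RDX]   # SysV argument registers, in order
SYSTEM = 0x7FFFF7E50D70    # hypothetical address of libc system()
BINSH = 0x7FFFF7F5E5BD     # hypothetical address of "/bin/sh" in libc


def entry_rsp(base, index):
    """rsp at function entry when chain[index] is popped by `ret`: it points at chain[index + 1]."""
    return base + WORD * (index + 1)


def pad_rop(chain, n):
    """Append exactly n `ret` gadgets (models autorop.arutil.pad_rop)."""
    chain.extend([RET] * n)
    return chain


def align_rop(chain, n):
    """Pad with `ret` gadgets until the chain is at least n words long (models align_rop)."""
    if len(chain) < n:
        pad_rop(chain, n - len(chain))
    return chain


def align_call(chain, func, args, base):
    """Emit pop-reg gadgets for args, then func, inserting one `ret` when needed.

    A real call leaves rsp % 16 == 8 at function entry; a `ret` into func leaves rsp
    pointing just past func's slot, so the slot must sit at an odd index when the chain
    starts at base == 8 mod 16. One extra `ret` shifts rsp by a word and fixes the parity.
    """
    if len(args) > len(ARG_GADGETS):
        raise ValueError("only register arguments are modelled")
    for gadget, value in zip(ARG_GADGETS, args):
        chain.extend([gadget, value])
    if entry_rsp(base, len(chain)) % 16 != 8:
        chain.append(RET)
    chain.append(func)
    return chain


def simulate(chain, base):
    """Walk the chain like the CPU would; return [(func, args, aligned)] for each function reached."""
    regs = {}
    calls = []
    i = 0
    while i < len(chain):
        word = chain[i]
        if word == RET:
            i += 1                               # ret: just move to the next word
        elif word in ARG_GADGETS:
            regs[ARG_GADGETS.index(word)] = chain[i + 1]
            i += 2                               # pop reg; ret consumes one value
        else:
            aligned = entry_rsp(base, i) % 16 == 8
            calls.append((word, [regs[k] for k in sorted(regs)], aligned))
            regs = {}
            i += 1                               # assume the callee returns into the next word
    return calls


if __name__ == "__main__":
    base = 0x7FFFFFFFE008   # hypothetical address of the overwritten return address (== 8 mod 16)
    naive = [POP_RDI, BINSH, SYSTEM]             # system() lands at an even index: misaligned
    print(simulate(naive, base))
    fixed = align_call([], SYSTEM, [BINSH], base)
    print(fixed, simulate(fixed, base))          # one ret inserted before system(): aligned
    print(align_rop(list(fixed), 8))             # padded to 8 words with trailing rets
```

The naive chain is the classic "system() crashes in movaps" case; the aligned one differs only by a single ret before the function address, which is all align_call needs to do. Note that the simulator assumes the callee returns into the following word, so chains that never return (execve, exit) are unaffected by what follows them.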
autorop.arutil.pretty_function module
- autorop.arutil.pretty_function.pretty_function(name, args)
Produce a pretty textual description of a function call, of the form name(args[0], args[1], …).
- Parameters
name (str) – Name of the function.
args (Iterable[Any]) – The arguments passed to said function.
- Return type
str
- Returns
Textual description of the call to the function name with the provided arguments.