autorop.call package

Submodules

autorop.call.Custom module

class autorop.call.Custom.Custom(func_name, args=[], align=False)

Bases: autorop.toplevel.Pipe.Pipe

__call__(state)

Perform the call on the target in PwnState.

Parameters

state (PwnState) – The current PwnState.

Return type

PwnState

Returns

The same PwnState, after state.overwriter has been called with the generated ROP chain.

__init__(func_name, args=[], align=False)

Call an arbitrary function using a ROP chain. This is basically a thin wrapper around using ROP in pwntools.

Parameters
  • func_name (str) – Symbol in executable which we can return to.

  • args (List[Any]) – Optional list of arguments to pass to function.

  • align (bool) – Whether the call should be stack aligned or not.

Returns

A function which takes a PwnState, performs the call, and returns a reference to the new PwnState.

autorop.call.SystemBinSh module

class autorop.call.SystemBinSh.SystemBinSh

Bases: autorop.toplevel.Pipe.Pipe

__call__(state)

Call system("/bin/sh") on the current state.target.

Parameters

state (PwnState) – The current PwnState with the following set:

  • target: What we want to exploit.

  • _elf: pwntools ELF of state.binary_name.

  • libc: Path to target’s libc.

  • libc_base: Base address of libc.

  • vuln_function: Name of vulnerable function in binary, which we can return to repeatedly.

  • overwriter: Function which writes the ROP chain to the “right place”.

Return type

PwnState

Returns

The given PwnState.

__init__()

Call system("/bin/sh") using a ROP chain built from state.libc and written by state.overwriter.

Module contents