autorop.leak package

Submodules

autorop.leak.Printf module

class autorop.leak.Printf.Printf(short=False, leak_symbols=['__libc_start_main', 'printf'])[source]

Bases: autorop.toplevel.Pipe.Pipe

__call__(state)[source]

Transform the given state with the results of the leak via printf.

Parameters

state (PwnState) – The current PwnState.

Return type

PwnState

Returns

The mutated PwnState, with the following updated:

  • target: The fresh instance of target from which we got a successful leak. Hopefully it can still be interacted with.

  • leaks: Updated with "symbol": address pairs for each function address of libc that was leaked.

__init__(short=False, leak_symbols=['__libc_start_main', 'printf'])[source]

Leak libc addresses using printf.

This returns a callable which opens a new target, and leaks the addresses of (by default) __libc_start_main and printf using printf, placing them in state.leaks.

Parameters
  • short (bool) – Whether the attack should be minimised, i.e. leak only one address.

  • leak_symbols (Iterable[str]) – What symbols should be leaked.

autorop.leak.Puts module

class autorop.leak.Puts.Puts(short=False, leak_symbols=['__libc_start_main', 'puts'])[source]

Bases: autorop.toplevel.Pipe.Pipe

__call__(state)[source]

Transform the given state with the results of the leak via puts.

Parameters

state (PwnState) – The current PwnState.

Return type

PwnState

Returns

The mutated PwnState, with the following updated:

  • target: The fresh instance of target from which we got a successful leak. Hopefully it can still be interacted with.

  • leaks: Updated with the "symbol": address pairs for each function address of libc that was leaked.

__init__(short=False, leak_symbols=['__libc_start_main', 'puts'])[source]

Leak libc addresses using puts.

This returns a callable which opens a new target, and leaks the addresses of (by default) __libc_start_main and puts using puts, placing them in state.leaks.

Parameters
  • short (bool) – Whether the attack should be minimised, i.e. leak only one address.

  • leak_symbols (Iterable[str]) – What symbols should be leaked.

Returns

Function which takes the state, and returns the mutated PwnState, with the following updated:

  • target: The fresh instance of target from which we got a successful leak. Hopefully it can still be interacted with.

  • leaks: Updated with "symbol": address pairs for each address that was leaked.

Module contents