autorop.toplevel package

Submodules

autorop.toplevel.Pipe module

class autorop.toplevel.Pipe.Pipe(params)[source]

Bases: object

__call__(state)[source]

Call self as a function.

Return type: PwnState

__init__(params)[source]

Create a “pipe” which operates on a PwnState.

Pipes are abstractions that perform a single logical “step” on a PwnState, returning the modified PwnState.

Parameters: params (Iterable[Any]) – The initialisation parameters which describe this pipe.
Returns: A pipe, which takes and returns a single PwnState.

autorop.toplevel.Pipeline module

class autorop.toplevel.Pipeline.Pipeline(*pipes)[source]

Bases: autorop.toplevel.Pipe.Pipe

__call__(state)[source]

Execute the pipeline.

Execute the saved pipeline sequentially, making a copy of PwnState before each function call.

Parameters: state (PwnState) – The state to give to the first function.
Return type: PwnState
Returns: The state returned by the last function.

__init__(*pipes)[source]

Produce a pipeline to put PwnState through a sequence of Pipes.

Produce a state-copying function pipeline, which executes funcs sequentially, with the output of each function serving as the input to the next function.

The state is copied on every call, for future black magic caching reasons. This means that every function receives its own copy.

Parameters: pipes (Pipe) – Functions which operate on the PwnState and return another PwnState.
Returns: Pipe which puts PwnState through funcs and returns the PwnState returned by the last function.

autorop.toplevel.PwnState module

class autorop.toplevel.PwnState.LibcGetter(*args, **kwds)[source]

Bases: typing_extensions.Protocol

__call__(state)[source]

Perform an operation on the state, likely getting the libc based on leaks.

Return type: PwnState

__init__(*args, **kwargs)

class autorop.toplevel.PwnState.OverwriterFunction(*args, **kwds)[source]

Bases: typing_extensions.Protocol

__call__(_OverwriterFunction__t, _OverwriterFunction__data)[source]

Function which writes rop chain to the “right place”

Function which writes rop chain to e.g. the return address. It might be as simple as prepending some padding, or it might need to do format string attacks.

Parameters

__t – Where to write the data to.
__data – The data to write at the “right place”.

Return type

Any

Returns

Anything it likes, the result is ignored.

__init__(*args, **kwargs)

class autorop.toplevel.PwnState.PwnState(binary_name, target_factory, libc_getter=None, vuln_function='main', libc_database_path='/home/docs/.libc-database', libc=None, libc_base=None, bof_ret_offset=None, overwriter=<function default_overwriter>, leaks=<factory>, target=None, _elf=None)[source]

Bases: object

Class for keeping track of our exploit development.

__init__(binary_name, target_factory, libc_getter=None, vuln_function='main', libc_database_path='/home/docs/.libc-database', libc=None, libc_base=None, bof_ret_offset=None, overwriter=<function default_overwriter>, leaks=<factory>, target=None, _elf=None)

binary_name: str: Path to the binary to exploit.

bof_ret_offset: Optional[int] = None: Offset to return address via buffer overflow.

leaks: Dict[str, int]: Leaked symbols of libc.

libc: Optional[str] = None: Path to target’s libc.

libc_base: Optional[int] = None: Base address of target’s libc.

libc_database_path: str = '/home/docs/.libc-database': Path to local installation of libc-database, if using it.

libc_getter: Optional[autorop.toplevel.PwnState.LibcGetter] = None: Which libc acquisition service should be used. libc.Database is faster, but requires local installation. Automatically set to libc.Database if available in libc_database_path, otherwise libc.Rip.

overwriter(data)

Function which writes rop chain to the “right place”

Return type: None

target: Optional[pwnlib.tubes.tube.tube] = None: Current target, if any. Produced from calling target_factory.

target_factory: autorop.toplevel.PwnState.TargetFactory: What we want to exploit (can be local, or remote). You need to pass in something that can produce a pwntools’ tube for the actual target. This may be called multiple times to try multiple exploits.

vuln_function: str = 'main': Name of vulnerable function in binary, which we can return to repeatedly.

class autorop.toplevel.PwnState.TargetFactory(*args, **kwds)[source]

Bases: typing_extensions.Protocol

__call__()[source]

Produce a fresh pwntools’ tube of the target.

Create a tube of the desired target. This may be called multiple times to try multiple different exploits.

Return type: tube
Returns: Instance of target to exploit.

__init__(*args, **kwargs)

autorop.toplevel.PwnState.default_overwriter(t, data)[source]

Function which writes data via t.sendline(data)

Return type: None

autorop.toplevel.constants module

autorop.toplevel.constants.CLEAN_TIME = 0.5: pwntools tube.clean(CLEAN_TIME), for removing excess output

autorop.toplevel.constants.STACK_ALIGNMENT = 16: Stack alignment, in bytes Ubuntu et al. on x86_64 require it (https://ropemporium.com/guide.html#Common%20pitfalls) and some 32 bit binaries perform and esp, 0xfffffff0 in main

autorop.toplevel package

Submodules

autorop.toplevel.Pipe module

autorop.toplevel.Pipeline module

autorop.toplevel.PwnState module

autorop.toplevel.constants module

Module contents