autorop.turnkey package

Submodules

autorop.turnkey.Classic module

class autorop.turnkey.Classic.Classic(find=Corefile(), leak=Puts(False, ['__libc_start_main', 'puts']), lookup=Auto(), shell=SystemBinSh())

Bases: autorop.toplevel.Pipeline.Pipeline

__init__(find=Corefile(), leak=Puts(False, ['__libc_start_main', 'puts']), lookup=Auto(), shell=SystemBinSh())

Perform a “classic” attack against a binary.

Launch a find-leak-lookup-shell attack against a binary. I made up this term, but it is a common pattern in CTFs.

  • Find: find the vulnerability (e.g. how far we need to write to overwrite the return address through a buffer overflow).

  • Leak: find out important facts about our context (e.g. addresses of symbols in libc, the PIE offset, etc.).

  • Lookup: get data from elsewhere (e.g. download the appropriate libc version).

  • Shell: spawn a shell (e.g. via ret2libc, or via a syscall).

The default parameters perform a ret2libc attack on a non-PIE/non-ASLR target (the target may be PIE, or may have ASLR enabled, but not both), leaking with puts. You can set state._elf.address yourself and it might then work for a target that is both PIE and ASLR. We find the libc automatically (likely using libc.rip), and then spawn a shell on the target.
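The precondition stated above (at most one of PIE and ASLR in effect) is something a defender can verify directly, since having both mitigations enabled is exactly what the default pipeline does not handle. The following is an added example, not code from autorop or its documentation: it reads the ELF e_type field to decide whether a binary is position-independent, interprets the kernel's randomize_va_space sysctl, and combines the two into the check the paragraph describes. The sample headers are constructed inline and do not come from any real binary.

```python
import struct

# ELF header layout is shared by ELF32 and ELF64 up to e_type:
# e_ident[EI_DATA] at byte 5 gives the byte order, e_type occupies bytes 16..17.
ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2  # fixed-address executable: not PIE
ET_DYN = 3   # position-independent: shared object or PIE executable


def elf_is_pie(header: bytes) -> bool:
    """Return True if the ELF header describes a position-independent executable.

    Raises ValueError for input that does not start with an ELF header.
    """
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    little_endian = header[5] == 1  # EI_DATA: 1 = ELFDATA2LSB, 2 = ELFDATA2MSB
    (e_type,) = struct.unpack("<H" if little_endian else ">H", header[16:18])
    return e_type == ET_DYN


def aslr_enabled(randomize_va_space: str) -> bool:
    """Interpret the contents of /proc/sys/kernel/randomize_va_space.

    0 = randomisation off, 1 = stack/mmap/vdso randomised, 2 = brk randomised too.
    Any non-zero value randomises where libc is mapped, which is what matters here.
    """
    return int(randomize_va_space.strip()) != 0


def default_pipeline_assumptions_hold(header: bytes, randomize_va_space: str) -> bool:
    """The documented precondition: PIE alone or ASLR alone is tolerated, both together are not."""
    return not (elf_is_pie(header) and aslr_enabled(randomize_va_space))


def _sample_header(e_type: int) -> bytes:
    """Constructed 64-byte ELF64 little-endian header (assumption: only e_type matters for this check)."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT, padding
    return ident + struct.pack("<HHI", e_type, 0x3E, 1) + bytes(64 - 24)  # e_type, e_machine (x86-64), e_version


NON_PIE_HEADER = _sample_header(ET_EXEC)  # constructed sample: classic non-PIE binary
PIE_HEADER = _sample_header(ET_DYN)       # constructed sample: PIE binary


if __name__ == "__main__":
    import sys
    from pathlib import Path

    # Optional: pass a path to a real binary; otherwise the constructed PIE header is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    header = Path(path).read_bytes()[:64] if path else PIE_HEADER
    try:
        sysctl = Path("/proc/sys/kernel/randomize_va_space").read_text()
    except OSError:
        sysctl = "2"  # assumption: treat an unreadable sysctl (non-Linux host) as ASLR on
    print("PIE:", elf_is_pie(header), "ASLR:", aslr_enabled(sysctl),
          "default Classic assumptions hold:", default_pipeline_assumptions_hold(header, sysctl))
```

Run it as a hardening check on the host that will serve the binary: when it reports that the assumptions do not hold, both mitigations are in place and the default parameters of this pipeline no longer apply without manually supplying state._elf.address as described above.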

Parameters
Returns

A function which takes a PwnState and returns the new PwnState.

Module contents