Skip to main content

VirtuAlization GDb integrations in pwntools

Project description

PyPI docs

VAGD

VirtuAlization GDb integrations in pwntools

Installation

pip install vagd

or from repo with

git clone https://github.com/gfelber/vagd
pip install ./vagd/

Usage

  • vagd template [OPTIONS] [BINARY] [IP] [PORT] to generate a template, list OPTIONS with help -h
#!/usr/bin/env python
from pwn import *
from vagd import Dogd, Qegd, Vagd, Shgd

IP = ''         # remote IP
PORT = 0        # remote PORT
BINARY = ''     # PATH to local binary e.g. ./chal
ARGS = []       # ARGS supplied to binary 
ENV = {}        # ENVs supplied to binary
# GDB SCRIPT, executed at start of GDB session (set breakpoint here)
GDB = f"""

c"""

context.binary = exe = ELF(BINARY, checksec=False)
# enable disable ASLR (works for GDB)
context.aslr = False

vm = None
def get_target(**kw):
    global vm

    if args.REMOTE:
        context.log_level = 'debug'
        return remote(IP, PORT)

    if not vm:
        # Docker 
        vm = Dogd(exe.path, image="ubuntu:jammy", ex=True, fast=True)
        # or Qemu
        vm = Qegd(exe.path, img="https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img", ex=True, fast=True)
        # or Vagrant
        vm = Vagd(exe.path, vbox="ubuntu/jammy64", ex=True, fast=True)
        # or SSH
        vm = Shgd(exe.path, user='user', host='localhost', port=22, ex=True, fast=True)
    return vm.start(argv=ARGS, env=ENV, gdbscript=GDB, **kw) # returns a pwn.process (similar to pwn.process())


t = get_target()

t.interactive()
  • vagd info BINARY to print info about binary
# run as process in VM
./exploit.py
# run as gdb server in VM requires tmux
./exploit.py GDB
# run on remote IP:PORT
./exploit.py REMOTE

I recommend using pwndbg.

Files

All created files ares stored in the local ./.vagd/ directory. Additional large files (e.g. cloudimages) are stored in the home directory ~/.vagd/ or handled by tools themselfs (e.g. Vagrant, Docker).

CLI

alias vagd="python -m vagd" # or install with pip / pipx
# help message
vagd -h
# analyses the binary, prints checksec and .comment (often includes Distro and Compiler info)
vagd info BINARY
# creates template, for more info use: vagd template -h
vagd template [OPTIONS] [BINARY] [IP] [PORT]
# ssh to current vagd instance, for more info use: vagd ssh -h
vagd ssh [OPTIONS]
# scp file to/from vagd instance, for more info use: vagd scp -h
# e.g. vagd scp ./test_file vagd:./ # vagd:./ is default target
vagd scp [OPTIONS] SOURCE [TARGET]
# stop and remove current vagd instance, for more info use: vagd clean -h
vagd clean [OPTIONS]

Documentation

Boxes

A listed of known working Boxes can be found in the Documentation. Other images might also work but currently only distributions that use apt and alpine for Docker are supported. This limitation may be circumvented by creating a target yourself (with the dependencies gdbserver, python, openssh) and creating a ssh connection via Shgd.

Troubleshooting

background processes

all instances continue to run in the background (after a vagd object has been started), this improves the runtime greatly after the first execution of the exploit. But this means that instances must be killed manually e.g.: vagd clean

gdb & gdbserver

Because gdbserver is used to run binaries on the instances it is advised to use pwndbg. Other well known gdb plugins like peda and gef aren't compatible with gdbserver and therefore won't work.

files

files on the virtual instance are never overwritten this has performance reason (so files aren't always copied if the exploit is run). If you need to updated files on the remote either use vagd scp or create use temporary directories Dogd(..., tmp=True)

gdb performance

Using gdbserver and gdb to index libraries can be very slow. Therefore an experimental feature is available that mounts libraries locally: Dogd(..., ex=True, fast=True)

Future plans

pre configured Vagrant boxes / QEMU Images / Docker Image

created pre configured environments with preinstalled lib debug symbols and gdbserver to lower init runtime.

Better Docker integration

created a Docker integration that allows loading existing Dockerfiles (maybe docker-compose), also add a feature that additionally virtualizes (Vagrant/Qemu) them to change the used kernel.

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vagd-1.1.7.tar.gz (42.8 kB view details)

Uploaded Source

Built Distribution

vagd-1.1.7-py3-none-any.whl (46.8 kB view details)

Uploaded Python 3

File details

Details for the file vagd-1.1.7.tar.gz.

File metadata

  • Download URL: vagd-1.1.7.tar.gz
  • Upload date:
  • Size: 42.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.5

File hashes

Hashes for vagd-1.1.7.tar.gz
Algorithm Hash digest
SHA256 fc5c3081ee4c6a84122b8fb5ae05a351d5d32b458de96ced15c29e673ecae868
MD5 ca59393cf59d9f296fcabc5bbf28564a
BLAKE2b-256 420348c7bd84a15bd4478fccb357a523968b8e3652545bbd0d5895c0ecf72203

See more details on using hashes here.

File details

Details for the file vagd-1.1.7-py3-none-any.whl.

File metadata

  • Download URL: vagd-1.1.7-py3-none-any.whl
  • Upload date:
  • Size: 46.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.5

File hashes

Hashes for vagd-1.1.7-py3-none-any.whl
Algorithm Hash digest
SHA256 a5c8caa12b7da40ecb8f408dae2d91048f124308d127b50ab6559ab6a7d4fd34
MD5 8dde5c79384efdd242dd70556d06a9b7
BLAKE2b-256 62ecac47d5aad15105c2b8692e0fcc3c63942986b6432f6a2a7d087efcd95911

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page