VirtuAlization GDb integrations in pwntools
Project description
VAGD
VirtuAlization GDb integrations in pwntools
Installation
pip install vagd
or from repo with
git clone https://github.com/gfelber/vagd
pip install ./vagd/
Usage
vagd template [OPTIONS] [BINARY] [IP] [PORT]
to generate a template, list OPTIONS with help-h
#!/usr/bin/env python
from pwn import *
IP = '' # remote IP
PORT = 0 # remote PORT
BINARY = '' # PATH to local binary e.g. ./chal
ARGS = [] # ARGS supplied to binary
ENV = {} # ENVs supplied to binary
# GDB SCRIPT, executed at start of GDB session (set breakpoint here)
GDB = f"""
c"""
context.binary = exe = ELF(BINARY, checksec=False)
# enable disable ASLR (works for GDB)
context.aslr = False
vm = None
def get_target(**kw):
global vm
if args.REMOTE:
context.log_level = 'debug'
return remote(IP, PORT)
from vagd import Dogd, Qegd, Shgd
if not vm:
# Docker
vm = Dogd(exe.path, image="ubuntu:jammy", ex=True, fast=True)
# or Qemu
vm = Qegd(exe.path, img="https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img", ex=True, fast=True)
# or SSH
vm = Shgd(exe.path, user='user', host='localhost', port=22, ex=True, fast=True)
return vm.start(argv=ARGS, env=ENV, gdbscript=GDB, **kw) # returns a pwn.process (similar to pwn.process())
t = get_target()
t.interactive()
vagd info BINARY
to print info about binary
# run as process in VM
./exploit.py
# run as gdb server in VM requires tmux
./exploit.py GDB
# run on remote IP:PORT
./exploit.py REMOTE
I recommend using pwndbg.
Files
All created files ares stored in the local ./.vagd/
directory. Additional large files (e.g. cloudimages) are stored in the home directory ~/.share/local/vagd/
or handled by tools themselfs (e.g. Docker).
CLI
alias vagd="python -m vagd" # or install with pip / pipx
# help message
vagd -h
# analyses the binary, prints checksec and .comment (often includes Distro and Compiler info)
vagd info BINARY
# creates template, for more info use: vagd template -h
vagd template [OPTIONS] [BINARY] [IP] [PORT]
# ssh to current vagd instance, for more info use: vagd ssh -h
vagd ssh [OPTIONS]
# scp file to/from vagd instance, for more info use: vagd scp -h
# e.g. vagd scp ./test_file vagd:./ # vagd:./ is default target
vagd scp [OPTIONS] SOURCE [TARGET]
# stop and remove current vagd instance, for more info use: vagd clean -h
vagd clean [OPTIONS]
Documentation
Boxes
A listed of known working Boxes can be found in the Documentation.
Other images might also work but currently only distributions that use apt
and alpine for Docker are supported.
This limitation may be circumvented by creating a target yourself (with the dependencies gdbserver, python, openssh) and creating a ssh connection via Shgd.
Troubleshooting
background processes
all instances continue to run in the background (after a vagd object has been started), this improves the runtime greatly after the first execution of the exploit. But this means that instances must be killed manually e.g.: vagd clean
gdb & gdbserver
Because gdbserver is used to run binaries on the instances I recommend using pwndbg. Other well known gdb plugins like peda aren't compatible with gdbserver and therefore won't work.
files
files on the virtual instance are never overwritten this has performance reason (so files aren't always copied if the exploit is run). If you need to updated files on the remote either use vagd scp
or create use temporary directories Dogd(..., tmp=True)
gdb performance
Using gdbserver and gdb to index libraries can be very slow. Therefore an experimental feature is available that mounts libraries locally: Dogd(..., ex=True, fast=True)
Future plans
pre configured QEMU Images / Docker Image
created pre configured environments with preinstalled lib debug symbols and gdbserver to lower init runtime.
Better Docker integration
created a Docker integration that allows loading existing Dockerfiles (maybe docker-compose), also add a feature that additionally visualizes (Qemu) them to change the used kernel.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file vagd-1.4.0.tar.gz
.
File metadata
- Download URL: vagd-1.4.0.tar.gz
- Upload date:
- Size: 45.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.0 CPython/3.12.5
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 84dd888e2ee4ca2017938caf06e1d33b89ebc23cc43bf6b32bf2ccdca03fac93 |
|
MD5 | f1e6a7197e63c4f21204230101ca85b7 |
|
BLAKE2b-256 | ecad62339c5b8e64c3c355b93b7e925a8c5467ed742e711e9ac96ec78ee72051 |
File details
Details for the file vagd-1.4.0-py3-none-any.whl
.
File metadata
- Download URL: vagd-1.4.0-py3-none-any.whl
- Upload date:
- Size: 49.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.0 CPython/3.12.5
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | c3fe4edf2092e0016d82a50af1f0fb96cca9aa875433c0fa0722711d0e2b23b9 |
|
MD5 | aea1db56864625e1a751916ecc62f42e |
|
BLAKE2b-256 | ec030191e13d96f1b9e76c450b172070934e40bcaa5ec1a22009a51c4c793575 |