Crates.io | pwninit |
lib.rs | pwninit |
version | 3.3.1 |
source | src |
created_at | 2019-11-03 05:57:16.941402 |
updated_at | 2023-12-30 23:13:02.004714 |
description | automate starting binary exploit challenges |
homepage | |
repository | https://github.com/io12/pwninit |
max_upload_size | |
id | 177674 |
size | 85,038 |
pwninit
A tool for automating starting binary exploit challenges
ld-linux.so.*
) that can segfaultlessly load the provided libcpatchelf
to use
the correct RPATH and interpreter for the provided libcRun pwninit
Run pwninit
in a directory with the relevant files and it will detect which ones are the binary, libc, and linker. If the detection is wrong, you can specify the locations with --bin
, --libc
, and --ld
.
solve.py
templateIf you don't like the default template, you can use your own. Just specify --template-path <path>
. Check template.py for the template format. The names of the exe
, libc
, and ld
bindings can be customized with --template-bin-name
, --template-libc-name
, and --template-ld-name
.
solve.py
You can make pwninit
load your custom template automatically by adding an alias to your ~/.bashrc
.
alias pwninit='pwninit --template-path ~/.config/pwninit-template.py --template-bin-name e'
Install pwninit
or
pwninit-bin
from the AUR.
You can download statically-linked musl binaries from the releases page.
Run
cargo install pwninit
This places the binary in ~/.cargo/bin
.
Note that openssl
, liblzma
, and pkg-config
are required for the build.
$ ls
hunter libc.so.6 readme
$ pwninit
bin: ./hunter
libc: ./libc.so.6
setting ./hunter executable
fetching linker
https://launchpad.net/ubuntu/+archive/primary/+files//libc6_2.23-0ubuntu10_i386.deb
unstripping libc
https://launchpad.net/ubuntu/+archive/primary/+files//libc6-dbg_2.23-0ubuntu10_i386.deb
setting ./ld-2.23.so executable
copying ./hunter to ./hunter_patched
running patchelf on ./hunter_patched
writing solve.py stub
$ ls
hunter hunter_patched ld-2.23.so libc.so.6 readme solve.py
solve.py
:
#!/usr/bin/env python3
from pwn import *
exe = ELF("./hunter_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-2.23.so")
context.binary = exe
def conn():
if args.LOCAL:
r = process([exe.path])
if args.DEBUG:
gdb.attach(r)
else:
r = remote("addr", 1337)
return r
def main():
r = conn()
# good luck pwning :)
r.interactive()
if __name__ == "__main__":
main()