gallopsled / pwntools-write-ups
A collection of CTF write-ups all using pwntools
License: MIT License
$ PWNLIB_NOTERM=1 make clean doctest
Sphinx = 941 vs 967 => difference of 26 tests.
Comparison of the Sphinx results to Pwntools Library resulted in the following list of unreported tests.
About
Atexception
Commandline
Dynelf
Elf
Environment.pickle
Exception
Index
Install
Log
Replacements
Term
UI
Tubes/Serial
Util/Net
Util/Hashes
Install/Binutils
Install/Headers
Shellcraft/Common
Current efforts of first finding the files lead me to
/binjitsu/pwnlib which contain .py and .pyc
/binjitsu/docs/source which contain .rst
/binjitsu/docs/build/doctree which contain .doctree
Attempt to include missing test include
sphinx-quickstart with --ext-doctest extension
sphinx-build
sys.path update to include '/binjitsu/pwnlib'
all of which have yet to yield the desired results.
run_all_tests.sh should be replaced with a simple scandown for unit tests. For example, pytest or nosetests scans for all files which start with test, and executes all functions whose name start with test.
harness.py can then be renamed to test.py and replaced with a simple wrapper script that does something like what's shown below.
test.py
#!/usr/bin/env python2
from pwn import *

def run_exploit(**kwargs):
    # set up the flag and target file
    write('flag', randoms(20, string.ascii_letters))
    saveflag = tempfile.NamedTemporaryFile()

    # Set up arguments
    global args
    args['SAVEFLAG'] = saveflag.name
    args['FLAG'] = 'flag'
    args.update(**kwargs)

    exploit = __import__('exploit', level=0)
    del sys.modules['exploit']
    del exploit

    # verify
    assert read(saveflag.name) == read('flag')

def test_local():
    'Run the exploit locally'
    run_exploit()

def test_remote():
    l = listen(0)
    l.spawn_process('pwnme')
    run_exploit(REMOTE='localhost', PORT=l.lport)

if __name__ == '__main__':
    test_local()
    test_remote()
Given this input script
pip install pytest nose
cat > test_foo.py <<EOF
from pwn import *

def test_normal_success():
    print "Lol"

def test_normal_error():
    print "Shucks!"
    raise Exception()

def test_success():
    log.info("Hurray!")

def test_failure():
    log.error("Oh no!")
EOF
PWNLIB_NOTERM=1 py.test
PWNLIB_NOTERM=1 nosetests
=============================================================================== test session starts ===============================================================================
platform linux2 -- Python 2.7.8 -- py-1.4.26 -- pytest-2.6.4
collected 4 items
test_foo.py .F.F
==================================================================================== FAILURES =====================================================================================
________________________________________________________________________________ test_normal_error ________________________________________________________________________________
def test_normal_error():
print "Shucks!"
> raise Exception()
E Exception
test_foo.py:8: Exception
------------------------------------------------------------------------------ Captured stdout call -------------------------------------------------------------------------------
Shucks!
__________________________________________________________________________________ test_failure ___________________________________________________________________________________
def test_failure():
> log.error("Oh no!")
test_foo.py:14:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = <pwnlib.log.Logger object at 0x7fc1eea42810>, m = 'Oh no!', a = (), kw = {'extra': {'pwnlib_stop': False, 'pwnlib_symbol': 'ERROR'}}
def error(self, m, *a, **kw):
"""error(message)
Logs an error message, and raises an ``Exception``.
"""
self.__log(logging.ERROR, m, a, kw, text.on_red('ERROR'))
> raise Exception(m)
E Exception: Oh no!
/home/riggle/pwntools/pwnlib/log.py:134: Exception
------------------------------------------------------------------------------ Captured stdout call -------------------------------------------------------------------------------
[ERROR] Oh no!
======================================================================= 2 failed, 2 passed in 0.23 seconds ========================================================================
.E.E
======================================================================
ERROR: test_foo.test_normal_error
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/riggle/.pyenv/versions/2.7.8/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
self.test(*self.arg)
File "/media/SSD1T/riggle/yyy/test_foo.py", line 8, in test_normal_error
raise Exception()
Exception:
-------------------- >> begin captured stdout << ---------------------
Shucks!
--------------------- >> end captured stdout << ----------------------
======================================================================
ERROR: test_foo.test_failure
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/riggle/.pyenv/versions/2.7.8/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
self.test(*self.arg)
File "/media/SSD1T/riggle/yyy/test_foo.py", line 14, in test_failure
log.error("Oh no!")
File "/home/riggle/pwntools/pwnlib/log.py", line 134, in error
raise Exception(m)
Exception: Oh no!
-------------------- >> begin captured stdout << ---------------------
[ERROR] Oh no!
--------------------- >> end captured stdout << ----------------------
-------------------- >> begin captured logging << --------------------
pwnlib.exploit: ERROR: Oh no!
--------------------- >> end captured logging << ---------------------
----------------------------------------------------------------------
Ran 4 tests in 0.126s
FAILED (errors=2)
The general model here is that doit.py is an exploit that gives a shell or reads a flag file, and harness.py verifies that.
First, the naming isn't obvious for anyone who's never used pwntools before and is casually browsing the repository. I'd suggest exploit.py instead of doit.py and test.py or test_harness.py instead of harness.py.
Second, the harness.py using SILENT to doit.py. This makes it less useful for actual automated testing purposes, e.g. with travis-ci. Logging should be able to get cranked up all the way to DEBUG and still work. The issue is we need to see what's wrong, in the event that an exploit works locally but not on travis-ci.
One method of being able to verify that the flag was successfully retrieved, instead of scraping the exploit's output, may be to have the exploit check for a SAVEFLAG argument. The exploit would then write the flag to the specified file. For example, python exploit.py SAVEFLAG=foo. Then, the contents of foo and the real flag.txt can be verified for success (foo standing in for a temporary file path).
Instead of (or in addition to) echoing ok or not ok, what is currently called harness.py should use standard exit codes (0 for success, nonzero for failure).
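A sketch of the SAVEFLAG and exit-code proposal above, as an added example that is not part of the original issue or the repository's code. It uses only the Python 3 standard library; `run_harness`, `demo`, the `BROKEN` argument and the stub exploit script are hypothetical names constructed for illustration, and the stub only copies a local file.

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for exploit.py: honours SAVEFLAG=<path> and FLAG=<path>.
# BROKEN=1 (hypothetical) simulates an exploit that fails to recover the flag.
STUB_EXPLOIT = r'''
import sys
args = dict(a.split("=", 1) for a in sys.argv[1:] if "=" in a)
flag = "" if "BROKEN" in args else open(args["FLAG"]).read()
print("[DEBUG] stub exploit ran")
if "SAVEFLAG" in args:
    open(args["SAVEFLAG"], "w").write(flag)
'''

def run_harness(exploit_path, flag_path, extra_args=()):
    """Run the exploit with SAVEFLAG set; return 0 on success, 1 on failure."""
    fd, save_path = tempfile.mkstemp(prefix="saveflag-")
    os.close(fd)
    try:
        cmd = [sys.executable, exploit_path,
               "SAVEFLAG=" + save_path, "FLAG=" + flag_path] + list(extra_args)
        # stdout/stderr are inherited, so CI logs keep the exploit's output.
        proc = subprocess.run(cmd, timeout=60)
        if proc.returncode != 0:
            return 1
        with open(save_path) as f:
            got = f.read()
        with open(flag_path) as f:
            want = f.read()
        # Compare file contents instead of scraping the exploit's output.
        return 0 if want and got == want else 1
    finally:
        os.unlink(save_path)

def demo():
    """Return exit codes for a working and a broken stub exploit."""
    with tempfile.TemporaryDirectory() as d:
        flag = os.path.join(d, "flag")
        exploit = os.path.join(d, "exploit.py")
        with open(flag, "w") as f:
            f.write(os.urandom(10).hex())  # random flag per run
        with open(exploit, "w") as f:
            f.write(STUB_EXPLOIT)
        return run_harness(exploit, flag), run_harness(exploit, flag, ["BROKEN=1"])

if __name__ == "__main__":
    good, bad = demo()
    sys.exit(0 if (good, bad) == (0, 1) else 1)
```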
Hello,
vortex is a maintained and ongoing wargame (unlike a CTF, it is not over yet...). I think it's a pity that you distribute spoilers like this, even when we explicitly ask players not to do so.
From the motd:
Please play nice:
- don't leave orphan processes running
- don't leave exploit-files laying around
- don't annoy other players
- don't post passwords or spoilers
Thank you for your attention!
While trying to load libc, I receive the following error:
>>> ELF('/lib/i386-linux-gnu/i686/cmov/libc.so.6')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python2.7/dist-packages/pwnlib/elf/__init__.py", line 65, in __init__
self._populate_got_plt()
File "/usr/local/lib/python2.7/dist-packages/pwnlib/elf/__init__.py", line 250, in _populate_got_plt
rel_plt = next(s for s in self.sections if s.header.sh_info == self.sections.index(plt))
StopIteration
Any idea how to fix this?
Installed the latest version of capstone.
Running on Kali.