Skip to content
master
Switch branches/tags
1 branch 19 tags
Code

Latest commit

@io12
io12 Release 3.2.0
dc024f3 Feb 15, 2022
Release 3.2.0
dc024f3

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.github/workflows
CI: Add static-musl-build job (#279)
Feb 15, 2022
src
Support extracting data.tar.zst (#280)
Feb 15, 2022
.gitignore
init
Nov 2, 2019
Cargo.lock
Release 3.2.0
Feb 15, 2022
Cargo.toml
Release 3.2.0
Feb 15, 2022
LICENSE
Add license
Nov 3, 2019
README.md
Update README
Jan 8, 2022
pwninit Features Usage Short version Long version Custom solve.py template Persisting custom solve.py Example Install Arch Linux Download Using cargo Example

README.md

Checks Status Deploy Status

pwninit

A tool for automating starting binary exploit challenges

Features

  • Set challenge binary to be executable
  • Download a linker (ld-linux.so.*) that can segfaultlessly load the provided libc
  • Download debug symbols and unstrip the libc
  • Patch the binary with patchelf to use the correct RPATH and interpreter for the provided libc
  • Fill in a template pwntools solve script

Usage

Short version

Run pwninit

Long version

Run pwninit in a directory with the relevant files and it will detect which ones are the binary, libc, and linker. If the detection is wrong, you can specify the locations with --bin, --libc, and --ld.

Custom solve.py template

If you don't like the default template, you can use your own. Just specify --template-path <path>. Check template.py for the template format. The names of the exe, libc, and ld bindings can be customized with --template-bin-name, --template-libc-name, and --template-ld-name.

Persisting custom solve.py

You can make pwninit load your custom template automatically by adding an alias to your ~/.bashrc.

Example
alias pwninit='pwninit --template-path ~/.config/pwninit-template.py --template-bin-name e'

Install

Arch Linux

Install pwninit or pwninit-bin from the AUR.

Download

You can download statically-linked musl binaries from the releases page.

Using cargo

Run

cargo install pwninit

This places the binary in ~/.cargo/bin.

Note that openssl, liblzma, and pkg-config are required for the build.

Example

$ ls
hunter  libc.so.6  readme

$ pwninit
bin: ./hunter
libc: ./libc.so.6

setting ./hunter executable
fetching linker
https://launchpad.net/ubuntu/+archive/primary/+files//libc6_2.23-0ubuntu10_i386.deb
unstripping libc
https://launchpad.net/ubuntu/+archive/primary/+files//libc6-dbg_2.23-0ubuntu10_i386.deb
setting ./ld-2.23.so executable
copying ./hunter to ./hunter_patched
running patchelf on ./hunter_patched
writing solve.py stub

$ ls
hunter	hunter_patched	ld-2.23.so  libc.so.6  readme  solve.py

solve.py:

#!/usr/bin/env python3

from pwn import *

exe = ELF("./hunter_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-2.23.so")

context.binary = exe


def conn():
    if args.LOCAL:
        r = process([exe.path])
        if args.DEBUG:
            gdb.attach(r)
    else:
        r = remote("addr", 1337)

    return r


def main():
    r = conn()

    # good luck pwning :)

    r.interactive()


if __name__ == "__main__":
    main()

About

pwninit - automate starting binary exploit challenges

Topics

exploit binary pwn elf init

Resources

Readme

License

MIT License

Stars

368 stars

Watchers

5 watching

Forks

22 forks

Releases 18

3.2.0 Latest
Feb 15, 2022
+ 17 releases

Packages

No packages published

Contributors 5

Languages