This is a bug.
┌──(root㉿pewjs)-[/mnt/f/safetool/pwn/pwnpasi]
└─# pwnpasi -l warmup_csaw_2016 -ip node5.buuoj.cn -p 26843
____ ____ _
| _ \ __ ___ _| _ \ __ _ ___(_)
| |_) |\ \ /\ / / '_ \ |_) / _` / __| |
| __/ \ V V /| | | | __/ (_| \__ \ |
|_| \_/\_/ |_| |_|_| \__,_|___/_|
Automated Binary Exploitation Framework v3.1
by Security Research Team
https://github.com/heimao-box/pwnpasi
[*] [10:17:21] target binary: ./warmup_csaw_2016
[*] [10:17:21] remote target: node5.buuoj.cn:26843
[*] [10:17:21] detecting libc path automatically
[+] [10:17:21] libc path detected: /lib/x86_64-linux-gnu/libc.so.6
┌────────────────────────────────────────────────────────────┐
│ BINARY ANALYSIS PHASE │
└────────────────────────────────────────────────────────────┘
[*] [10:17:21] setting executable permissions
[*] [10:17:21] collecting binary security information
[*] [10:17:21] collecting binary information
┌────────────────────────────────────────────────────────────┐
│ BINARY SECURITY ANALYSIS │
└────────────────────────────────────────────────────────────┘
Feature | Status | Risk Level
RELRO | Partial RELRO | MEDIUM
Stack Canary | No canary found | HIGH
NX Bit | NX unknown - GNU_STACK missing | LOW
PIE | No PIE (0x400000) | MEDIUM
RWX Segments | Has RWX segments | HIGH
┌────────────────────────────────────────────────────────────┐
│ FUNCTION ANALYSIS │
└────────────────────────────────────────────────────────────┘
[*] [10:17:22] scanning PLT functions
[*] [10:17:22] analyzing PLT table and available functions
┌────────────────────────────────────────────────────────────┐
│ FUNCTION ANALYSIS │
└────────────────────────────────────────────────────────────┘
Function | Address | Available
write | 00000000004004c0 | YES
puts | N/A | NO
printf | N/A | NO
main | N/A | NO
system | 00000000004004d0 | YES
backdoor | N/A | NO
callsystem | N/A | NO
[*] [10:17:22]
┌────────────────────────────────────────────────────────────┐
│ ROP GADGET DISCOVERY │
└────────────────────────────────────────────────────────────┘
[*] [10:17:22] searching for x64 ROP gadgets
[*] [10:17:22] searching for ROP gadgets (x64)
┌────────────────────────────────────────────────────────────┐
│ ROP GADGETS (x64) │
└────────────────────────────────────────────────────────────┘
Gadget Type | Address | Instruction
pop rdi | 0x0000000000400713 | pop rdi; ret
pop rsi (multi) | 0x0000000000400711 | pop rsi; pop ...; ret
ret | 0x00000000004004a1 | ret
[*] [10:17:22]
┌────────────────────────────────────────────────────────────┐
│ PADDING CALCULATION │
└────────────────────────────────────────────────────────────┘
[*] [10:17:22] performing dynamic stack overflow testing
[*] [10:17:22] testing for stack overflow vulnerability
┌────────────────────────────────────────────────────────────┐
│ STACK OVERFLOW DETECTION │
└────────────────────────────────────────────────────────────┘
[*] Testing overflow: [██████████████████████████████] 100%
[*] [10:17:22]
[+] [10:17:22] stack overflow detected! Padding: 79 bytes
[*] [10:17:22] performing assembly-based overflow analysis
┌────────────────────────────────────────────────────────────┐
│ VULNERABLE FUNCTIONS IDENTIFIED │
└────────────────────────────────────────────────────────────┘
[+] [10:17:22] vulnerable function: .text
┌────────────────────────────────────────────────────────────┐
│ ASSEMBLY CODE ANALYSIS │
└────────────────────────────────────────────────────────────┘
[*] [10:17:22] disassembling function: .text
Disassembly of section .text:
0000000000400520 <.text>:
400520: xor ebp,ebp
400522: mov r9,rdx
400525: pop rsi
400526: mov rdx,rsp
400529: and rsp,0xfffffffffffffff0
40052d: push rax
40052e: push rsp
40052f: mov r8,0x400720
400536: mov rcx,0x4006b0
40053d: mov rdi,0x40061d
400544: call 4004e0 __libc_start_main@plt
400549: hlt
40054a: nop WORD PTR [rax+rax*1+0x0]
400550: mov eax,0x60105f
400555: push rbp
400556: sub rax,0x601058
40055c: cmp rax,0xe
400560: mov rbp,rsp
400563: ja 400567 <sprintf@plt+0x57>
400565: pop rbp
┌────────────────────────────────────────────────────────────┐
│ STRING ANALYSIS │
└────────────────────────────────────────────────────────────┘
[*] [10:17:22] searching for /bin/sh string in binary
[*] [10:17:22] checking for /bin/sh string
[!] [10:17:22] /bin/sh string not found in binary
[*] [10:17:22] testing for stack overflow vulnerability
┌────────────────────────────────────────────────────────────┐
│ STACK OVERFLOW DETECTION │
└────────────────────────────────────────────────────────────┘
[*] Testing overflow: [██████████████████████████████] 100%
[*] [10:17:22]
[+] [10:17:22] stack overflow detected! Padding: 79 bytes
[*] [10:17:22] performing assembly-based overflow analysis
┌────────────────────────────────────────────────────────────┐
│ EXPLOITATION PHASE │
└────────────────────────────────────────────────────────────┘
[*] [10:17:22] initializing exploitation attempts
┌────────────────────────────────────────────────────────────┐
│ REMOTE STACK OVERFLOW EXPLOITATION │
└────────────────────────────────────────────────────────────┘
[*] [10:17:22] targeting remote service at node5.buuoj.cn:26843
┌────────────────────────────────────────────────────────────┐
│ EXPLOITATION: ret2libc (write) - x64 Remote │
└────────────────────────────────────────────────────────────┘
[PAYLOAD] [10:17:22] preparing ret2libc exploit using write function
[*] [10:17:23] using LibcSearcher for libc resolution
Traceback (most recent call last):
File "/usr/local/bin/pwnpasi", line 8, in <module>
main()
File "/mnt/f/safetool/pwn/pwnpasi/pwnpasi.py", line 3633, in main
ret2libc_write_x64_remote(program, libc, padding, pop_rdi_addr, pop_rsi_addr, ret_addr, other_rdi_registers, other_rsi_registers, args.ip, args.port)
File "/mnt/f/safetool/pwn/pwnpasi/pwnpasi.py", line 1418, in ret2libc_write_x64_remote
main_addr = e.symbols['main']
File "/usr/local/lib/python3.9/site-packages/pwnlib/elf/elf.py", line 164, in missing
raise KeyError(name)
KeyError: 'main'