pwninit.py 1.0.0__py3-none-any.whl

pwninit/__init__.py

@@ -0,0 +1,39 @@
+from pwn import *
+from .io import *
+from .helpers import *
+from types import SimpleNamespace
+
+from .io import ioctx
+from .helpers import pwnctx
+
+config = None
+
+
+class Config(SimpleNamespace):
+    def __init__(
+        self,
+        binary:ELF,
+        libc:ELF,
+        libs:list=[],
+        chall:list|str=[],
+        env:dict={},
+        archive:str="",
+        kernel:str="",
+        prefix:str="",
+        **kwargs,
+    ):
+        global config
+        if binary and not chall:
+            chall = binary
+        super().__init__(
+            binary=binary,
+            libc=libc,
+            libs=libs,
+            chall=chall,
+            env=env,
+            archive=archive,
+            kernel=kernel,
+            prefix=prefix,
+            **kwargs,
+        )
+        config = self

pwninit/config.py

@@ -0,0 +1,64 @@
+import os
+from pathlib import Path
+from pwn import log
+
+
+class Config:
+    def __init__(self):
+        self.config_file = Path.home() / ".config" / "pwninit.conf"
+        self._config_data = {}
+        self._load_config()
+
+    def _load_config(self):
+        if self.config_file.exists():
+            try:
+                with open(self.config_file, "r") as f:
+                    for line in f:
+                        line = line.strip()
+                        if line and not line.startswith("#") and "=" in line:
+                            key, value = line.split("=", 1)
+                            self._config_data[key.strip()] = value.strip().strip("\"'")
+            except Exception as e:
+                log.warning(f"Error reading config file {
+                            self.config_file}: {e}")
+
+    def get(self, key, default=None, env_var=None):
+        if env_var and env_var in os.environ:
+            return os.environ[env_var]
+
+        return self._config_data.get(key, default)
+
+    def get_author(self):
+        return self.get("author", "0xB0tm4n", "PWNINIT_AUTHOR")
+
+    def create_default_config(self):
+        self.config_file.parent.mkdir(parents=True, exist_ok=True)
+
+        default_config = """# pwninit configuration file
+# You can override these values with environment variables
+
+# Author name for generated files
+author=0xB0tm4n
+
+# Root-me provider settings
+# rootme_api_key=your_api_key_here
+
+# Proof of work binaries
+# sossette=pow-sossette
+# hxp=pow-hxp
+# redpwn=redpwnpow
+# kctf=pow-kctf
+# hashcash=hashcash
+"""
+
+        if not self.config_file.exists():
+            try:
+                with open(self.config_file, "w") as f:
+                    f.write(default_config)
+                log.success(f"Created default config file at {
+                            self.config_file}")
+            except Exception as e:
+                log.warning(f"Could not create config file: {e}")
+
+
+config = Config()

pwninit/farm.py

@@ -0,0 +1,334 @@
+import copy
+import itertools
+import queue
+import re
+import threading
+import time
+from math import ceil
+from pathlib import Path
+from urllib.parse import urljoin
+
+import requests
+from pwn import log
+
+from pwninit.io import IOContext
+from pwninit.helpers import PwnContext
+
+SERVER_TIMEOUT = 5
+POST_PERIOD = 5
+POST_FLAG_LIMIT = 1000
+exit_event = threading.Event()
+
+
+class FlagStorage:
+    def __init__(self):
+        self._flags = []
+        self._seen = set()
+        self._lock = threading.Lock()
+
+    def add(self, flag, team_name, service):
+        with self._lock:
+            if flag not in self._seen:
+                self._seen.add(flag)
+                self._flags.append(
+                    {"flag": flag, "team": team_name, "service": service}
+                )
+
+    def flush(self):
+        with self._lock:
+            flags = self._flags[:POST_FLAG_LIMIT]
+            self._flags = self._flags[POST_FLAG_LIMIT:]
+            return flags
+
+    def unflushed(self, flags):
+        with self._lock:
+            self._flags = flags + self._flags
+
+
+class FlagIDStorage:
+    def __init__(self):
+        self._data = {}
+        self._lock = threading.Lock()
+
+    def update(self, chall, data):
+        with self._lock:
+            self._data[chall] = data
+
+    def get(self, chall, team=None):
+        with self._lock:
+            if chall not in self._data:
+                return None
+            if team is None:
+                return self._data[chall]
+            return self._data[chall].get(str(team))
+
+
+def get_auth_headers(args):
+    return {"Authorization": args.password}
+
+
+def set_farm_config(args, config):
+    url = urljoin(args.url, "/api/set_config")
+    r = requests.post(
+        url, headers=get_auth_headers(args), json=config, timeout=SERVER_TIMEOUT
+    )
+    if not r.ok:
+        raise Exception(r.text)
+    return r.json()
+
+
+def get_farm_config(args):
+    url = urljoin(args.url, "/api/get_config")
+    r = requests.get(url, headers=get_auth_headers(args), timeout=SERVER_TIMEOUT)
+    if not r.ok:
+        raise Exception(r.text)
+    return r.json()
+
+
+def get_flagids(args, *keys):
+    path = "/".join(str(k) for k in keys)
+    url = urljoin(args.url, f"/api/get_flagid/{path}")
+    r = requests.get(url, headers=get_auth_headers(args), timeout=SERVER_TIMEOUT)
+    if not r.ok:
+        raise Exception(r.text)
+    return r.json()
+
+
+def post_flags(args, flags):
+    sploit_name = Path("exploit.py").resolve().parent.name
+    data = [
+        {
+            "flag": item["flag"],
+            "sploit": sploit_name,
+            "team": item["team"],
+            "service": item["service"],
+        }
+        for item in flags
+    ]
+    url = urljoin(args.url, "/api/post_flags")
+    r = requests.post(
+        url, headers=get_auth_headers(args), json=data, timeout=SERVER_TIMEOUT
+    )
+    if not r.ok:
+        raise Exception(r.text)
+
+
+def once_in_a_period(period):
+    for iter_no in itertools.count(1):
+        start_time = time.time()
+        yield iter_no
+        time_spent = time.time() - start_time
+        if period > time_spent:
+            exit_event.wait(period - time_spent)
+        if exit_event.is_set():
+            break
+
+
+def _post_loop(args, flag_storage, stop_event):
+    while not stop_event.is_set():
+        flags = flag_storage.flush()
+        if flags:
+            try:
+                post_flags(args, flags)
+                log.info("Posted %d flags" % len(flags))
+            except Exception as e:
+                log.warning("Can't post flags: %s" % e)
+                flag_storage.unflushed(flags)
+        stop_event.wait(POST_PERIOD)
+
+    flags = flag_storage.flush()
+    if flags:
+        try:
+            post_flags(args, flags)
+            log.info("Posted %d flags" % len(flags))
+        except Exception as e:
+            log.warning("Can't post remaining flags: %s" % e)
+            flag_storage.unflushed(flags)
+
+
+def _run_one(
+    exploit,
+    ioctx,
+    ctx,
+    flag_ids,
+    team_name,
+    max_runtime,
+    flag_format,
+    flag_storage,
+    chall,
+):
+    try:
+        ioctx.connect(enable_log=False)
+    except Exception as e:
+        log.warning("%s: connection failed - %s" % (team_name, e))
+        return
+
+    ioctx.conn.timeout = max_runtime
+
+    try:
+        result = exploit(ctx, ioctx, flag_ids)
+        flags = flag_format.findall(result) if isinstance(result, (str, bytes)) else []
+        if not flags and result:
+            flags = [result]
+        for flag in flags:
+            log.success("%s: got flag %s" % (team_name, flag))
+            flag_storage.add(flag, team_name, chall)
+    except Exception as e:
+        log.warning("%s: exploit failed - %s" % (team_name, e))
+    finally:
+        ioctx.close(enable_log=False)
+
+
+def _team_worker(
+    team_name,
+    ioctx,
+    ctx,
+    exploit,
+    config,
+    args,
+    flag_format,
+    flag_storage,
+    flagid_storage,
+    task_queue,
+    stop_event,
+):
+    """Persistent per-team thread. Binds its IOContext into the thread-local
+    proxy once at startup, then waits for round tasks."""
+    import pwninit.io as io
+    import pwninit.helpers as helpers
+
+    io.set_ctx(ioctx)
+    helpers.set_ctx(ctx)
+
+    while not stop_event.is_set():
+        try:
+            max_runtime = task_queue.get(timeout=1)
+        except queue.Empty:
+            continue
+
+        flag_ids = flagid_storage.get(config.challname, team_name)
+        try:
+            _run_one(
+                exploit,
+                ioctx,
+                ctx,
+                flag_ids,
+                team_name,
+                max_runtime,
+                flag_format,
+                flag_storage,
+                config.challname,
+            )
+        finally:
+            task_queue.task_done()
+
+
+def run_farm(args, config, exploit):
+    log.info("Connecting to farm server at %s" % args.url)
+
+    if hasattr(config, "farm_config"):
+        set_farm_config(args, config.farm_config)
+
+    try:
+        farm_config = get_farm_config(args)
+        log.info(f'Flag format: {farm_config["FLAG_FORMAT"]}')
+        log.info(f'Flag lifetime: {farm_config["FLAG_LIFETIME"]}')
+        if not args.period:
+            args.period = farm_config["FLAG_LIFETIME"]
+        else:
+            args.period = 55
+    except Exception as e:
+        log.error("Can't get farm_config from server: %s" % e)
+        return 1
+
+    teams = farm_config["TEAMS"]
+    flag_format = re.compile(farm_config["FLAG_FORMAT"])
+    if not teams:
+        log.error("No teams in server farm_config")
+        return 1
+
+    log.info("Got %d teams from server" % len(teams))
+
+    flag_storage = FlagStorage()
+    flagid_storage = FlagIDStorage()
+
+    team_ctxs = {}
+    for team_name, team_addr in teams.items():
+        try:
+            host = team_addr
+            if ":" in host:
+                host = team_addr.split(":")[0]
+                port = int(team_addr.split(":")[1])
+
+            team_args = copy.copy(args)
+            team_args.remote.host = host
+            if port:
+                team_args.remote.port = port
+            ioctx = IOContext(team_args, config)
+            ctx = PwnContext(ioctx.proc, config.binary, config.libc)
+            team_ctxs[team_name] = (copy.deepcopy(ioctx), copy.deepcopy(ctx))
+        except Exception as e:
+            log.warning("%s: failed to init - %s" % (team_name, e))
+
+    if not team_ctxs:
+        log.error("No teams could be initialized")
+        return 1
+
+    team_queues = {}
+    stop_event = threading.Event()
+
+    for team_name, (ioctx, ctx) in team_ctxs.items():
+        q = queue.Queue()
+        team_queues[team_name] = q
+        t = threading.Thread(
+            target=_team_worker,
+            args=(
+                team_name,
+                ioctx,
+                ctx,
+                exploit,
+                config,
+                args,
+                flag_format,
+                flag_storage,
+                flagid_storage,
+                q,
+                stop_event,
+            ),
+            daemon=True,
+        )
+        t.start()
+
+    try:
+        for attack_no in once_in_a_period(args.period):
+            try:
+                data = get_flagids(args, config.challname)
+                flagid_storage.update(config.challname, data)
+                log.info("Fetched flag IDs for %d teams" % len(data))
+            except Exception as e:
+                log.warning("Can't fetch flag IDs: %s" % e)
+                log.warning("No flag id for attack #%d" % attack_no)
+
+            log.info("Launching attack #%d on %d teams" % (attack_no, len(team_ctxs)))
+
+            post_stop = threading.Event()
+            post_thread = threading.Thread(
+                target=_post_loop, args=(args, flag_storage, post_stop), daemon=True
+            )
+            post_thread.start()
+
+            for q in team_queues.values():
+                q.put(args.period)
+
+            for q in team_queues.values():
+                q.join()
+
+            post_stop.set()
+            post_thread.join()
+
+    except KeyboardInterrupt:
+        log.info("Got Ctrl+C, shutting down")
+
+    stop_event.set()
+    exit_event.set()
+    return 0

pwninit/helpers/__init__.py

@@ -0,0 +1,3 @@
+from .pwncontext import *
+from .utils import *
+from .constants import *

pwninit/helpers/constants.py

@@ -0,0 +1,67 @@
+# FSOP
+IO_USER_BUF = 0x0001
+IO_UNBUFFERED = 0x0002
+IO_NO_READS = 0x0004
+IO_NO_WRITES = 0x0008
+IO_EOF_SEEN = 0x0010
+IO_ERR_SEEN = 0x0020
+IO_DELETE_DONT_CLOSE = 0x0040
+IO_LINKED = 0x0080
+IO_IN_BACKUP = 0x0100
+IO_LINE_BUF = 0x0200
+IO_TIED_PUT_GET = 0x0400
+IO_CURRENTLY_PUTTING = 0x0800
+IO_IS_APPENDING = 0x1000
+IO_IS_FILEBUF = 0x2000
+
+DUMMY = 0x00
+DUMMY2 = 0x08
+FINISH = 0x10
+OVERFLOW = 0x18
+UNDERFLOW = 0x20
+UFLOW = 0x28
+PBACKFAIL = 0x30
+XSPUTN = 0x38
+XSGETN = 0x40
+SEEKOFF = 0x48
+SEEKPOS = 0x50
+SETBUF = 0x58
+SYNC = 0x60
+DOALLOCATE = 0x68
+READ = 0x70
+WRITE = 0x78
+SEEK = 0x80
+CLOSE = 0x88
+STAT = 0x90
+SHOWMANYC = 0x98
+IMBUE = 0xA0
+
+# House Of Muney
+STB_LOCAL = 0
+STB_GLOBAL = 1
+STB_WEAK = 2
+STB_NUM = 3
+STB_LOOS = (10,)
+STB_GNU_UNIQUE = (10,)
+STB_HIOS = (12,)
+STB_LOPROC = (13,)
+STB_HIPROC = (15,)
+
+STT_NOTYPE = 0
+STT_OBJECT = 1
+STT_FUNC = 2
+STT_SECTION = 3
+STT_FILE = 4
+STT_COMMON = 5
+STT_TLS = 6
+STT_NUM = 7
+STT_LOOS = (10,)
+STT_GNU_IFUNC = 10
+STT_HIOS = (12,)
+STT_LOPROC = (13,)
+STT_HIPROC = (15,)
+
+STV_DEFAULT = 0
+STV_INTERNAL = 1
+STV_HIDDEN = 2
+STV_PROTECTED = 3