16777390508

Committed 06 Aug 2025 12:49PM UTC coverage: 73.731% (-0.2%) from 73.937%

Build # 16777390508

Build Type

push

github

Committed by

peace-maker

Commit Message

Merge branch 'beta' into dev

Run Details

3825 of 6462 branches covered (59.19%)

25 of 39 new or added lines in 3 files covered. (64.1%)

145 existing lines in 5 files now uncovered.

13377 of 18143 relevant lines covered (73.73%)

0.74 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

18.8

/pwnlib/commandline/template.py

from __future__ import absolute_import
from __future__ import division
from __future__ import print_function

from pwn import *
from pwnlib.commandline import common
from pwnlib.util.misc import which, parse_ldd_output, write

from sys import stderr
from mako.lookup import TemplateLookup, Template

parser = common.parser_commands.add_parser(
    'template',
    help = 'Generate an exploit template',
    description = 'Generate an exploit template. If no arguments are given, '
                    'the current directory is searched for an executable binary and ' 
                    'libc. If only one binary is found, it is assumed to be the '
                    'challenge binary.'
)

# change path to hardcoded one when building the documentation
printable_data_path = "pwnlib/data" if 'sphinx' in sys.modules else pwnlib.data.path

parser.add_argument('exe', nargs='?', help='Target binary. If not given, the current directory is searched for an executable binary.')
parser.add_argument('--host', help='Remote host / SSH server')
parser.add_argument('--port', help='Remote port / SSH port', type=int)
parser.add_argument('--user', help='SSH Username')
parser.add_argument('--pass', '--password', help='SSH Password', dest='password')
parser.add_argument('--libc', help='Path to libc binary to use. If not given, the current directory is searched for a libc binary.')
parser.add_argument('--path', help='Remote path of file on SSH server')
parser.add_argument('--quiet', help='Less verbose template comments', action='store_true')
parser.add_argument('--color', help='Print the output in color', choices=['never', 'always', 'auto'], default='auto')
parser.add_argument('--template', help='Path to a custom template. Tries to use \'~/.config/pwntools/templates/pwnup.mako\', if it exists. '
                                   'Check \'%s\' for the default template shipped with pwntools.' % 
                                        os.path.join(printable_data_path, "templates", "pwnup.mako"))
parser.add_argument('--no-auto', help='Do not automatically detect missing binaries', action='store_false', dest='auto')

def get_docker_image_libraries():
    """Tries to retrieve challenge libraries from a Docker image built from the Dockerfile in the current working directory.
    
    The libraries are retrieved by parsing the output of running ldd on /bin/sh.
    Supports regular Docker images as well as jail images.
    """
    with log.progress("Extracting challenge libraries from Docker image") as progress:
        if not which("docker"):
            progress.failure("docker command not found")
            return None, None
        # maps jail image name to the root directory of the child image
        jail_image_to_chroot_dir = {
            "pwn.red/jail": "/srv",
        }
        dockerfile = open("Dockerfile", "r").read()
        jail = None
        chroot_dir = "/"
        for jail_image in jail_image_to_chroot_dir:
            if re.search(r"^FROM %s" % jail_image, dockerfile, re.MULTILINE):
                jail = jail_image
                chroot_dir = jail_image_to_chroot_dir[jail_image]
                break
        try:
            progress.status("Building image")
            image_sha = subprocess.check_output(["docker", "build", "-q", "."], stderr=subprocess.PIPE, shell=False).decode().strip()

            progress.status("Retrieving library paths")
            ldd_command = ["-c", "chroot %s /bin/sh -c 'ldd /bin/sh'" % chroot_dir]
            ldd_output = subprocess.check_output([
                    "docker",
                    "run",
                    "--rm",
                    "--entrypoint",
                    "/bin/sh",
                    ] + (["--privileged"] if jail else []) + [
                        image_sha,
                    ] + ldd_command,
                stderr=subprocess.PIPE, 
                shell=False
            ).decode()
            
            libc, ld = None, None
            libc_basename, ld_basename = None, None
            for lib_path in parse_ldd_output(ldd_output):
                if "libc." in lib_path:
                    libc = lib_path
                    libc_basename = os.path.basename(lib_path)
                if "ld-" in lib_path:
                    ld = lib_path
                    ld_basename = os.path.basename(lib_path)

            if not (libc and ld):
                progress.failure("Could not find libraries")
                return None, None
            
            progress.status("Copying libraries to current directory")
            for filename, basename in zip((libc, ld), (libc_basename, ld_basename)):
                cat_command = ["-c", "chroot %s /bin/sh -c '/bin/cat %s'" % (chroot_dir, filename)]
                contents = subprocess.check_output([
                        "docker",
                        "run",
                        "--rm",
                        "--entrypoint",
                        "/bin/sh",
                        ] + (["--privileged"] if jail else []) + [
                            image_sha
                        ] + cat_command,
                    stderr=subprocess.PIPE, 
                    shell=False
                )
                write(basename, contents)

        except subprocess.CalledProcessError as e:
            print(e.stderr.decode())
            log.error("docker failed with status: %d" % e.returncode)

        progress.success("Retrieved libraries from Docker image")
    return libc_basename, ld_basename

def detect_missing_binaries(args):
    """Automatically detects challenge binaries and libraries in the current directory.
    
    This function scans the current directory for executable files, libc, and ld libraries.
    If a Dockerfile is present and no libraries are found, it attempts to extract them from
    the Docker image, but only if the binary is not statically linked.
    
    Args:
        args: Argument namespace containing exe and libc attributes.
        
    Returns:
        tuple: A pair of (executable_path, libc_path) where either may be None if not found.
    """
    log.info("Automatically detecting challenge binaries...")
    # look for challenge binary, libc, and ld in current directory
    exe, libc, ld = args.exe, args.libc, None
    has_dockerfile = False
    other_files = []
    for filename in os.listdir("."):
        if not os.path.isfile(filename):
            continue
        if not libc and ('libc-' in filename or 'libc.' in filename):
            libc = filename
        elif not ld and 'ld-' in filename:
            ld = filename
        elif filename == "Dockerfile":
            has_dockerfile = True
        else:
            if os.access(filename, os.X_OK):
                other_files.append(filename)
    if not exe:
        if len(other_files) == 1:
            exe = other_files[0]
        elif len(other_files) > 1:
            log.warning("Failed to find challenge binary. There are multiple binaries in the current directory: %s", other_files)
    
    # Check if the binary is statically linked before trying to extract libraries from Docker
    is_statically_linked = False
    if exe:
        try:
            binary = ELF(exe, checksec=False)
            is_statically_linked = binary.statically_linked
            if is_statically_linked:
                log.info("Binary is statically linked, no need for external libraries")
        except Exception as e:
            log.warning("Could not check if binary is statically linked: %s", e)
    
    # Only extract libraries from Docker if the binary is not statically linked
    if has_dockerfile and exe and not (libc or ld) and not is_statically_linked: 
        libc, ld = get_docker_image_libraries()

    if exe != args.exe:
        log.success("Found challenge binary %r", exe)
    if libc != args.libc:
        log.success("Found libc binary %r", libc)
    return exe, libc

def main(args):

    lookup = TemplateLookup(
        directories      = [
            os.path.expanduser('~/.config/pwntools/templates/'),
            os.path.join(pwnlib.data.path, 'templates')
        ],
        module_directory = None
    )

    # For the SSH scenario, check that the binary is at the
    # same path on the remote host.
    if args.user:
        if not (args.path or args.exe):
            log.error("Must specify --path or a exe")

        with ssh(args.user, args.host, args.port or 22, args.password or None) as s:
            try:
                remote_file = args.path or args.exe
                s.download(remote_file)
            except Exception:
                log.warning("Could not download file %r, opening a shell", remote_file)
                s.interactive()
                return

        if not args.exe:
            args.exe = os.path.basename(args.path)

    if args.auto and (args.exe is None or args.libc is None):
        args.exe, args.libc = detect_missing_binaries(args)
    
    if args.template:
        template = Template(filename=args.template) # Failing on invalid file is ok
    else:
        template = lookup.get_template('pwnup.mako')
    
    output = template.render(args.exe,
                             args.host,
                             args.port,
                             args.user,
                             args.password,
                             args.libc,
                             args.path,
                             args.quiet)

    # Fix Mako formatting bs
    output = re.sub('\n\n\n', '\n\n', output)

    # Colorize the output if it's a TTY
    if args.color == 'always' or (args.color == 'auto' and sys.stdout.isatty()):
        from pygments import highlight
        from pygments.formatters import TerminalFormatter
        from pygments.lexers.python import PythonLexer
        output = highlight(output, PythonLexer(), TerminalFormatter())

    print(output)

    # If redirected to a file, make the resulting script executable
    if not sys.stdout.isatty():
        try: os.fchmod(sys.stdout.fileno(), 0o700)
        except OSError: pass

if __name__ == '__main__':
    pwnlib.commandline.common.main(__file__, main)
    

1	from __future__ import absolute_import	1✔
2	from __future__ import division	1✔
3	from __future__ import print_function	1✔
4
5	from pwn import *	1✔
6	from pwnlib.commandline import common	1✔
7	from pwnlib.util.misc import which, parse_ldd_output, write	1✔
8
9	from sys import stderr	1✔
10	from mako.lookup import TemplateLookup, Template	1✔
11
12	parser = common.parser_commands.add_parser(	1✔
13	'template',
14	help = 'Generate an exploit template',
15	description = 'Generate an exploit template. If no arguments are given, '
16	'the current directory is searched for an executable binary and '
17	'libc. If only one binary is found, it is assumed to be the '
18	'challenge binary.'
19	)
20
21	# change path to hardcoded one when building the documentation
22	printable_data_path = "pwnlib/data" if 'sphinx' in sys.modules else pwnlib.data.path	1✔
23
24	parser.add_argument('exe', nargs='?', help='Target binary. If not given, the current directory is searched for an executable binary.')	1✔
25	parser.add_argument('--host', help='Remote host / SSH server')	1✔
26	parser.add_argument('--port', help='Remote port / SSH port', type=int)	1✔
27	parser.add_argument('--user', help='SSH Username')	1✔
28	parser.add_argument('--pass', '--password', help='SSH Password', dest='password')	1✔
29	parser.add_argument('--libc', help='Path to libc binary to use. If not given, the current directory is searched for a libc binary.')	1✔
30	parser.add_argument('--path', help='Remote path of file on SSH server')	1✔
31	parser.add_argument('--quiet', help='Less verbose template comments', action='store_true')	1✔
32	parser.add_argument('--color', help='Print the output in color', choices=['never', 'always', 'auto'], default='auto')	1✔
33	parser.add_argument('--template', help='Path to a custom template. Tries to use \'~/.config/pwntools/templates/pwnup.mako\', if it exists. '	1✔
34	'Check \'%s\' for the default template shipped with pwntools.' %
35	os.path.join(printable_data_path, "templates", "pwnup.mako"))
36	parser.add_argument('--no-auto', help='Do not automatically detect missing binaries', action='store_false', dest='auto')	1✔
37
38	def get_docker_image_libraries():	1✔
39	"""Tries to retrieve challenge libraries from a Docker image built from the Dockerfile in the current working directory.
40
41	The libraries are retrieved by parsing the output of running ldd on /bin/sh.
42	Supports regular Docker images as well as jail images.
43	"""
44	with log.progress("Extracting challenge libraries from Docker image") as progress:	×
45	if not which("docker"):	×
46	progress.failure("docker command not found")	×
47	return None, None	×
48	# maps jail image name to the root directory of the child image
49	jail_image_to_chroot_dir = {	×
50	"pwn.red/jail": "/srv",
51	}
52	dockerfile = open("Dockerfile", "r").read()	×
53	jail = None	×
54	chroot_dir = "/"	×
55	for jail_image in jail_image_to_chroot_dir:	×
56	if re.search(r"^FROM %s" % jail_image, dockerfile, re.MULTILINE):	×
57	jail = jail_image	×
58	chroot_dir = jail_image_to_chroot_dir[jail_image]	×
59	break	×
60	try:	×
61	progress.status("Building image")	×
62	image_sha = subprocess.check_output(["docker", "build", "-q", "."], stderr=subprocess.PIPE, shell=False).decode().strip()	×
63
64	progress.status("Retrieving library paths")	×
65	ldd_command = ["-c", "chroot %s /bin/sh -c 'ldd /bin/sh'" % chroot_dir]	×
66	ldd_output = subprocess.check_output([	×
67	"docker",
68	"run",
69	"--rm",
70	"--entrypoint",
71	"/bin/sh",
72	] + (["--privileged"] if jail else []) + [
73	image_sha,
74	] + ldd_command,
75	stderr=subprocess.PIPE,
76	shell=False
77	).decode()
78
79	libc, ld = None, None	×
80	libc_basename, ld_basename = None, None	×
81	for lib_path in parse_ldd_output(ldd_output):	×
82	if "libc." in lib_path:	×
83	libc = lib_path	×
84	libc_basename = os.path.basename(lib_path)	×
85	if "ld-" in lib_path:	×
86	ld = lib_path	×
87	ld_basename = os.path.basename(lib_path)	×
88
89	if not (libc and ld):	×
90	progress.failure("Could not find libraries")	×
91	return None, None	×
92
93	progress.status("Copying libraries to current directory")	×
94	for filename, basename in zip((libc, ld), (libc_basename, ld_basename)):	×
95	cat_command = ["-c", "chroot %s /bin/sh -c '/bin/cat %s'" % (chroot_dir, filename)]	×
96	contents = subprocess.check_output([	×
97	"docker",
98	"run",
99	"--rm",
100	"--entrypoint",
101	"/bin/sh",
102	] + (["--privileged"] if jail else []) + [
103	image_sha
104	] + cat_command,
105	stderr=subprocess.PIPE,
106	shell=False
107	)
108	write(basename, contents)	×
109
110	except subprocess.CalledProcessError as e:	×
111	print(e.stderr.decode())	×
112	log.error("docker failed with status: %d" % e.returncode)	×
113
114	progress.success("Retrieved libraries from Docker image")	×
115	return libc_basename, ld_basename	×
116
117	def detect_missing_binaries(args):	1✔
118	"""Automatically detects challenge binaries and libraries in the current directory.
119
120	This function scans the current directory for executable files, libc, and ld libraries.
121	If a Dockerfile is present and no libraries are found, it attempts to extract them from
122	the Docker image, but only if the binary is not statically linked.
123
124	Args:
125	args: Argument namespace containing exe and libc attributes.
126
127	Returns:
128	tuple: A pair of (executable_path, libc_path) where either may be None if not found.
129	"""
UNCOV 130	log.info("Automatically detecting challenge binaries...")	×
131	# look for challenge binary, libc, and ld in current directory
132	exe, libc, ld = args.exe, args.libc, None	×
133	has_dockerfile = False	×
134	other_files = []	×
135	for filename in os.listdir("."):	×
136	if not os.path.isfile(filename):	×
137	continue	×
138	if not libc and ('libc-' in filename or 'libc.' in filename):	×
139	libc = filename	×
140	elif not ld and 'ld-' in filename:	×
141	ld = filename	×
142	elif filename == "Dockerfile":	×
143	has_dockerfile = True	×
144	else:
145	if os.access(filename, os.X_OK):	×
146	other_files.append(filename)	×
147	if not exe:	×
148	if len(other_files) == 1:	×
149	exe = other_files[0]	×
150	elif len(other_files) > 1:	×
151	log.warning("Failed to find challenge binary. There are multiple binaries in the current directory: %s", other_files)	×
152
153	# Check if the binary is statically linked before trying to extract libraries from Docker
NEW 154	is_statically_linked = False	×
NEW 155	if exe:	×
NEW 156	try:	×
NEW 157	binary = ELF(exe, checksec=False)	×
NEW 158	is_statically_linked = binary.statically_linked	×
NEW 159	if is_statically_linked:	×
NEW 160	log.info("Binary is statically linked, no need for external libraries")	×
NEW 161	except Exception as e:	×
NEW 162	log.warning("Could not check if binary is statically linked: %s", e)	×
163
164	# Only extract libraries from Docker if the binary is not statically linked
NEW 165	if has_dockerfile and exe and not (libc or ld) and not is_statically_linked:	×
UNCOV 166	libc, ld = get_docker_image_libraries()	×
167
168	if exe != args.exe:	×
169	log.success("Found challenge binary %r", exe)	×
170	if libc != args.libc:	×
171	log.success("Found libc binary %r", libc)	×
172	return exe, libc	×
173
174	def main(args):	1✔
175
176	lookup = TemplateLookup(	×
177	directories = [
178	os.path.expanduser('~/.config/pwntools/templates/'),
179	os.path.join(pwnlib.data.path, 'templates')
180	],
181	module_directory = None
182	)
183
184	# For the SSH scenario, check that the binary is at the
185	# same path on the remote host.
186	if args.user:	×
187	if not (args.path or args.exe):	×
188	log.error("Must specify --path or a exe")	×
189
190	with ssh(args.user, args.host, args.port or 22, args.password or None) as s:	×
191	try:	×
192	remote_file = args.path or args.exe	×
193	s.download(remote_file)	×
194	except Exception:	×
195	log.warning("Could not download file %r, opening a shell", remote_file)	×
196	s.interactive()	×
197	return	×
198
199	if not args.exe:	×
200	args.exe = os.path.basename(args.path)	×
201
202	if args.auto and (args.exe is None or args.libc is None):	×
203	args.exe, args.libc = detect_missing_binaries(args)	×
204
205	if args.template:	×
206	template = Template(filename=args.template) # Failing on invalid file is ok	×
207	else:
208	template = lookup.get_template('pwnup.mako')	×
209
210	output = template.render(args.exe,	×
211	args.host,
212	args.port,
213	args.user,
214	args.password,
215	args.libc,
216	args.path,
217	args.quiet)
218
219	# Fix Mako formatting bs
220	output = re.sub('\n\n\n', '\n\n', output)	×
221
222	# Colorize the output if it's a TTY
223	if args.color == 'always' or (args.color == 'auto' and sys.stdout.isatty()):	×
224	from pygments import highlight	×
225	from pygments.formatters import TerminalFormatter	×
226	from pygments.lexers.python import PythonLexer	×
227	output = highlight(output, PythonLexer(), TerminalFormatter())	×
228
229	print(output)	×
230
231	# If redirected to a file, make the resulting script executable
232	if not sys.stdout.isatty():	×
233	try: os.fchmod(sys.stdout.fileno(), 0o700)	×
234	except OSError: pass	×
235
236	if __name__ == '__main__':	1!
237	pwnlib.commandline.common.main(__file__, main)	×
238

Gallopsled / pwntools / 16777390508

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous