
pwintools's Introduction

PWiNTOOLS

PWiNTOOLS is a very basic implementation of pwntools for Windows to play with local processes and remote sockets.

Windows is not yet supported in the official pwntools: Minimal support for Windows #996.

PWiNTOOLS supports both Python 2 and 3.

Feel free to contribute or report bugs.

Usage / Documentation

Read the code :)

from pwintools import *

DEBUG = True
if DEBUG:
	r = Process("chall.exe") # Spawn chall.exe process
	r.spawn_debugger(breakin=False)
	log.info("WinExec @ 0x{:x}".format(r.symbols['kernel32.dll']['WinExec']))
else:
	r = Remote("challenge.remote.service", 8080)

r.sendline('ID123456789') # send / write
if r.recvline().strip() == 'GOOD': # recv / read / recvn / recvall / recvuntil
	log.success('Woot password accepted!')
	r.send(shellcraft.amd64.WinExec('cmd.exe'))
else:
	log.failure('Bad password')

log.info('Starting interactive mode ...')
r.interactive() # interactive2 for Remote available

The test directory provides some examples of usage:

  • test_pwn_pe spawns pwn.exe and exploits it (pwn.exe can be built using tests/build_pwn_pe.py, which requires LIEF)
  • test_remote is a basic TCP connection and interaction
  • test_shellcode injects shellcodes into notepad.exe to test them locally
  • exemple_rop is an example exploit script for the associated vulnerable exemple_rop

Deps

PythonForWindows providing a Python implementation to play with Windows.

Optionals:

TODO

	Improve 32 bits support and testing
	Support local Context like pwntools
	Improve Shellcraft to avoid NULL bytes (xor_pair)
	Provide examples with Python Debugger
	Integrate gadgets tool support (rp++)
	Process mitigation (appcontainer / Force ASLR rebase / Job sandboxing ...)
	pip install pwintools :)
	`Port` the project to pwntools

Acknowledgements

  • Mastho
  • Geluchat

pwintools's People

Contributors

  • geluchat
  • gogo2464
  • masthoon
  • niebelungen-d
  • shotokhan


pwintools's Issues

Upstream Support in Pwntools

This is a really neat project! I used to have some basic support for targeting Windows binaries (rather than running against them).

It would be really neat to get your shellcode imported into the main Pwntools repository, as a starting point.

archive pwintools repo

I have already seriously started to integrate pwintools on pwntools as asked in this issue: #4. See these PRs: Gallopsled/pwntools#1959 and Gallopsled/pwntools#1978.

In my humble opinion, it is now useless to continue working on pwintools. This is now just a duplicate of pwntools. You can set the repo to read-only and say why in the readme, to ensure that nobody works for nothing.

Pwintools was useful to see how PythonForWindows can interact for pwntools.

This was a great experience. Nice to meet you.

remove xrange

This commit 5dada36 has some good features, like removing strings not set with bytes.

Sadly, it also decreases the Python 3 style.

xrange is Python 2 stuff and should be removed. I want to avoid developers in the future spending hours to understand how xrange works, only to realize that it is Python 2 stuff.

I have already removed it in an old commit, but somebody has put it back. So instead of removing it again and starting a war, I decided to open an issue to discuss and debate what is best between range and xrange.

Python 3.10 - encoding issues in spawn_debugger()

I would like to share the possible solution for the encoding issue with the spawn_debugger() using python3.10.

PROBLEM

The code below triggers an error, because there is no encoding in spawn_debugger().

from pwintools import *
p = Process(b"C:\\Users\\karol\\Desktop\\t\\ch72.exe")
p.debuggerpath = b"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x86\\windbg.exe"
p.spawn_debugger(breakin = True, dbg_cmd = None)
Traceback (most recent call last):
  File "C:\Users\karol\Desktop\t\a.py", line 34, in <module>
    p.spawn_debugger(breakin = True, dbg_cmd = None)
  File "C:\Program Files\Python310\lib\site-packages\pwintools-0.5-py3.10.egg\pwintools.py", line 915, in spawn_debugger
  File "C:\Program Files\Python310\lib\site-packages\pwintools-0.5-py3.10.egg\pwintools.py", line 656, in __init__
  File "C:\Program Files\Python310\lib\site-packages\pwintools-0.5-py3.10.egg\pwintools.py", line 698, in _create_process
  File "C:\Program Files\Python310\lib\site-packages\pwintools-0.5-py3.10.egg\pwintools.py", line 698, in <listcomp>
TypeError: string argument without an encoding

SOLUTION

I modified spawn_debugger() as below, adding encode() and the b prefix for all strings:

    def spawn_debugger(self, breakin=True, dbg_cmd=None):
        """spawn_debugger(breakin = True, dbg_cmd = None) spawns Windbg (self.debuggerpath) to debug the process"""
        cmd = [self.debuggerpath, b'-p', str(self.pid).encode()]
        if not breakin:
            cmd.append(b'-g')
        if dbg_cmd:
            cmd.append(b'-c')
            cmd.append(dbg_cmd.encode())
        self.debugger = Process(cmd, nostdhandles=True)
        # Give time to the debugger
        time.sleep(1)

After that, I reinstalled the library, and the problem was solved:

pip uninstall pwintools
python setup.py install

Thought I'd throw it in here. Someone may find it useful.
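The root cause in the traceback above is a mixed str/bytes command list being passed through bytes(arg) without an encoding. As an added illustration (not pwintools' own code), the helper below builds the same windbg command line the patched spawn_debugger() builds, but accepts str or bytes for the debugger path and -c command and normalises everything to bytes first; legacy_listcomp() reproduces the failing pattern so the two can be compared. It assumes Python 3 and a constructed debugger path.

```python
from typing import List, Optional, Tuple, Union

StrOrBytes = Union[str, bytes]


def to_bytes(value: StrOrBytes, encoding: str = "utf-8") -> bytes:
    """Normalise one argument to bytes; mixed str/bytes lists are what broke
    spawn_debugger() on Python 3.10."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode(encoding)
    raise TypeError("expected str or bytes, got %s" % type(value).__name__)


def build_debugger_cmd(debuggerpath: StrOrBytes, pid: int, breakin: bool = True,
                       dbg_cmd: Optional[StrOrBytes] = None) -> List[bytes]:
    """Same shape as the issue's fixed spawn_debugger():
    windbg.exe -p <pid> [-g] [-c <command>], every element as bytes.
    Hypothetical helper, not part of pwintools."""
    cmd = [to_bytes(debuggerpath), b"-p", str(pid).encode()]
    if not breakin:
        cmd.append(b"-g")  # -g: do not break in when attaching
    if dbg_cmd:
        cmd.append(b"-c")
        cmd.append(to_bytes(dbg_cmd))
    return cmd


def legacy_listcomp(cmd: List[StrOrBytes]) -> Tuple[Optional[List[bytes]], Optional[str]]:
    """Reproduce the crashing pattern from the traceback's <listcomp>:
    bytes(arg) with no encoding works for bytes but raises TypeError for str.
    Returns (converted_list, None) on success or (None, error_message)."""
    try:
        return [bytes(arg) for arg in cmd], None
    except TypeError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed path and pid, not taken from the issue report.
    debugger = "C:\\Tools\\Debuggers\\x86\\windbg.exe"
    bad_cmd = [debugger, b"-p", b"1234"]          # mixed str/bytes, as before the fix
    print("legacy:", legacy_listcomp(bad_cmd))      # (None, 'string argument without an encoding')
    good_cmd = build_debugger_cmd(debugger, 1234, breakin=True, dbg_cmd="g")
    print("fixed: ", legacy_listcomp(good_cmd))     # ([...all bytes...], None)
```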

Python 3 support

Waiting for next release of PythonForWindows with python 3 support.

Windbg exit from spawn_debugger()

Wanted to ask if there is a way for windbg to remain open from spawn_debugger(), or if there are other functions that help with debugging.
Thanks in advance

Python 2&3: PythonForWindows won't install automatically failing pwintools installation

Python 2&3: PythonForWindows won't install automatically

If I do,

pip install pwintools

or

cd pwintools
pip install .

The installation will fail because pip will fail to find a PythonForWindows package (not only v0.4, but any version).

However, if I download the repo off GitHub (whether master or dev; dev supports Py3), install it manually, and then install pwintools, having removed the PythonForWindows lines from setup.py, the installation and, most importantly, the usage of pwintools get set up correctly.

I wonder if anyone else experiences the same issue
