Hi,

just did some debugging for a ctf binary which resulted in the following:

There is an error in the trigger_fmt function stating:

Traceback (most recent call last): File "ropstar.py", line 481, in <module> app.main() File "ropstar.py", line 319, in main autofmt = FmtStr(self.trigger_fmt) File "/usr/local/lib/python3.8/dist-packages/pwnlib/fmtstr.py", line 854, in __init__ self.offset, self.padlen = self.find_offset() File "/usr/local/lib/python3.8/dist-packages/pwnlib/fmtstr.py", line 872, in find_offset leak = self.leak_stack(off, marker) File "/usr/local/lib/python3.8/dist-packages/pwnlib/fmtstr.py", line 861, in leak_stack leak = self.execute_fmt(prefix + b"START%%%d$pEND" % offset) File "ropstar.py", line 183, in trigger_fmt m = re.search(pattern, result) File "/usr/lib/python3.8/re.py", line 201, in search return _compile(pattern, flags).search(string) TypeError: cannot use a string pattern on a bytes-like object
recvall returns a byte array but the regex search is done via string.

Just that. I'm running it on Python3.7.6

[DEBUG] [b'You know who are 0xDiablos: ', b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabp\x90\x04\x08\x1e\x90\x04\x08\x1c\xc0\x04\x08\xb1\x92\x04\x08', b'\x103\xdf\xf7\x86\x90\x04\x08 W\xda\xf7P9\xdf\xf7\xb6\x90\x04\x08\xf0\xa9\xe4\xf7', b'You know who are 0xDiablos: ']
[+] Leak puts : 0xf7df3310
[*] Saved leak
[*] Stopped process './vuln' (pid 15742)
[*] Getting libc version
[*] /root/tools/libc-database/find puts 310 
/bin/sh: 1: /root/tools/libc-database/find: not found
[*] []

I tryed running it as root and as a normal user, both with the proper installation of the requirements.txt file.

I was running this against a binary and I got the following error:

Traceback (most recent call last):
  File "../ropstar/ropstar.py", line 373, in <module>
    app.main()
  File "../ropstar/ropstar.py", line 318, in main
    if self.exploit.static(p):
  File "/root/Documents/ropstar/exploit.py", line 61, in static
    payload = fit({self.ropstar.offset:p})    
NameError: name 'p' is not defined

https://github.com/xct/ropstar/blob/master/exploit.py#L61

[root:~/tools/ropstar]# ./ropstar.py (master✱)
File "./ropstar.py", line 88
log.info(f"Canary: {hex(self.canary)}")
^
SyntaxError: invalid syntax

import pwd
os.getlogin = lambda: pwd.getpwuid(os.getuid())[0]

used this and solve the problem

Hi there,

As I want to integrate ropstar in OpenCRS, I analyzed the code to better understand the implemented exploitation techniques. Despite the program is meant to be used locally, I want to address a security issue that I discovered.

Description

Command injection is possible while exploiting a statically linked binary with a malicious filename.

Steps to Reproduce

1. Download the source code of an exploitable binary: wget https://raw.githubusercontent.com/TechSecCTF/pwn_challs/master/stack/bof/bof.c -o /tmp.
2. Compile: gcc -m32 -static -fno-stack-protector /tmp/bof.c -o "/tmp/bin/bof;touch here;".
3. Run ropstar: python3 ropstar.py -o 1 -state 1,1,1 "/tmp/bin/bof;touch here;".
4. Observe the creation of the here file (due to command injection): ls here.

Patch

I already forked the repository and proposed a patch. Please see #11.

[+] Leak puts : 0x7fc29146c040
[*] Saved leak
[*] Stopped process '/home/tarush/tools/ropstar/baby_boi' (pid 5748)
[*] Getting libc version
[*] /home/tarush/tools/libc-database/find puts 040 
[*] []
tarush@core:~/tools/ropstar$

I have installed libc-database in ~/tools/ but getting this error
Target binary: baby_boi

when i run the script with remote mode.
it returns: re.search(b'****',bytes).group[0] type nonetype have no atttribute group.

and in the other program.
it paused...