Ash nazg durbatulûk, ash nazg gimbatul,
ash nazg thrakatulûk agh burzum-ishi krimpatul.
Ashnazg is a library and tool for developing binary
exploits. It brings together a number of different
tools, Ghidra, dorat, ROPgadget, pwntools, angr,
smrop, and binds them together to pop shells.
The docker file should contain all steps needed to get ashnazg running. If you want to set this up outside of docker, then the dependencies for ubuntu are there, along with the black magic invocations for making lldb work with python on ubuntu.
Once running, you can run pytest.
Run pytest -vvv
Run pytest -vvv -n auto
Ashnazg is intended to make it possible to describe exploits at a high level.
import ashnazg
from ashnazg.assumptions import *
nazg = ashnazg.Ashnazg(binary="./target", libc="./libc.so.6")
# find a vulnerable function
vuln = list(nazg.find_vulnerable_functions())[0]
print(vuln.type) # says 'GETS' vulnerability
# begin exploit
conn = nazg.connect()
# get the program to the vulnerable function
# input.
conn.navigate(vuln.addr)
# 'GETS' vulnerability can be applied immediately if
# Binary is neither PIE nor canary. This is
# automatically detected, but we explicitly assume
# it here.
conn.exploit(vuln, assume=[NO_PIE, NO_CANARY])
# you have a shell
conn.interactive()
Old version (before auto prefix handling)
Fully exploitable corctf demo
More verbose demo:
lldb seems to be a bit of a problem. It can't be installed via pip, so you probably need to link to your system's install via a symlink instead. Blech.