A tool for automating starting binary exploit challenges

• Set challenge binary to be executable
• Download a linker (ld-linux.so.*) that can segfaultlessly load the provided libc
• Download debug symbols and unstrip the libc
• Patch the binary with patchelf to use the correct RPATH and interpreter for the provided libc
• Fill in a template pwntools solve script

Run pwninit

Run pwninit in a directory with the relevant files and it will detect which ones are the binary, libc, and linker. If the detection is wrong, you can specify the locations with --bin, --libc, and --ld.

If you don't like the default template, you can use your own. Just specify --template-path <path>. Check template.py for the template format. The names of the exe, libc, and ld bindings can be customized with --template-bin-name, --template-libc-name, and --template-ld-name.

You can make pwninit load your custom template automatically by adding an alias to your ~/.bashrc.

alias pwninit='pwninit --template-path ~/.config/pwninit-template.py --template-bin-name e'

Install pwninit or pwninit-bin from the AUR.

You can download statically-linked musl binaries from the releases page.

Run

cargo install pwninit

This places the binary in ~/.cargo/bin.

Note that openssl, liblzma, and pkg-config are required for the build.

$ ls
hunter  libc.so.6  readme
$ pwninit
bin: ./hunter
libc: ./libc.so.6
setting ./hunter executable
fetching linker
https://launchpad.net/ubuntu/+archive/primary/+files//libc6_2.23-0ubuntu10_i386.deb
unstripping libc
https://launchpad.net/ubuntu/+archive/primary/+files//libc6-dbg_2.23-0ubuntu10_i386.deb
setting ./ld-2.23.so executable
copying ./hunter to ./hunter_patched
running patchelf on ./hunter_patched
writing solve.py stub
$ ls
hunter	hunter_patched	ld-2.23.so  libc.so.6  readme  solve.py

solve.py:

#!/usr/bin/env python3
from pwn import *
exe = ELF("./hunter_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-2.23.so")
context.binary = exe
def conn():
    if args.LOCAL:
        r = process([exe.path])
        if args.GDB:
            gdb.attach(r)
    else:
        r = remote("addr", 1337)
    return r
def main():
    r = conn()
    # good luck pwning :)
    r.interactive()
if __name__ == "__main__":
    main()