Useful-Scripts/pwn.sh at master · whuben/Useful-Scripts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
#!/bin/bash
#shell scripts for implementing pwn subjects in a CTF
#
#written by ben
#2016/05/31
#
#basic setting
xinetd_path="/etc/xinetd.d"    #the configure directory of xinetd by default
services_path="/etc/services"  #the path of services by default
pwn_base_dir="/home/xxx/pwn"   #setting your own pwn directory

#global vars
binary_path=""
port=0
flag=""
temp_user=""
pwn_name=""

#version infomation
version(){
    echo "pwn v1.0, BenChang,https://github.com/whuben, may 2016"
}

#helpinfo information
helpinfo(){
    echo "Usage: pwn [-h|-v|-l <pwn-name>|-d <pwn-name>|-u <pwn-name>|-s] [--bianry <binary>] [--port <server-port>] [--flag <string-flag>]"
    echo
    echo "Options:"
    echo "  -h,--help"
    echo "  -v,--version"
    echo "  -l  <pwn-name>     #loading a pwn server"
    echo "  -d  <pwn-name>     #delete a pwn server"
    echo "  -u  <pwn-name>     #unload a pwn server"
    echo "  -s,--start                    #start a pwn server, more args should be given"
    echo "  --binary <executable-file>  #pwn server"
    echo "  --flag   <string-flag>       #pwn flag"
    echo "  --port   <port-number>       #less than 65535"
}

#generate a temp user
GenerateTempusr(){
    temp_user="ctf_user$RANDOM"
    while id -u $temp_user >/dev/null 2>&1
    do
        temp_user="ctf_user$RANDOM"
    done
}

#setting a specific privilege to the pwn directory
setprivilege(){
    # args: $1: pwn-path; $2:flag-path
    echo "[*]Change the user group of the pwn binary:\"$1\""
    sudo chgrp $temp_user $1
    echo "[*]Change the previlige of the pwn binary:\"$1\""
    sudo chmod 755 $1
    echo "[*]Change the user group of the flag file:\"$2\""
    sudo chgrp $temp_user $2
    echo "[*]Change the previlige of the flag file:\"$2\""
    sudo chmod 640 $2
}

isDFexist(){
    if [ -z $1 ] ; then
        printf "\033[31mError: pwn name should be given.\033[m\n\n"
        exit 1
    fi
    pwn_name=$1
    pwn_dir=${pwn_base_dir}"/"${pwn_name}
    if [ ! -d $pwn_dir ] ;then
        printf "\033[31mError: The directory: $pwn_dir does not exist.\033[m\n\n"
        exit 1
    fi
    pwn_path=${pwn_dir}"/"${pwn_name}
    if [ ! -f $pwn_path ] ; then
        printf "\033[31mError: The pwn binary: $pwn_path does not exist.\033[m\n\n"
        exit 1
    fi
}

#load a pwn server on xinetd
startpwn(){
    pwn_name=${binary_path##*/}
    pwn_dir=${pwn_base_dir}"/"${pwn_name}
    pwn_path=${pwn_dir}"/"${pwn_name}
    flag_path=${pwn_dir}"/flag"
    echo "[*]Creating the directory:\"$pwn_dir\""
    mkdir $pwn_dir
    echo "[*]Copy the pwn binary from \"$path\" to \"$pwn_dir\""
    sudo cp $binary_path $pwn_dir
    echo "[*]Creating a flag file:\"$flag_path\" for storing the flag"
    echo $flag > $flag_path
    GenerateTempusr   #generate a random name for temp user
    echo "[*]Creating a temp user:$temp_user for the pwn server"
    sudo useradd $temp_user
    setprivilege $pwn_path $flag_path
    echo "[*]Register a server on xinetd"
    echo "---------------------------------"
    echo "Creating the configure file: \"$xinetd_path/ctf_$pwn_name\""
	printf 'service ctf_%s\n
{
    disable     = no\n
    socket_type = stream\n
    protocol    = tcp\n
    user        = %s\n
    server      = %s\n
    wait        = no\n
}\n' $pwn_name $temp_user $pwn_path | sudo tee -a $xinetd_path/ctf_$pwn_name
    echo "[*]Register a port for the pwn server"
    printf "ctf_%-12s%s/tcp%48s\n" $pwn_name $port "#add the ctf server port" | sudo tee -a $services_path
    #restart the xinetd
    echo "[*]Restart the xinetd service"
    sudo /etc/init.d/xinetd restart
    echo "[*]Complete: try to connect:127.0.0.1:$port"
}

#load a exist pwn server which was unloaded last time
loadpwn(){
    pattern=$(printf 's/#ctf_%s/ctf_%s/' $1 $1)
    echo "[*]Recovery the registered service"
    sudo sed -i $pattern $services_path
    echo "[*]Restart the xinetd service"
    sudo /etc/init.d/xinetd restart
    echo "[*]Complete!"
}

#unload a pwn server on xinetd
unloadpwn(){
    #just need to comment out the registered service line related to the pwn server
    pattern=$(printf 's/ctf_%s/#ctf_%s/' $1 $1)
    echo "[*]Comment out the registered service"
    sudo sed -i $pattern $services_path
    echo "[*]Restart the xinetd service"
    sudo /etc/init.d/xinetd restart
    echo "[*]Complete!"
}

#delete a pwn server
deletepwn(){
    pwn_dir=${pwn_base_dir}"/"${pwn_name}
    pwn_path=${pwn_dir}"/"${pwn_name}
    temp_user=`ls -l $pwn_path | awk '{print $4}'`  #get the tempuser
    echo "[*]Deleting the tempuser:$temp_user related to the pwn:$pwn_name"
    sudo userdel $temp_user
    echo "[*]Deleting the pwn directory $pwn_dir"
    sudo rm -rf $pwn_dir
    echo "[*]Deleting the $pwn_name configure file in xinetd"
    sudo rm $xinetd_path/ctf_$pwn_name
    echo "[*]Deleting the registered services line in $services_path"
    pattern=$(printf '/^ctf_%s.*/d' $1)
    sudo sed -i $pattern $services_path >/dev/null
    echo "[*]Restart the xinetd service"
    sudo /etc/init.d/xinetd restart
    echo "[*]Complete!"
}

isnumeric() {
    echo "$@" | grep -q -v "[^0-9]"
}

#the main code
case "$1" in
    -v|--version)
    version
    exit 0
    ;;

    -h|--help)
    helpinfo
    exit0
    ;;

    -s|--start)
    while [ $# -gt 1 ] ; do
        case "$2" in
            --flag)
            shift
            if [ -z "$2" ] ; then
                printf "\033[31mError: Please provide a flag string.\033[m\n\n"
                exit 1
            fi
            flag=$2
            shift
            ;;

            --port)
            shift
            if !(isnumeric "$2") ; then
                printf "\033[31mError: Please provide a valid port.\033[m\n\n"
                exit 1
            fi
            port=$2
            shift
            ;;

            --binary)
            shift
            if [ -z "$2" ] ; then
                printf "\033[31mError: Please provide a valid binary.\033[m\n\n"
                exit 1
            fi
            if [ ! -e $2 ] ; then
                printf "\033[31mError: The binary '$2' does not exist.\033[m\n\n"
                exit 1
            fi
            binary_path=$2
            shift
            ;;

            *)
            printf "\033[31mError: Unkown option '$2'.\033[m\n\n"
            exit 1
            ;;
        esac
    done
    if [ -z "$binary_path" ] || [ -z "$flag" ] || [ -z "$port" ] ; then
        printf "\033[31mError: More Args needed.\033[m\n\n"
        helpinfo
        exit 1
    fi
    if [ $port -ge 65535 ] ; then
        printf "\033[31mError: The port number must be less than 65535.\033[m\n\n"
        exit 1
    fi
    startpwn
    exit 0
    ;;

    -l)
	isDFexist $2
	loadpwn $pwn_name
	exit 0
	;;

    -u)
    isDFexist $2
    unloadpwn $pwn_name
    exit 0
    ;;

    -d)
    isDFexist $2
    deletepwn $pwn_name
    exit 0
    ;;

    *)
    if [ "$#" != "0" ] ; then
        printf "\033[31mError: Unkown option '$1'.\033[m\n\n"
        echo "test"
    fi
    helpinfo
    exit 1
    ;;
esac