k1R4/deathnot3

DeathNot3

Installation

sudo apt-get update
sudo apt-get install python3 python3-pip
python3 -m pip install --upgrade dn3

Description

DeathNot3 is a one-for-all, all-for-one tool that aims to make solving CTF pwn challenges easier and faster.

deathnot3 was started as a wrapper for pwntools, but with the addition of the "l1ght" submodule, it has become a lightweight alternative to pwntools process/remote while providing additional functionality. deathnot3 aims to:

  • allow strings and bytes to be used interchangeably
  • be lightweight
  • provide basic automation
  • be an all around pwn helper for CTFs

Requirements

Supports: Python 3.6+

Library dependencies:

  • pyelftools
  • zstandard
  • unix_ar
  • requests
  • wget

Usage

 from dn3 import *

 binary = ELF("./binary")
 libc = ELF("./libc.so.6")

 ctx.mode = str           # recv in string. Can also be set to bytes
 ctx.libc = libc

 io = process("./binary")
 DeathNot3()              # Initialize deathnot3

 reu("yeet")              # equivalent of io.recvuntil()
 sl(b"leet")              # equivalent of io.sendline()
 sla("yeet", 8)           # equivalent of io.sendlineafter()
 s("bruh")                # equivalent of io.send()
 # bytes, strings and integers can be used interchangeably to send

 sl(p64(0xdeadbeef))      # equivalent of p64() but returns string
 sla("oof", flat([
     0xdeadbeef, "ABCD"   # equivalent of flat() but returns string
 ]))

 libc_base = libcleak("puts")  # Offset integer can be given instead of symbol
 # Equivalent to (kept in a separate variable so the ELF in `libc` is not overwritten)
 # libc_base = unpack(io.recv(6), 48) - libc.symbols.puts
 # log.info("Libc -> %s" % hex(libc_base))

 interactive()            # equivalent of io.interactive()
  • CLI

    dn3 template <binary_path> -l <libc_path> -r <ip>:<port>

    • generates a template exploit on the go, based on a template format
    • edit the config with dn3 cfg to set the template format URL or path (prefix a local path with local:)
    • example template format

    dn3 linker <binary_path> -l <libc_path>

    • finds the appropriate dynamic linker for the given libc and patches the binary with it and the provided libc using patchelf

    dn3 cfg <key(optional)>

    • edits dn3's config
    • the config is located at ~/.dn3.conf
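As an added illustration of the interchange rules the Usage section relies on (this is example code written for this page, not dn3's own implementation), the block below re-implements ctx.mode-driven str/bytes conversion, p64()/flat() returning strings, and the 48-bit unpack from the libcleak equivalent; the names Ctx, to_bytes and from_bytes are assumptions, and the 6-byte leak is a constructed sample.

```python
import struct
from dataclasses import dataclass

@dataclass
class Ctx:
    mode: type = str    # type returned by recv-style helpers: str or bytes
    endian: str = "<"   # little-endian; big-endian is listed as a TODO in dn3

ctx = Ctx()
MASK64 = (1 << 64) - 1

def to_bytes(data) -> bytes:
    """Normalise what a send-style call receives (bytes, str or int) into bytes."""
    if isinstance(data, bytes):
        return data
    if isinstance(data, str):
        return data.encode("latin-1")   # latin-1 round-trips raw 0x80..0xff bytes
    if isinstance(data, int):
        return str(data).encode()       # sla("yeet", 8) sends the digits "8"
    raise TypeError(f"cannot send {type(data).__name__}")

def from_bytes(data: bytes):
    """Return received bytes as the type selected by ctx.mode."""
    return data.decode("latin-1") if ctx.mode is str else data

def p64(n: int):
    """Pack a 64-bit word; returns str in str mode, bytes otherwise."""
    return from_bytes(struct.pack(ctx.endian + "Q", n & MASK64))

def flat(items):
    """Concatenate ints (as 64-bit words) with str/bytes pieces, like flat()."""
    parts = [struct.pack(ctx.endian + "Q", i & MASK64) if isinstance(i, int)
             else to_bytes(i) for i in items]
    return from_bytes(b"".join(parts))

def unpack(data, bits: int = 64) -> int:
    """Decode a short leak: unpack(io.recv(6), 48) zero-pads 6 bytes to 8."""
    raw = to_bytes(data)
    if len(raw) != bits // 8:
        raise ValueError(f"expected {bits // 8} bytes, got {len(raw)}")
    padded = raw.ljust(8, b"\0") if ctx.endian == "<" else raw.rjust(8, b"\0")
    return struct.unpack(ctx.endian + "Q", padded)[0]

if __name__ == "__main__":
    ctx.mode = bytes
    print(flat([0xdeadbeef, "ABCD"]))
    # constructed 6-byte value standing in for what io.recv(6) would return
    print(hex(unpack(b"\x10\x32\x54\x76\x98\x7f", 48)))  # 0x7f9876543210
```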

TODO

  • Implement ELF similar to that of pwntools
  • Add inline description comments for code
  • Implement buffering for process, remote
  • Add automation
    • static vulnerability detection
    • ret2win
    • ret2shellcode
    • ret2libc/ROP
    • tcache poisoning
  • Add documentation to wiki
  • Add support for big endian
  • Add support for arm based architectures
    • aarch64
    • arm