├── .gitignore
├── README.md
└── Vagrantfile


/.gitignore:
--------------------------------------------------------------------------------
1 | *
2 | !.gitignore
3 | !README.md
4 | !Vagrantfile
5 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # pwnmachine
 2 | 
 3 | Vagrantfile for quickly (~50 mins) setting up a headless Ubuntu 18.04 VM for
 4 | exploit development on Linux.
 5 | 
 6 | ```
 7 | sudo apt install vagrant
 8 | git clone https://github.com/kapaw/pwnmachine
 9 | cd pwnmachine
10 | vagrant up
11 | vagrant ssh
12 | ```
13 | 


--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
  1 | # -*- mode: ruby -*-
  2 | # vi: set ft=ruby :
  3 | 
  4 | $install = <<EOF
  5 | PRE=$(date +%s)
  6 | MY_NAME=vagrant
  7 | MY_HOME=/home/${MY_NAME}
  8 | export DEBIAN_FRONTEND=noninteractive
  9 | 
 10 | # Install packages
 11 | sudo rm -rf /var/lib/apt/lists
 12 | sudo dpkg --add-architecture i386
 13 | sudo -E apt-get -y update
 14 | sudo -E apt-get -y upgrade
 15 | sudo -E apt-get -y install git python-pip python3-pip python-dev        \
 16 |     build-essential software-properties-common gdb gdb-multiarch curl   \
 17 |     vim exuberant-ctags pyflakes cmake tmux source-highlight            \
 18 |     libpq5 gcc-multilib libc6-i386 libc6-dev-i386 qemu-user-static      \
 19 |     libreadline-dev libssl-dev libpq-dev nmap libreadline5              \
 20 |     libsqlite3-dev libpcap-dev autoconf pgadmin3 zlib1g-dev libxml2-dev \
 21 |     libxslt1-dev screen ipython gdbserver binutils-{arm,mips}*          \
 22 |     binutils-multiarch libxml2-dev libxslt1-dev git libffi-dev          \
 23 |     libreadline-dev libtool debootstrap debian-archive-keyring          \
 24 |     libglib2.0-dev libpixman-1-dev libqt4-dev graphviz-dev              \
 25 |     nasm pandoc libtool-bin valgrind libfuzzer-7-dev
 26 | sudo -E pip install pip --upgrade
 27 | 
 28 | # Init .repositories
 29 | mkdir .repositories
 30 | function git_clone(){
 31 |     base=$(basename "${1}" | sed 's/\.git//g')
 32 |     if test -n "${3}"; then
 33 |         git clone -b "${3}" "${1}" ${MY_HOME}/.repositories/"${base}"
 34 |     else
 35 |         git clone "${1}" ${MY_HOME}/.repositories/"${base}"
 36 |     fi
 37 |     if test -n "${2}"; then
 38 |         ln -s ${MY_HOME}/.repositories/"${base}" "${2}"/"${base}"
 39 |     fi
 40 | }
 41 | 
 42 | # Install pwntools
 43 | git_clone https://github.com/Gallopsled/pwntools.git ${MY_HOME}
 44 | cd pwntools
 45 | sudo pip2 install -r requirements.txt
 46 | sudo python setup.py install
 47 | cd ${MY_HOME}
 48 | 
 49 | # Enable core dumps
 50 | ulimit -c 100000
 51 | echo 'vagrant     soft      core      unlimited' | sudo tee /etc/security/limits.conf
 52 | 
 53 | # ptrace_scope = 0
 54 | sudo sed -i 's/kernel.yama.ptrace_scope = 1/kernel.yama.ptrace_scope = 0/' /etc/sysctl.d/10-ptrace.conf
 55 | sudo service procps restart
 56 | 
 57 | # Create .gdbinit
 58 | echo 'set follow-fork-mode child'          >> ${MY_HOME}/.gdbinit
 59 | echo 'set disassembly-flavor intel'        >> ${MY_HOME}/.gdbinit
 60 | echo 'set auto-load safe-path /'           >> ${MY_HOME}/.gdbinit
 61 | echo 'set disable-randomization off'       >> ${MY_HOME}/.gdbinit
 62 | 
 63 | # Install voltron
 64 | sudo apt-get -y install libreadline6-dev python3-dev python3-setuptools python3-yaml
 65 | git_clone https://github.com/snare/voltron.git
 66 | cd ${MY_HOME}/.repositories/voltron
 67 | ./install.sh
 68 | sed -i 's/\\(.*voltron.*\\)/#\\1/' ${MY_HOME}/.gdbinit
 69 | 
 70 | # Install gef
 71 | git_clone https://github.com/hugsy/gef.git
 72 | sed -i 's/127.0.1.1/127.0.0.1/g' ${MY_HOME}/.repositories/gef/gef.py
 73 | echo '#source ~/.repositories/gef/gef.py' >> ${MY_HOME}/.gdbinit
 74 | 
 75 | # Install peda
 76 | git_clone https://github.com/longld/peda
 77 | echo '#source ~/.repositories/peda/peda.py' >> ${MY_HOME}/.gdbinit
 78 | 
 79 | # Install pwndbg
 80 | git_clone https://github.com/pwndbg/pwndbg.git
 81 | cd ${MY_HOME}/.repositories/pwndbg
 82 | sudo ./setup.sh
 83 | 
 84 | ## Install qira (BUG: ubuntu 18.04 qemu)
 85 | #git_clone https://github.com/BinaryAnalysisPlatform/qira.git
 86 | #cd ${MY_HOME}/.repositories/qira
 87 | #sed -i 's/sudo apt-get/sudo apt-get -y/g' tracers/qemu_build.sh
 88 | #sed -i 's/.*pypi.python.org\\/packages\\/source\\/p\\/pyparsing.*/pyparsing/g' requirements.txt
 89 | #sudo ./install.sh
 90 | 
 91 | # Install radare2
 92 | git_clone https://github.com/radare/radare2
 93 | cd ${MY_HOME}/.repositories/radare2
 94 | ./sys/user.sh
 95 | sudo -E pip install r2pipe --upgrade
 96 | 
 97 | # Install z3
 98 | git_clone https://github.com/Z3Prover/z3.git
 99 | cd ${MY_HOME}/.repositories/z3
100 | sudo python scripts/mk_make.py --python
101 | cd build
102 | sudo make -j$(nproc)
103 | sudo make install
104 | 
105 | # Install angr
106 | sudo apt-get -y install virtualenvwrapper
107 | source /usr/share/virtualenvwrapper/virtualenvwrapper.sh
108 | mkvirtualenv --python=$(which python3) angr
109 | pip install angr
110 | deactivate
111 | 
112 | # Install ropper
113 | git_clone https://github.com/sashs/ropper.git
114 | cd ${MY_HOME}/.repositories/ropper
115 | git submodule init
116 | git submodule update
117 | sudo -E pip install filebytes==0.9.18
118 | sudo -E pip install keystone-engine
119 | sudo -E pip install . --upgrade
120 | 
121 | # Install afl-fuzz
122 | sudo apt-get -y install clang-7
123 | cd ${MY_HOME}/.repositories
124 | wget --quiet http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
125 | tar -xvf afl-latest.tgz
126 | rm afl-latest.tgz
127 | (
128 |   cd afl-*
129 |   make -j$(nproc)
130 |   # build clang-fast
131 |   (
132 |     cd llvm_mode
133 |     CC=clang-7 LLVM_CONFIG=llvm-config-7 make -j$(nproc)
134 |   )
135 |   # build qemu mode (BUG: ubuntu 18.04 qemu)
136 |   #(
137 |   #  cd qemu_mode
138 |   #  sudo apt install -y bison flex
139 |   #  ./build_qemu_support.sh
140 |   #)
141 |   # build libdislocator
142 |   (
143 |     cd libdislocator
144 |     make -j$(nproc)
145 |   )
146 |   # build libtokencap
147 |   (
148 |     cd libtokencap
149 |     make -j$(nproc)
150 |   )
151 |   sudo make install
152 | )
153 | 
154 | # Install honggfuzz
155 | git_clone https://github.com/google/honggfuzz.git
156 | sudo apt-get -y install libbfd-dev libunwind-dev
157 | cd ${MY_HOME}/.repositories/honggfuzz
158 | make -j$(nproc)
159 | sudo make install
160 | 
161 | # Install radamsa
162 | git_clone https://gitlab.com/akihe/radamsa.git
163 | sudo apt-get -y install gcc make git wget
164 | cd ${MY_HOME}/.repositories/radamsa
165 | make -j$(nproc)
166 | sudo make install
167 | 
168 | # Install zzuf
169 | git_clone https://github.com/samhocevar/zzuf.git
170 | cd ${MY_HOME}/.repositories/zzuf
171 | ./bootstrap
172 | ./configure
173 | make -j$(nproc)
174 | sudo make install
175 | 
176 | # Install unicorn engine
177 | git_clone https://github.com/unicorn-engine/unicorn.git
178 | cd ${MY_HOME}/.repositories/unicorn
179 | make -j$(nproc)
180 | sudo make install
181 | 
182 | # Install Intel Pin
183 | cd ${MY_HOME}/.repositories/
184 | wget https://software.intel.com/sites/landingpage/pintool/downloads/pin-3.7-97619-g0d0c92f4f-gcc-linux.tar.gz
185 | tar xf pin-*.tar.gz
186 | rm pin-*.tar.gz
187 | ln -s pin-* pin
188 | echo "PIN_HOME=${MY_HOME}/.repositories/pin/" >> ${MY_HOME}/.bashrc
189 | 
190 | # Install DynamoRIO
191 | cd ${MY_HOME}/.repositories/
192 | wget https://github.com/DynamoRIO/dynamorio/releases/download/release_7.1.0/DynamoRIO-Linux-7.1.0-1.tar.gz
193 | tar xf DynamoRIO-Linux-*.tar.gz
194 | rm DynamoRIO-Linux-*.tar.gz
195 | ln -s DynamoRIO-Linux-* DynamoRIO
196 | echo "DYNAMORIO_HOME=${MY_HOME}/.repositories/DynamoRIO/" >> ${MY_HOME}/.bashrc
197 | 
198 | ## Install Triton (BUG: Triton only supports pin-2.14-71313. pin-2.14-71313 is not supported in Ubuntu 18.04)
199 | #sudo apt-get -y install libboost-dev
200 | #git_clone https://github.com/JonathanSalwan/Triton.git
201 | #cd Triton
202 | #mkdir build
203 | #cmake -DPINTOOL=on -DPIN_ROOT=$PIN_HOME ..
204 | #make -j 4
205 | #sudo make install
206 | #sudo ln -s `pwd`/triton /usr/bin/triton
207 | #sudo ln -s `pwd`/tritonAttach /usr/bin/tritonAttach
208 | 
209 | # Add 'pwn' exploit template function to .bashrc
210 | echo 'export EDITOR=vim'                                                                  >> ${MY_HOME}/.bashrc
211 | echo 'function pwn(){'                                                                    >> ${MY_HOME}/.bashrc
212 | echo '    target_bin="$1"'                                                                >> ${MY_HOME}/.bashrc
213 | echo '    fname="exploit.py"'                                                             >> ${MY_HOME}/.bashrc
214 | echo '    if [ ! -f "$fname" ] ; then'                                                    >> ${MY_HOME}/.bashrc
215 | echo '        cat > "${fname}"<<EOF'                                                      >> ${MY_HOME}/.bashrc
216 | echo '#!/usr/bin/env python'                                                              >> ${MY_HOME}/.bashrc
217 | echo 'from pwn import *'                                                                  >> ${MY_HOME}/.bashrc
218 | echo 'context.terminal = ["tmux", "splitw", "-h"]'                                        >> ${MY_HOME}/.bashrc
219 | echo ''                                                                                   >> ${MY_HOME}/.bashrc
220 | echo 'TARGET_BIN = ""'                                                                    >> ${MY_HOME}/.bashrc
221 | echo 'HOST = "127.0.0.1"'                                                                 >> ${MY_HOME}/.bashrc
222 | echo 'PORT = 1337'                                                                        >> ${MY_HOME}/.bashrc
223 | echo ''                                                                                   >> ${MY_HOME}/.bashrc
224 | echo 'c = None'                                                                           >> ${MY_HOME}/.bashrc
225 | echo 'if "REMOTE" in args:'                                                               >> ${MY_HOME}/.bashrc
226 | echo '    c = remote(HOST, PORT)'                                                         >> ${MY_HOME}/.bashrc
227 | echo 'elif "GDB" in args:'                                                                >> ${MY_HOME}/.bashrc
228 | echo '    c = gdb.debug(TARGET_BIN, """'                                                  >> ${MY_HOME}/.bashrc
229 | echo '        c'                                                                          >> ${MY_HOME}/.bashrc
230 | echo '        """)'                                                                       >> ${MY_HOME}/.bashrc
231 | echo 'else:'                                                                              >> ${MY_HOME}/.bashrc
232 | echo '    c = process(TARGET_BIN)'                                                        >> ${MY_HOME}/.bashrc
233 | echo ''                                                                                   >> ${MY_HOME}/.bashrc
234 | echo ''                                                                                   >> ${MY_HOME}/.bashrc
235 | echo 'EOF'                                                                                >> ${MY_HOME}/.bashrc
236 | echo '        target_escaped=$(echo $target_bin | sed "s/\\//\\\\\\\\\\//g")'             >> ${MY_HOME}/.bashrc
237 | echo '        sed -i "s/\\(TARGET_BIN = \\"\\)\\(\\"\\)/\\1$target_escaped\\2/" "$fname"' >> ${MY_HOME}/.bashrc
238 | echo '        chmod +x "${fname}"'                                                        >> ${MY_HOME}/.bashrc
239 | echo '    fi'                                                                             >> ${MY_HOME}/.bashrc
240 | echo '    grep -q "TARGET_BIN = \\"\\"" "${fname}"'                                       >> ${MY_HOME}/.bashrc
241 | echo '    if [ "$?" -eq 0 ] ; then'                                                       >> ${MY_HOME}/.bashrc
242 | echo '        ${EDITOR} -c "startinsert" "${fname}" "+call cursor(5,15)"'                 >> ${MY_HOME}/.bashrc
243 | echo '    else'                                                                           >> ${MY_HOME}/.bashrc
244 | echo '        ${EDITOR} "${fname}" +'                                                     >> ${MY_HOME}/.bashrc
245 | echo '    fi'                                                                             >> ${MY_HOME}/.bashrc
246 | echo '}'                                                                                  >> ${MY_HOME}/.bashrc
247 | 
248 | # Update .screenrc
249 | cat > ${MY_HOME}/.screenrc << SCREEN_END
250 | startup_message off
251 | vbell off
252 | hardstatus alwayslastline
253 | hardstatus string '%{= kG}[ %{G}%H %{g}][%= %{= kw}%?%-Lw%?%{r}(%{W}%n*%f%t%?(%u)%?%{r})%{w}%?%+Lw%?%? %= %{g}][%{B} %m/%d %{W}%c %{g}]'
254 | defscrollback 50000
255 | SCREEN_END
256 | 
257 | # Done
258 | POST=$(date +%s)
259 | echo "Installation took "$((POST-PRE))" seconds"
260 | EOF
261 | 
262 | Vagrant.configure(2) do |config|
263 |     config.vm.box = "ubuntu/bionic64"
264 |     config.vm.box_check_update = false
265 |     config.vm.provider "virtualbox" do |v|
266 |         v.memory = 4096
267 |         v.cpus = 4
268 |     end
269 |     config.vm.provision "shell", inline: $install, privileged: false
270 |     config.vm.hostname = "pwnmachine"
271 |     # forward qira port
272 |     config.vm.network "forwarded_port", guest: 3002, host: 3002
273 |     ENV['LC_ALL']="en_US.UTF-8"
274 | end
275 | 


--------------------------------------------------------------------------------