#!/usr/bin/python -u | |
import time | |
import random | |
import string | |
import os | |
import subprocess | |
import signal | |
# ---------------------------------------------------------------------------
# C source templates for the per-session target binary.  They are plain text
# here; the helpers further down (nselect / arithselect / bbselect /
# captselect) fill the single-character placeholders before __main__ writes
# the file out and compiles it.
#
# mainbody: prologue of the generated program.  main() hex-decodes argv[1]
# into the global bb[] (two hex digits per byte) and hands bb[0..3] to the
# first stage, fuck1().  The C is deliberately weak -- gets() in wow(), an
# unbounded read() in wowwow(), a decode loop that indexes argv[1] past its
# strlen, and sscanf("%02x") storing an unsigned int through a char* -- since
# this program IS the challenge target; none of that is a generator bug to
# fix.  wow() and wowwow() are never called from main() (presumably kept so
# gets/read end up linked in -- not verifiable from this file).
mainbody = """#include <stdio.h>
#include <string.h>
#include <stdlib.h>
char bb[700]={0,};
int wow()
{
char a[10];
gets(a);
return 0;
}
int wowwow()
{
read(0,0,0);
return 0;
}
int main(int argc, char * argv[])
{
if(argc<2)
exit(0);
int l = strlen(argv[1]);
int c=0,cc=0;
char tmp[3]={0,};
while(l*2 > c)
{
tmp[0] = argv[1][c];
tmp[1] = argv[1][c+1];
sscanf(tmp,"%02x",&bb[cc++]);
c+=2;
}
fuck1(bb[0],bb[1],bb[2],bb[3]);
return 0;
}
"""
# scanffunc: body of one "plain" stage (stages 1..40).  Placeholders:
#   @  -> a random integer in 0..10                        (nselect)
#   $  -> '+' or '-'                                        (arithselect)
#   ?  -> four bb[] indices, and the inner "fuck(" call is
#         renamed to the next stage number                  (bbselect)
# The signature line "int fuckN(char a, ...)" is prepended by nselect.  A
# stage only calls the next one when all three equality tests on its byte
# arguments hold and the arithmetic guard passes.
scanffunc = """{
int tmp = 0;
int cc;
if(c == @)
{
if(@ == b)
{
if(@ == a)
{
tmp = (abs(a $ @ $ b $ @ $ c ))* d;
if(tmp > a+b+c-1)
{
cc = fuck(bb[?],bb[?],bb[?],bb[?]);
}
}
}
}
return 0;
}
"""
# captchafunc: same shape as scanffunc (stages 41..80) with one extra
# placeholder:
#   ~  -> 10 random ASCII letters/digits, the initializer of cap[10]
#         (captselect; a 10-char literal in char[10] drops the NUL, legal C)
# aa, cap and i are declared but never used by the template body itself.
captchafunc = """{
int tmp = 0;
int cc;
char aa[10]={0,};
char cap[10]="~";
int i;
if(c == @)
{
if(@ == b)
{
if(@ == a)
{
tmp = (abs(a $ @ $ b $ @ $ c ))* d;
if(tmp > a+b+c-1)
{
cc = fuck(bb[?],bb[?],bb[?],bb[?]);
}
}
}
}
return 0;
}"""
# vulnfunc: the final sink, fuck100(), reached from stage 80 (bbselect is
# called with ff=99 for that stage).  It copies 700-333 bytes of bb[] into an
# 8-byte stack buffer; __main__ compiles the whole file with
# -fno-stack-protector -z execstack, so this overrun is the intended end of
# the chain.  No placeholders.
vulnfunc = """int fuck100(char a, char b, char c, char d)
{
char dest[8];
return memcpy(dest, &bb[334], 700-333);
}
"""
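# Pools of bb[] indices the generated stages compare against.  Stages 1..40
# draw four indices each from bblist (4..163), stages 41..80 from aalist
# (164..323); both pools are shuffled so every generated binary inspects the
# input bytes in a different order.  list(range(...)) replaces the original
# append loop and works on both Python 2 and 3.
bblist = list(range(4, 164))
aalist = list(range(164, 324))
random.shuffle(bblist)
random.shuffle(aalist)
# Cursors into the two pools (advanced by 4 per stage in __main__) and the
# running stage number used by nselect() to name the next "fuckN" function.
bbcnt = 0
aacnt = 0
fcnt = 1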
def timeout(signum, frame):
    """SIGALRM handler: announce the deadline and end the session.

    ``signum`` and ``frame`` are the standard handler arguments; neither is
    used.  ``exit(0)`` raises SystemExit, which unwinds whatever __main__ was
    doing (including a pending raw_input).
    """
    print("TIMEOUT")
    exit(0)
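def nselect(funcstr, index=None):
    """Prefix ``funcstr`` with a stage signature and fill every ``@``.

    Args:
        funcstr: stage body template; each ``@`` is replaced by an
            independent random integer in [0, 10] (random.randint bounds).
        index: stage number for the ``int fuckN(char a, char b, char c,
            char d)`` signature.  Defaults to the module-level ``fcnt``
            counter that __main__ advances, so existing callers are
            unchanged; passing it explicitly removes the hidden global
            dependency.

    Returns:
        The signature line, a newline, and the filled template.
    """
    if index is None:
        index = fcnt
    template = "int fuck" + str(index) + "(char a, char b, char c, char d)\n" + funcstr
    pieces = template.split("@")
    # One fresh literal per placeholder, drawn left to right so the RNG call
    # order matches the original loop; join instead of repeated +=.
    filled = [piece + str(random.randint(0, 10)) for piece in pieces[:-1]]
    return "".join(filled) + pieces[-1]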
def arithselect(funcstr):
    """Replace every ``$`` in ``funcstr`` with a random ``+`` or ``-``.

    Each placeholder gets its own random.choice draw, in left-to-right
    order; text without ``$`` is returned unchanged.
    """
    operators = ("+", "-")
    segments = funcstr.split("$")
    tail = segments.pop()
    # Pair every leading segment with the operator that follows it.
    rebuilt = [segment + random.choice(operators) for segment in segments]
    rebuilt.append(tail)
    return "".join(rebuilt)
def bbselect(funcstr, a, b, c, d, ff):
    """Fill the four ``?`` slots with bb[] indices and retarget ``fuck(``.

    ``a``..``d`` are written, in order, into the four ``?`` positions;
    the ``fuck(`` call site in the leading fragment becomes ``fuck{ff+1}(``
    so the stage chains to the next one.  Exactly four ``?`` are expected
    (fewer raise IndexError, extras after the fourth are dropped).
    """
    fragments = funcstr.split("?")
    # Only the fragment before the first "?" carries the call site.
    fragments[0] = fragments[0].replace("fuck(", "fuck" + str(ff + 1) + "(")
    filled = [fragment + str(value) for fragment, value in zip(fragments, (a, b, c, d))]
    return "".join(filled) + fragments[4]
def captselect(funcstr):
    """Replace the single ``~`` in ``funcstr`` with 10 random ASCII alnums.

    Draws ten random.choice values from letters+digits (one call per
    character, same order as before), then splices them in at the ``~``.
    Text must contain at least one ``~`` (IndexError otherwise); anything
    after a second ``~`` is dropped.
    """
    alphabet = string.ascii_letters + string.digits
    token = "".join(map(random.choice, (alphabet,) * 10))
    head_tail = funcstr.split("~")
    return head_tail[0] + token + head_tail[1]
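if __name__ == "__main__":
    # One challenge session: generate a fresh 80-stage C program, compile it,
    # hand the player the base64 of the binary, then exec the binary with the
    # player's (hex-encoded) string as argv[1].
    #
    # NOTE(review): a pending alarm() is preserved across execl per POSIX, so
    # the exec'd binary inherits the remaining budget with the default SIGALRM
    # action -- confirm that is intended.
    signal.signal(signal.SIGALRM, timeout)
    signal.alarm(300)
    os.chdir("/tmp/")
    print("HI WASSUP\nJUST MAKE YOUR OWN AUTO EXPLOIT!\nSEND ME YOUR STRING TO EXPLOIT BRAND NEW BINARY (HEX ENCODED)\n")
    # Per-session name: timestamp + 32 hex chars from os.urandom, so parallel
    # sessions never collide.  The compiled binary is the name minus ".c".
    # Both files are left behind in /tmp after the session.
    filename = time.strftime("%m%d_%H%M%S", time.localtime()) + os.urandom(16).encode('hex') + ".c"
    binname = filename[:-2]
    with open(filename, "wb") as f:
        # Forward declarations for the 80 generated stages plus the sink.
        for i in xrange(1, 81):
            f.write("int fuck" + str(i) + "(char a, char b, char c, char d);\n")
        f.write("int fuck100(char a, char b, char c, char d);\n")
        f.write(mainbody + "\n")
        # Stages 1..40: plain comparison chain over bblist indices.  nselect()
        # reads the module-level fcnt for the stage name; bbselect() points
        # the inner call at fcnt + 1.
        for i in xrange(0, 40):
            f.write(bbselect(arithselect(nselect(scanffunc)),
                             bblist[bbcnt], bblist[bbcnt + 1],
                             bblist[bbcnt + 2], bblist[bbcnt + 3], fcnt) + "\n")
            bbcnt += 4
            fcnt += 1
        # Stages 41..79: same shape plus a random captcha literal, over aalist.
        for i in xrange(0, 39):
            f.write(captselect(bbselect(arithselect(nselect(captchafunc)),
                                        aalist[aacnt], aalist[aacnt + 1],
                                        aalist[aacnt + 2], aalist[aacnt + 3], fcnt) + "\n"))
            aacnt += 4
            fcnt += 1
        # Stage 80 (fcnt == 80 here) is wired to fuck100 via ff=99.
        f.write(captselect(bbselect(arithselect(nselect(captchafunc)),
                                    aalist[aacnt], aalist[aacnt + 1],
                                    aalist[aacnt + 2], aalist[aacnt + 3], 99) + "\n"))
        f.write(vulnfunc + "\n")
    # Build without a shell: argv lists instead of os.system strings.  The
    # mitigations are switched off on purpose (-fno-stack-protector,
    # -z execstack) -- that is the challenge, not an oversight.  gcc's stderr
    # is discarded as before, but a failed build is now reported instead of
    # surfacing later as a CalledProcessError from base64.
    gcc_cmd = ["gcc", "-o", "./" + binname, "./" + filename,
               "-fno-stack-protector", "-z", "execstack", "-w"]
    with open(os.devnull, "wb") as devnull:
        if subprocess.call(gcc_cmd, stderr=devnull) != 0:
            print("BUILD FAILED")
            exit(1)
    subprocess.call(["strip", "./" + binname])
    result = subprocess.check_output(["base64", "./" + binname])
    print(result)
    print("\n\n\nNOW GIVE ME YOUR INPUT\n")
    ii = raw_input(">>> ")
    # execl uses no shell: the player's string is passed verbatim as the single
    # argv[1]; the binary's own main() hex-decodes it (see mainbody).
    os.execl("./" + binname, "./" + binname, ii)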