src of mbrainfuzz_returns
#!/usr/bin/python -u
import binascii
import os
import random
import signal
import string
import subprocess
import time
# C translation unit written first into the generated source. main() takes
# the participant's string as argv[1], hex-decodes it two characters at a
# time into the 700-byte global bb[] via sscanf("%02x"), then calls
# fuck1(bb[0], bb[1], bb[2], bb[3]) -- the head of the generated chain.
# wow() and wowwow() are compiled in but never called from main().
# This is a deliberately weak CTF target: gets() into a 10-byte buffer,
# read(0,0,0), and a decode loop that never checks the input length
# against bb[700] are the challenge, not code to reuse.
mainbody = """#include <stdio.h>
#include <string.h>
#include <stdlib.h>
char bb[700]={0,};
int wow()
{
char a[10];
gets(a);
return 0;
}
int wowwow()
{
read(0,0,0);
return 0;
}
int main(int argc, char * argv[])
{
if(argc<2)
exit(0);
int l = strlen(argv[1]);
int c=0,cc=0;
char tmp[3]={0,};
while(l*2 > c)
{
tmp[0] = argv[1][c];
tmp[1] = argv[1][c+1];
sscanf(tmp,"%02x",&bb[cc++]);
c+=2;
}
fuck1(bb[0],bb[1],bb[2],bb[3]);
return 0;
}
"""
# Body template for fuck1..fuck40; nselect() prepends the signature.
# Placeholders, each filled by one generator further down:
#   @  -> random integer literal 0..10           (nselect)
#   $  -> '+' or '-'                             (arithselect)
#   ?  -> index into bb[], four per function     (bbselect, which also
#         renames the inner fuck( call to the next function in the chain)
# The nested ifs are the per-function gate: the next function is only
# called when c, b and a equal the generated constants and the abs()
# expression beats a+b+c-1. The call's result (cc) is never read and the
# function always returns 0.
scanffunc = """{
int tmp = 0;
int cc;
if(c == @)
{
if(@ == b)
{
if(@ == a)
{
tmp = (abs(a $ @ $ b $ @ $ c )) * d;
if(tmp > a+b+c-1)
{
cc = fuck(bb[?],bb[?],bb[?],bb[?]);
}
}
}
}
return 0;
}
"""
# Body template for fuck41..fuck80: the same @ / $ / ? gates as scanffunc
# plus one more placeholder:
#   ~  -> 10-character alphanumeric literal      (captselect)
# The token exactly fills char cap[10], so cap carries no NUL terminator;
# aa, cap and i are declared but never used in the template. Unlike
# scanffunc this template has no trailing newline after the closing brace.
captchafunc = """{
int tmp = 0;
int cc;
char aa[10]={0,};
char cap[10]="~";
int i;
if(c == @)
{
if(@ == b)
{
if(@ == a)
{
tmp = (abs(a $ @ $ b $ @ $ c )) * d;
if(tmp > a+b+c-1)
{
cc = fuck(bb[?],bb[?],bb[?],bb[?]);
}
}
}
}
return 0;
}"""
# Final link of the chain, forward-declared as fuck100 and reached only
# from the last captcha function (built with ff=99 in the main block).
# It copies 700-333 = 367 bytes from bb[334] into an 8-byte stack buffer
# and returns memcpy's pointer as an int; this is the intended memory-
# safety defect of the challenge binary, which the main block compiles
# with -fno-stack-protector.
vulnfunc = """int fuck100(char a, char b, char c, char d)
{
char dest[8];
return memcpy(dest, &bb[334], 700-333);
}
"""
# Pools of bb[] indices handed out to the generated functions: 4..163 for
# the scanffunc chain, 164..323 for the captchafunc chain (160 each, i.e.
# four per function). Shuffled once so every generated binary touches the
# buffer in a different order.
bblist = list(range(4, 164))
aalist = list(range(164, 324))
random.shuffle(bblist)
random.shuffle(aalist)
# Cursors into the two pools and the running function number; the main
# block advances all three as it writes functions.
bbcnt = 0
aacnt = 0
fcnt = 1
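def timeout(signum, frame):
    """SIGALRM handler: announce the deadline and terminate the process.

    ``signum`` and ``frame`` are the standard handler arguments and are
    unused. Terminates by raising SystemExit(0) directly instead of calling
    the ``exit`` helper that the ``site`` module injects, which is missing
    when the interpreter runs with ``-S``.
    """
    print("TIMEOUT")
    raise SystemExit(0)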
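def nselect(funcstr):
    """Prefix *funcstr* with the signature of function number ``fcnt`` and
    replace every ``@`` placeholder with a random integer literal in 0..10.

    Reads the module-level counter ``fcnt``; the caller is responsible for
    advancing it. Returns the completed C source as a string. A template
    without ``@`` comes back unchanged apart from the prepended signature.
    """
    header = "int fuck" + str(fcnt) + "(char a, char b, char c, char d)\n"
    pieces = (header + funcstr).split("@")
    filled = []
    for piece in pieces[:-1]:
        filled.append(piece)
        # One fresh draw per placeholder, in source order.
        filled.append(str(random.randint(0, 10)))
    filled.append(pieces[-1])
    return "".join(filled)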
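def arithselect(funcstr):
    """Replace every ``$`` placeholder in *funcstr* with a random ``+`` or ``-``.

    Each placeholder is drawn independently, in source order. A string
    without ``$`` is returned unchanged.
    """
    operators = ("+", "-")
    pieces = funcstr.split("$")
    filled = []
    for piece in pieces[:-1]:
        filled.append(piece)
        filled.append(random.choice(operators))
    filled.append(pieces[-1])
    return "".join(filled)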
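def bbselect(funcstr, a, b, c, d, ff):
    """Fill the four ``?`` index placeholders with *a*, *b*, *c*, *d* and
    point the template's ``fuck(`` call at function number ``ff + 1``.

    The call-site rename is applied only to the text before the first
    ``?``, which is where both templates keep the call. Raises ValueError
    unless the template contains exactly four ``?`` (the original silently
    dropped anything after the fourth and crashed on fewer).
    """
    pieces = funcstr.split("?")
    if len(pieces) != 5:
        raise ValueError("expected exactly four '?' placeholders, found %d"
                         % (len(pieces) - 1))
    pieces[0] = pieces[0].replace("fuck(", "fuck" + str(ff + 1) + "(")
    out = [pieces[0]]
    for value, tail in zip((a, b, c, d), pieces[1:]):
        out.append(str(value))
        out.append(tail)
    return "".join(out)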
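def captselect(funcstr):
    """Replace the single ``~`` placeholder in *funcstr* with a random
    10-character alphanumeric token (the size of the template's
    ``char cap[10]``).

    The alphabet is ASCII letters and digits only, so the token never needs
    escaping inside the C string literal it lands in. Raises ValueError
    unless exactly one ``~`` is present.
    """
    alphabet = string.ascii_letters + string.digits
    token = "".join(random.choice(alphabet) for _ in range(10))
    head, sep, tail = funcstr.partition("~")
    if not sep or "~" in tail:
        raise ValueError("expected exactly one '~' placeholder")
    return head + token + tail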
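if __name__ == "__main__":
    # Hard wall-clock budget for the session. The pending alarm survives
    # execl(), so the same 300 s also bounds the challenge binary.
    signal.signal(signal.SIGALRM, timeout)
    signal.alarm(300)
    os.chdir("/tmp/")
    print("HI WASSUP\nJUST MAKE YOUR OWN AUTO EXPLOIT!\nSEND ME YOUR STRING TO EXPLOIT BRAND NEW BINARY (HEX ENCODED)\n")
    # Per-session name: timestamp plus 16 random bytes. Nothing user-supplied
    # goes into it, and the 128-bit suffix is what keeps it unguessable in
    # the shared directory (open() below is a plain create/truncate).
    filename = time.strftime("%m%d_%H%M%S", time.localtime()) + binascii.hexlify(os.urandom(16)) + ".c"
    binname = filename[:-2]
    with open(filename, "wb") as f:
        # Forward declarations for the whole chain plus the final sink.
        for i in range(1, 81):
            f.write("int fuck" + str(i) + "(char a, char b, char c, char d);\n")
        f.write("int fuck100(char a, char b, char c, char d);\n")
        f.write(mainbody + "\n")
        # fuck1..fuck40: arithmetic gates over four shuffled bb[] indices each.
        for i in range(40):
            f.write(bbselect(arithselect(nselect(scanffunc)),
                             bblist[bbcnt], bblist[bbcnt + 1],
                             bblist[bbcnt + 2], bblist[bbcnt + 3],
                             fcnt) + "\n")
            bbcnt += 4
            fcnt += 1
        # fuck41..fuck79: same gates plus a captcha literal, still chained.
        for i in range(39):
            f.write(captselect(bbselect(arithselect(nselect(captchafunc)),
                                        aalist[aacnt], aalist[aacnt + 1],
                                        aalist[aacnt + 2], aalist[aacnt + 3],
                                        fcnt) + "\n"))
            aacnt += 4
            fcnt += 1
        # fuck80 is built with ff=99 so its call target is fuck100, the sink.
        f.write(captselect(bbselect(arithselect(nselect(captchafunc)),
                                    aalist[aacnt], aalist[aacnt + 1],
                                    aalist[aacnt + 2], aalist[aacnt + 3],
                                    99) + "\n"))
        f.write(vulnfunc + "\n")
    # Build exactly as before (no stack protector, warnings off, compiler
    # noise discarded) but with argument lists, so no shell ever parses
    # the file name.
    with open(os.devnull, "wb") as devnull:
        rc = subprocess.call(["gcc", "-o", "./" + binname, "./" + filename,
                              "-fno-stack-protector", "-w"], stderr=devnull)
    if rc != 0:
        # A failed build used to surface only as an OSError from execl().
        print("BUILD FAILED")
        raise SystemExit(1)
    subprocess.call(["strip", "./" + binname])
    # Same line-wrapped stream the base64 CLI produced, minus shell=True.
    result = subprocess.check_output(["base64", "./" + binname])
    print(result)
    print("\n\n\nNOW GIVE ME YOUR INPUT\n")
    # raw_input() hands back the raw line (no eval); it becomes argv[1] of
    # the challenge binary, which hex-decodes it itself.
    ii = raw_input(">>> ")
    # NOTE: the .c source and the binary stay behind in /tmp -- execl()
    # never returns, so nothing here can reap them; an outer wrapper must.
    os.execl("./" + binname, "./" + binname, ii)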