bkth/sniper.py

## sniper.py
import time
import telnetlib
import sys
import binascii
import struct
import socket

def info(s):
    print "[*] %s" % s


def ru(delim):
    buf = ""
    while not delim in buf:
        buf += sock.recv(1)
    return buf

def interact():
    info("Switching to interactive mode")
    t=telnetlib.Telnet()
    t.sock = sock
    t.interact()


p32 = lambda v: struct.pack("<I", v)
p64 = lambda v: struct.pack("<Q", v)
u32 = lambda v: struct.unpack("<I", v)[0]
u64 = lambda v: struct.unpack("<Q", v)[0]

offset = int(sys.argv[2], 16)

BEGIN = -1
END = -1

ranges = {}

def get_ranges():

    maps = []
    with open("/proc/%s/maps" % sys.argv[1]) as f:
        maps = f.read().split("\n")

    keys = []
    for m in maps:

        k = m.split(" ")[-1]
        if k and (k[0] == '/' or k == "[heap]" or k == "[stack]"):
            if k not in keys:
                keys.append(k)

    for k in keys:

        mem = [x.split(" ")[0] for x in maps if k in x]
        BEGIN = int(mem[0].split("-")[0], 16)
        END = int(mem[-1].split("-")[1], 16)

        ranges[k] = (BEGIN, END)


def peek_pointer(v):

    for k in ranges:
        if ranges[k][0] <= v < ranges[k][1]:
            info("%s pointer found at 0x%x, value 0x%x" % (k, offset, v))

def peek_pointers():
    global offset
    with open("/proc/%s/mem" % sys.argv[1], "rb") as f:
        try:
            while True:
                # info("looking at addr 0x%x" % offset)
                f.seek(offset)
                qw = u64(f.read(8))

                peek_pointer(qw)
                offset += 8
        except:
            info("failed at offset 0x%x" % offset)


if __name__ == "__main__":
  get_ranges()
  peek_pointers()
	import time
	import telnetlib
	import sys
	import binascii
	import struct
	import socket

	def info(s):
	print "[*] %s" % s


	def ru(delim):
	buf = ""
	while not delim in buf:
	buf += sock.recv(1)
	return buf

	def interact():
	info("Switching to interactive mode")
	t=telnetlib.Telnet()
	t.sock = sock
	t.interact()


	p32 = lambda v: struct.pack("<I", v)
	p64 = lambda v: struct.pack("<Q", v)
	u32 = lambda v: struct.unpack("<I", v)[0]
	u64 = lambda v: struct.unpack("<Q", v)[0]

	offset = int(sys.argv[2], 16)

	BEGIN = -1
	END = -1

	ranges = {}

	def get_ranges():

	maps = []
	with open("/proc/%s/maps" % sys.argv[1]) as f:
	maps = f.read().split("\n")

	keys = []
	for m in maps:

	k = m.split(" ")[-1]
	if k and (k[0] == '/' or k == "[heap]" or k == "[stack]"):
	if k not in keys:
	keys.append(k)

	for k in keys:

	mem = [x.split(" ")[0] for x in maps if k in x]
	BEGIN = int(mem[0].split("-")[0], 16)
	END = int(mem[-1].split("-")[1], 16)

	ranges[k] = (BEGIN, END)


	def peek_pointer(v):

	for k in ranges:
	if ranges[k][0] <= v < ranges[k][1]:
	info("%s pointer found at 0x%x, value 0x%x" % (k, offset, v))

	def peek_pointers():
	global offset
	with open("/proc/%s/mem" % sys.argv[1], "rb") as f:
	try:
	while True:
	# info("looking at addr 0x%x" % offset)
	f.seek(offset)
	qw = u64(f.read(8))

	peek_pointer(qw)
	offset += 8
	except:
	info("failed at offset 0x%x" % offset)


	if __name__ == "__main__":
	get_ranges()
	peek_pointers()