pointers sniper
import time | |
import telnetlib | |
import sys | |
import binascii | |
import struct | |
import socket | |
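def info(s):
    """Print *s* to stdout prefixed with ``[*]``.

    Written as a call with a single parenthesised argument so the same
    line is valid under both Python 2 (print statement) and Python 3;
    the output is identical on either.
    """
    print("[*] %s" % s)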
def ru(delim):
    """Receive from the module-level ``sock`` one byte at a time until *delim* is seen.

    Returns everything received so far, delimiter included.  ``sock`` is
    never bound anywhere in this file, so a call raises NameError unless
    the caller assigns it first.
    """
    received = ""
    while delim not in received:
        received += sock.recv(1)
    return received
def interact():
    """Hand the module-level ``sock`` to a telnetlib session for manual use.

    Announces the switch via info(), then blocks in Telnet.interact()
    until the session ends.  Requires ``sock`` to have been bound by the
    caller; this file never assigns it.
    """
    info("Switching to interactive mode")
    term = telnetlib.Telnet()
    term.sock = sock
    term.interact()
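def p32(v):
    """Pack the integer *v* as 4 little-endian unsigned bytes."""
    return struct.pack("<I", v)


def p64(v):
    """Pack the integer *v* as 8 little-endian unsigned bytes."""
    return struct.pack("<Q", v)


def u32(v):
    """Unpack exactly 4 little-endian bytes *v* into an unsigned int.

    Raises struct.error if *v* is not exactly 4 bytes long.
    """
    return struct.unpack("<I", v)[0]


def u64(v):
    """Unpack exactly 8 little-endian bytes *v* into an unsigned int.

    Raises struct.error if *v* is not exactly 8 bytes long.
    """
    return struct.unpack("<Q", v)[0]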
# Command line: <pid> <hex-offset>.  The offset is parsed at import time,
# so the module cannot be imported without it: a missing argument raises
# IndexError, a non-hex value raises ValueError.
offset = int(sys.argv[2], base=16)
# Placeholders that nothing in this file updates or reads: get_ranges()
# stores its results in ``ranges`` below, not here.
BEGIN = -1
END = -1
# Mapping name -> (start, end) address pair, filled in by get_ranges().
ranges = dict()
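def _parse_maps(lines):
    """Return ``{name: (start, end)}`` for the named mappings in *lines*.

    *lines* are the lines of a ``/proc/<pid>/maps`` file.  Only mappings
    whose pathname starts with ``/`` plus ``[heap]`` and ``[stack]`` are
    kept; anonymous mappings and other pseudo-paths (``[vdso]`` ...) are
    dropped.  A name that appears on several lines gets the start of its
    first line and the end of its last one, which assumes those lines are
    contiguous in memory (true for the usual segments of one file, but a
    heuristic nonetheless).  Pathnames are compared exactly, so a
    ``(deleted)`` suffix or a longer path sharing a prefix is a separate
    entry rather than being merged in.
    """
    bounds = {}
    for line in lines:
        # Layout: range perms offset dev inode [pathname]; maxsplit=5 keeps
        # a pathname containing spaces intact as the sixth field.
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        name = fields[5].rstrip()
        if not (name.startswith("/") or name in ("[heap]", "[stack]")):
            continue
        start_s, end_s = fields[0].split("-")
        start, end = int(start_s, 16), int(end_s, 16)
        if name in bounds:
            bounds[name] = (bounds[name][0], end)
        else:
            bounds[name] = (start, end)
    return bounds


def get_ranges(pid=None):
    """Populate the module-level ``ranges`` table from ``/proc/<pid>/maps``.

    *pid* defaults to ``sys.argv[1]``, matching the script's command line.
    Existing entries in ``ranges`` are overwritten by name but never
    removed.  Returns ``ranges`` for convenience.  Raises IOError/OSError
    when the maps file cannot be opened (the process is gone, or this
    process is not allowed to inspect it).
    """
    if pid is None:
        pid = sys.argv[1]
    with open("/proc/%s/maps" % pid) as f:
        found = _parse_maps(f.read().splitlines())
    ranges.update(found)
    return ranges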
def peek_pointer(v):
    """Report *v* via info() if it lies inside any range in the global ``ranges``.

    The message names the matching mapping and the global ``offset`` the
    value was read from; a value matching several ranges is reported once
    per range.
    """
    for name, (lo, hi) in ranges.items():
        if lo <= v < hi:
            info("%s pointer found at 0x%x, value 0x%x" % (name, offset, v))
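def peek_pointers():
    """Walk ``/proc/<pid>/mem`` from the global ``offset`` in 8-byte steps.

    Every qword is handed to peek_pointer(); ``offset`` is advanced in
    place so the final message (and any later caller) sees where the scan
    stopped.  The scan ends at the first I/O error (an unmapped or
    unreadable address) or short read (end of the readable region) and
    reports that offset.  Only IOError/OSError are caught -- unlike the
    bare ``except:`` this replaces, KeyboardInterrupt and SystemExit still
    propagate, so Ctrl-C stops the scan.  Opening the file is outside the
    handler: reading another process's memory is subject to the kernel's
    access checks, and a permission error there propagates to the caller.
    """
    global offset
    with open("/proc/%s/mem" % sys.argv[1], "rb") as f:
        try:
            while True:
                f.seek(offset)
                chunk = f.read(8)
                if len(chunk) < 8:
                    # EOF or partial read: nothing further to decode.
                    break
                peek_pointer(u64(chunk))
                offset += 8
        except (IOError, OSError):
            # Unreadable page; the offset reached is reported below.
            pass
    # Reached on a short read or an I/O error alike: report how far we got.
    info("failed at offset 0x%x" % offset)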
if __name__ == "__main__":
    # Usage: <pid> <hex-offset>.  The pid is read from sys.argv[1] inside
    # get_ranges()/peek_pointers(); the offset comes from the module-level
    # ``offset`` assignment above.
    # Build the name -> address-range table first; peek_pointer() needs it.
    get_ranges()
    peek_pointers()