def create(self, bInheritHandle=1):
# set attr
attr = SECURITY_ATTRIBUTES()
attr.lpSecurityDescriptor = 0
attr.bInheritHandle = bInheritHandle
attr.nLength = sizeof(attr)
hReadPipe = wintypes.HANDLE() # father read, child write
hWritePipe = wintypes.HANDLE() # father write, child read
child_hReadPipe = wintypes.HANDLE()
child_hWritePipe = wintypes.HANDLE()
rs1 = windll.kernel32.CreatePipe(byref(hReadPipe),
byref(child_hWritePipe), byref(attr),
0)
rs2 = windll.kernel32.CreatePipe(byref(child_hReadPipe),
byref(hWritePipe), byref(attr), 0)
rs3 = windll.kernel32.SetHandleInformation(hReadPipe.value,
HANDLE_FLAG_INHERIT, 0)
rs4 = windll.kernel32.SetHandleInformation(hWritePipe.value,
HANDLE_FLAG_INHERIT, 0)
if (rs1 and rs2 and rs3 and rs4):
return (hReadPipe.value, hWritePipe.value, child_hReadPipe.value,
child_hWritePipe.value)
else:
raise (EOFError(color("[-]: Create Pipe error", 'red')))
def attach(clx, target, script="", sysroot=None):
showbanner('attaching', 'purple', '[=]')
if context.windbg_path is None:
raise Exception(
color("can't find windbg.exe, plz set context.windbg_path",
'red'))
else:
windbgPath = context.windbg
load_windbg = [windbgPath, '-p']
if isinstance(target, int):
load_windbg.append(str(target))
else:
load_windbg.append(str(target.pid))
script = context.dbginit + '\n' + script + '\n'
tmp = tempfile.NamedTemporaryFile(prefix='winpwn_',
suffix='.dbg',
delete=False)
tmp.write(Latin1_encode(script))
tmp.flush()
tmp.close()
load_windbg += ['-c'] # exec command
load_windbg += [
'$$><{}'.format(tmp.name) + ';.shell -x del {}'.format(tmp.name)
]
# print('script:',script)
# print('load:',load_windbg)
ter = subprocess.Popen(load_windbg)
while (os.path.exists(tmp.name)): # wait_for_debugger
pass
target.debugger = ter
return ter.pid
def recvn(self, n, timeout=None):
# must recv n bytes within timeout
showbanner("Recv")
buf = self.read(n, timeout)
if len(buf) != n:
raise (EOFError(color("[-]: Timeout when use recvn", 'red')))
showbuf(buf)
return buf
def recv_thread():
try:
while not go.is_set():
buf = self.read(0x10000, 0.125, interactive=True)
if buf:
showbuf(buf, is_noout=False)
showbanner('Interacting', is_noout=False)
go.wait(0.2)
except KeyboardInterrupt:
go.set()
print(color('[-]: Exited', 'red'))
def read(self, n, timeout=None, interactive=False):
buf = ''
try:
if self.debugger is not None and interactive is False:
while (len(buf) != n):
buf += self.Process.read(n - len(buf), timeout)
else:
buf = self.Process.read(n, timeout)
except KeyboardInterrupt:
self.close()
raise (EOFError(color("[-]: Exited by CTRL+C", 'red')))
return buf
def interactive(self):
# it exited, contrl+C, timeout
showbanner('Interacting', is_noout=False)
go = threading.Event()
go.clear()
def recv_thread():
try:
while not go.is_set():
buf = self.read(0x10000, 0.125, interactive=True)
if buf:
showbuf(buf, is_noout=False)
showbanner('Interacting', is_noout=False)
go.wait(0.2)
except KeyboardInterrupt:
go.set()
print(color('[-]: Exited', 'red'))
t = threading.Thread(target=recv_thread)
t.daemon = True
t.start()
try:
while not go.is_set():
go.wait(0.2)
try:
if self.is_exit():
time.sleep(0.2) # wait for time to read output
buf = sys.stdin.readline()
if buf:
self.write(buf) # remote.write() may cause exception
except:
go.set()
print(color('[-]: Exited', 'red'))
break
except KeyboardInterrupt: # control+C
go.set()
print(color('[-]: Exited', 'red'))
while t.is_alive():
t.join(timeout=0.1)
def read(self, n, timeout=None, interactive=False):
if timeout is not None:
self.sock.settimeout(timeout)
buf = b''
try:
buf = self.sock.recv(n) # ignore timeout error
except KeyboardInterrupt:
self.close()
raise (EOFError(color("[-]: Exited by CTRL+C", 'red')))
except:
pass
self.sock.settimeout(self.timeout)
return Latin1_decode(buf)
def __init__(self,
ip,
port,
family=socket.AF_INET,
socktype=socket.SOCK_STREAM):
tube.__init__(self)
self.sock = socket.socket(family, socktype)
# self.ip = ip
# self.port = port
self._is_exit = False
try:
showbanner("Connecting to ({},{})".format(ip, port))
self.sock.settimeout(self.timeout)
self.sock.connect((ip, port))
except:
raise (EOFError(
color("[-]: Connect to ({},{}) failed".format(ip, port),
'red')))
def create(self, argv, cwd=None, flags=None):
lpCurrentDirectory = cwd
lpEnvironment = None
dwCreationFlags = flags
bInheritHandles = True
lpProcessAttributes = None
lpThreadAttributes = None
lpProcessInformation = PROCESS_INFORMATION()
StartupInfo = STARTUPINFO()
StartupInfo.cb = sizeof(StartupInfo)
StartupInfo.dwFlags = STARTF_USESTDHANDLES
StartupInfo.hStdInput = self.child_hReadPipe
StartupInfo.hStdOutput = self.child_hWritePipe
StartupInfo.hStdError = self.child_hWritePipe
lpStartupInfo = byref(StartupInfo)
lpCommandLine = None
lpApplicationName = None
if not isinstance(argv, list):
lpApplicationName = Latin1_encode(argv)
else:
lpCommandLine = Latin1_encode((" ".join([str(a) for a in argv])))
try:
bs = windll.kernel32.CreateProcessA(
lpApplicationName, lpCommandLine, lpProcessAttributes,
lpThreadAttributes, bInheritHandles, dwCreationFlags,
lpEnvironment, lpCurrentDirectory, byref(StartupInfo),
byref(lpProcessInformation))
self.pid = lpProcessInformation.dwProcessId
self.phandle = lpProcessInformation.hProcess
self.tid = lpProcessInformation.dwThreadId
self.thandle = lpProcessInformation.hThread
showbanner('Create process success #pid 0x{:x}'.format(self.pid))
except:
raise (EOFError(color("[-]: Create process error", 'red')))
def recvuntil(self, delim, drop=True, timeout=None):
showbanner("Recv")
if timeout is None:
if self.timeout:
timeout = self.timeout
else:
timeout = context.timeout
buf = ''
st = time.time()
xt = st
while (buf[-len(delim):] != delim):
buf += self.read(1, timeout=timeout - (xt - st))
if self.debugger is None:
xt = time.time()
if (xt - st) >= timeout:
break
if not buf.endswith(delim):
raise (EOFError(color("[-]: Recvuntil error", 'red')))
if drop:
buf = buf[:-len(delim)]
showbuf(buf)
return buf