/
tinypwn.py
140 lines (114 loc) · 3.34 KB
/
tinypwn.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
import socket
import struct
import subprocess
import threading
import commands
import time
import sys
import os
class Pwn:
def __enter__(self):
return self
def __exit__(self, exc_type, exc_value, traceback):
self.close()
def sendline(self, data):
self.send(data + '\n')
def recvuntil(self, delim):
ret = ""
while True:
ret += self.recv(1)
if ret.endswith(delim):
return ret
def sendafter(self, delim, data):
self.recvuntil(delim)
self.send(data)
def sendlineafter(self, delim, data):
self.recvuntil(delim)
self.sendline(data)
def recvline(self):
return self.recvuntil('\n')[:-1]
def listener(self):
while True:
data = self.recv(1)
if data:
sys.stdout.write(data)
else:
print "\n*** Connection closed ***"
break
def interact(self):
print "[*] Switching to interactive mode"
t = threading.Thread(target = self.listener)
t.start()
time.sleep(0.1)
print ""
while t.is_alive():
print "$",
try:
data = raw_input()
except EOFError:
self.close()
break
self.sendline(data)
time.sleep(0.2)
class Remote(Pwn):
def __init__(self, ip, port):
self.sock = socket.create_connection((ip, port))
def close(self):
self.sock.shutdown(socket.SHUT_WR)
def send(self,data):
self.sock.sendall(data)
time.sleep(0.03)
def recv(self, n):
return self.sock.recv(n)
class Local(Pwn):
def __init__(self, *args, **env):
self.proc = subprocess.Popen(args, stdin = subprocess.PIPE, stdout = subprocess.PIPE, env = env)
def close(self):
self.proc.stdin.close()
def send(self,data):
self.proc.stdin.write(data)
time.sleep(0.03)
def recv(self, n):
return self.proc.stdout.read(n)
def p32(x):
return struct.pack('<I',x)
def u32(x):
return struct.unpack('<I',x.ljust(4,'\0'))[0]
def p64(x):
return struct.pack('<Q',x)
def u64(x):
return struct.unpack('<Q',x.ljust(8,'\0'))[0]
def get_shellcode(name):
try:
with open(os.path.dirname(__file__) + '/shellcodes/' + name + '.asm', 'r') as f:
if '32' in name:
frmt = 'elf32'
else:
frmt = 'elf64'
return asm(f.read(),frmt)
except Exception:
print "\n*** error: %s.asm does not exist ***" % name
exit(0)
def run(cmd):
return commands.getoutput(' '.join(cmd))
shellcodes = {}
def asm(code,frmt = 'elf64'):
global shellcodes
if code not in shellcodes:
asmfile = 'tmp.asm'
objfile = 'tmp.o'
assembler = ['nasm', '-f', frmt, asmfile]
objcopy = ['objcopy', '-j', '.text', '-O', 'binary', objfile]
try:
with open(asmfile,'wb') as f:
f.write(code)
run(assembler)
run(objcopy)
with open(objfile,'rb') as f:
shellcodes[code] = f.read()
except Exception:
print "\n*** error: following shellcode can't be assemble. ***"
print code
return None
# exit(1)
return shellcodes[code]