
bufferbruteforce.py


This script brute-forces the length of the argument fed to a test program until the program segfaults, so you learn how many bytes it takes to overflow its buffer.

#!/usr/bin/python
import commands
import os
import os.path
import re
import signal
import StringIO
import subprocess
import sys
import time

'''
	This is a buffer brute-forcer: it feeds a target program ever-longer arguments and reports the length at which the program receives a segmentation fault.
	Written for educational purposes and authorised penetration testing only. Use it at your own risk.
	Toolname : bufferbruteforce.py
	Author	 : gunslinger_ <yudha.gunslinger@gmail.com>
	date	 : Sun Jul  4 00:58:54 WIT 2010
	You can use this deliberately vulnerable bof.c for testing. Note the example below disables the stack protector at compile time and turns ASLR off system-wide; both weaken every process on the host, so do this only on a disposable lab machine.
	-----------------bof.c-----------------
	#include <stdio.h>
	#include <string.h>

	int main(int argc, char** argv)
	{
		char buffer[400];
		strcpy(buffer, argv[1]);

		return 0;
	}
	------------------EOF------------------
	Example usage :
	root@localhost:/home/gunslinger/bof# cat bof.c
	#include <stdio.h>
	#include <string.h>

	int main(int argc, char** argv)
	{
		char buffer[400];
		strcpy(buffer, argv[1]);

		return 0;
	}
	root@localhost:/home/gunslinger/bof# echo 0 > /proc/sys/kernel/randomize_va_space
	root@localhost:/home/gunslinger/bof# gcc -o bof -g -fno-stack-protector -mpreferred-stack-boundary=2 bof.c
	root@localhost:/home/gunslinger/bof# exit
	gunslinger@localhost:~/bof$ ./bbf.py -a /home/gunslinger/bof/bof -s 1 -e 500

	Buffer brute force
	Programmer : gunslinger_ <yudha.gunslinger@gmail.com>

	[*] Checking Existing application 					[Ok]
	[*] Checking '/proc/sys/kernel/randomize_va_space' 			[Ok]
	[*] Checking null on randomize_va_space 				[Ok]
	[*] Checking perl 							[Ok]
	[*] Preparing for bruteforcing buffer 					[Ok]
	[*] buffering on 404 byte(s)
	[!] Application got segmentation fault by giving 404 byte(s) into buffer !!

	gunslinger@localhost:~/bof$
'''

# ANSI escape sequences for the status column of the progress output.
# NOTE(review): '\033[38m' is the extended-colour prefix rather than the
# standard green (32m); most terminals render it as the default colour.
# Kept byte-identical because it is purely cosmetic.
green = '\033[38m'
red = '\033[31m'
reset = '\033[0;0m'

# Program name as invoked; shown in the usage text and the exit message.
name = sys.argv[0]

# Status tags printed after each pre-flight check.
fail = "[Failure]"
ok = "[Ok]"

# procfs knob that must read 0 (ASLR disabled) before the tool runs.
rvs = '/proc/sys/kernel/randomize_va_space'

# Banner printed by myface().
face = ('\n'
        'Buffer brute force\n'
        'Programmer : gunslinger_ <yudha.gunslinger@gmail.com>')

# Usage text printed by helpMe(); both %s slots take the program name.
option = '''
Usage: %s [options]
Options: -a, --application    	<path-to-application>   |   Target application for bruteforcing buffer 
         -s, --start      	<int>	          	|   start byte for bruteforcing buffer
         -e, --end  		<int>     	 	|   end byte for bruteforcing buffer
         -h, --help      	<help>          	|   print this help
                                        					
Example: %s -a /home/gunslinger/bufferoverflow/bof -s 0 -e 500
''' % (name, name)


def myface():
	"""Write the tool banner (`face`) plus a newline to stdout."""
	sys.stdout.write(face + "\n")

def helpMe():
	"""Print the banner and usage text, then terminate with exit status 1."""
	myface()
	sys.stdout.write(option + "\n")
	sys.exit(1)
	
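def _parse_args(argv):
	"""Extract the target path and byte range from an argv-style list.

	Recognised flags (matched case-insensitively): -a/--application PATH,
	-s/--start INT, -e/--end INT, -h/--help.  Returns a tuple
	(app, start, end, want_help); values that were not supplied are None.
	start/end are converted with int() here, because the original left them
	as strings and Python 2 then compared an int counter against a str end
	(always true), so the brute-force loop never stopped at --end.
	A flag with no following value, or a non-numeric start/end, raises
	ValueError so the caller can show the usage text instead of dying later
	with an IndexError or NameError.  Unknown tokens are ignored, as before.
	"""
	app = start = end = None
	want_help = False
	i = 1
	while i < len(argv):
		flag = argv[i].lower()
		if flag in ('-h', '--help'):
			want_help = True
			i += 1
			continue
		if flag in ('-a', '--application', '-s', '--start', '-e', '--end'):
			if i + 1 >= len(argv):
				raise ValueError("missing value for %s" % argv[i])
			value = argv[i + 1]
			if flag in ('-a', '--application'):
				app = value
			elif flag in ('-s', '--start'):
				start = int(value)
			else:
				end = int(value)
			i += 2
			continue
		i += 1
	return app, start, end, want_help


# Module-level names the check functions and the brute-force loop read.
app = counter = end = None
_want_help = False
_parse_error = None
try:
	app, counter, end, _want_help = _parse_args(sys.argv)
except ValueError as _err:
	_parse_error = str(_err)

# Usage errors only terminate the process when this file is run as the
# tool itself; importing it never exits.
if __name__ == '__main__':
	if _parse_error is not None:
		sys.stderr.write("[-] %s\n" % _parse_error)
		helpMe()
	if _want_help or len(sys.argv) <= 1:
		helpMe()
	if app is None or counter is None or end is None:
		helpMe()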

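def _app_is_runnable(path):
	"""Return True if `path` names an existing regular file we may execute."""
	if not path:
		return False
	return os.path.isfile(path) and os.access(path, os.X_OK)


def checkingexistingfile():
	"""Pre-flight check: the -a target must be an existing, executable file.

	Prints the status line and exits with status 1 on failure.  This is
	stricter than the original os.path.exists(): a directory, a missing
	-a value, or a non-executable file is rejected here rather than
	failing on every iteration of the brute-force loop with a confusing
	"permission denied" / "not found" from the spawned process.
	"""
	runnable = _app_is_runnable(app)
	status = green + ok if runnable else red + fail
	time.sleep(1)
	print("\n[*] Checking Existing application \t\t\t\t\t%s%s" % (status, reset))
	if not runnable:
		print("[*] Please checking your application target path")
		print("[*] The path must name an existing, executable file")
		sys.exit(1)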

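def _read_randomize(path):
	"""Return the stripped text of `path`, or None if it cannot be read.

	Reads the file directly instead of running `cat` through a shell as
	the original did.  The ASLR knob holds a single digit (0, 1 or 2).
	"""
	try:
		fh = open(path)
	except (IOError, OSError):
		return None
	try:
		return fh.read().strip()
	finally:
		fh.close()


def checkrandomize():
	"""Pre-flight check: ASLR must be disabled (randomize_va_space == 0).

	Exits with status 1 if the procfs file is missing or holds any value
	other than exactly "0".  The original searched the text for a "0"
	character, which is equivalent for the three valid values but fragile;
	the exact comparison also treats an unreadable file as a failure.

	NOTE(review): writing 0 to this knob turns ASLR off for every process
	on the host, not just the target.  Only do it on a disposable lab
	machine.  The check is kept because the tool documents it as a
	prerequisite for reproducible results.
	"""
	present = os.path.exists(rvs)
	time.sleep(1)
	print("[*] Checking \'/proc/sys/kernel/randomize_va_space\' \t\t\t%s%s" % (green + ok if present else red + fail, reset))
	if not present:
		sys.exit(1)
	value = _read_randomize(rvs)
	time.sleep(1)
	if value == '0':
		print("[*] Checking null on randomize_va_space \t\t\t\t%s%s%s" % (green, ok, reset))
		time.sleep(1)
	else:
		print("[*] Checking null on randomize_va_space \t\t\t\t%s%s%s" % (red, fail, reset))
		print("[*] Please giving null on randomize_va_space by echo 0 > /proc/sys/kernel/randomize_va_space")
		sys.exit(1)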

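def _perl_works():
	"""Return True when `perl -e 'print "A" x 1'` runs and prints exactly "A".

	The interpreter is exec'd directly (no shell); a missing perl binary
	surfaces as OSError and is reported as False instead of raising.
	"""
	try:
		proc = subprocess.Popen(['perl', '-e', 'print "A" x 1'],
		                        stdout=subprocess.PIPE, stderr=subprocess.PIPE)
	except OSError:
		return False
	out, _ = proc.communicate()
	return proc.returncode == 0 and out.strip() == b'A'


def checkperl():
	"""Pre-flight check: perl must be available.

	Prints the status line and exits with status 1 if perl cannot be run.
	The original matched any "A" in the merged shell output of the probe
	command; this requires a zero exit status and an exact "A" on stdout.
	"""
	if _perl_works():
		print("[*] Checking perl \t\t\t\t\t\t\t%s%s%s" % (green, ok, reset))
		time.sleep(1)
	else:
		print("[*] Checking perl \t\t\t\t\t\t\t%s%s%s" % (red, fail, reset))
		print("[*] Are perl installed on your system ?")
		sys.exit(1)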


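def _got_sigsegv(target, length):
	"""Run `target` with one argument of `length` 'A' bytes; True iff SIGSEGV.

	The child is exec'd directly with an argv list, so there is no shell
	and no perl in the path: a target path with spaces or metacharacters
	is passed through unchanged, and the wait status is the real signal
	(returncode == -SIGSEGV) rather than the shell's 128+11 that the
	original matched as the substring "35584".  The child's stdout and
	stderr are discarded so the progress line stays readable.
	Raises OSError if the target cannot be executed (including E2BIG when
	the argument exceeds the kernel's single-argument limit).

	Differences from the shell/perl version worth knowing: length 0 passes
	an empty string argument, whereas empty backtick output passed no
	argument at all; and, as before, only SIGSEGV counts — a stack-
	protector abort (SIGABRT) is not reported as a crash.
	"""
	devnull = open(os.devnull, 'wb')
	try:
		rc = subprocess.call([target, 'A' * length],
		                     stdout=devnull, stderr=subprocess.STDOUT)
	finally:
		devnull.close()
	return rc == -signal.SIGSEGV


def bruteforcebuff():
	"""Grow the argument one byte at a time from `counter` to `end` until the
	target dies with SIGSEGV, then report that length.

	Reads the module globals app/counter/end set from the command line and
	leaves `counter` at the crashing length, as before.  Fixes over the
	original: `end` is compared as an int (the original compared an int
	counter to the raw argv string, which in Python 2 is always true, so
	the loop never stopped at --end); the payload is passed directly
	rather than through perl inside a shell; and a range with no crash is
	reported instead of ending silently.  Ctrl-C and an unrunnable target
	both exit with status 1.
	"""
	global counter
	print("[*] Preparing for bruteforcing buffer \t\t\t\t\t%s%s%s" % (green, ok, reset))
	time.sleep(1)
	counter = int(counter)
	first = counter
	last = int(end)
	while counter <= last:
		try:
			sys.stdout.write("\r[*] buffering on %s%d%s byte(s)" % (red, counter, reset))
			sys.stdout.flush()
			if _got_sigsegv(app, counter):
				print("\n[!] Application got segmentation fault by giving %s%d%s byte(s) into buffer !!\n" % (red, counter, reset))
				return
			counter += 1
		except KeyboardInterrupt:
			print("\n[-] Exiting %s" % (name))
			sys.exit(1)
		except OSError as err:
			print("\n[-] Could not run %s: %s" % (app, err))
			sys.exit(1)
	print("\n[-] No segmentation fault from %d to %d byte(s)" % (first, last))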
			
def main():
	"""Run the pre-flight checks in order, then the brute-force loop.

	Each check exits the process on failure, so reaching bruteforcebuff()
	means the target exists, ASLR is off and perl is available.
	"""
	steps = (myface, checkingexistingfile, checkrandomize, checkperl, bruteforcebuff)
	for step in steps:
		step()
	
if __name__ == '__main__':
	# Run the tool only when executed directly, never on import.
	main()


7 responses

  1. holoooh..apaan tuh?? :D

    July 3, 2010 at 1:34 pm

  2. hm…. ni fungsinya buat nge brute sopwer om??

    July 3, 2010 at 6:09 pm

    • hanya membrute buffer applikasi bro, supaya kita tahu vulnerable terhadap buffer overflow atau tidak dan untuk mengetahui berapa byte yang di perlukan untuk membuat program menjadi crash

      July 4, 2010 at 3:04 am

  3. vr3xz

    bang minta ijin buat belajar ni code sama buat pahami biar nambah ilmu..

    July 3, 2010 at 10:32 pm

  4. setelah mempelajari ttg schemafuzz saya tertarik untuk tau banyak ttg teknik python yg lain, dan blog anda telah menjawab rasa penasaran saya…oh ya bro….ada saran ndak untuk forum yang membahas khusus hack with python?

    December 11, 2010 at 2:45 pm

    • dulu ada, tahun 2009 tapi di tutup sama empunya… namanya darkc0de.com, sekarang udah mati… dan di beli ulang domainnya sama orang arab .

      January 11, 2011 at 3:07 pm
