CheckFault : Segfault offset

#Checkfault
#Author: St0rn
#Uses python-ptrace
#
#Usage: checkfault.py [Type] [Binary] [Length]
#
#!/usr/bin/env python


import os
import struct
import sys

from ptrace.debugger.child import createChild
from ptrace.debugger.debugger import PtraceDebugger
from ptrace.tools import locateProgram

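def generatejunk(length):
    """Return a cyclic pattern of exactly *length* characters.

    The pattern is the run of triples "Aa0", "Aa1", ..., "Aa9", "Ab0", ...,
    "Zz9" (upper case, lower case, digit -- the digit advances fastest).
    Every 4-byte window is distinct within one period of 26*26*10 triples
    (20280 bytes), so a register value found in the pattern maps back to a
    single offset. After one period the sequence wraps around; the original
    reset tested the digit counter instead of the upper-case counter, so it
    raised IndexError once 20280 bytes were exceeded.

    Args:
        length: number of characters wanted; the trailing partial triple is
            cut so the result is never longer than requested. A non-positive
            value yields "".
    """
    taba = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    tabb = "abcdefghijklmnopqrstuvwxyz"
    tabc = "0123456789"

    parts = []
    produced = 0
    a = b = c = 0
    while produced < length:
        parts.append(taba[a] + tabb[b] + tabc[c])
        produced += 3
        # Odometer-style carry: digit, then lower case, then upper case.
        c += 1
        if c == len(tabc):
            c = 0
            b += 1
            if b == len(tabb):
                b = 0
                a += 1
                if a == len(taba):
                    a = 0
    return "".join(parts)[:length]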

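#Find EIP control offset Function
_JUNK_PATH = "/tmp/junk"


def _pattern_for(addr):
    """Return the little-endian byte string a register loaded from the pattern held.

    4 bytes when *addr* fits a 32-bit register, 8 bytes otherwise, so 64-bit
    targets are handled too. Replaces the hand-rolled hex-string shuffle, which
    assumed ``hex()`` produced exactly eight digits and raised IndexError on
    anything else (that IndexError was then misreported as "No SIGSEGV").
    """
    # Registers come back unsigned from python-ptrace; mask defensively in case
    # a binding hands back a signed value -- TODO confirm against installed version.
    addr &= 0xffffffffffffffff
    return struct.pack("<I" if addr <= 0xffffffff else "<Q", addr)


def _offset_report(name, junk, addr):
    """Return the report line for register *name* holding *addr*.

    "Control of <name> after <offset> Bytes" when the bytes of *addr* occur in
    *junk*, otherwise "No Control of <name>". *junk* is the ``str`` pattern the
    Python 2 script feeds the target; ``struct.pack`` returns ``str`` there too,
    so the search is direct.
    """
    try:
        offset = junk.index(_pattern_for(addr))
    except ValueError:
        return "No Control of %s" % name
    return "Control of %s after %d Bytes" % (name, offset)


def _write_junk_file(junk):
    """Write the pattern to the fixed exchange path and tell the user where it is.

    NOTE: the path is fixed and predictable, and ``open`` follows an existing
    symlink there; this is fine on a lab box you control, not on a shared host.
    """
    with open(_JUNK_PATH, "w") as f:
        f.write(junk)
    print("\n File %s has been created\n" % _JUNK_PATH)


def _remove_junk_file():
    """Delete the exchange file; a file that is already gone is not an error."""
    try:
        os.remove(_JUNK_PATH)
    except OSError:
        pass


def _trace_and_report(argv, junk, before_run=None, cleanup=None):
    """Spawn *argv* stopped under ptrace, resume it and report where the pattern landed.

    Args:
        argv: full argument vector; ``argv[0]`` already resolved to a path.
        junk: the pattern fed to the program, used for the offset lookup.
        before_run: optional callable run after the tracee is attached and
            before it is resumed (the "get" mode writes its file here, so the
            file exists before the program can ask for input).
        cleanup: optional callable always run before returning or exiting.

    Calls ``sys.exit()`` when the tracee stops without delivering a signal.
    The debugger is always shut down, also on the success path, so the tracee
    is not left attached.
    """
    debug = PtraceDebugger()
    ps = debug.addProcess(createChild(argv, False, None), True)
    try:
        if before_run is not None:
            before_run()
        ps.cont()
        try:
            event = ps.waitSignals()
        except Exception:
            # python-ptrace reports a non-signal stop (e.g. a normal exit) by
            # raising the event object itself -- TODO confirm against the
            # installed version; narrow this clause to that type once known.
            print("\nNo SIGSEGV detected!\nMaybe the program is not vulnerable\nOr try with more bytes\n")
            sys.exit()
        print("\n%s Detected!" % event)
        eip = ps.getInstrPointer()
        ebp = ps.getFramePointer()
    finally:
        if cleanup is not None:
            cleanup()
        debug.quit()
    print("\n" + _offset_report("EBP", junk, ebp))
    print(_offset_report("EIP", junk, eip) + "\n")


def checkfault(binary, types, length):
    """Run *binary* under ptrace with a cyclic pattern and report the EBP/EIP offsets.

    Args:
        binary: program name or path, resolved with ``locateProgram``.
        types: ``"arg"`` passes the pattern as the first argv element;
            ``"get"`` writes it to ``/tmp/junk`` for a program that reads its
            input itself. Any other value does nothing.
        length: number of pattern bytes to generate (see ``generatejunk``).

    Side effects: prints the result; ``"get"`` mode creates and removes
    ``/tmp/junk``; both modes call ``sys.exit()`` when the traced process
    stops without a signal.
    """
    if types == "arg":
        junk = generatejunk(length)
        _trace_and_report([locateProgram(binary), junk], junk)
    elif types == "get":
        junk = generatejunk(length)
        _trace_and_report(
            [locateProgram(binary)],
            junk,
            before_run=lambda: _write_junk_file(junk),
            cleanup=_remove_junk_file,
        )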

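if __name__ == "__main__":
    # Entry point: checkfault.py [Type] [Binary] [Junk_Length]. A missing or
    # non-numeric length falls through to the usage text instead of a traceback.
    try:
        junk_length = int(sys.argv[3]) if len(sys.argv) == 4 else None
    except ValueError:
        junk_length = None
    if junk_length is None:
        print("\nUsage: %s [Type] [Binary] [Junk_Length]\nType:\n arg = If the binary use argv\n get = If the binary use gets(), scanf() or other\n" % sys.argv[0])
    else:
        checkfault(sys.argv[2], sys.argv[1], junk_length)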


St0rn


