Custom Tooling
This is a collection of custom Python scripts I developed to accomplish some tasks.
Common Library
This file contains functions that we repeated a lot in each file.
Lib Code
from pwn import *
def enterCal(conn):
    """Step an open connection through the prompts until the CAL prompt appears.

    Waits for an ``=`` prompt, then sends ``acc``, ``2ac`` and ``cal`` in that
    order (each one after its own ``=`` prompt), and finally blocks until the
    ``==>>`` prompt has been received.

    Args:
        conn: Connection object exposing ``recvuntil`` and ``sendline``.
            The scripts on this page pass a pwntools ``remote``.
    """
    # Each payload carries an explicit CRLF. If conn is a pwntools tube,
    # sendline() appends its own newline after it; that is kept unchanged.
    for step in (b"acc\r\n", b"2ac\r\n", b"cal\r\n"):
        conn.recvuntil(b"=")
        conn.sendline(step)
    conn.recvuntil(b"==>>")
Bulk Memory Downloader
Given two memory ranges, creates a file with all the data from those memory ranges. (There is an issue where there is extra data, with it repeating the row it is on.)
Bulk Code
from comUtil import *
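# Target device and dump parameters.
HOST = "10.152.152.152"
PORT = 23
FILENAME = "demo.txt"  # output file for the cleaned-up dump
UPPER = "10000100"
LOWER = "10000000"

conn = remote(HOST, PORT)
try:
    # Drop us in CAL
    enterCal(conn)

    # Request the memory range and read everything up to the next CAL prompt.
    conn.sendline(f"mem {LOWER} {UPPER}\r\n".encode())
    response = conn.recvuntil(b"==>>")
finally:
    # Release the socket even when the prompt sequence or the read fails.
    conn.close()

# Clean up the response: drop spaces and CRLF line breaks.
response = response.decode()
response = response.replace(" ", "").replace("\r\n", "")

# Save the response to FILENAME, so that the path written and the path
# reported below cannot drift apart (the literal "demo.txt" was used before).
with open(FILENAME, "w") as f:
    f.write(response)

print(f"Memory dump saved to {FILENAME}")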
Command Finder
Tries all three-letter words to figure out which ones it doesn't have permission to run, and saves them to a file.
Finder Code
import logging
from pwn import *
from itertools import product, dropwhile
# General Configuration
HOST = "10.152.152.152"
PORT = 23
LOG_FILE = "main.log"
# Console verbosity; change to logging.DEBUG, logging.WARNING, etc.
CONSOLE_LEVEL = logging.INFO

## Attack Configuration
# Candidate characters, in the order they are tried: letters, digits, "_".
alphabet = (
    "abcdefghijklmnopqrstuvwxyz"
    "1234567890"
    "_"
)
# First candidate to send; everything ordered before it is skipped.
start_combo = tuple("aaa")
# NOTE(review): main() passes repeat=3 to product() directly, so changing
# this value on its own has no effect on the candidates generated.
commandLength = 3

# Creates a log level when commands are found
# (25 sits between logging.INFO at 20 and logging.WARNING at 30).
GOAL_LEVEL = 25
logging.addLevelName(GOAL_LEVEL, "GOAL")
def goal(self, message, *args, **kwargs):
    """Log *message* at the custom GOAL level on this logger.

    Written to be attached to ``logging.Logger`` as a method, which is why
    the first parameter is ``self``.

    Args:
        message: Log message, or a %-style format string.
        *args: Values merged into ``message`` by the logging machinery.
        **kwargs: Passed through unchanged to ``Logger._log``.
    """
    if not self.isEnabledFor(GOAL_LEVEL):
        return
    self._log(GOAL_LEVEL, message, args, **kwargs)


# Attach the function so that every Logger instance exposes .goal().
logging.Logger.goal = goal
def setup_logging(console_level):
    """Configure the root logger with a file handler and a console handler.

    The root logger itself is opened up to DEBUG. The file handler writes
    everything from DEBUG upward to ``LOG_FILE``; the console handler only
    shows records at ``console_level`` or above. Both share one format.

    Args:
        console_level: Minimum level shown on the console, for example
            ``logging.INFO``.
    """
    root = logging.getLogger()
    root.setLevel(logging.DEBUG)
    line_format = logging.Formatter('%(asctime)s [%(levelname)s] %(message)s')

    # (handler, threshold) pairs: full detail to the file, filtered console.
    sinks = (
        (logging.FileHandler(LOG_FILE), logging.DEBUG),
        (logging.StreamHandler(), console_level),
    )
    for handler, threshold in sinks:
        handler.setLevel(threshold)
        handler.setFormatter(line_format)
        root.addHandler(handler)
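def main():
    """Send each three-character candidate to the device and sort the replies.

    Candidates come from ``product(alphabet, repeat=3)``, starting at
    ``start_combo``. For every candidate that is not on the skip list the
    reply up to the next ``=`` is classified:

    * contains ``Invalid Access Level``: the word is appended to
      ``new_commands.txt`` and logged at GOAL level;
    * contains ``Invalid Command``: ignored;
    * anything else: ``n`` is sent back and the word is reported as needing
      to be excluded.

    Any exception is logged with its traceback rather than propagated, and
    the connection is closed on every exit path.
    """
    setup_logging(CONSOLE_LEVEL)

    # Remove commands that elevate (the list also carries "exi" and "qui",
    # presumably the session-ending commands; confirm against the device).
    skipped = frozenset({"acc", "2ac", "exi", "qui"})

    conn = None
    try:
        conn = remote(HOST, PORT)
        banner = conn.recvuntil(b"=")
        logging.debug(f"Received: {banner}")

        combinations = dropwhile(
            lambda combo: combo != start_combo,
            product(alphabet, repeat=3),
        )
        for combination in combinations:
            word = "".join(combination)
            if word in skipped:
                continue

            # Send and match on bytes explicitly instead of handing pwntools
            # str values, which it has to convert implicitly.
            conn.sendline(f"{word}\r\n".encode())
            logging.info(f"Sent command: {word}")
            output = conn.recvuntil(b"=")
            logging.debug(f"Received: {output}")

            if b"Invalid Access Level" in output:
                with open("new_commands.txt", "a") as file:
                    file.write(word + "\n")
                logging.getLogger().goal("New command found: " + word)
                print(f"New command found: {word}")
            elif b"Invalid Command" not in output:
                conn.sendline(b"n")
                print(f"Command {word} is needing to be excluded.")
                logging.warning(f"Command {word} is needing to be excluded.")
    except Exception as e:
        # Keep the original best-effort behaviour, but record the traceback.
        logging.exception(f"Error: {e}")
    finally:
        # Close the socket on failure as well as on normal completion.
        if conn is not None:
            conn.close()
            logging.info("Connection closed.")


if __name__ == "__main__":
    main()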
Memory Mapper
A complex manual tool that can be used to map the lower and upper values of memory ranges.
Mapper Code
from comUtil import *
# Target device.
HOST = "10.152.152.152"
PORT = 23

conn = remote(HOST, PORT)

# Drop us in CAL
enterCal(conn)

# Start dropping mem combinations: one request per hex digit, with the digit
# substituted into a single position of the address.
hexNumbers = "0123456789ABCDEF"
for digit in hexNumbers:
    command = f"mem 50000{digit}00\r\n"
    conn.sendline(command.encode())
    # Read up to the next CAL prompt and show the reply without padding.
    reply = conn.recvuntil(b"==>>")
    print(reply.decode().strip())

print("Finished")
conn.close()
01 September 2025