-
Notifications
You must be signed in to change notification settings - Fork 14
/
Copy pathstart_sploit.py
executable file
·188 lines (150 loc) · 6.02 KB
/
start_sploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
#!/usr/bin/env python
# author: Alexander Bersenev (Bay) from Hackerdom team
# starts one sploit for all teams in a loop
import re
import sys
import os
from os.path import basename, splitext, abspath, exists
from subprocess import Popen, PIPE, STDOUT
from threading import Thread, Lock
from time import time, sleep, strftime
try:
from Queue import Queue, Empty
except ImportError:
from queue import Queue, Empty # python 3.x
from flag_format import FLAG_FORMAT
from team_list import TEAMS
MAX_RUNTIME = 60 # in secs, sploit will be restarted if it running too long
PAUSE = 10 # in secs, the time between sploit relaunches
OWNER_LOCK = Lock() # global lock that protects TeamOwner members
def log(text):
print(strftime("%H:%M:%S") + " " + text)
class TeamOwner(Thread):
def __init__(self, sploit_name, team_name, team_ip):
Thread.__init__(self, name=team_name)
self.sploit_name = sploit_name
self.team_name = team_name
self.team_ip = team_ip
spl_short_name = splitext(basename(sploit_name))[0]
self.flag_filename = "flags/%s_%s.txt" % (spl_short_name, team_name)
open(self.flag_filename, 'ab').close() # create file if not exists
savedflags = re.findall(FLAG_FORMAT,
open(self.flag_filename, "rb").read())
self.flags = set(savedflags)
self.cycle_num = 0
log("Starting hacking team %s, launching in a loop: %s %s" %
(self.team_name, basename(self.sploit_name), self.team_ip))
def run(self):
while True:
try:
self.cycle_num += 1
self.last_launch_time = time()
self.launch_spl()
except Exception as E:
log("Exception, team %s: %s" % (self.team_name, E) + "\a")
finally:
if self.cycle_num == 1:
log("Sploit for team %s: hiding output" % self.team_name)
sleep(PAUSE)
def launch_spl(self):
need_launch_in_shell = (os.name == "nt")
# launch sploit proccess with team_ip as arg
spl = Popen([self.sploit_name, self.team_ip],
stdout=PIPE, stderr=STDOUT, bufsize=1,
shell=need_launch_in_shell)
q = Queue()
# we are processing output in other thread to prevent blocking
def enqueue_output(queue, out):
while True:
line = out.readline()
queue.put(line)
if not line:
break
t = Thread(target=enqueue_output, args=(q, spl.stdout))
t.daemon = True
t.start()
# get output by lines until EOF
while True:
try:
remaining_time = MAX_RUNTIME - (time() - self.last_launch_time)
line = q.get(timeout=remaining_time)
except (Empty, ValueError):
log("Killing %s sploit(tried to run for more than %d secs)" % (
self.team_name, MAX_RUNTIME))
break
if not line:
break
line = line.strip()
if not line:
continue
if self.cycle_num == 1:
print("%s: %s" % (self.team_name, line))
flags = re.findall(FLAG_FORMAT, line)
OWNER_LOCK.acquire()
for flag in flags:
if flag not in self.flags:
if self.cycle_num == 1:
log("Flag from %s: %s" % (self.team_name, flag))
with open(self.flag_filename, "ab", 0) as f:
f.write(flag + b"\n")
self.flags.add(flag)
else:
if self.cycle_num == 1:
log("Flag from %s: %s (dup)" % (self.team_name, flag))
OWNER_LOCK.release()
if os.name != "nt":
spl.kill()
else:
spl.communicate()
# LETS ROCK !!!
if len(sys.argv) < 2:
print("Usage: start_sploit.py <sploit>")
sys.exit(1)
sploit_name = abspath(sys.argv[1])
if not exists(sploit_name):
print("Sploit doesn't exist: " + sploit_name)
sys.exit(1)
# ensure that flag dir is exists
if not exists("flags"):
os.makedirs("flags")
if os.name != "nt":
os.setpgrp()
if os.name == "nt":
# Because Windows sucks at the proccess management
log("Windows detected. Timeouts are not supported on this os!")
log("Please write only short-time-running exploits")
MAX_RUNTIME = 0xFFFFFFFF
owners = []
for team_name, team_ip in TEAMS.items():
owner = TeamOwner(sploit_name, team_name, team_ip)
owner.daemon = True
owners.append(owner)
try:
for owner in owners:
owner.start() # start pwning thread for each team
while True:
# generate stats in a loop
OWNER_LOCK.acquire()
last_flags = [set(o.flags) for o in owners]
last_stats = [(len(o.flags), o.cycle_num) for o in owners]
OWNER_LOCK.release()
sleep(60 - int(time()) % 60) # show stat on zero second
curr_flags = [set(o.flags) for o in owners]
curr_stats = [(len(o.flags), o.cycle_num) for o in owners]
stats = [(owners[i].team_name,
curr_stats[i][0], curr_stats[i][0] - last_stats[i][0],
curr_stats[i][1], curr_stats[i][1] - last_stats[i][1],
list(curr_flags[i] - last_flags[i]))
for i in range(len(owners))]
last_flags = ["%s: %s" % (s[0], s[5]) for s in stats]
log("LAST MINUTE NEW FLAGS: " + "\n".join(last_flags))
flag_stats = ["%s: %d(%d)" % (s[0], s[2], s[1]) for s in stats]
log("LAST MINUTE FLAG STATS: " + ", ".join(flag_stats))
iter_stats = ["%s: %d(%d)" % (s[0], s[4], s[3]) for s in stats]
log("LAST MINUTE LAUNCHES STATS: " + ", ".join(iter_stats))
except KeyboardInterrupt:
print("Ctrl-c received!")
# kill all sploits with the hardest fire I can cast
log("Done")
if os.name != "nt":
os.killpg(0, 9) # UNIX only =(