From 80b4a2af54eb29370cda9cb37265dc74e1fec265 Mon Sep 17 00:00:00 2001
From: danger
Date: Sun, 27 Oct 2024 17:55:14 +0800
Subject: [PATCH] Upload files to "/"

---
verify_exp.py | 146 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 146 insertions(+)
create mode 100644 verify_exp.py

diff --git a/verify_exp.py b/verify_exp.py
new file mode 100644
index 0000000..59e1176
--- /dev/null
+++ b/verify_exp.py
@@ -0,0 +1,146 @@
+
+import os
+import shutil
+import sys
+import subprocess
+import re
+import time
+RED = '\033[91m'
+GREEN = '\033[92m'
+YELLOW = '\033[93m'
+BLUE = '\033[94m'
+RESET = '\033[0m'
+
+
+INJECT_SCRIPT_NAME="inject_tmp.py"
+WIN_FILE_NAME="win"
+VERIFY_TIMEOUT=0.5
+
+def init_exp_all(src_path,dest_path):
+ print(f"Try to copy exp ({src_path} -> {dest_path})")
+ try:
+ for f in os.listdir(src_path):
+ if(f[-3:]==".py"):
+ src_file_path=os.path.join(src_path,f)
+ dest_file_path=os.path.join(dest_path,f)
+ shutil.copy(src_file_path,dest_file_path)
+ print(f"{GREEN}Copy successful ({src_file_path} -> {dest_file_path}){RESET}")
+ except Exception as msg:
+ print(f"{RED}{msg}{RESET}")
+ print(f"{RED}Exp copy failed{RESET}")
+ return -1
+
+def init_exp(elf_path,dest_path):
+ elf_path+=".py"
+ dest_path=os.path.join(dest_path,'exp.py')
+ print(f"Try to copy exp ({elf_path} -> {dest_path})")
+ try:
+ shutil.copy(elf_path,dest_path)
+ print(f"{GREEN}Copy successful ({elf_path} -> {dest_path}){RESET}")
+ except Exception as msg:
+ print(f"{RED}{msg}{RESET}")
+ print(f"{RED}Exp copy failed{RESET}")
+ return -1
+
+def verify_exp(elf_path,exp_name=""):
+ tmp_py=""
+ try:
+ dir_path=os.path.dirname(elf_path)
+
+ #确定exp的脚本
+ if(exp_name == ""):
+ script_exp_name=[]
+ for f in os.listdir(dir_path):
+ if(f[-3:]==".py"):script_exp_name.append(f)
+ script_counts=len(script_exp_name)
+ assert(script_counts),"There is no python script under the directory"
+ if(script_counts==1):
+ exp_name=script_exp_name[0]
+ else:
+ print(f"{YELLOW}There are multiple scripts, please select one{RESET}")
+ for i in range(script_counts):
+ print(f"{i} -> {script_exp_name[i]}")
+ idx=int(input("idx:"))
+ assert(0<=idx Attack ...{RESET}")
+
+ exp_path=os.path.join(dir_path,exp_name)
+ #注入判断语句
+ with open(exp_path,"r") as f:
+ script_content=f.read()
+ #匹配连接的变量名称
+ pattern = r"^(?!#)\s*(\w+).interactive"
+ match=re.search(pattern ,script_content,re.MULTILINE)
+ assert(match),f"Failed to match 
the script RE"
+
+ # print(script_content)
+
+ PID_virtualname=match.group(1)
+ #注入利用win文件判断,先清除win文件
+ if( os.path.exists(WIN_FILE_NAME) and os.path.isfile(WIN_FILE_NAME) ):os.remove(WIN_FILE_NAME)
+
+ script_split=script_content.split("\n")
+ inject_payload=f"""\n
+\t{PID_virtualname}.sendline(b"clear;echo 'Successful Attack {elf_path}' >> {WIN_FILE_NAME};")
+\tstrs={PID_virtualname}.recvuntil(b'mowen',timeout={VERIFY_TIMEOUT})
+\tif(strs==b''):{PID_virtualname}.close()
+except:
+\tpass
+finally:
+\t{PID_virtualname}.close()
+ """
+ tmp_py=os.path.join(dir_path,INJECT_SCRIPT_NAME)
+ with open(tmp_py,"w+") as f:
+ f.write("try: \n")
+ for s in script_split:
+ if("interactive" in s):
+ f.write(inject_payload+"\n")
+ continue
+ f.write("\t"+s+"\n")
+
+ print(f"Inject payload successful! Start program...")
+ #启动elf
+ cmd=[elf_path]
+ elf_process=subprocess.Popen(cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
+
+ #开始执行exp
+ print(f"Run payload...")
+
+ cmd=f"cd {dir_path} ;python3 {INJECT_SCRIPT_NAME};"
+ old_time=time.time()
+ subprocess.run(cmd,check=True,shell=True,capture_output=True)
+ run_time=time.time()-old_time
+ print(f"run end process({run_time:.3f})")
+
+ assert(os.path.exists(WIN_FILE_NAME)),f"Failed to attack"
+
+ with open(WIN_FILE_NAME,"r") as f:
+ print(f"{GREEN}{f.read()}{RESET}")
+
+ #关闭进程
+ elf_process.kill()
+ elf_process.wait()
+ except AssertionError as msg:
+ print(f"{RED}{msg}{RESET}")
+ return -1
+ except Exception as msg:
+ print(f"{RED}{msg}{RESET}")
+ return -1
+ finally:
+ # with open(tmp_py,"r") as f:
+ # print(f.read())
+ #删除文件
+ if(os.path.exists(WIN_FILE_NAME)):os.remove(WIN_FILE_NAME)
+ if(os.path.exists(tmp_py)):os.remove(tmp_py)
+
+
+
+
+
+
+if __name__ == "__main__":
+ elf_path=sys.argv[1]
+ init_exp(os.path.dirname(elf_path),"./")
+ verify_exp(elf_path)
\ No newline at end of file
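Review bot: `subprocess.run(cmd,check=True,shell=True,capture_output=True)` executes a shell string with `dir_path` interpolated into `cd {dir_path} ;...`, so a directory name containing a space, `;` or a quote is parsed as part of the command rather than as the working directory; `subprocess.run([sys.executable, INJECT_SCRIPT_NAME], cwd=dir_path, check=True, capture_output=True)` drops the shell and the quoting problem in one line. The target started with `subprocess.Popen(cmd,...)` is killed only on the success path: when `check=True` raises `CalledProcessError` or `assert(os.path.exists(WIN_FILE_NAME))` fails, `elf_process.kill()`/`elf_process.wait()` are skipped and the process outlives the harness, so initialise `elf_process=None` next to `tmp_py=""` and perform the kill/wait in the `finally:` block under `if elf_process is not None:`. Its stdout and stderr are connected to pipes that are never read, so a target that prints more than the pipe buffer holds can block before the exploit reaches it; `stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL` is sufficient when the output is not inspected. The `assert(...)` statements used for validation (no script in the directory, regex miss, missing win file) are stripped under `python3 -O`, leaving only the generic `except Exception` message, so they should become explicit `if ...: raise` checks.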