How to use:
python ushellcode.py hex-file output-file
Download: ushellcode.py.tar.gz
Monday, February 16, 2009
Wednesday, January 28, 2009
Python: Simple URL extractor
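import re

def url_finder(data):
    # match http:// or https:// followed by URL characters or %XX escapes
    # note: "$-_" inside the class is a range (0x24-0x5F), so it also matches / : ? = and digits
    urls = re.findall(r"http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+", data)
    for url in urls:
        # strip surrounding quotes, then print with a trailing blank line
        outpt = url.strip('"').strip("'") + "\n"
        print(outpt)

inpt = "aaaaaaaaaaaaaa http://www.google.com bbbbbbbbb http://example010.blogspot.com ccccccccc http://google.com dddd http://a.b/a/a/a/index.html"
url_finder(inpt)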
This code simply finds URLs using a regular expression and prints them.
Wednesday, January 21, 2009
Python: UCS2 shellcode to hex converter
When analyzing JavaScript that contains shellcode, I need a UCS2-to-hex converter before running the shellcode through libemu's sctest. The shellcode is in UCS2 format, so converting the hex digits directly into ASCII produces nothing meaningful. For example:
UCS2 : %u3341
If I remove the %u and convert 3341 directly to ASCII, it produces 3A. That gives the wrong meaning if we run the shellcode, because the real hex is 4133: %u3341 is one 16-bit value, and it is stored low byte first. So before converting the UCS2 into hex, we need to remove the %u and swap the 33 and 41. To make life easier, this Python code automates the job:
import re

def ucs2hex(match):
    s = match.group()  # the whole match, e.g. "%u3341"
    return "".join([s[4]+s[5], s[2]+s[3]])  # swap the 4th and 5th char with 2nd and 3rd char

def find_word(data):
    # regular expression to search for %u and the 4 hex digits after it
    p = re.compile(r'%u([0-9a-fA-F]{4})')
    return p.sub(ucs2hex, data)

ucs2_string = "%u3341"
hex_string = find_word(ucs2_string)
print(hex_string)  # 4133
This code simply searches the string for %u and the 4 characters after it, then swaps characters 4 and 5 with characters 2 and 3.
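An added example, not the original ushellcode.py: it generalizes the swap above to a whole unescape() argument pulled out of a script, decoding %uXXXX, %XX and literal characters into the little-endian bytes the JavaScript string occupies in memory. The function names and the sample JavaScript are constructed for illustration.

```python
import re
import struct

# %uXXXX is one 16-bit unit, %XX is one 8-bit value; anything else is a literal.
ESCAPE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')
# unescape( "..." + '...' ) with only string literals and + inside the call.
CALL = re.compile(r'unescape\s*\(((?:"[^"]*"|\'[^\']*\'|\s|\+)+)\)')
LITERAL = re.compile(r'"([^"]*)"|\'([^\']*)\'')

# Constructed sample: decodes to the ASCII text "Hello!", not real shellcode.
SAMPLE_JS = 'var sc = unescape("%u6548%u6c6c" + "%u216f");'


def extract_payloads(js_source):
    """Return the joined string argument of every unescape(...) call."""
    payloads = []
    for call in CALL.finditer(js_source):
        parts = [dq or sq for dq, sq in LITERAL.findall(call.group(1))]
        payloads.append("".join(parts))
    return payloads


def unescape_to_bytes(text):
    """Decode like JavaScript unescape(), then lay the string out as UTF-16LE."""
    out = bytearray()
    pos = 0
    # Malformed escapes such as "%u33" never match ESCAPE and stay literal text.
    for m in ESCAPE.finditer(text):
        # Literal characters between escapes also occupy two bytes each.
        out += text[pos:m.start()].encode("utf-16-le")
        # "<H" writes the low byte first: %u3341 -> 41 33, %41 -> 41 00.
        out += struct.pack("<H", int(m.group(1) or m.group(2), 16))
        pos = m.end()
    out += text[pos:].encode("utf-16-le")
    return bytes(out)


if __name__ == "__main__":
    for payload in extract_payloads(SAMPLE_JS):
        raw = unescape_to_bytes(payload)
        print(payload, "->", raw.hex(), repr(raw))
```

Writing the returned bytes to a file in binary mode gives the raw buffer to hand to the emulator.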







