user7576140

Search for two bytes within a string in Python

I have a string like the following: \x31\xc0\xb8\x04\x00\x00\x00\x31\xdb\xb3\x01\x31\xd2\x52\x68\x72\x6c\x64\x0a\x68\x6f\x20\x57\x6f\x68\x48\x65\x6c\x6c\x89\xe1\xb2\x0c\xcd\x80\xb0\x01\xb3\x02\xcd\x80

I search it for null bytes with the following code. The code works perfectly for searching one byte:

def ScanStringNullByte(_arg_string):
    totalNullByte = 0
    print("\033[101m\033[1mNull Bytes Detected:\033[0m\n")

    for pos, check in enumerate(_arg_string):

        if check == '\\x00':
            print("\tNull byte at {} index".format(pos))
            totalNullByte += 1

    print("\n\t\033[95m\033[1mTotal null bytes in the shellcode: {}\033[0m\n".format(totalNullByte))

But I don't know how to search the same string for two bytes. For example, I want to detect whether bytes like \xcd\x80 are in the string or not and, if they are, at what location.

Upvotes: 0

Views: 284

Answers (2)

sinkmanu

Reputation: 1112

You have to replace "\\x00" with "\x00" because you are escaping the slash (\), so you aren't searching for null bytes.

In Python, the string library has a method to count a substring.

    string.count(s, sub[, start[, end]])
        Return the number of (non-overlapping) occurrences of substring sub in string s[start:end]. Defaults for start and end and interpretation of negative values are the same as for slices.

E.g. Count the substring "\x00" and "\xcd\x80":

shellcode = "\x31\xc0\xb8\x04\x00\x00\x00\x31\xdb\xb3\x01\x31\xd2\x52\x68\x72\x6c\x64\x0a\x68\x6f\x20\x57\x6f\x68\x48\x65\x6c\x6c\x89\xe1\xb2\x0c\xcd\x80\xb0\x01\xb3\x02\xcd\x80"

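# Count non-overlapping occurrences of each byte sequence (runs on Python 2 and 3)
print("Total null bytes in the shellcode: {}".format(shellcode.count("\x00")))
print("Total \\xcd\\x80 in the shellcode: {}".format(shellcode.count("\xcd\x80")))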

Upvotes: 0

Chris

Reputation: 16172

import re
def ScanStringNullByte(_arg_string):
    totalNullByte = 0
    print("\033[101m\033[1mNull Bytes Detected:\033[0m\n")

    p = re.compile("\\x31\\xc0")
    for m in p.finditer(_arg_string):
        print("\t{} at {} index".format(p.pattern, m.start()))
        totalNullByte += 1

    print("\n\t\033[95m\033[1mTotal {} in the shellcode: {}\033[0m\n".format(p.pattern, totalNullByte))


ScanStringNullByte('\x31\xc0\xb8\x04\x00\x00\x00\x31\xdb\xb3\x01\x31\xd2\x52\x68\x72\x6c\x64\x0a\x68\x6f\x20\x57\x6f\x68\x48\x65\x6c\x6c\x89\xe1\xb2\x0c\xcd\x80\xb0\x01\xb3\x02\xcd\x80')

Output:

Null Bytes Detected:

    \x31\xc0 at 0 index

    Total \x31\xc0 in the shellcode: 1

Upvotes: 0
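
An added example, not code from either answer above: it returns every offset of a byte pattern in the question's buffer, including overlapping matches that `count()` and `re.finditer()` skip, and it also accepts text that holds literal `\xNN` escapes (the form the question's `'\\x00'` comparison implies). The names `to_bytes` and `find_all` are hypothetical, and the input is assumed to be either real bytes or such escaped text.

```python
import re

# The buffer from the question, written as a Python 3 bytes literal.
SHELLCODE = (
    b"\x31\xc0\xb8\x04\x00\x00\x00\x31\xdb\xb3\x01\x31\xd2\x52\x68\x72\x6c\x64"
    b"\x0a\x68\x6f\x20\x57\x6f\x68\x48\x65\x6c\x6c\x89\xe1\xb2\x0c\xcd\x80\xb0"
    b"\x01\xb3\x02\xcd\x80"
)

# Text made only of literal backslash-x-hex pairs, e.g. read from a file or argv.
_ESCAPED = re.compile(r"(?:\\x[0-9a-fA-F]{2})+")


def to_bytes(data):
    # Hypothetical helper: normalise the accepted input forms to bytes.
    if isinstance(data, (bytes, bytearray)):
        return bytes(data)
    if _ESCAPED.fullmatch(data):
        # Literal escapes: drop each backslash-x and decode the hex digits.
        return bytes.fromhex(data.replace("\\x", ""))
    # Assumption: a str whose characters already are the byte values (0-255).
    return data.encode("latin-1")


def find_all(data, pattern, overlapping=True):
    # Hypothetical helper: list every offset at which pattern occurs in data.
    buf, pat = to_bytes(data), to_bytes(pattern)
    if not pat:
        raise ValueError("empty pattern")
    offsets, pos = [], buf.find(pat)
    while pos != -1:
        offsets.append(pos)
        # Step by one byte to catch overlaps, or by the pattern length to skip them.
        pos = buf.find(pat, pos + (1 if overlapping else len(pat)))
    return offsets


if __name__ == "__main__":
    for name, pat in [("null byte", b"\x00"), ("\\xcd\\x80", b"\xcd\x80")]:
        print("{} at offsets {}".format(name, find_all(SHELLCODE, pat)))
```

Working on `bytes` rather than `str` keeps offsets equal to byte positions regardless of text encoding.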
